手工注入之常见字符串函数

(Updated: )
SQL注入

前言

前两天整理了一下关于手工注入的方法,今天来说一说手工注入的几个字符串函数。在手工注入中常常需要一次查询多个结果,这里字符串函数就派上用场了。

手工注入字符串常用函数三个老朋友:

1
2
3
concat()
group_concat()
concat_ws()

concat

基本格式

1
CONCAT(str1,str2)

返回结果为连接参数产生的字符串。如有任何一个参数为NULL ,则返回值为 NULL。可以有一个或多个参数。

使用案例

  • 参数中有NULL

    1
    2
    3
    4
    5
    6
    7
      mysql> SELECT CONCAT(id,',',NULL,',',password) AS users FROM users LIMIT 1,1;
    +-------+
    | users |
    +-------+
    | NULL  |
    +-------+
    1 row in set (0.00 sec)

  • 使用LIMIT来控制结果数量

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    mysql> SELECT CONCAT(id,',',username,',',password) AS users FROM users;          
    +-----------------------+                                                        
    | users                 |                                                        
    +-----------------------+                                                        
    | 1,Dumb,Dumb           |                                                        
    | 2,Angelina,I-kill-you |                                                        
    | 3,Dummy,p@ssword      |                                                        
    | 4,secure,crappy       |                                                        
    | 5,stupid,stupidity    |                                                        
    | 6,superman,genious    |                                                        
    | 7,batman,mob!le       |                                                        
    | 8,admin,admin         |                                                        
    | 9,admin1,admin1       |                                                        
    | 10,admin2,admin2      |                                                        
    | 11,admin3,admin3      |                                                        
    | 12,dhakkan,dumbo      |                                                        
    | 14,admin4,admin4      |                                                        
    +-----------------------+                                                        
    13 rows in set (0.00 sec)
    mysql> SELECT CONCAT(id,',',username,',',password) AS users FROM users LIMIT 1;  
    +-------------+                                                                  
    | users       |                                                                  
    +-------------+                                                                  
    | 1,Dumb,Dumb |                                                                  
    +-------------+                                                                  
    1 row in set (0.00 sec)                                                          
    mysql> SELECT CONCAT(id,',',username,',',password) AS users FROM users LIMIT 2;  
    +-----------------------+                                                        
    | users                 |                                                        
    +-----------------------+                                                        
    | 1,Dumb,Dumb           |                                                        
    | 2,Angelina,I-kill-you |                                                        
    +-----------------------+                                                        
    2 rows in set (0.00 sec)                                                         
    mysql> SELECT CONCAT(id,',',username,',',password) AS users FROM users LIMIT 0,1;
    +-------------+                                                                  
    | users       |                                                                  
    +-------------+                                                                  
    | 1,Dumb,Dumb |                                                                  
    +-------------+                                                                  
    1 row in set (0.00 sec)                                                          
    mysql> SELECT CONCAT(id,',',username,',',password) AS users FROM users LIMIT 0,2;
    +-----------------------+                                                        
    | users                 |                                                        
    +-----------------------+                                                        
    | 1,Dumb,Dumb           |                                                        
    | 2,Angelina,I-kill-you |                                                        
    +-----------------------+                                                        
    2 rows in set (0.00 sec)                                                         
    mysql> SELECT CONCAT(id,',',username,',',password) AS users FROM users LIMIT 1,1;
    +-----------------------+                                                        
    | users                 |                                                        
    +-----------------------+                                                        
    | 2,Angelina,I-kill-you |                                                        
    +-----------------------+                                                        
    1 row in set (0.00 sec)

CONCAT_WS

CONCAT_WS() 代表 CONCAT With Separator ,是CONCAT()的特殊形式。第一个参数是其它参数的分隔符。感觉比CONCAT更方便了呀,这样参数多的话就不用手动的去添加分隔符了。

基本格式

1
CONCAT_WS(separator,str1,str2,…)

使用案例

1
2
3
4
5
6
7
8
mysql> SELECT CONCAT_WS('~',id,username,password) AS users FROM users LIMIT 0,2;
+-----------------------+                                                       
| users                 |                                                       
+-----------------------+                                                       
| 1~Dumb~Dumb           |                                                       
| 2~Angelina~I-kill-you |                                                       
+-----------------------+                                                       
2 rows in set (0.00 sec)

GROUP_CONCAT

GROUP_CONCAT函数返回一个字符串结果,默认查询所有结果。该结果由分组中的值连接组合而成。

基本格式

1
GROUP_CONCAT(str1,str2,…)

使用案例

1
2
3
4
5
6
7
mysql> SELECT GROUP_CONCAT(id,username,password) AS users FROM users;                                                                                                                               
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| users                                                                                                                                                                                            |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1DumbDumb,2AngelinaI-kill-you,3Dummyp@ssword,4securecrappy,5stupidstupidity,6supermangenious,7batmanmob!le,8adminadmin,9admin1admin1,10admin2admin2,11admin3admin3,12dhakkandumbo,14admin4admin4 |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

sql注入中一般使用方法

  • 列出所有的数据库

select group_concat(schema_name) from information_schema.schemata

  • 列出某个库当中所有的表

select group_concat(table_name) from information_schema.tables where table_schema='xxxxx'