【网络安全】php代码审计-sql注入进阶篇
<h3 style="color: black; text-align: left; margin-bottom: 10px;">前言</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">经过上一篇<span style="color: black;">文案</span><span style="color: black;">咱们</span><span style="color: black;">已然</span>大概的<span style="color: black;">认识</span>sql注入去<span style="color: black;">怎么样</span>审计了。<span style="color: black;">然则</span>在<span style="color: black;">实质</span>的网站中和用户的输入输出接口不可能想那样<span style="color: black;">无</span>防御<span style="color: black;">办法</span>的。<span style="color: black;">此刻</span>各大网站都在<span style="color: black;">运用</span>waf对网站<span style="color: black;">或</span>APP的业务流量进行恶意特征识别及防护,,避免网站服务器被恶意入侵。<span style="color: black;">因此</span><span style="color: black;">咱们</span>就<span style="color: black;">必须</span>绕过waf,这篇<span style="color: black;">文案</span>就用代码审计的方式给<span style="color: black;">大众</span>讲解<span style="color: black;">有些</span>sql的绕过技巧。</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">关键字过滤</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">部分waf会对关键字进行过滤,<span style="color: black;">咱们</span><span style="color: black;">能够</span>用<span style="color: black;">体积</span>写<span style="color: black;">或</span>双写关键字来绕过。</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">源代码分析</h3>
<div style="color: black; text-align: left; margin-bottom: 10px;"><?php
require db.php;
header(Content-type:text/html;charset=utf8);
$username=dl($_POST);
$password=dl($_POST);
$dl="SELECT * FROM xs WHERE username=$username and password=$password"; //登录界面后台处理
$ck=mysqli_query($db,$dl);
$row = mysqli_fetch_array($ck);
if($_POST){
if($row) {
echo"你的<span style="color: black;">暗码</span>".$row;
}else{
echo"登录失败";
}
}
function dl($gl){
$gl=str_replace(array("union","UNION"),"","$gl");
$gl=str_replace(array("select","SELECT"),"","$gl");
$gl=str_replace(array("database","DATABASE"),"","$gl");
$gl=str_replace(array("sleep","SLEEP"),"","$gl");
$gl=str_replace(array("if","IF"),"","$gl");
$gl=str_replace("--","","$gl");
$gl=str_replace("order","","$gl");
return $gl;
}</div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">分析一下代码,<span style="color: black;">首要</span>获取了数据,加载dl函数以后带入了数据库中执行,<span style="color: black;">而后</span>if判定<span style="color: black;">是不是</span>有提交,<span style="color: black;">是不是</span>登录成功,登录成功后回显用户的账号,这是一个非常简单的后台登录代码。往下看有一个自定义函数dl,函数内<span style="color: black;">运用</span>了str_replace(),str_replace()的<span style="color: black;">功效</span>是替换字符串,<span style="color: black;">这儿</span>union,select,database ,if这些常用的注入字符<span style="color: black;">体积</span>写都被替换成空。做了一个简单的危险字符过滤自定义函数。</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">关键字过滤注入<span style="color: black;">办法</span></h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">用<span style="color: black;">体积</span>写和双写关键字来尝试绕过,返回代码里有回显位<span style="color: black;">因此</span><span style="color: black;">能够</span>union注入,dl函数把union,select这些字符替换成空<span style="color: black;">然则</span>mysql中是不不区分<span style="color: black;">体积</span>写的,<span style="color: black;">因此</span><span style="color: black;">能够</span><span style="color: black;">体积</span>写混写来绕过dl函数的过滤。<span style="color: black;">例如</span>Select Union DAtabase()<span style="color: black;">这般</span>的字符是<span style="color: black;">能够</span>执行的。<span style="color: black;">亦</span><span style="color: black;">能够</span>用双写的手法,<span style="color: black;">例如</span>seselectlect<span style="color: black;">这般</span>的语句, dl函数会把里面的select替换为空<span style="color: black;">这般</span>两边的字符凑在<span style="color: black;">一块</span>刚好又是一个select<span style="color: black;">这般</span>就起到了绕过的<span style="color: black;">功效</span>。</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">体积</span>写绕过语句为 -1’ unioN Select dataBASE(),2 #</p>
同意、说得对、没错、我也是这么想的等。 期待楼主的下一次分享!”
页:
[1]