SQL Injection Advanced Series, Part 1: PHP Code Audit
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Preface</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">On a real website the interfaces between user input and output are never left undefended like that. Nowadays every major site puts a WAF in front of its web or app traffic to recognise and block malicious patterns, so that the server is not compromised. That means we need to get past the WAF, and this article uses code auditing to walk through some SQL filter bypass techniques.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Keyword filtering</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Some WAFs filter on keywords; these can be bypassed with mixed case or by doubling the keyword.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Source code analysis</h1>
<pre><code>&lt;?php
require 'db.php';
header('Content-type:text/html;charset=utf8');
$username = dl($_POST['username']);
$password = dl($_POST['password']);
// Back-end handling for the login form: the filtered values are still spliced
// straight into the query text (this is the intentionally vulnerable pattern).
$dl = "SELECT * FROM xs WHERE username='$username' and password='$password'";
$ck = mysqli_query($db, $dl);
$row = mysqli_fetch_array($ck);
if ($_POST['login']) {
    if ($row) {
        echo "你的密码" . $row['username'];
    } else {
        echo "登录失败";
    }
}
// Blocklist filter: one pass of case-sensitive str_replace per keyword.
function dl($gl) {
    $gl = str_replace(array("union", "UNION"), "", "$gl");
    $gl = str_replace(array("select", "SELECT"), "", "$gl");
    $gl = str_replace(array("database", "DATABASE"), "", "$gl");
    $gl = str_replace(array("sleep", "SLEEP"), "", "$gl");
    $gl = str_replace(array("if", "IF"), "", "$gl");
    $gl = str_replace("--", "", "$gl");
    $gl = str_replace("order", "", "$gl");
    return $gl;
}
</code></pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Reading through the code: it first takes the input, passes it through the dl function and sends it to the database for execution; an if then checks whether the form was submitted and whether the login succeeded, and on success it echoes the user's account. It is a very simple back-end login. Further down is a custom function dl, which uses str_replace(); str_replace() replaces substrings, and here the common injection keywords union, select, database and if are replaced with the empty string in both lower and upper case. It is a simple custom filter for dangerous characters.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Injection method against keyword filtering</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">We try mixed case and doubled keywords to get past the filter. The response has an echo position, so union injection is possible. The dl function replaces union, select and so on with the empty string, but MySQL is not case-sensitive, so mixed case gets past the dl filter: a string like Select Union DAtabase() is still executed. Doubling works too: with a string like seselectlect, dl removes the inner select and the characters on either side join up to form select again, which defeats the filter.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The mixed-case bypass statement is -1' unioN Select dataBASE(),2 #</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/ece81d9e9b2746bb849bf2829538f197~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838937&x-signature=0v2zeYVQ2iQiyQmoIg5fN9AbyaI%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The doubled-keyword bypass statement is -1' ununionion selecselectt databasdatabasee(),2 #</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/b1b60436ea774b06859741988366db17~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838937&x-signature=02RdNvQhqHeMEkorGMIKTrJI0ek%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Both run successfully.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">or / and / xor / not filtering</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Logical operators such as or, and, xor and not also get filtered out. How do we get past that?</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Source code analysis</h1>
<pre><code>&lt;?php
require 'db.php';
header('Content-type:text/html;charset=utf8');
$username = dl($_POST['username']);
$password = dl($_POST['password']);
$zifu = '/(and|or|xor|not)/i';
// Note: a match only prints a warning; execution continues and the query still runs.
if (preg_match("$zifu", "$username&amp;&amp;$password")) {
    echo "&lt;script&gt;alert('存在危险字符')&lt;/script&gt;";
}
// Back-end handling for the login form (still string-built, intentionally vulnerable).
$dl = "SELECT * FROM xs WHERE username='$username' and password='$password'";
$ck = mysqli_query($db, $dl);
$row = mysqli_fetch_array($ck);
if ($_POST['login']) {
    if ($row) {
        echo "登录成功";
    } else {
        echo "登录失败";
    }
}
// Same blocklist filter as before: one pass of case-sensitive str_replace per keyword.
function dl($gl) {
    $gl = str_replace(array("union", "UNION"), "", "$gl");
    $gl = str_replace(array("select", "SELECT"), "", "$gl");
    $gl = str_replace(array("database", "DATABASE"), "", "$gl");
    $gl = str_replace(array("sleep", "SLEEP"), "", "$gl");
    $gl = str_replace(array("if", "IF"), "", "$gl");
    $gl = str_replace("--", "", "$gl");
    $gl = str_replace("order", "", "$gl");
    return $gl;
}
?&gt;</code></pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Reading the code, a preg_match call has been added on top of the previous version. It filters the keywords or, and, xor and not, and note that preg_match here matches regardless of case. Reading on, the echo position has been reduced to just success or failure, so we can only use blind injection or time-based injection.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Logical operator bypass</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">We first try mixed case, and as expected it fails.</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/4c9179d269ff404fb268fcc1fcd757d6~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838937&x-signature=MjA383v%2FsbxJ1jLt1ogBq4vpcKY%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Try the logical operators instead:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">and = &amp;&amp;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">or = ||</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">xor = | # exclusive or</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">not = !</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Using &amp;&amp; in place of and, we build the blind injection statement 1' &amp;&amp; length(DATAbase())=3 #. Because the keyword filter function is still in place, mixed case is still needed at the same time.</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/dda674c3e45641fc98438ab0ba415560~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838937&x-signature=SuDGJ4IfzyBnTQpuoY31ztPUyV8%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The injection succeeds.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">URL encoding bypass</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">When data is submitted through a URL in the normal way, the web container performs one round of URL decoding when it receives the request. For business reasons, however, some sites have code that URL-decodes the already-decoded parameters a second time, and that causes serious problems.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Source code analysis</h1>
<pre><code>&lt;?php
require 'db.php';
header('Content-type:text/html;charset=utf8');
$id1 = $_GET['id'];
$gl = "/and|or|not|xor|length|union|select|database|if|sleep|substr/i";
// The check runs on the value as the web server already decoded it once.
if (preg_match($gl, $id1)) {
    echo "&lt;script&gt;alert('存在危险字符')&lt;/script&gt;";
} else {
    // Second decode: this is the string that actually reaches the query,
    // and it was never inspected (intentionally vulnerable ordering).
    $id = urldecode($id1);
    $dl = "SELECT * FROM xs WHERE id='$id'";
    $result = mysqli_query($db, $dl);
    $row = mysqli_fetch_assoc($result);
    if ($_GET['id']) {
        if ($row) {
            echo "登录成功:" . $row['username'];
        }
    }
}
?&gt;</code></pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Again we look at the code first. The GET parameter from the client is assigned to id1, and an if with preg_match searches the value of id1. If the client's parameter contains anything matching gl, a front-end warning is returned. Only when no dangerous characters are found does the code below run: it URL-decodes id1 once more and assigns the result to $id. At this point the client's parameter has been URL-decoded twice. Finally the filtered id is used in the database query and the user's account is returned.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Injection statement</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">As noted in the code analysis, the client's parameter is URL-decoded twice before it reaches the database, but the dangerous-character filter runs after the first decode and before the second. In other words, we can submit a statement that has been URL-encoded twice to get past preg_match. For example, and is in the filter list; after one full URL encoding it becomes %61%6e%64, and after a second encoding it becomes %25%36%31%25%36%65%25%36%34. When the doubly-encoded and is submitted, the web container decodes it to %61%6e%64, so the preg_match check does not trigger.</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Constructing the test statement</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Encoding -1' union select database(),2,3 --+ in this way gives -1' %25%37%35%25%36%65%25%36%39%25%36%66%25%36%65 %25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34 %25%36%34%25%36%31%25%37%34%25%36%31%25%36%32%25%36%31%25%37%33%25%36%35(),2,3 --+</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/pgc-image/07ff05012ad445e2a554dab38bfe4efa~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838937&x-signature=SG4vA8r1EhvcbTM1Zd8Q4svmL8Y%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The bypass succeeds and the executed code returns the name of the current database.</p>
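<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The three weaknesses audited above (the single-pass str_replace blocklist, the preg_match that runs before the second urldecode, and the string-built query) can be checked mechanically. The following is an added example, not code from the original post, written in Python rather than PHP so that it runs offline: it models dl() and the third snippet's regex, replays the page's own inputs against them, and sets the string-built query beside a parameterised one; the in-memory SQLite table standing in for xs and its single row are constructed for the example.</p>

```python
import re
import sqlite3
from urllib.parse import unquote

# Model of the page's dl(): one pass of case-sensitive str_replace per keyword.
DL_BLOCKLIST = ["union", "UNION", "select", "SELECT", "database", "DATABASE",
                "sleep", "SLEEP", "if", "IF", "--", "order"]


def dl(value: str) -> str:
    for word in DL_BLOCKLIST:
        value = value.replace(word, "")  # "ununionion" -> "union": one pass only
    return value


# The third snippet's preg_match pattern; re.I mirrors the /i flag.
DANGER = re.compile(r"and|or|not|xor|length|union|select|database|if|sleep|substr", re.I)


def flagged_in_page_order(submitted: str) -> bool:
    """Page's order: server decodes once, preg_match runs, urldecode() runs afterwards."""
    as_received = unquote(submitted)  # what $_GET['id'] holds
    return DANGER.search(as_received) is not None


def flagged_after_full_decode(submitted: str) -> bool:
    """Corrected order: inspect the string the query will actually see."""
    as_received = unquote(submitted)
    return DANGER.search(unquote(as_received)) is not None


def build_concat_query(username: str, password: str) -> str:
    """Page's pattern: filter, then splice the values into the SQL text."""
    return (f"SELECT * FROM xs WHERE username='{dl(username)}' "
            f"and password='{dl(password)}'")


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the page's xs table (MySQL on the page).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE xs (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO xs VALUES (1, 'alice', 'constructed-pw')")
    return db


def login_param(db: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: bound parameters are data, never SQL, so no blocklist is needed."""
    sql = "SELECT * FROM xs WHERE username=? and password=?"
    return db.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    for p in ["-1' unioN Select dataBASE(),2 #",
              "-1' ununionion selecselectt databasdatabasee(),2 #"]:
        print(repr(p), "->", repr(dl(p)))              # both survive the filter
    twice = "%25%36%31%25%36%65%25%36%34"              # 'and' encoded twice (from the page)
    print(flagged_in_page_order(twice), flagged_after_full_decode(twice))  # False True
    print(login_param(make_db(), "-1' unioN Select dataBASE(),2 #", "x"))  # []
```

The point for the defender is in the last function: once the query is parameterised, none of the filter ordering or keyword-matching questions arise, because the input is never parsed as SQL.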