SQL Injection, Advanced Part 1: PHP Code Audit
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Preface</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">On a real website, the interfaces that take user input and return output are never left completely unprotected like that. Most large sites now put a WAF in front of the site's or app's traffic to recognise malicious patterns and block them, so that the web server is not compromised. That means we have to get past the WAF, and this article uses code auditing to walk through some SQL injection bypass techniques.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Keyword filtering</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Some WAFs filter SQL keywords; mixed case or doubled keywords can be used to get past them.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Source code analysis</p>
<pre><code>&lt;?php
require "db.php";
header("Content-type:text/html;charset=utf8");
$username = dl($_POST['username'] ?? '');
$password = dl($_POST['password'] ?? '');
// back-end handling for the login page: input is spliced straight into the query
$dl = "SELECT * FROM xs WHERE username='$username' and password='$password'";
$ck = mysqli_query($db, $dl);
$row = mysqli_fetch_array($ck);
if ($_POST) {
    if ($row) {
        // the first column of the matched row is echoed back (the echo position)
        echo "你的密码" . $row[0];
    } else {
        echo "登录失败";
    }
}
// home-made blacklist: strip a few dangerous keywords from the input
function dl($gl) {
    $gl = str_replace(array("union", "UNION"), "", $gl);
    $gl = str_replace(array("select", "SELECT"), "", $gl);
    $gl = str_replace(array("database", "DATABASE"), "", $gl);
    $gl = str_replace(array("sleep", "SLEEP"), "", $gl);
    $gl = str_replace(array("if", "IF"), "", $gl);
    $gl = str_replace("--", "", $gl);
    $gl = str_replace("order", "", $gl);
    return $gl;
}
</code></pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Walking through the code: it first reads the submitted data, passes it through the dl function and then sends it to the database. The if statements check whether a form was submitted and whether the login succeeded; on success the user's account is echoed back. This is a very simple back-end login. Further down is a custom function dl, which uses str_replace(). str_replace() replaces substrings, and here the common injection keywords union, select, database and if, in both lower and upper case, are replaced with the empty string. It is a simple home-made filter for dangerous characters.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Injecting past the keyword filter</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Try mixed case and doubled keywords. The response echoes a column back, so a UNION injection is possible. The dl function replaces union, select and the other keywords with the empty string, but MySQL keywords are case-insensitive, so mixed case gets past dl's filter: a string such as Select Union DAtabase() executes without problem. Doubling works as well: given a string like seselectlect, dl removes the inner select, and the two halves left on either side join up to form select again, so the filter is bypassed.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Mixed-case bypass payload: -1' unioN Select dataBASE(),2 #</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic2.zhimg.com/80/v2-66685bd3c22399bcfeebbe35d23ed1bd_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Double-write bypass payload: -1' ununionion selecselectt databasdatabasee(),2 #</p>
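<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">As an added example (not code from the original post), the script below reproduces the audited dl() blacklist, checks whether the two payloads quoted above still carry their keywords after filtering, and then shows the fix an auditor would recommend: a prepared statement, so the input is never part of the SQL text. It assumes PDO with the sqlite driver is available; the table and its row are constructed for the demo.</p>

```php
<?php
// Added example, not code from the original post: reproduce the audited dl()
// blacklist to show why it fails, then rewrite the login with a prepared statement.
// Assumes PDO with the sqlite driver is available; the table and row are constructed.

function dl(string $gl): string {   // the post's filter, kept as written
    $gl = str_replace(array("union", "UNION"), "", $gl);
    $gl = str_replace(array("select", "SELECT"), "", $gl);
    $gl = str_replace(array("database", "DATABASE"), "", $gl);
    $gl = str_replace(array("sleep", "SLEEP"), "", $gl);
    $gl = str_replace(array("if", "IF"), "", $gl);
    $gl = str_replace("--", "", $gl);
    $gl = str_replace("order", "", $gl);
    return $gl;
}

// Audit check: after filtering, do the blacklisted keywords still appear?
// Both inputs are the payloads quoted in the post.
$payloads = [
    "-1' unioN Select dataBASE(),2 #",
    "-1' ununionion selecselectt databasdatabasee(),2 #",
];
foreach ($payloads as $p) {
    $out  = dl($p);
    $note = preg_match('/union|select|database/i', $out) ? "keywords survive" : "clean";
    printf("%-52s => %-40s [%s]\n", $p, $out, $note);
}
// Mixed case never matches the lower/upper pairs, and one non-recursive pass
// over "ununionion" removes the inner "union" and leaves "union" behind.

// Fix: never splice user input into the SQL string; bind it as a parameter.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE xs (username TEXT, password TEXT)");
$db->exec("INSERT INTO xs VALUES ('alice', 'secret')");   // constructed sample row
// (password hashing is omitted here; the point is how the query is built)

function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare("SELECT * FROM xs WHERE username = ? AND password = ?");
    $stmt->execute([$username, $password]);   // values are sent separately from the SQL
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

var_dump(login($db, 'alice', 'secret'));                       // genuine credentials
var_dump(login($db, "-1' unioN Select dataBASE(),2 #", 'x'));  // payload is just a literal username here
```

With the prepared statement no blacklist is needed at all: the payload is compared against the username column as an ordinary string and matches no row.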