基于Http Header的SQL注入的方法详解

é常HTTPæ¶æ¯åæ¬å®¢æ·æºåæå¡å¨ç请æ±æ¶æ¯åæå¡å¨å客æ·æºçååºæ¶æ¯ãè¿ä¸¤ç§ç±»åçæ¶æ¯ç±ä¸ä¸ªèµ·å§è¡ï¼ä¸ä¸ªæèå¤ä¸ªå¤´åï¼ä¸ä¸ªåªæ¯å¤´åç»æç空è¡åå¯éçæ¶æ¯ä½ç»æãHTTPç头ååæ¬éç¨å¤´ï¼è¯·æ±å¤´ï¼ååºå¤´åå®ä½å¤´å个é¨åãæ¯ä¸ªå¤´åç±ä¸ä¸ªååï¼åå·ï¼:ï¼ååå¼ä¸é¨åç»æãååæ¯å¤§å°åæ å³çï¼åå¼åå¯ä»¥æ·»å ä»»ä½æ°éç空格符ï¼å¤´åå¯ä»¥è¢«æ©å±ä¸ºå¤è¡ï¼å¨æ¯è¡å¼å§å¤ï¼ä½¿ç¨è³å°ä¸ä¸ªç©ºæ ¼æå¶è¡¨ç¬¦ã
å¦ä¸å¾ï¼
GET / HTTP/1.1
Connection: Keep-Alive
Keep-Alive: 300
Accept:*/*
Host: host
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16 ( .NET CLR 3.5.30729; .NET4.0E)
Cookie: guest_id=v1%3A1328019064; pid=v1%3A1328839311134
å¦ä½æ§è¡ä¸ä¸ªHTTP头çSQL注å¥ï¼
ä¸è½½æ件cookie管çæ件
æå¼cookie管çå¨ï¼ç¶ååå»ç®æ ç½ç« 

ç¼è¾ç®æ ç½ç«çcookieï¼æ¥éªè¯ç®æ ç½ç«æ¯å¦å­å¨http头çSQL注å¥ï¼æ们ç¼è¾åélanguage_idçå­æ®µå容ï¼æ·»å åå¼å·’å·æ°é¡µé¢æ¥å¤æ­ã
 
å·æ°é¡µé¢ï¼å¤æ­æ¯å¦å­å¨SQL注å¥æ¼æ´
 
okï¼ä¸è½½æ件tamper-dataæ¥ä¿®æ¹è¯·æ±çæ°æ®å容ã
 
è¾å¥ä¸ä¸ªSQL注å¥è¯­å¥
 
å¦ææ们è¾å¥order by 5– ï¼ä¼æ¥ä»¥ä¸é误ã
 
æ以å¯ä»¥å¤æ­å¾åºç¨æ·è¡¨å为4ï¼å使ç¨cookie管çå¨ï¼æ·»å ä»¥ä¸ä»£ç å¨language_idå­æ®µéé¢ï¼
-1+UNION+ALL+SELECT+1,2,3,4
æèè¾å¥ä¸é¢ç语å¥å¾å°æ°æ®åºç¨æ·æçæ¬ä¿¡æ¯ç­ã
version()
user()
concat(database())
group_concat
ç¨SqlMap注å¥èµ·æ¥ä¼æ´ç®åï¼åç»­ä¼å¸¦æ¥SqlMapçç¸å³æç«  ï¼ï¼
 
ç¸å³é读ï¼
HTTPï¼HyperTextTransferProtocolï¼æ¯è¶ææ¬ä¼ è¾åè®®ç缩åï¼å®ç¨äºä¼ éWWWæ¹å¼çæ°æ®ï¼å³äºHTTPåè®®ç详ç»å容请åèRFC2616ãHTTPåè®®éç¨äºè¯·æ±/ååºæ¨¡åã客æ·ç«¯åæå¡å¨åéä¸ä¸ªè¯·æ±ï¼è¯·æ±å¤´åå«è¯·æ±çæ¹æ³ãURIãåè®®çæ¬ã以ååå«è¯·æ±ä¿®é¥°ç¬¦ã客æ·ä¿¡æ¯åå容ç类似äºMIMEçæ¶æ¯ç»æãæå¡å¨ä»¥ä¸ä¸ªç¶æè¡ä½ä¸ºååºï¼ç¸åºçå容åæ¬æ¶æ¯åè®®ççæ¬ï¼æåæèé误ç¼ç å ä¸åå«æå¡å¨ä¿¡æ¯ãå®ä½åä¿¡æ¯ä»¥åå¯è½çå®ä½å容ã