zoukankan      html  css  js  c++  java

  • [sql 注入] 注入类型

    基于整型的注入:

    url:http://localhost/?id=12
拼接sql:$sql = "select * from user where id = {$_GET['id']}";
sql执行语句:select * from user where id = 12
基于整型的sql注入即存在sql注入漏洞的url参数为整数类型,sql语句中参数值两边没有引号。


    基于字符型的注入:

    url:http://localhost/?name=jackWan
拼接sql:$sql = "select * from user where name = '{$_GET['name']}'";
sql执行语句:select * from user where name = 'jackWan'
sql语句中参数值两边带有引号,攻击向量就要闭合该引号(?name=' or 1=1)。

    布尔型注入:

    length()返回字符串的存储长度
char_length()返回字符串的字符个数
left(str, len), right(str, len) 返回最左(右)边的len长度的子串
database() 返回当前数据库名
判断当前数据库名的前两个字符是否比'na'大(比较ascii码):
select * from user where id = 1 and left(database(),2) > 'na';

    时间延迟注入:

    if(condition,A,B)若condition为真时返回A,否则返回B
当前数据库名的长度若为4则休眠10秒:
select * from user where id = 1 and if(char_length(database())=4,sleep(10),1)

    报错型注入:

    http://www.cnblogs.com/natian-ws/p/7204806.html

    联合查询注入:

    select * from user where id = 1 union select * from user_info

    多语句查询注入:

    select * from user where id = 1; update user set password = '123456' where id = 1
  • 相关阅读:
    1026 Table Tennis (30)
    1029 Median
    1025 PAT Ranking (25)
    1017 Queueing at Bank (25)
    1014 Waiting in Line (30)
    1057 Stack (30)
    1010 Radix (25)
    1008 Elevator (20)
    字母大小写转换
    Nmap的基础知识
  • 原文地址:https://www.cnblogs.com/natian-ws/p/7766768.html
Copyright © 2011-2022 走看看