  • Possible injection points in MySQL.

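      A summary of the places where injection may occur in MySQL; it also applies to MSSQL and Oracle. The statements come first; the scenarios in which they tend to appear will be written up later. In each statement, the `*` in a value or clause position marks where user input lands: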

      For queries (SELECT):

        

    select * from x where id=* 
    select * from x where id='*'

     For deletes (DELETE):

      

    delete from x where id=*
    delete from x where id='*'

     For updates (UPDATE):

      

    update x set name='*'
    update x set name='x',x='*' where id=x

    For inserts (INSERT):

      

    insert into x values(1,'*')
    insert into x(id,name) values(1,'*')

    For search queries (LIKE):

    select * from x  where name like '*%' 
    select * from x  where name like '%*%' 
    select * from x  where name like '%*' 

    For sorting (ORDER BY):

    select * from x order by *

    For aggregation (GROUP BY):

    select * from x group by *

    For IN:

     

    select * from user1 where id in (1,*)
    select * from user1 where id in ('1','*')

    For LIMIT:

    select * from x limit *
    select * from x limit 0,*
    select * from x order by id limit *
    select * from x order by id limit 0,*

     For array keys:

      

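    <?php
    // Recursively applies addslashes() to every value; array keys are left untouched.
    function addslashes_array($value)
    {
        return is_array($value) ? array_map('addslashes_array', $value) : addslashes($value);
    }

    print_r($_GET);
    foreach ($_GET as $key => $value) {
        print $key; // the key is used as-is, without any filtering
    }
    ?> ....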

    Suppose the URL is http://*.com/test=123 and the code filters the value but not the key; in white-box review or fuzzing, injection is then possible via http://*.com/test'=123.

    That is the summary for now: some of the points you may run into when testing for injection.
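The defensive counterpart to the list above, as an added example that is not part of the original post: values in LIKE and IN are bound as parameters, while the positions that cannot take a placeholder (ORDER BY, LIMIT) and the request keys are constrained by allowlist or integer cast. The table `x` and its columns are the post's placeholders; `build_search()`, `SORTABLE` and `ALLOWED_KEYS` are hypothetical names.

```php
<?php
// Added example, not from the original post. build_search() is a hypothetical helper.
const SORTABLE = ['id', 'name'];                      // columns allowed in ORDER BY
const ALLOWED_KEYS = ['name', 'ids', 'sort', 'dir', 'limit'];

function build_search(array $input): array
{
    // Array keys: refuse any parameter name that is not expected, so a key
    // such as "test'" never reaches SQL or the response.
    foreach (array_keys($input) as $key) {
        if (!in_array($key, ALLOWED_KEYS, true)) {
            throw new InvalidArgumentException('unexpected parameter');
        }
    }
    $where = [];
    $params = [];
    // LIKE: bind the value and escape the wildcards % and _ (escape char "!").
    if (isset($input['name']) && is_string($input['name'])) {
        $where[] = "name LIKE ? ESCAPE '!'";
        $params[] = '%' . strtr($input['name'], ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    }
    // IN: one placeholder per element, each element cast to int.
    if (isset($input['ids']) && is_array($input['ids']) && $input['ids'] !== []) {
        $ids = array_map('intval', array_values($input['ids']));
        $where[] = 'id IN (' . implode(',', array_fill(0, count($ids), '?')) . ')';
        array_push($params, ...$ids);
    }
    // ORDER BY: identifiers cannot be bound, so pick from an allowlist.
    $sort = $input['sort'] ?? 'id';
    if (!in_array($sort, SORTABLE, true)) {
        $sort = 'id';
    }
    $dir = (($input['dir'] ?? '') === 'desc') ? 'DESC' : 'ASC';
    // LIMIT: interpolated only after an integer cast and a range clamp.
    $limit = max(1, min(100, (int) ($input['limit'] ?? 20)));

    $sql = 'SELECT id, name FROM x'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
         . " ORDER BY $sort $dir LIMIT $limit";
    return [$sql, $params];
}

// Constructed sample input, shaped as PHP would parse it from a query string.
[$sql, $params] = build_search([
    'name' => "50%_off'", 'ids' => ['1', "2'"], 'sort' => "name'", 'limit' => "5'",
]);
echo $sql, "\n", json_encode($params), "\n";
```

The returned pair is meant for a prepared statement, for example `$stmt = $pdo->prepare($sql); $stmt->execute($params);` with an existing PDO connection.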

      

  • Original article: https://www.cnblogs.com/piaomiaohongchen/p/10878368.html