SQL injection principle: the web application performs no validity check on user input, so the parameters passed from the front end to the back end are attacker-controlled and are carried into a database query; the attacker can therefore construct different SQL statements and perform arbitrary operations on the database.
Two necessary conditions: 1. the parameter is user-controllable
2. the parameter is carried into a database query
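The two conditions in working code, as an added example that is not part of the original note: a lookup built by string concatenation beside a parameterized one. The `users` table and its rows are constructed here, and SQLite stands in for MySQL so the block runs offline; the placeholder syntax differs (`?` here, `%s` in the common MySQL drivers) but the behaviour shown is the same.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database standing in for the MySQL back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Both conditions hold: `name` is user-controlled and is spliced into the SQL text,
    so a quote inside the value closes the literal and the rest is parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Condition two no longer holds: the value is bound as data and never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' or 1=1 --"  # the note's tautology test, supplied as a parameter value
    print(lookup_concatenated(db, "bob"))   # [(2, 'bob')]
    print(lookup_concatenated(db, probe))   # all three rows: the literal was closed early
    print(lookup_parameterized(db, probe))  # []: no user is literally named "x' or 1=1 --"
```

The parameterized form is the fix for every variant listed later in the note (union, boolean, time-based, stacked, second-order): once the value is bound instead of concatenated, its contents cannot change the shape of the statement.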
MySQL knowledge points related to SQL injection vulnerabilities:
Since MySQL 5.0, MySQL ships with an information_schema database by default; three of its tables need to be remembered:
1. schemata   stores the names of all databases: schema_name
2. tables   stores the names of all databases and their corresponding table names: table_schema, table_name
3. columns   stores the names of all databases with their corresponding table names and column names: table_schema, table_name, column_name
MySQL query statements
select <columns to query> from <database>.<table>    (when no condition is known)
select <columns to query> from <database>.<table> where <column of the known condition>='<value of the known condition>'    (one known condition)
select <columns to query> from <database>.<table> where <column of condition 1>='<value of condition 1>' and <column of condition 2>='<value of condition 2>'
The usage format of limit is limit m,n
m is the starting position and n is the number of records to take; for example limit 0,1 starts at the first record and takes one record.
Three important functions: database(), version(), user()
Comment symbols: #    -- (followed by a space)    /**/
Inline comment: /*!code*/
Attack methods:
1. Append a single quote to the controllable parameter, then and 1=1 and and 1=2. Once these have been tried, SQL injection is basically confirmed; after that, order by 1-99 statements can be used to find the number of columns in the data table.
For example, if the table has 3 columns, id=1 order by 3 returns the same result as id=1, while id=1 order by 4 returns a different result, so the column count is 3.
2. Union injection attack: after step 1, union select 1,2,3 shows which of the positions 1,2,3 can carry a SQL statement; a SQL statement can then be inserted at that position to run the query.
3. Boolean injection attack: aimed at pages that only feed back a yes or no result, that is, the response contains no data from the database, only a specific true or false.
In that case one can try to determine the length of the database name:
' and length(database())>=1 --+
By analogy, the true/false feedback of the page tells whether the guessed length of the database name is correct.
Once the length is known, one can try to guess the database name itself,
for example with
' and substr(database(),1,1)='t' --+   which takes a substring of the value of database(), starting at the first character and returning one character at a time. Unlike limit, the index here starts at 1.
Burp brute forcing can be used,
or the character can be queried by its ASCII value instead: if the first character of database() is s, whose ASCII code is 115, then
' and ord(substr(database(),1,1))=115 --+ tells whether the guess is correct; ord converts a character to its ASCII code value.
4. Error-based injection attack: didn't understand it, skipping for now; I could not make sense of the query statement used after the page reports an error.
5. Time-based injection attack: functions such as sleep() or benchmark() are used to make MySQL's execution time longer, so that whether injection exists can be judged from the response time.
It is usually combined with an if statement: IF(expr1,expr2,expr3) means that if expr1 is true, expr2 is returned; otherwise expr3 is returned.
For example, the statement for testing the length of the database name is:
if (length(database())>1,sleep(5),1)   meaning that if the database name is longer than 1 character, the MySQL query sleeps for 5 seconds; otherwise it returns 1.
6. Stacked query injection attack: multiple statements separated by semicolons, for example
';select if(substr(user(),1,1)='r',sleep(3),1)%23
7. Second-order injection attack: two different pages combined. A user such as test' is registered through the registration page and stored in the database; although the value was escaped at that point, when it is later read back through the page that takes the id parameter, the user test' read from the database is carried into a SQL query, and the extra single quote causes an error.
8. Wide-byte injection attack: when 1' is passed in, the single quote is escaped by the escape character (backslash), so normally there is no SQL injection vulnerability; there is one exception: when the database encoding is GBK, wide-byte injection can be used,
that is, %df combined with the backslash's encoding %5c forms one traditional Chinese character (连). The single quote then escapes successfully and a database error is reported.
After that the injection can be confirmed further with
1%df' and 1=1%23
1%df' and 1=2%23
then order by is used to find the number of columns in the table, combined with union injection.
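Why the backslash added by escaping disappears under GBK, and what a charset-aware pipeline does differently, as an added example that is not part of the original note. `naive_escape` is a hypothetical byte-level escaper standing in for any escaping routine that does not know the connection charset; `charset_aware_escape` is the contrasting approach; the inputs are constructed.

```python
from typing import Optional

QUOTE, DQUOTE, BACKSLASH = 0x27, 0x22, 0x5C


def naive_escape(raw: bytes) -> bytes:
    """Hypothetical byte-level escaper: prefixes ' " \\ with a backslash without
    knowing which charset the bytes are in (the weakness wide-byte injection relies on)."""
    out = bytearray()
    for b in raw:
        if b in (QUOTE, DQUOTE, BACKSLASH):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def quote_still_escaped(raw: bytes, charset: str) -> bool:
    """Escape at byte level, then decode the way a server using `charset` would,
    and report whether every single quote is still preceded by a backslash."""
    text = naive_escape(raw).decode(charset, errors="replace")
    return all(i > 0 and text[i - 1] == "\\" for i, ch in enumerate(text) if ch == "'")


def charset_aware_escape(raw: bytes, charset: str) -> Optional[str]:
    """Decode strictly first, then escape at text level. A lone lead byte such as 0xDF
    followed by a quote is not valid GBK, so the input is rejected (None) instead of
    the lead byte being fused with the backslash that escaping would insert."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    return text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


if __name__ == "__main__":
    plain = b"1'"      # constructed: an ordinary quote test
    wide = b"1\xdf'"   # constructed: the note's %df' probe as raw request bytes
    print(quote_still_escaped(plain, "gbk"))    # True
    print(quote_still_escaped(wide, "utf-8"))   # True: 0xDF is just an invalid byte here
    print(quote_still_escaped(wide, "gbk"))     # False: DF 5C was decoded as one character
    print(len(b"\xdf\x5c".decode("gbk")))       # 1
    print(charset_aware_escape(wide, "gbk"))    # None: rejected before escaping
    print(charset_aware_escape(plain, "gbk"))   # 1\'
```

The practical mitigations follow from the second function: use parameterized queries, or make sure the escaper is told the connection charset (in PHP, calling mysqli_set_charset before mysqli_real_escape_string) so that escaping and decoding agree on where each character starts.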
9. Cookie injection attack: modify the parameters in the cookie and attempt the attack
10. Base64 injection attack: base64-encode the payload to try to bypass the WAF
11. XFF injection attack: after capturing the request with Burp, the HTTP request headers contain a header parameter X-Forwarded-For, XFF for short, which represents the client's real IP address; the attack is carried out by modifying its value,
for example setting it to 127.0.0.1' and 1=1#
SQL injection bypass techniques
1. Case-variation bypass
2. Double-writing bypass
3. Encoding bypass, e.g. base64 or full URL encoding (different from ordinary URL encoding), encoded twice
4. Inline-comment bypass:
e.g. id=1 /*!and*/ 1=1
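A small log-scanning detector for the probes listed under "Attack methods" and the evasions listed under "SQL injection bypass techniques", as an added example that is not part of the original note. It normalizes each query-string value before matching: URL-decoding twice (double encoding), lowercasing (case variation) and unwrapping MySQL /*!...*/ versioned comments so that /*!and*/ reads as and (inline-comment bypass). The log lines are constructed in Apache combined-log style with invented hosts and paths, and the signature table is a starting point rather than a complete ruleset; double-writing defeats filters that strip keywords, which this detector deliberately does not do.

```python
import re
from urllib.parse import unquote_plus

# Signature table (constructed here): regex over the normalized value, and a label.
SIGNATURES = [
    (r"\bunion\b.*\bselect\b", "union-based"),
    (r"\border\s+by\s+\d+", "column-count probe"),
    (r"\b(?:and|or)\s+\d+\s*=\s*\d+", "boolean tautology"),
    (r"\b(?:sleep|benchmark)\s*\(", "time-based"),
    (r"\b(?:substr|substring|mid|ord|ascii|length)\s*\(", "blind extraction function"),
    (r";\s*(?:select|insert|update|delete)\b", "stacked query"),
]

# Constructed sample log lines (Apache combined-log style); hosts and paths are invented.
LOG_LINES = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /item.php?id=1%20order%20by%204 HTTP/1.1" 500 87',
    '10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /item.php?id=-1%20UnIoN%20SeLeCt%201,2,3 HTTP/1.1" 200 530',
    '10.0.0.5 - - [10/Oct/2023:13:55:49 +0000] "GET /item.php?id=1%2520/*!and*/%25201=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:53 +0000] "GET /item.php?id=1\'%20and%20if(length(database())>1,sleep(5),1)--+ HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /item.php?id=1\';select%20if(substr(user(),1,1)=\'r\',sleep(3),1)%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:56:07 +0000] "GET /item.php?id=1%df\'%20and%201=1%23 HTTP/1.1" 500 87',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def normalize(value: str) -> str:
    """Undo the evasions from the bypass list: decode twice (double URL encoding),
    lowercase (case variation), unwrap /*!...*/ versioned comments (MySQL executes
    their contents), drop ordinary comments, collapse whitespace."""
    s = value
    for _ in range(2):
        s = unquote_plus(s)
    s = s.lower()
    s = re.sub(r"/\*!\s*\d*\s*(.*?)\*/", r" \1 ", s)
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s).strip()


def classify(raw_value: str) -> list:
    """Labels of every signature that matches the normalized value."""
    norm = normalize(raw_value)
    labels = [label for pattern, label in SIGNATURES if re.search(pattern, norm)]
    # The wide-byte probe is only visible before decoding: %df directly followed by a quote.
    if re.search(r"%df(?:%27|')", raw_value, re.IGNORECASE):
        labels.append("wide-byte probe")
    return labels


def scan_log_line(line: str) -> list:
    """Return (parameter, label) pairs for every suspicious query-string value in one line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        hits.extend((name, label) for label in classify(raw))
    return hits


if __name__ == "__main__":
    for line in LOG_LINES:
        print(scan_log_line(line))
```

Normalizing before matching is what makes the signatures hold up against the bypass list: the versioned-comment unwrap is the only step specific to MySQL, and the double decode is cheap insurance against the twice-encoded payloads mentioned in item 3.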