Mysql下可能存在注入的点。

  总结下mysql下可能存在注入的点,适用于mssql和oracle,先写语句,以后再写语句可能出现在哪些场景下:

  针对查询:

    

select * from x where id=* 
select * from x where id='*'

 针对删除:

  

delete from x where id=*
delete from x where id='*'

 针对修改:

  

update x set name='*'
update x set name='x',x='*' where id=x

 

针对插入:

  

insert into x values(1,'*')
insert into x(id,name) values(1,'*')

 

针对搜索查询(like):

select * from x  where name like '*%' 
select * from x  where name like '%*%' 
select * from x  where name like '%*' 

 

针对排序(order by):

select * from x order by *

 

针对统计(group by):

select from x group by *

 

针对in:

 

select * from user1 where id in (1,*)
select * from user1 where id in ('1','*')

 

针对limit:

select * from x limit *
select * from x limit 0,*
select * from x order by id limit *
select * from x order by id limit 0,*

 

 针对数组key:

  

function addslashes_array($value) { return is_array($value) ? array_map('addslashes_array', $value) : addslashes($value); } print_R($_GET); foreach ($_GET AS $key => $value) { print $key; } ?> ....

 

假设http://*.com/test=123,代码中过滤了value没有过滤key,白盒/fuzz中可以通过http://*.com/test'=123注入

 

暂时先总结这么多。注入的时候可能遇到的一些。

 

 

  

posted @ 2019-05-16 22:04  飘渺__红尘  阅读(...)  评论(... 编辑 收藏