SQL injection
2015-01-30 19:36:58 / Category: SQL injection
1. Drop table. Guess the table name and drop it; note the SQL statement that follows.
   Select * from A where A.a = 'testdata'; drop table A---';
2. If a field only allows numbers, give it a string or some other kind of value.
3. Use 'OR 1=1' to get all records in a query function.
   Select * from A where A.a = 'testdata' OR '1'='1';
4. In the login function, give the user name field a value like 'username'--', so that "--' and A.password = ''" is commented out.
   Select * from user A where A.username = 'username'--' and A.password = '';
5. In the add-records function, if there are 4 fields in the table, add 5 fields, e.g.
   Normal: Insert into A values('','','','');
   Test data: Insert into A values('','testdata','','','');
6. Input test data inside or outside of this field's data.
7. Add single quotation marks and a semicolon to break off the string splicing; this is similar to point 4.
   Update A set A.a = 'testdata';--'

The yellow part is the test data we input.
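
The test inputs from points 3 and 4, run against a spliced query and a parameterized one, as an added example that is not part of the original post. It assumes SQLite through Python's sqlite3 module; the table contents and the function names login_concat, login_param and run_cases are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the login query in point 4.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (username TEXT, password TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_concat(db, username, password):
    # String splicing: quotes and comment markers in the input become SQL syntax.
    sql = ("SELECT username FROM user WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in db.execute(sql))

def login_param(db, username, password):
    # Placeholders: the driver passes the input as data, never as SQL text.
    sql = "SELECT username FROM user WHERE username = ? AND password = ?"
    return sorted(row[0] for row in db.execute(sql, (username, password)))

def run_cases():
    # Each case maps to (username, password) typed into the login form.
    cases = {
        "valid login": ("alice", "s3cret"),
        "comment, point 4": ("alice'--", ""),
        "OR '1'='1', point 3": ("alice", "x' OR '1'='1"),
    }
    db = make_db()
    return {name: (login_concat(db, u, p), login_param(db, u, p))
            for name, (u, p) in cases.items()}

if __name__ == "__main__":
    for name, (spliced, bound) in run_cases().items():
        print(f"{name:22} spliced={spliced} parameterized={bound}")
```

A test case passes when the application behaves like login_param: the test data matches no account and returns no rows.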