Fuzz script test for characters filtered by a SQL injection blacklist

Get.php

    <!DOCTYPE html>
    <html>
    <head>
        <title>Sql Waf Test</title>
    </head>
    <body>
    <div style="text-align:center;">
    <form method="GET" action="">
        <h1>Insert Data</h1>
        <input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
        <br><br>
        <input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
        <br><br>
        <input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="submit">
    <?php
        // The filter under test: a case-insensitive substring blacklist of SQL keywords
        // and metacharacters. A match rejects the whole request; nothing is stripped.
        $black_list = "/select|sleep|and|or|union|\"|'|--|#|where|from|limit/i";
        $con = mysqli_connect("127.0.0.1:3306", "root", "root");
        // Test-bed setup, re-run on every request; the errors after the first run are ignored.
        mysqli_query($con, "create database test");
        mysqli_select_db($con, "test");
        mysqli_query($con, "create table tb_user
            (
            uid int(11) primary key auto_increment not null,
            username varchar(50) not null,
            password varchar(50) not null,
            UNIQUE(username)
            )");
        if (isset($_GET['submit1'])) {
            $username = $_GET['username'];
            $password = md5($_GET['password']);
            if (preg_match($black_list, $username)) {
                echo "<h2>Illegal Char</h2>";
            } else {
                if (empty($username) || empty($password)) {
                    echo "<h2>Username or Password can not be empty</h2>";
                } else {
                    // Deliberately built by string interpolation: the blacklist is the only defence exercised here.
                    $insert_sql = mysqli_query($con, "insert into tb_user value(0,'$username','$password')");
                    if ($insert_sql) {
                        echo "<h2>Insert Success</h2>";
                    } else {
                        echo "<h2>Insert Fail</h2>";
                    }
                }
            }
        }
    ?>
    </form>
    </div>
    <div style="text-align:center;">
    <form method="GET" action="">
        <br><br><br><br><br><br><br>
        <h1>Query Data</h1>
        <input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
        <br><br>
        <input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="submit">
    <?php
        if (isset($_GET['submit2'])) {
            $query_name = $_GET['query'];
            if (preg_match($black_list, $query_name)) {
                // The fuzz script keys on this exact string.
                die("<h2>Illegal Char</h2>");
            } else {
                if (empty($query_name)) {
                    echo "<h2>Query data can not be empty</h2>";
                } else {
                    // Same deliberate string interpolation as the insert above.
                    $query_data = mysqli_query($con, "select * from tb_user where username='$query_name'");
                    if ($query_data) {
                        $sql_data = mysqli_fetch_assoc($query_data);
                        echo "<br><br><br><br>";
                        var_dump($sql_data);
                    } else {
                        echo "<h2>Query Fail</h2>";
                    }
                }
            }
        }
    ?>
    </form>
    </div>
    </body>
    </html>

sql_waf_test.py

    import requests

    # Tokens to probe: SQL keywords, functions and metacharacters that injection payloads rely on.
    sql_char = [
        'select', 'union', 'and', 'or', 'sleep', 'where', 'from', 'limit',
        'group', 'by', 'like', 'prepare', 'as', 'if', 'char', 'ascii', 'mid',
        'left', 'right', 'substring', 'handler', 'updatexml', 'extractvalue',
        'benchmark', 'insert', 'update', 'all',
        '@', '#', '^', '&', '*', '\'', '"', '~', '`', '(', ')', '--', '=', '/', '\\', ' ',
    ]

    for char in sql_char:
        # Pass the token through params= so requests percent-encodes it. Concatenating it
        # into the URL string instead lets '#' start a URL fragment and '&' start a new
        # parameter, so those tokens never reach the filter and are reported as passing.
        res = requests.get("http://127.0.0.1/get.php",
                           params={"query": char, "submit2": "submit"},
                           timeout=5)
        if 'Illegal Char' in res.text:
            print("Illegal character: {0}".format(char))
        else:
            print("Passed: {0}".format(char))

    PS C:\Users\Administrator\Desktop> python .\sql_waf_test.py
    Illegal character: select
    Illegal character: union
    Illegal character: and
    Illegal character: or
    Illegal character: sleep
    Illegal character: where
    Illegal character: from
    Illegal character: limit
    Passed: group
    Passed: by
    Passed: like
    Passed: prepare
    Passed: as
    Passed: if
    Passed: char
    Passed: ascii
    Passed: mid
    Passed: left
    Passed: right
    Passed: substring
    Illegal character: handler
    Passed: updatexml
    Passed: extractvalue
    Passed: benchmark
    Passed: insert
    Passed: update
    Passed: all
    Passed: @
    Passed: #
    Passed: ^
    Passed: &
    Passed: *
    Illegal character: '
    Illegal character: "
    Passed: ~
    Passed: `
    Passed: (
    Passed: )
    Illegal character: --
    Passed: =
    Passed: /
    Passed: \
    Passed:  

The last line is the space token. Two of these results need care. `#` is in the blacklist yet is reported as passing: when the token is concatenated straight into the URL, `#` starts a URL fragment, the client drops everything after it, and neither `query` nor `submit2` reaches the server, which then renders the page without running the filter at all. `&` is reported as passing for the same reason: it starts a new query parameter, so the server sees an empty `query` and answers "Query data can not be empty" rather than evaluating the token. Sending each token as a URL-encoded parameter (the `params=` argument of `requests.get`) avoids both problems. Note also that `handler` is rejected only because it contains the substring `and`: the blacklist matches anywhere in the input, so legitimate usernames such as "Andrea" or "Victor" are rejected too.

Post.php

    <!DOCTYPE html>
    <html>
    <head>
        <title>Sql Waf Test</title>
    </head>
    <body>
    <div style="text-align:center;">
    <form method="POST" action="">
        <h1>Insert Data</h1>
        <input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
        <br><br>
        <input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
        <br><br>
        <input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="submit">
    <?php
        // A shorter blacklist than Get.php: quotes, comment markers, sleep, where and from are not filtered.
        $black_list = "/select|and|or|union|limit/i";
        $con = mysqli_connect("127.0.0.1:3306", "root", "root");
        // Test-bed setup, re-run on every request; the errors after the first run are ignored.
        mysqli_query($con, "create database test");
        mysqli_select_db($con, "test");
        mysqli_query($con, "create table tb_user
            (
            uid int(11) primary key auto_increment not null,
            username varchar(50) not null,
            password varchar(50) not null,
            UNIQUE(username)
            )");
        if (isset($_POST['submit1'])) {
            $username = $_POST['username'];
            $password = md5($_POST['password']);
            if (preg_match($black_list, $username)) {
                echo "<h2>Illegal Char</h2>";
            } else {
                if (empty($username) || empty($password)) {
                    echo "<h2>Username or Password can not be empty</h2>";
                } else {
                    // Deliberately built by string interpolation: the blacklist is the only defence exercised here.
                    $insert_sql = mysqli_query($con, "insert into tb_user value(0,'$username','$password')");
                    if ($insert_sql) {
                        echo "<h2>Insert Success</h2>";
                    } else {
                        echo "<h2>Insert Fail</h2>";
                    }
                }
            }
        }
    ?>
    </form>
    </div>
    <div style="text-align:center;">
    <form method="POST" action="">
        <br><br><br><br><br><br><br>
        <h1>Query Data</h1>
        <input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
        <br><br>
        <input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="submit">
    <?php
        if (isset($_POST['submit2'])) {
            $query_name = $_POST['query'];
            if (preg_match($black_list, $query_name)) {
                // A fuzz script keys on this exact string.
                die("<h2>Illegal Char</h2>");
            } else {
                if (empty($query_name)) {
                    echo "<h2>Query data can not be empty</h2>";
                } else {
                    // Same deliberate string interpolation as the insert above.
                    $query_data = mysqli_query($con, "select * from tb_user where username='$query_name'");
                    if ($query_data) {
                        $sql_data = mysqli_fetch_assoc($query_data);
                        echo "<br><br><br><br>";
                        var_dump($sql_data);
                    } else {
                        echo "<h2>Query Fail</h2>";
                    }
                }
            }
        }
    ?>
    </form>
    </div>
    </body>
    </html>
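Post.php is given without a fuzz script of its own, and the GET script checks one endpoint with one request shape. What follows is an added example, not code from the original post: it fuzzes both pages, sends every token as a URL-encoded GET parameter or POST form field, checks each live verdict against an offline oracle that mirrors the two blacklists above, and includes a simulation of the original URL-concatenation bug that shows which tokens never reached the filter. The URLs http://127.0.0.1/get.php and http://127.0.0.1/post.php, the use of the standard library urllib instead of requests, and the extra tokens `||` and `&&` (MySQL's spellings of OR and AND, which neither blacklist lists) are assumptions and additions of this example.

```python
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# Blacklists copied from Get.php and Post.php; PCRE and Python's re agree on this syntax.
GET_BLACKLIST = r"select|sleep|and|or|union|\"|'|--|#|where|from|limit"
POST_BLACKLIST = r"select|and|or|union|limit"

# The original token list plus "||" and "&&" (added here): MySQL reads them as OR and AND
# (unless PIPES_AS_CONCAT is set), so a keyword blacklist alone does not cover them.
TOKENS = [
    "select", "union", "and", "or", "sleep", "where", "from", "limit", "group", "by",
    "like", "prepare", "as", "if", "char", "ascii", "mid", "left", "right", "substring",
    "handler", "updatexml", "extractvalue", "benchmark", "insert", "update", "all",
    "@", "#", "^", "&", "*", "'", '"', "~", "`", "(", ")", "--", "=", "/", "\\", " ",
    "||", "&&",
]

Sender = Callable[[Dict[str, str]], str]   # form fields -> response body


def is_blocked(blacklist: str, value: str) -> bool:
    """Offline oracle: what preg_match($black_list, $value) returns for this value."""
    return re.search(blacklist, value, re.IGNORECASE) is not None


def classify(body: str) -> str:
    """Verdict from the page's response. 'not delivered' means PHP saw an empty value,
    i.e. the token was consumed by URL syntax before it reached the filter."""
    if "Illegal Char" in body:
        return "blocked"
    if "can not be empty" in body:
        return "not delivered"
    return "passed"


def fuzz(send: Sender, blacklist: str, tokens: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Send every token; a verdict that disagrees with the oracle points at the request,
    not the filter. Returns (token, verdict, agrees_with_oracle) triples."""
    results = []
    for tok in tokens:
        verdict = classify(send({"query": tok, "submit2": "submit"}))
        expected = "blocked" if is_blocked(blacklist, tok) else "passed"
        results.append((tok, verdict, verdict == expected))
    return results


def http_get(url: str, fields: Dict[str, str]) -> str:
    """GET with urlencode(), so '#', '&', '+' and spaces arrive as data, not URL syntax."""
    with urllib.request.urlopen(url + "?" + urllib.parse.urlencode(fields), timeout=5) as r:
        return r.read().decode("utf-8", "replace")


def http_post(url: str, fields: Dict[str, str]) -> str:
    """POST as application/x-www-form-urlencoded (urlopen's default when data is given)."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as r:
        return r.read().decode("utf-8", "replace")


def simulated_page(blacklist: str) -> Sender:
    """Offline stand-in with the control flow of the Query form in Get.php/Post.php (no database)."""
    def send(fields: Dict[str, str]) -> str:
        if "submit2" not in fields:
            return ""                      # isset($_GET['submit2']) is false: nothing is echoed
        q = fields.get("query", "")
        if is_blocked(blacklist, q):
            return "<h2>Illegal Char</h2>"
        if q in ("", "0"):                 # PHP's empty() is also true for the string "0"
            return "<h2>Query data can not be empty</h2>"
        return "NULL"                      # var_dump() of a row that does not exist
    return send


def concatenated_url_send(blacklist: str) -> Sender:
    """Reproduces the original script's mistake: the token is glued into the URL string.
    Parsing that URL the way a client and PHP do shows which tokens never reach the filter."""
    page = simulated_page(blacklist)
    def send(fields: Dict[str, str]) -> str:
        url = "http://127.0.0.1/get.php?query=" + fields["query"] + "&submit2=" + fields["submit2"]
        query = urllib.parse.urlsplit(url).query            # everything after '#' is the fragment and is dropped
        return page(dict(urllib.parse.parse_qsl(query, keep_blank_values=True)))
    return send


if __name__ == "__main__":
    # Assumed deployment of the two pages from the post (hypothetical URLs).
    targets = (
        ("get.php", lambda f: http_get("http://127.0.0.1/get.php", f), GET_BLACKLIST),
        ("post.php", lambda f: http_post("http://127.0.0.1/post.php", f), POST_BLACKLIST),
    )
    for name, send, blacklist in targets:
        print("==", name)
        for tok, verdict, agrees in fuzz(send, blacklist, TOKENS):
            print(f"{verdict:14} {tok!r}" + ("" if agrees else "   <-- does not match the blacklist; check delivery"))
```

Run it against the simulated pages first (`fuzz(simulated_page(GET_BLACKLIST), GET_BLACKLIST, TOKENS)`) to confirm the token list and oracle agree, then against the live endpoints. With `concatenated_url_send` the disagreements are exactly `#`, `&` and `&&`, which is the explanation for `#` appearing as "passed" in the recorded run even though Get.php blacklists it.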
