Get.php
<!DOCTYPE html>
<html>
<head>
<title>Sql Waf Test</title>
</head>
<body>
<div style="text-align:center;">
<form method="GET" action="">
<h1>Insert Data</h1>
<input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
<br><br>
<input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
<br><br>
<input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php
$black_list="/select|sleep|and|or|union|\"|'|--|#|where|from|limit/i";
$con = mysqli_connect("127.0.0.1:3306","root","root");
mysqli_query($con,"create database test");
mysqli_select_db($con,"test");
mysqli_query($con,"create table tb_user
(
uid int(11) primary key auto_increment not null,
username varchar(50) not null,
password varchar(50) not null,
UNIQUE(username)
)");
if(isset($_GET['submit1'])){
$username = $_GET['username'];
$password = md5($_GET['password']);
if(preg_match($black_list,$username)){
echo "<h2>Illegal Char<h2>";
}else{
if(empty($username) || empty($password)){
echo "<h2>Username or Password can not be empty</h2>";
}else{
$insert_sql = mysqli_query($con,"insert into tb_user value(0,'$username','$password')");
if($insert_sql){
echo "<h2>Insert Success</h2>";
}else{
echo "<h2>Insert Fail</h2>";
}
}
}
}
?>
</form>
</div>
<div style="text-align:center;">
<form method="GET" action="">
<br><br><br><br><br><br><br>
<h1>Query Data</h1>
<input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
<br><br>
<input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php
if(isset($_GET['submit2'])){
$query_name = $_GET['query'];
if(preg_match($black_list,$query_name)){
die("<h2>Illegal Char</h2>");
}else{
if(empty($query_name)){
echo "<h2>Query data can not be empty</h2>";
}else{
$query_data = mysqli_query($con,"select * from tb_user where username='$query_name'");
if($query_data){
$sql_data = mysqli_fetch_assoc($query_data);
echo "<br><br><br><br>";
var_dump($sql_data);
}else{
echo "<h2>Query Fail</h2>";
}
}
}
}
?>
</form>
</div>
</body>
</html>sql_waf_test.py
import requests
sql_char = ['select',
'union',
'and',
'or',
'sleep',
'where',
'from',
'limit',
'group',
'by',
'like',
'prepare',
'as',
'if',
'char',
'ascii',
'mid',
'left',
'right',
'substring',
'handler',
'updatexml',
'extractvalue',
'benchmark',
'insert',
'update',
'all',
'@',
'#',
'^',
'&',
'*',
'\'',
'"',
'~',
'`',
'(',
')',
'--',
'=',
'/',
'\\',
' ']
for char in sql_char:
res = requests.get("http://127.0.0.1/get.php?query="+char+"&submit2=sbumit")
if 'Illegal Char' in res.text:
print("该字符是非法字符: {0}".format(char))
else:
print("通过: {0}".format(char))PS C:\Users\Administrator\Desktop> python .\sql_waf_test.py
该字符是非法字符: select
该字符是非法字符: union
该字符是非法字符: and
该字符是非法字符: or
该字符是非法字符: sleep
该字符是非法字符: where
该字符是非法字符: from
该字符是非法字符: limit
通过: group
通过: by
通过: like
通过: prepare
通过: as
通过: if
通过: char
通过: ascii
通过: mid
通过: left
通过: right
通过: substring
该字符是非法字符: handler
通过: updatexml
通过: extractvalue
通过: benchmark
通过: insert
通过: update
通过: all
通过: @
通过: #
通过: ^
通过: &
通过: *
该字符是非法字符: '
该字符是非法字符: "
通过: ~
通过: `
通过: (
通过: )
该字符是非法字符: --
通过: =
通过: /
通过: \
通过:
Post.php
<!DOCTYPE html>
<html>
<head>
<title>Sql Waf Test</title>
</head>
<body>
<div style="text-align:center;">
<form method="POST" action="">
<h1>Insert Data</h1>
<input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
<br><br>
<input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
<br><br>
<input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php
$black_list="/select|and|or|union|limit/i";
$con = mysqli_connect("127.0.0.1:3306","root","root");
mysqli_query($con,"create database test");
mysqli_select_db($con,"test");
mysqli_query($con,"create table tb_user
(
uid int(11) primary key auto_increment not null,
username varchar(50) not null,
password varchar(50) not null,
UNIQUE(username)
)");
if(isset($_POST['submit1'])){
$username = $_POST['username'];
$password = md5($_POST['password']);
if(preg_match($black_list,$username)){
echo "<h2>Illegal Char<h2>";
}else{
if(empty($username) || empty($password)){
echo "<h2>Username or Password can not be empty</h2>";
}else{
$insert_sql = mysqli_query($con,"insert into tb_user value(0,'$username','$password')");
if($insert_sql){
echo "<h2>Insert Success</h2>";
}else{
echo "<h2>Insert Fail</h2>";
}
}
}
}
?>
</form>
</div>
<div style="text-align:center;">
<form method="POST" action="">
<br><br><br><br><br><br><br>
<h1>Query Data</h1>
<input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
<br><br>
<input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php
if(isset($_POST['submit2'])){
$query_name = $_POST['query'];
if(preg_match($black_list,$query_name)){
die("<h2>Illegal Char</h2>");
}else{
if(empty($query_name)){
echo "<h2>Query data can not be empty</h2>";
}else{
$query_data = mysqli_query($con,"select * from tb_user where username='$query_name'");
if($query_data){
$sql_data = mysqli_fetch_assoc($query_data);
echo "<br><br><br><br>";
var_dump($sql_data);
}else{
echo "<h2>Query Fail</h2>";
}
}
}
}
?>
</form>
</div>
</body>
</html>
531
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
