Basic insert, delete, select and update, combined with LIKE, BETWEEN and similar operators
Assume a database WebApplication with a table User as follows:
| ID | Username | Password    | Access |
|----|----------|-------------|--------|
| 1  | admin    | admin@nimda | true   |
| 2  | Alice    | alice@ecila | false  |
| 3  | Bob      | bob@bob     | false  |
| 4  | Cindy    | cindy@ydnic | false  |
Syntax usage
Select. Scenario: find the usernames and passwords of accounts that are probably administrators and have access enabled (the LIKE wildcard in MySQL is %, so the patterns use %):
select * from User where Access and (Username like "%admin%" or Username like "%sa%" or Username like "%root%");
| ID | Username | Password    | Access |
|----|----------|-------------|--------|
| 1  | admin    | admin@nimda | true   |
Note the difference between the following SQL statements and the one above:
select * from User where Access and Username like "%admin%" or Username like "%sa%" or Username like "%root%";
select * from User where Access and Username like ("%admin%" or "%sa%" or "%root%");
In the first, AND binds more tightly than OR, so Access only guards the "%admin%" test and any user containing "sa" or "root" is returned regardless of Access. In the second, the parenthesised OR of string literals is evaluated as a boolean expression before LIKE sees it: each string converts to 0, so the pattern becomes "0" and the query matches none of the intended usernames.
Now assume the User table in WebApplication holds the following rows:
| ID | Username | Password    | Access |
|----|----------|-------------|--------|
| 1  | admin    | admin@nimda | true   |
| 2  | Alice    | alice@ecila | false  |
| 3  | Bob      | bob@bob     | false  |
| 4  | Cindy    | cindy@ydnic | false  |
| 5  | tt       | 1234        | false  |
| 6  | ss       | 34234       | false  |
| 7  | east     | 43254       | false  |
Delete. Scenario: delete every account whose password is a pure number between 1 and 999999:
delete from User where Password between "1" and "999999";
| ID | Username | Password    | Access |
|----|----------|-------------|--------|
| 1  | admin    | admin@nimda | true   |
| 2  | Alice    | alice@ecila | false  |
| 3  | Bob      | bob@bob     | false  |
| 4  | Cindy    | cindy@ydnic | false  |
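The following is an added example (not code from the original notes) that runs the LIKE and BETWEEN statements above against an in-memory SQLite copy of the User table, with SQLite standing in for MySQL and Access stored as 1/0. It assumes two extra constructed rows that the notes do not contain: "sa_backup" (contains "sa" but has no access), which exposes the AND/OR precedence difference, and "trap" with password "5x", which shows that BETWEEN on a text column compares strings lexicographically, so it is not the same as "is a pure number". The digits-only filter uses SQLite GLOB; in MySQL the equivalent would be REGEXP.

```python
import sqlite3

# Constructed in-memory copy of the notes' User table; rows 8 and 9 are
# constructed for this example only and are not in the original table.
ROWS = [
    (1, "admin", "admin@nimda", 1),
    (2, "Alice", "alice@ecila", 0),
    (3, "Bob", "bob@bob", 0),
    (4, "Cindy", "cindy@ydnic", 0),
    (5, "tt", "1234", 0),
    (6, "ss", "34234", 0),
    (7, "east", "43254", 0),
    (8, "sa_backup", "sa@pass", 0),  # constructed: matches '%sa%' but Access is off
    (9, "trap", "5x", 0),            # constructed: not numeric, yet sorts between '1' and '999999'
]


def fresh_db():
    """Build a new in-memory database holding the table above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (ID INTEGER PRIMARY KEY, Username TEXT, "
                 "Password TEXT, Access INTEGER)")
    conn.executemany("INSERT INTO User VALUES (?, ?, ?, ?)", ROWS)
    return conn


def usernames(conn, sql):
    """Run a SELECT that returns Username as its first column."""
    return [row[0] for row in conn.execute(sql)]


def privileged_admin_like():
    # The notes' query: Access must be on AND the name must look administrative.
    return usernames(fresh_db(), "SELECT Username FROM User WHERE Access AND "
                     "(Username LIKE '%admin%' OR Username LIKE '%sa%' OR Username LIKE '%root%') "
                     "ORDER BY ID")


def without_parentheses():
    # AND binds tighter than OR, so Access only guards the first LIKE;
    # 'sa_backup' is returned although it has no access.
    return usernames(fresh_db(), "SELECT Username FROM User WHERE Access AND "
                     "Username LIKE '%admin%' OR Username LIKE '%sa%' OR Username LIKE '%root%' "
                     "ORDER BY ID")


def or_inside_like():
    # ('%admin%' OR '%sa%' OR '%root%') is evaluated as a boolean first: each
    # string converts to 0, so LIKE ends up comparing against the text '0'.
    return usernames(fresh_db(), "SELECT Username FROM User WHERE "
                     "Username LIKE ('%admin%' OR '%sa%' OR '%root%') ORDER BY ID")


def between_as_strings():
    # Password is TEXT, so BETWEEN is a string comparison: '5x' is included
    # because '5' sorts after '1' and before '9'.
    return usernames(fresh_db(), "SELECT Username FROM User WHERE "
                     "Password BETWEEN '1' AND '999999' ORDER BY ID")


# Stricter condition: one to six ASCII digits and nothing else.
DIGITS_ONLY = ("Password GLOB '[0-9]*' AND Password NOT GLOB '*[^0-9]*' "
               "AND length(Password) <= 6")


def digits_only():
    return usernames(fresh_db(), "SELECT Username FROM User WHERE " + DIGITS_ONLY +
                     " ORDER BY ID")


def delete_numeric_passwords():
    """Delete with the strict condition; return (rows deleted, remaining usernames)."""
    conn = fresh_db()
    cur = conn.execute("DELETE FROM User WHERE " + DIGITS_ONLY)
    return cur.rowcount, usernames(conn, "SELECT Username FROM User ORDER BY ID")


if __name__ == "__main__":
    print("parenthesised:", privileged_admin_like())
    print("no parentheses:", without_parentheses())
    print("OR inside LIKE:", or_inside_like())
    print("BETWEEN on text:", between_as_strings())
    print("digits only:", digits_only())
    print("after delete:", delete_numeric_passwords())
```

On the notes' own seven rows the BETWEEN version and the digits-only version delete the same accounts; the constructed "trap" row is what separates them, which is the check worth making before running a DELETE whose WHERE clause compares text with BETWEEN.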
SQL injection scenario
PHP source code:
<?php
$Username = $_GET['user'];
$Password = $_GET['pwd'];
$conn = mysql_connect('IP', 'sql_user', 'sql_pwd');
if ($conn) {
    echo "It's OK!";
}
mysql_select_db("WebApplication", $conn);
// Deliberately vulnerable: the GET parameters are concatenated straight into the SQL text
$result = mysql_query("SELECT * FROM User where Username='".$Username."' and Password ='".$Password."'");
mysql_close($conn);
?>
Here the query string "SELECT * FROM User where Username='".$Username."' and Password ='".$Password."'" receives the account name and password as GET parameters in the URL. Normally the stored password should be an MD5 hash; to keep the SQL injection test simple, the password is deliberately stored in plaintext.
The injection methods are as follows:
1. Construct a condition that is always true (where true):
SELECT * FROM User where Username='admin' and Password =''or '1'='1'
SELECT * FROM User where Username='admin' -- and Password =''
2. Use a UNION query or stacked queries so that a maliciously constructed SQL statement appended after the original one is also executed;
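As an added example (not code from the notes), the following Python script reproduces the login query from the PHP above against an in-memory SQLite copy of the User table, once with string concatenation as the PHP does it and once with a parameterised query, and feeds both the notes' always-true payload and the comment payload. The table rows are constructed for the example and SQLite stands in for MySQL; the point is the fix, which is the same in PHP (prepared statements via mysqli or PDO).

```python
import sqlite3


def fresh_db():
    """Constructed in-memory copy of the notes' User table (first two rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (ID INTEGER PRIMARY KEY, Username TEXT, "
                 "Password TEXT, Access INTEGER)")
    conn.executemany("INSERT INTO User VALUES (?, ?, ?, ?)", [
        (1, "admin", "admin@nimda", 1),
        (2, "Alice", "alice@ecila", 0),
    ])
    return conn


def rows_to_usernames(cursor):
    return [row[1] for row in sorted(cursor, key=lambda r: r[0])]


def login_concatenated(conn, username, password):
    # Mirrors the PHP: the input becomes part of the SQL text, so quotes and
    # comment markers in the input change the statement's structure.
    sql = ("SELECT * FROM User WHERE Username='" + username +
           "' AND Password='" + password + "'")
    return rows_to_usernames(conn.execute(sql))


def login_parameterised(conn, username, password):
    # Placeholders keep the statement text fixed; the values travel separately
    # and are compared as data, whatever characters they contain.
    sql = "SELECT * FROM User WHERE Username=? AND Password=?"
    return rows_to_usernames(conn.execute(sql, (username, password)))


def demo():
    """Run the same inputs through both versions and collect the matched users."""
    conn = fresh_db()
    always_true = "' or '1'='1"   # the notes' first payload, placed in the password field
    comment_out = "admin' -- "    # the notes' second payload, placed in the username field
    return {
        "concat_correct": login_concatenated(conn, "admin", "admin@nimda"),
        "concat_always_true": login_concatenated(conn, "admin", always_true),
        "concat_comment": login_concatenated(conn, comment_out, "wrong"),
        "param_correct": login_parameterised(conn, "admin", "admin@nimda"),
        "param_always_true": login_parameterised(conn, "admin", always_true),
        "param_comment": login_parameterised(conn, comment_out, "wrong"),
    }


if __name__ == "__main__":
    for name, users in demo().items():
        print(f"{name:20s} -> {users}")
```

With concatenation the always-true payload returns every row and the comment payload returns admin without any password check; the parameterised version returns only the genuine login and nothing for either payload, because the quote and the "--" are looked up as literal characters inside the Password or Username value.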