SQL\u6ce8\u5165<\/h2>\n1. \u4ec0\u4e48\u662fSQL\u6ce8\u5165<\/h3>\n
SQL\u6ce8\u5165\u662f\u4e00\u79cd\u4ee3\u7801\u6ce8\u5165\u653b\u51fb,\u653b\u51fb\u8005\u901a\u8fc7\u5728\u8f93\u5165\u6846\u3001URL\u53c2\u6570\u7b49\u4f4d\u7f6e\u63d2\u5165\u6076\u610fSQL\u4ee3\u7801,\u6b3a\u9a97\u6570\u636e\u5e93\u6267\u884c\u975e\u6388\u6743\u64cd\u4f5c(\u5982\u67e5\u8be2\u3001\u4fee\u6539\u3001\u5220\u9664\u6570\u636e\u751a\u81f3\u83b7\u53d6\u670d\u52a1\u5668\u6743\u9650)\u3002<\/p>\n
\u6ce8\u5165\u4ea7\u751f\u7684\u539f\u56e0\u662f\u540e\u53f0\u670d\u52a1\u5668\u5728\u63a5\u6536\u76f8\u5173\u53c2\u6570\u65f6\u672a\u505a\u597d\u8fc7\u6ee4\u76f4\u63a5\u5e26\u5165\u5230\u6570\u636e\u5e93\u4e2d\u67e5\u8be2,\u5bfc\u81f4\u53ef\u4ee5\u62fc\u63a5\u6267\u884c\u6784\u9020\u7684SQL\u8bed\u53e5<\/p>\n
SQL\u6ce8\u5165\u5c31\u662f\u6307WEB\u5e94\u7528\u7a0b\u5e8f\u5bf9\u7528\u6237\u8f93\u5165\u6570\u636e\u7684\u5408\u6cd5\u6027\u6ca1\u6709\u5224\u65ad,\u524d\u7aef\u4f20\u5165\u540e\u7aef\u7684\u53c2\u6570\u662f\u653b\u51fb\u8005\u53ef\u63a7\u7684,\u5e76\u4e14\u53c2\u6570\u4ee3\u5165\u6570\u636e\u5e93\u67e5\u8be2,\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u6784\u9020\u4e0d\u540c\u7684SQL\u8bed\u53e5\u6765\u662f\u5b9e\u73b0\u5bf9\u6570\u636e\u5e93\u7684\u4efb\u610f\u64cd\u4f5c\u3002<\/p>\n
\u5373\u901a\u8fc7\u628a SQL \u547d\u4ee4\u63d2\u5165\u5230 Web \u8868\u5355\u9012\u4ea4\u6216\u8f93\u5165\u57df\u540d\u6216\u9875\u9762\u8bf7\u6c42\u7684\u67e5\u8be2\u5b57\u7b26\u4e32,\u6700\u7ec8\u8fbe\u5230\u6b3a\u9a97\u670d\u52a1\u5668\u6267\u884c\u6076\u610f\u7684 SQL \u547d\u4ee4\u3002<\/p>\n
\u4e00\u822c\u60c5\u51b5\u4e0b,\u5f00\u53d1\u4eba\u5458\u53ef\u4ee5\u4f7f\u7528\u52a8\u6001SQL\u8bed\u53e5\u521b\u5efa\u901a\u7528\u3001\u7075\u6d3b\u7684\u5e94\u7528\u3002\u52a8\u6001SQL\u8bed\u53e5\u662f\u5728\u6267\u884c\u8fc7\u7a0b\u4e2d\u6784\u9020\u7684,\u4ed6\u6839\u636e\u4e0d\u540c\u7684\u6761\u4ef6\u4ea7\u751f\u4e0d\u540c\u7684SQL\u8bed\u53e5\u3002\u5f53\u5f00\u53d1\u4eba\u5458\u5728\u8fd0\u884c\u8fc7\u7a0b\u4e2d\u9700\u8981\u6839\u636e\u4e0d\u540c\u7684\u67e5\u8be2\u6807\u51c6\u51b3\u5b9a\u63d0\u53d6\u4ec0\u4e48\u5b57\u6bb5(\u5982select\u8bed\u53e5),\u6216\u8005\u6839\u636e\u4e0d\u540c\u7684\u6761\u4ef6\u9009\u62e9\u4e0d\u540c\u7684\u67e5\u8be2\u8868\u65f6,\u52a8\u6001\u7684SQL\u8bed\u53e5\u4f1a\u975e\u5e38\u6709\u7528\u3002<\/p>\n
2. SQL\u6ce8\u5165\u7684\u539f\u7406<\/h3>\n
\u5f53\u5e94\u7528\u7a0b\u5e8f\u672a\u5bf9\u7528\u6237\u8f93\u5165\u8fdb\u884c\u6709\u6548\u8fc7\u6ee4\u65f6,\u653b\u51fb\u8005\u8f93\u5165\u7684\u6076\u610fSQL\u4f1a\u88ab\u6570\u636e\u5e93\u5f53\u4f5c\u5408\u6cd5\u6307\u4ee4\u6267\u884c\u3002<\/p>\n
SQL\u6ce8\u5165\u6f0f\u6d1e\u7684\u4ea7\u751f\u9700\u8981\u6ee1\u8db3\u4ee5\u4e0b\u4e24\u4e2a\u6761\u4ef6\u3002<\/h6>\n
(1)\u53c2\u6570\u7528\u6237\u53ef\u63a7:\u524d\u7aef\u4f20\u7ed9\u540e\u7aef\u7684\u53c2\u6570\u5185\u5bb9\u662f\u7528\u6237\u53ef\u4ee5\u63a7\u5236\u7684\u3002 (2)\u53c2\u6570\u4ee3\u5165\u6570\u636e\u5e93\u67e5\u8be2:\u4f20\u5165\u7684\u53c2\u6570\u62fc\u63a5\u5230SQL\u8bed\u53e5,\u4e14\u5e26\u5165\u6570\u636e\u5e93\u67e5\u8be2,\u7528\u6237\u80fd\u63a7\u5236\u8f93\u5165\u4e14\u8f93\u5165\u7684\u5185\u5bb9\u88ab\u5e26\u5230\u6570\u636e\u5e93\u53bb\u6267\u884c<\/p>\n
\u4f8b\u5b50<\/h6>\n
select * from users where id = 1<\/p>\n
\/\/\u8fd9\u53e5\u8bdd\u662f\u6b63\u786e\u7684,\u5408\u6cd5\u7684,\u53ef\u4ee5\u67e5\u8be2\u7528\u6237 id=1 \u7684\u8bb0\u5f55 \u5f53\u4f20\u5165\u7684ID\u53c2\u6570\u4e3a1\u65f6,\u6570\u636e\u5e93\u6267\u884c\u7684\u4ee3\u7801\u5982\u4e0b\u6240\u793a\u3002 select * from users where id = 1' \u8fd9\u4e0d\u7b26\u5408\u6570\u636e\u5e93\u7684\u8bed\u6cd5\u89c4\u8303,\u591a\u4e86\u4e2a\u5355\u5f15\u53f7,\u6240\u4ee5\u4f1a\u62a5\u9519\u3002<\/p>\n
\/\/\u4e0d\u7ba1\u4ec0\u4e48\u8bed\u8a00,\u53ea\u8981\u591a\u4e86\u4e00\u4e2a\u6ca1\u95ed\u5408\u7684\u5355\u5f15\u53f7\u9664\u975e\u4ed6\u88ab\u8f6c\u4e49\u4e86,\u4e0d\u7136\u90fd\u4f1a\u62a5\u9519\u7684<\/p>\n
\u5f53\u4f20\u5165\u7684ID\u53c2\u6570\u4e3aand 1=1\u65f6,\u6267\u884c\u7684SQL\u8bed\u53e5\u5982\u4e0b\u6240\u793a\u3002 select * from users where id=1 and 1=1<\/p>\n
\u6570\u636e\u5e93\u4f1a\u8fd4\u56de\u4e0e id=1 \u76f8\u540c\u7684\u7ed3\u679c\u3002\u653b\u51fb\u8005\u901a\u8fc7\u8fd9\u79cd\u65b9\u5f0f\u9a8c\u8bc1\u5e94\u7528\u7a0b\u5e8f\u662f\u5426\u4f1a\u6267\u884c\u989d\u5916\u7684\u903b\u8f91\u3002\u5982\u679c\u9875\u9762\u8fd4\u56de\u6b63\u5e38\u7ed3\u679c,\u8bf4\u660e\u5e94\u7528\u7a0b\u5e8f\u53ef\u80fd\u6ca1\u6709\u5bf9\u8f93\u5165\u8fdb\u884c\u8fc7\u6ee4\u3002\u5f53\u4f20\u5165\u7684ID\u53c2\u6570\u4e3aand 1=2\u65f6,\u7531\u4e8e1=2\u4e0d\u6210\u7acb,\u6240\u4ee5\u8fd4\u56de\u5047,\u9875\u9762\u5c31\u4f1a\u8fd4\u56de\u4e0eid=1\u4e0d\u540c\u7684\u7ed3\u679c,\u8bf4\u660e\u8f93\u5165\u786e\u5b9e\u5f71\u54cd\u4e86\u67e5\u8be2\u903b\u8f91\u3002 \u5728\u5b9e\u9645\u73af\u5883\u4e2d,\u51e1\u662f\u6ee1\u8db3\u4e0a\u8ff0\u4e24\u4e2a\u6761\u4ef6\u7684\u53c2\u6570\u7686\u53ef\u80fd\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e<\/p>\n
3. \u4e3a\u4ec0\u4e48\u4f1a\u6709SQL\u6ce8\u5165<\/h3>\n\n- \u4ee3\u7801\u5bf9\u5e26\u5165SQL\u8bed\u53e5\u7684\u53c2\u6570\u8fc7\u6ee4\u4e0d\u4e25\u683c<\/li>\n
- \u672a\u542f\u7528\u6846\u67b6\u7684\u5b89\u5168\u914d\u7f6e,\u4f8b\u5982:PHP\u7684magic_quotes_gpc<\/li>\n
- \u672a\u4f7f\u7528\u6846\u67b6\u5b89\u5168\u7684\u67e5\u8be2\u65b9\u6cd5<\/li>\n
- \u6d4b\u8bd5\u501f\u53e3\u672a\u5220\u9664<\/li>\n
- \u672a\u542f\u7528\u9632\u706b\u5899,\u4f8b\u5982IPTABLES\u3002<\/li>\n
- \u672a\u4f7f\u7528\u5176\u4ed6\u7684\u5b89\u5168\u9632\u62a4\u8bbe\u5907,\u4f8b\u5982:WAF<\/li>\n<\/ul>\n
4. SQL\u6ce8\u5165\u4e00\u822c\u6d41\u7a0b\u3010\u653b\u51fb\u3011<\/h3>\n
\u63a2\u6d4b\u2192\u5229\u7528\u2192\u6df1\u5ea6\u6e17\u900f<\/p>\n
1. \u6f0f\u6d1e\u63a2\u6d4b:\u5bfb\u627e\u6ce8\u5165\u70b9<\/h5>\n
\u653b\u51fb\u8005\u901a\u8fc7\u8f93\u5165\u6d4b\u8bd5\u5b57\u7b26\u5224\u65ad\u5e94\u7528\u662f\u5426\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e,\u5e38\u89c1\u65b9\u6cd5\u5305\u62ec:<\/p>\n
\n- \u5355\u5f15\u53f7\u6d4b\u8bd5:\u5728\u8f93\u5165\u6846(\u5982\u641c\u7d22\u6846\u3001URL\u53c2\u6570)\u4e2d\u8f93\u5165',\u82e5\u9875\u9762\u62a5\u9519(\u5982\u6570\u636e\u5e93\u9519\u8bef\u63d0\u793a)\u6216\u8fd4\u56de\u5f02\u5e38,\u8bf4\u660e\u8f93\u5165\u672a\u88ab\u8fc7\u6ee4,\u53ef\u80fd\u5b58\u5728\u6ce8\u5165\u70b9\u3002<\/li>\n
- \u5e03\u5c14\u76f2\u6ce8\u6d4b\u8bd5:\u8f93\u5165and 1=1(\u9875\u9762\u6b63\u5e38)\u548cand 1=2(\u9875\u9762\u5f02\u5e38),\u901a\u8fc7\u8fd4\u56de\u5dee\u5f02\u9a8c\u8bc1\u8f93\u5165\u662f\u5426\u5f71\u54cdSQL\u903b\u8f91(\u5982\u4f60\u4e4b\u524d\u63d0\u5230\u7684\u6848\u4f8b)\u3002<\/li>\n
- \u65f6\u95f4\u76f2\u6ce8\u6d4b\u8bd5:\u8f93\u5165and sleep(5),\u82e5\u9875\u9762\u52a0\u8f7d\u5ef6\u8fdf5\u79d2,\u8bf4\u660e\u6570\u636e\u5e93\u6267\u884c\u4e86\u6076\u610f\u4ee3\u7801,\u5b58\u5728\u6ce8\u5165\u70b9\u3002<\/li>\n<\/ul>\n
2. \u6f0f\u6d1e\u5229\u7528:\u83b7\u53d6\u6570\u636e\u6216\u6743\u9650<\/h5>\n
\u786e\u8ba4\u6ce8\u5165\u70b9\u540e,\u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u6076\u610fSQL\u5b9e\u73b0\u4e0d\u540c\u76ee\u6807:<\/p>\n
\n- \u83b7\u53d6\u9690\u85cf\u6570\u636e:\u901a\u8fc7OR 1=1\u6216UNION SELECT\u8bfb\u53d6\u654f\u611f\u6570\u636e\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
SELECT * FROM products WHERE category='Gifts' OR 1=1– <\/p>\n
\u5229\u7528OR 1=1\u8fd4\u56de\u6240\u6709\u5546\u54c1(\u5305\u62ec\u672a\u53d1\u5e03\u7684)\u3002<\/p>\n
\n- \u7ed5\u8fc7\u767b\u5f55\u9a8c\u8bc1:\u901a\u8fc7' OR '1'='1'–\u8df3\u8fc7\u5bc6\u7801\u68c0\u67e5\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE username='admin' OR '1'='1'–' AND password='xxx' <\/p>\n
\u76f4\u63a5\u767b\u5f55\u7ba1\u7406\u5458\u8d26\u6237\u3002<\/p>\n
\n- \u8bfb\u53d6\u6570\u636e\u5e93\u7ed3\u6784:\u901a\u8fc7UNION SELECT\u67e5\u8be2\u6570\u636e\u5e93\u7248\u672c\u3001\u8868\u540d\u7b49\u4fe1\u606f\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
' UNION SELECT version(), database()– <\/p>\n
3. \u6df1\u5ea6\u6e17\u900f:\u6269\u5927\u653b\u51fb\u8303\u56f4<\/h5>\n
\u82e5\u6743\u9650\u8db3\u591f,\u653b\u51fb\u8005\u53ef\u80fd\u8fdb\u4e00\u6b65:<\/p>\n
\n- \u7be1\u6539\u6216\u5220\u9664\u6570\u636e:\u901a\u8fc7UPDATE\u6216DROP\u8bed\u53e5\u7834\u574f\u6570\u636e\u5e93\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
'; DROP TABLE users– <\/p>\n
\n- \u6267\u884c\u7cfb\u7edf\u547d\u4ee4:\u5229\u7528\u6570\u636e\u5e93\u5b58\u50a8\u8fc7\u7a0b(\u5982MySQL\u7684xp_cmdshell)\u63a7\u5236\u670d\u52a1\u5668\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
'; EXEC xp_cmdshell 'whoami'– <\/p>\n
\n- \u6301\u4e45\u5316\u63a7\u5236:\u521b\u5efa\u540e\u95e8\u8d26\u6237\u6216\u690d\u5165\u6076\u610f\u811a\u672c,\u957f\u671f\u63a7\u5236\u7cfb\u7edf\u3002<\/li>\n<\/ul>\n
4. \u653b\u51fb\u7ed3\u675f:\u6e05\u7406\u75d5\u8ff9<\/h5>\n
\u653b\u51fb\u8005\u53ef\u80fd\u5220\u9664\u6570\u636e\u5e93\u65e5\u5fd7\u6216\u4fee\u6539\u8bbf\u95ee\u8bb0\u5f55,\u63a9\u76d6\u653b\u51fb\u884c\u4e3a\u3002<\/p>\n
5. SQL\u6ce8\u5165\u7684\u83b7\u53d6\u6570\u636e\u7684\u7b80\u5355\u6d41\u7a0b\u3010sqli-labs\u7684\u9898\u76ee\u3011<\/h3>\n5.1. \u5224\u65ad\u6709\u65e0\u95ed\u5408 and 1=1 and 1=2<\/h4>\n5.1.1. \u76ee\u7684<\/h5>\n
\u786e\u5b9a\u4f60\u7684 SQL \u8bed\u53e5\u662f\u88ab\u4ec0\u4e48\u7b26\u53f7\u201c\u5305\u56f4\u201d\u7684(\u6bd4\u5982\u5355\u5f15\u53f7 \u00a0'\u00a0\u3001\u53cc\u5f15\u53f7 \u00a0"\u00a0\u3001\u62ec\u53f7 \u00a0()\u00a0 \u7b49),\u8fd9\u4e00\u6b65\u662f SQL \u6ce8\u5165\u7684\u57fa\u7840\u524d\u63d0\u3002<\/p>\n
\u5728 SQL \u4e2d,\u201c\u95ed\u5408\u201d\u901a\u5e38\u6307\u7684\u662f\u4e00\u4e9b\u7279\u5b9a\u7684\u903b\u8f91\u6216\u8bed\u6cd5\u7ed3\u6784\u662f\u5426\u5b8c\u6574,\u4f8b\u5982\u62ec\u53f7\u662f\u5426\u5339\u914d\u3001\u4e8b\u52a1\u662f\u5426\u6b63\u786e\u63d0\u4ea4\u3001\u6761\u4ef6\u8bed\u53e5\u662f\u5426\u5b8c\u6574\u7b49\u3002<\/p>\n
5.1.2. \u64cd\u4f5c<\/h5>\n
\u6267\u884c\u4e24\u4e2a SQL \u7247\u6bb5:<\/p>\n
– \u7247\u6bb5 1:\u00a0and 1=1\u00a0<\/p>\n
– \u7247\u6bb5 2:\u00a0and 1=2\u00a0<\/p>\n
5.1.3. \u539f\u7406<\/h5>\n
– \u5f53\u6267\u884c \u00a0and 1=1\u00a0 \u65f6,\u56e0\u4e3a \u00a01=1\u00a0 \u662f\u201c\u6c38\u771f\u6761\u4ef6\u201d,\u5982\u679c\u7ed3\u679c\u548c\u4f60\u539f\u672c\u7684\u67e5\u8be2\u7ed3\u679c\u4e00\u6837,\u8bf4\u660e SQL \u8bed\u53e5\u7684\u95ed\u5408\u89c4\u5219\u662f\u7b26\u5408\u9884\u671f\u7684(\u6ca1\u6709\u56e0\u4e3a\u8bed\u6cd5\u9519\u8bef\u4e2d\u65ad)\u3002<\/p>\n
– \u5f53\u6267\u884c \u00a0and 1=2\u00a0 \u65f6,\u56e0\u4e3a \u00a01=2\u00a0 \u662f\u201c\u6c38\u5047\u6761\u4ef6\u201d,\u5982\u679c\u7ed3\u679c\u4e3a\u7a7a,\u8bf4\u660e SQL \u8bed\u53e5\u7684\u95ed\u5408\u89c4\u5219\u662f\u5bf9\u7684;\u53cd\u4e4b\u5982\u679c\u7ed3\u679c\u6ca1\u53d8\u5316,\u5c31\u9700\u8981\u6362\u5176\u4ed6\u65b9\u5f0f\u6d4b\u8bd5\u95ed\u5408\u7b26\u3002<\/p>\n
\u7ed3\u679c\u548c\u7b2c\u4e00\u4e2a\u4e00\u6837\u8bf4\u660e\u9700\u8981\u95ed\u5408,\u53cd\u4e4b\u65e0\u95ed\u5408 \u6709\u95ed\u5408\u5219\u9700\u8981\u7528\u5230 –+\u95ed\u5408<\/p>\n
\n
5.1.3.1. \u6ca1\u61c2?\u8be6\u7ec6<\/h6>\n
\u5e03\u5c14\u76f2\u6ce8\u539f\u7406:\u901a\u8fc7and 1=1\/and 1=2\u9a8c\u8bc1SQL\u6ce8\u5165\u6f0f\u6d1e<\/p>\n
\u8fd9\u79cd\u64cd\u4f5c\u5c5e\u4e8e\u5e03\u5c14\u76f2\u6ce8(Boolean-based Blind SQL Injection),\u6838\u5fc3\u662f\u901a\u8fc7\u6784\u9020\u771f\u5047\u6761\u4ef6\u6765\u5224\u65ad\u5e94\u7528\u662f\u5426\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002<\/p>\n
\u4ee5\u4e0b\u662f\u9010\u53e5\u89e3\u91ca:<\/p>\n
5.1.3.1.1. id=1 and 1=1:\u9a8c\u8bc1\u6ce8\u5165\u70b9\u662f\u5426\u5b58\u5728<\/h6>\n
\u6b63\u5e38\u67e5\u8be2:select * from users where id=1 \u2192 \u8fd4\u56deid=1\u7684\u7528\u6237\u6570\u636e\u3002<\/p>\n
\u6ce8\u5165\u540e\u67e5\u8be2:select * from users where id=1 and 1=1 \u2192 \u7531\u4e8e1=1\u6052\u4e3a\u771f,\u6574\u4e2a\u6761\u4ef6\u7b49\u4ef7\u4e8eid=1,\u8fd4\u56de\u7ed3\u679c\u4e0e\u6b63\u5e38\u67e5\u8be2\u4e00\u81f4\u3002<\/p>\n
\u653b\u51fb\u8005\u610f\u56fe:\u5982\u679c\u9875\u9762\u8fd4\u56de\u6b63\u5e38(\u663e\u793aid=1\u7684\u5185\u5bb9),\u8bf4\u660e\u5e94\u7528\u672a\u8fc7\u6ee4and\u7b49SQL\u5173\u952e\u5b57,\u8f93\u5165\u7684and 1=1\u88ab\u6570\u636e\u5e93\u5f53\u4f5c\u5408\u6cd5\u903b\u8f91\u6267\u884c,\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\u3002<\/p>\n
5.1.3.1.2. id=1 and 1=2:\u786e\u8ba4\u8f93\u5165\u5f71\u54cd\u67e5\u8be2\u903b\u8f91<\/h6>\n
\u6b63\u5e38\u67e5\u8be2:select * from users where id=1 \u2192 \u8fd4\u56deid=1\u7684\u7528\u6237\u6570\u636e\u3002<\/p>\n
\u6ce8\u5165\u540e\u67e5\u8be2:select * from users where id=1 and 1=2 \u2192 \u7531\u4e8e1=2\u6052\u4e3a\u5047,\u6574\u4e2a\u6761\u4ef6\u7b49\u4ef7\u4e8efalse,\u8fd4\u56de\u7ed3\u679c\u4e3a\u7a7a\u6216\u9519\u8bef\u9875\u9762(\u4e0e\u6b63\u5e38\u67e5\u8be2\u4e0d\u540c)\u3002<\/p>\n
\u653b\u51fb\u8005\u610f\u56fe:\u5982\u679c\u9875\u9762\u8fd4\u56de\u5f02\u5e38(\u5982\u7a7a\u767d\u3001\u62a5\u9519),\u8bf4\u660e\u8f93\u5165\u7684and 1=2\u786e\u5b9e\u6539\u53d8\u4e86\u67e5\u8be2\u7ed3\u679c,\u8bc1\u660e\u7528\u6237\u8f93\u5165\u76f4\u63a5\u53c2\u4e0e\u4e86SQL\u903b\u8f91\u6267\u884c,\u6f0f\u6d1e\u5b58\u5728\u3002<\/p>\n
5.1.3.1.3. \u4e3a\u4ec0\u4e48\u8fd9\u80fd\u9a8c\u8bc1\u6f0f\u6d1e?<\/h6>\n
\u6838\u5fc3\u903b\u8f91:<\/p>\n
SQL\u6ce8\u5165\u7684\u672c\u8d28\u662f\u7528\u6237\u8f93\u5165\u88ab\u5f53\u4f5cSQL\u4ee3\u7801\u6267\u884c\u3002\u5982\u679c\u5e94\u7528\u5bf9\u8f93\u5165\u505a\u4e86\u8fc7\u6ee4(\u5982\u8f6c\u4e49and\u3001=\u7b49\u5b57\u7b26),\u90a3\u4e48id=1 and 1=1\u4f1a\u88ab\u5f53\u4f5c\u666e\u901a\u5b57\u7b26\u4e32\u5904\u7406(\u5982id='1 and 1=1'),\u67e5\u8be2\u7ed3\u679c\u4f1a\u662f\u7a7a(\u56e0\u4e3a\u6ca1\u6709id\u7b49\u4e8e\u201c1 and 1=1\u201d\u7684\u7528\u6237)\u3002<\/p>\n
\u5bf9\u6bd4\u7ed3\u679c:<\/p>\n
\u82e5and 1=1\u8fd4\u56de\u6b63\u5e38 \u2192 \u8f93\u5165\u672a\u8fc7\u6ee4,\u6f0f\u6d1e\u5b58\u5728\u3002<\/p>\n
\u82e5and 1=2\u8fd4\u56de\u5f02\u5e38 \u2192 \u8f93\u5165\u5f71\u54cd\u4e86SQL\u903b\u8f91,\u6f0f\u6d1e\u5b58\u5728\u3002<\/p>\n
\u603b\u7ed3:\u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u771f\u5047\u6761\u4ef6,\u89c2\u5bdf\u9875\u9762\u8fd4\u56de\u5dee\u5f02,\u6765\u5224\u65ad\u5e94\u7528\u662f\u5426\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fd9\u79cd\u65b9\u6cd5\u65e0\u9700\u83b7\u53d6\u5177\u4f53\u6570\u636e,\u4ec5\u901a\u8fc7\u201c\u662f\/\u5426\u201d\u7684\u5e03\u5c14\u7ed3\u679c\u5c31\u80fd\u9a8c\u8bc1\u6f0f\u6d1e,\u662f\u76f2\u6ce8\u4e2d\u6700\u57fa\u7840\u7684\u6280\u5de7\u3002\u3002<\/p>\n
5.1.4. \u5224\u65ad\u201c\u6709\u65e0\u95ed\u5408\u201d\u7684\u573a\u666f<\/h5>\n5.1.4.1. \u5224\u65ad\u62ec\u53f7\u662f\u5426\u95ed\u5408<\/h6>\n
SQL \u67e5\u8be2\u4e2d\u7ecf\u5e38\u4f7f\u7528\u62ec\u53f7\u6765\u5b9a\u4e49\u4f18\u5148\u7ea7(\u5982 WHERE \u5b50\u53e5\u4e2d\u7684\u6761\u4ef6)\u6216\u7ec4\u7ec7\u590d\u6742\u67e5\u8be2(\u5982\u5b50\u67e5\u8be2)\u3002<\/p>\n
\u5982\u679c\u62ec\u53f7\u6ca1\u6709\u6b63\u786e\u95ed\u5408,\u4f1a\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef\u3002<\/p>\n
\u5de6\u53f3\u62ec\u53f7\u6570\u91cf\u5fc5\u987b\u76f8\u7b49,\u4e14\u5de6\u62ec\u53f7\u5728\u524d\u3001\u53f3\u62ec\u53f7\u5728\u540e<\/p>\n
SELECT *
\nFROM employees
\nWHERE (department_id = 3 AND salary > 5000;<\/p>\n
\/\/\u95ee\u9898:
\n\u5de6\u62ec\u53f7 ( \u6ca1\u6709\u5bf9\u5e94\u7684\u53f3\u62ec\u53f7 )\u3002
\n\/\/\u89e3\u51b3\u65b9\u6cd5:
\n\u786e\u4fdd\u6bcf\u4e2a\u5de6\u62ec\u53f7\u90fd\u6709\u5bf9\u5e94\u7684\u53f3\u62ec\u53f7\u3002
\n\/\/\u5de5\u5177\u8f85\u52a9:
\n\u4f7f\u7528 SQL \u7f16\u8f91\u5668(\u5982 MySQL Workbench\u3001DBeaver \u7b49),
\n\u5b83\u4eec\u901a\u5e38\u4f1a\u9ad8\u4eae\u663e\u793a\u5339\u914d\u7684\u62ec\u53f7,\u5e2e\u52a9\u53d1\u73b0\u672a\u95ed\u5408\u7684\u62ec\u53f7\u3002 <\/p>\n
5.1.4.2. \u5224\u65ad\u4e8b\u52a1\u662f\u5426\u95ed\u5408<\/h6>\n
\u4e8b\u52a1(Transaction)\u662f\u6570\u636e\u5e93\u64cd\u4f5c\u7684\u4e00\u4e2a\u91cd\u8981\u6982\u5ff5\u3002<\/p>\n
\u5982\u679c\u4e8b\u52a1\u6ca1\u6709\u6b63\u786e\u63d0\u4ea4(COMMIT)\u6216\u56de\u6eda(ROLLBACK),\u53ef\u80fd\u4f1a\u5bfc\u81f4\u6570\u636e\u4e0d\u4e00\u81f4\u6216\u9501\u8868\u95ee\u9898\u3002<\/p>\n
START TRANSACTION;<\/p>\n
— \u6267\u884c\u4e00\u7cfb\u5217\u64cd\u4f5c
\nUPDATE accounts SET balance = balance – 100 WHERE id = 1;
\nUPDATE accounts SET balance = balance + 100 WHERE id = 2;<\/p>\n
— \u63d0\u4ea4\u4e8b\u52a1
\nCOMMIT; <\/p>\n
\n- MySQL:<\/li>\n<\/ul>\n
— \u67e5\u770b\u6240\u6709\u672a\u63d0\u4ea4\u7684\u4e8b\u52a1(\u5305\u542b\u4e8b\u52a1ID\u3001\u72b6\u6001\u3001\u6267\u884c\u65f6\u95f4\u7b49)
\nSELECT * FROM INFORMATION_SCHEMA.INNODB_TRX; <\/p>\n
\n- \n
\n- \u82e5\u7ed3\u679c\u4e3a\u7a7a \u2192 \u65e0\u672a\u95ed\u5408\u4e8b\u52a1;<\/li>\n
- \u82e5\u7ed3\u679c\u4e0d\u4e3a\u7a7a \u2192 \u5b58\u5728\u672a\u63d0\u4ea4\/\u56de\u6eda\u7684\u4e8b\u52a1(\u9700\u624b\u52a8COMMIT\u6216ROLLBACK)\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
5.1.4.3. \u5224\u65ad\u6761\u4ef6\u8bed\u53e5\u662f\u5426\u95ed\u5408<\/h6>\n\n- \u5173\u952e\u5b57\u914d\u5bf9:<\/li>\n<\/ul>\n
\n- \n
\n- CASE WHEN\u5fc5\u987b\u6709END(\u5982CASE WHEN id>10 THEN '\u5927' ELSE '\u5c0f' END);<\/li>\n
- IN\u540e\u7684\u62ec\u53f7\u9700\u95ed\u5408(\u5982id IN (1,2,3),\u800c\u975eid IN (1,2,3);<\/li>\n
- BETWEEN\u9700\u4e0eAND\u914d\u5bf9(\u5982age BETWEEN 18 AND 30,\u800c\u975eage BETWEEN 18)\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \u7b26\u53f7\u95ed\u5408:<\/li>\n<\/ul>\n
\n- \n
\n- \u5b57\u7b26\u4e32\u9700\u7528\u5355\u5f15\u53f7\/\u53cc\u5f15\u53f7\u95ed\u5408(\u5982name='\u5f20\u4e09',\u800c\u975ename='\u5f20\u4e09);<\/li>\n
- \u62ec\u53f7\u9700\u6210\u5bf9(\u5982WHERE (id>10 AND name='a'),\u800c\u975eWHERE (id>10 AND name='a')\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SQL \u4e2d\u7684\u6761\u4ef6\u8bed\u53e5(\u5982 CASE\u3001IF)\u9700\u8981\u6b63\u786e\u7684\u95ed\u5408,\u5426\u5219\u4f1a\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef\u3002<\/p>\n
SELECT employee_id,
\n CASE
\n WHEN department_id = 1 THEN 'HR'
\n WHEN department_id = 2 THEN 'Finance'
\n END AS department_name
\nFROM employees;<\/p>\n
\/\/\u786e\u4fdd\u6bcf\u4e2a CASE \u8bed\u53e5\u90fd\u4ee5 END \u7ed3\u675f\u3002 <\/p>\n
5.1.4.4. \u5224\u65ad\u5b57\u7b26\u4e32\u662f\u5426\u95ed\u5408<\/h6>\n
\u65ad\u5b57\u7b26\u4e32\u662f\u5426\u95ed\u5408,\u6838\u5fc3\u662f\u68c0\u67e5\u8d77\u6b62\u5f15\u53f7\u662f\u5426\u4e00\u81f4\u4e14\u6210\u5bf9<\/p>\n
SQL \u67e5\u8be2\u4e2d\u4f7f\u7528\u7684\u5b57\u7b26\u4e32\u9700\u8981\u7528\u5f15\u53f7(\u5355\u5f15\u53f7 ' \u6216\u53cc\u5f15\u53f7 ")\u5305\u88f9\u3002\u5982\u679c\u5f15\u53f7\u6ca1\u6709\u6b63\u786e\u95ed\u5408,\u4f1a\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef\u3002<\/p>\n
\u82e5\u5b57\u7b26\u4e32\u672a\u95ed\u5408,SQL\u6267\u884c\u65f6\u4f1a\u8fd4\u56de\u8bed\u6cd5\u9519\u8bef:<\/p>\n
\n- MySQL\u62a5\u9519:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near…;<\/li>\n<\/ul>\n
SELECT *
\nFROM employees
\nWHERE name = 'Alice'; <\/p>\n
5.1.4.5. \u5224\u65ad\u6ce8\u91ca\u662f\u5426\u95ed\u5408<\/h6>\n
SQL \u652f\u6301\u4e24\u79cd\u6ce8\u91ca\u98ce\u683c:<\/p>\n
- \u5355\u884c\u6ce8\u91ca:– \u6ce8\u91ca\u5185\u5bb9<\/li>\n
- \u591a\u884c\u6ce8\u91ca:\/* \u6ce8\u91ca\u5185\u5bb9 *\/<\/li>\n
\u5982\u679c\u591a\u884c\u6ce8\u91ca\u672a\u6b63\u786e\u95ed\u5408,\u53ef\u80fd\u4f1a\u5bfc\u81f4\u540e\u7eed\u4ee3\u7801\u88ab\u5ffd\u7565\u3002<\/p>\n
SELECT *
\nFROM employees
\n\/* WHERE department_id = 1 *\/ <\/p>\n
5.1.4.6. \u603b\u7ed3<\/h6>\n
\u5224\u65ad SQL \u662f\u5426\u201c\u95ed\u5408\u201d\u53ef\u4ee5\u4ece\u4ee5\u4e0b\u51e0\u4e2a\u65b9\u9762\u5165\u624b:<\/p>\n
- \u62ec\u53f7\u95ed\u5408:<\/li>\n
\n- \n
\n- \u786e\u4fdd\u6bcf\u4e2a\u5de6\u62ec\u53f7 ( \u90fd\u6709\u5bf9\u5e94\u7684\u53f3\u62ec\u53f7 )\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \u4e8b\u52a1\u95ed\u5408:<\/li>\n
\n- \n
\n- \u786e\u4fdd\u6bcf\u4e2a\u4e8b\u52a1\u4ee5 COMMIT \u6216 ROLLBACK \u7ed3\u675f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \u6761\u4ef6\u8bed\u53e5\u95ed\u5408:<\/li>\n
\n- \n
\n- \u786e\u4fdd CASE\u3001IF \u7b49\u8bed\u53e5\u4ee5\u6b63\u786e\u7684\u5173\u952e\u5b57(\u5982 END)\u7ed3\u675f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \u5b57\u7b26\u4e32\u95ed\u5408:<\/li>\n
\n- \n
\n- \u786e\u4fdd\u6bcf\u4e2a\u5b57\u7b26\u4e32\u90fd\u4ee5\u5339\u914d\u7684\u5f15\u53f7\u7ed3\u675f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \u6ce8\u91ca\u95ed\u5408:<\/li>\n
\n- \n
\n- \u786e\u4fdd\u591a\u884c\u6ce8\u91ca\u4ee5 *\/ \u7ed3\u675f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
5.2. \u731c\u89e3\u5b57\u6bb5 order by 10<\/h4>\n
\u63a2\u6d4b\u76ee\u6807\u8868\u7684\u5b57\u6bb5\u6570\u91cf<\/p>\n
– \u00a0order by n\u00a0 \u7528\u4e8e\u5bf9\u7b2c\u00a0n\u00a0\u4e2a\u5b57\u6bb5\u6392\u5e8f,\u82e5\u00a0n\u00a0\u8d85\u8fc7\u8868\u7684\u5b9e\u9645\u5b57\u6bb5\u6570,\u4f1a\u62a5\u9519;<\/p>\n
– \u7528\u4e8c\u5206\u6cd5(\u5982\u5148\u8bd5\u00a0order by 10\u00a0,\u518d\u6839\u636e\u662f\u5426\u62a5\u9519\u8c03\u6574\u6570\u503c)\u53ef\u5feb\u901f\u786e\u5b9a\u8868\u7684\u5b57\u6bb5\u603b\u6570\u3002<\/p>\n
5.3. \u5224\u65ad\u6570\u636e\u56de\u663e\u4f4d\u7f6e -1 union select 1,2,3,4,5….<\/h4>\n
\/\/-1\u00a0 \u662f\u4e3a\u4e86\u8ba9\u524d\u534a\u6bb5\u67e5\u8be2\u7ed3\u679c\u4e3a\u7a7a,\u786e\u4fdd\u53ea\u663e\u793a \u00a0union select\u00a0 \u540e\u7684\u7ed3\u679c;<\/p>\n
– \u4f9d\u6b21\u6784\u9020 \u00a0select 1,2,3…\u00a0,\u89c2\u5bdf\u9875\u9762\u4e0a\u663e\u793a\u7684\u6570\u5b57\u4f4d\u7f6e,\u8fd9\u4e9b\u4f4d\u7f6e\u5c31\u662f\u53ef\u5229\u7528\u7684\u56de\u663e\u5b57\u6bb5\u3002\u53c2\u6570\u7b49\u53f7\u540e\u9762\u52a0-\u8868\u793a\u4e0d\u663e\u793a\u5f53\u524d\u6570\u636e<\/p>\n
\u786e\u5b9a\u54ea\u4e9b\u5b57\u6bb5\u4f1a\u5728\u9875\u9762\u4e0a\u663e\u793a<\/p>\n
5.4. \u83b7\u53d6\u5f53\u524d\u6570\u636e\u5e93\u540d\u3001\u7528\u6237\u3001\u7248\u672c ,\u83b7\u53d6\u5168\u90e8\u6570\u636e\u5e93\u540d<\/h4>\n
\u6536\u96c6\u6570\u636e\u5e93\u7684\u57fa\u7840\u4fe1\u606f<\/p>\n
eg.\u00a0union select database(), user(), version(),…\u00a0<\/p>\n
union select group_concat(schema_name) from information_schema.schemata,…\u00a0<\/p>\n
5\u3001\u83b7\u53d6\u8868\u540d<\/h5>\n
\u5b9a\u4f4d\u76ee\u6807\u6570\u636e\u5e93\u4e2d\u7684\u8868\u7ed3\u6784\u3002<\/p>\n
select group_concat(table_name) from information_schema.tables where table_schema= '\u5e93\u540d'<\/p>\n
6\u3001\u83b7\u53d6\u5b57\u6bb5\u540d<\/h5>\n
\u660e\u786e\u76ee\u6807\u8868\u7684\u5217\u4fe1\u606f<\/p>\n
select group_concat(column_name) from information_schema.columns where table_schema= '\u5e93\u540d' and table_name='\u8868\u540d'<\/p>\n
7\u3001\u83b7\u53d6\u6570\u636e union select 1,2,(select group_concat(\u5b57\u6bb51,\u5b57\u6bb52)from \u5e93\u540d.\u8868\u540d<\/h5>\n
\u6700\u7ec8\u63d0\u53d6\u76ee\u6807\u6570\u636e<\/p>\n
\u901a\u8fc7 \u00a0group_concat\u00a0 \u628a\u5b57\u6bb5\u5185\u5bb9\u62fc\u63a5\u6210\u5b57\u7b26\u4e32,\u5728\u56de\u663e\u4f4d\u4e0a\u663e\u793a,\u4ece\u800c\u83b7\u53d6\u8868\u4e2d\u7684\u5177\u4f53\u6570\u636e(\u5982\u7528\u6237\u8d26\u53f7\u3001\u5bc6\u7801\u7b49\u654f\u611f\u4fe1\u606f)\u3002<\/p>\n
6. \u6ce8\u5165\u7684\u7c7b\u578b<\/h3>\n<\/p>\n
![\"\"](\"https:\/\/www.wsisp.com\/helps\/wp-content\/uploads\/2026\/01\/20260123131633-697374b123518.jpg\")
<\/p>\n
\u76ee\u524d\u5e94\u8be5\u5c31\u5b66\u4e86\u8fd9\u4e9b,,\u53ef\u80fd\u540e\u9762\u4f1a\u8865\u5145\u3002<\/p>\n
\u672c\u4eba\u5229\u7528\u7684\u662fsqli-labs\u7684\u9776\u573a,\u53ef\u4ee5\u53bbGithub\u4e0a\u9762\u627e\u6e90\u4ee3\u7801\u5230\u5c0f\u76ae\u4e0a\u9762,\u5373\u53ef<\/p>\n
6.1. \u6570\u503c\u578b\u6ce8\u5165<\/h4>\n6.1.1. \u6838\u5fc3\u5b9a\u4e49:\u4ec0\u4e48\u662f\u6570\u503c\u578b\u6ce8\u5165?<\/h5>\n
\u6570\u503c\u578b\u6ce8\u5165\u662fSQL\u6ce8\u5165\u7684\u4e00\u79cd\u5e38\u89c1\u7c7b\u578b,\u53d1\u751f\u5728\u53c2\u6570\u4e3a\u6570\u503c\u7c7b\u578b(\u5982\u6574\u6570\u3001\u6d6e\u70b9\u6570)\u7684\u573a\u666f\u4e2d\u3002<\/p>\n
\u5176\u6838\u5fc3\u7279\u5f81\u662f:<\/p>\n
\n- \u540e\u53f0SQL\u8bed\u53e5\u4e2d,\u53c2\u6570\u76f4\u63a5\u4f5c\u4e3a\u6570\u503c\u4f7f\u7528,\u65e0\u9700\u5355\u5f15\u53f7\/\u53cc\u5f15\u53f7\u5305\u88f9(\u533a\u522b\u4e8e\u5b57\u7b26\u578b\u6ce8\u5165)\u3002<\/li>\n
- \u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u7279\u6b8a\u6570\u503c,\u4fee\u6539\u539f\u6709SQL\u7684\u903b\u8f91,\u5b9e\u73b0\u672a\u6388\u6743\u7684\u6570\u636e\u67e5\u8be2\u6216\u64cd\u4f5c\u3002<\/li>\n
- \u524d\u53f0\u9875\u9762\u8f93\u5165\u7684\u53c2\u6570\u662f\u300c\u6570\u5b57\u300d\u3002<\/li>\n<\/ul>\n
\n- \n
\n- \u5199\u5165and1=1 \u4e0eand1=2\u56de\u663e\u4e0d\u76f8\u540c\u8bf4\u660e\u540e\u9762\u7684and1=1\u548cand1=2\u5bf9\u7f51\u9875\u9020\u6210\u4e86\u5f71\u54cd,\u5224\u65ad\u4e3a\u6570\u503c\u578b<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.1.2. \u5173\u952e\u7279\u5f81\u4e0e\u5224\u65ad\u65b9\u6cd5<\/h5>\n6.1.2.1. \u5178\u578b\u573a\u666f<\/h6>\n
\u5e38\u89c1\u4e8e\u6309ID\u67e5\u8be2\u7684\u529f\u80fd(\u5982\u6587\u7ae0\u8be6\u60c5\u3001\u7528\u6237\u4fe1\u606f),\u540e\u53f0SQL\u683c\u5f0f\u901a\u5e38\u4e3a:<\/p>\n
SELECT * FROM users WHERE id = [\u7528\u6237\u8f93\u5165] — \u4f8b\u5982:id=1 <\/p>\n
6.1.2.2. \u5224\u65ad\u65b9\u6cd5(\u5b9e\u6218\u6b65\u9aa4)<\/h6>\n
\u901a\u8fc7\u6784\u9020\u6052\u771f\/\u6052\u5047\u6761\u4ef6,\u89c2\u5bdf\u9875\u9762\u54cd\u5e94\u5dee\u5f02,\u5373\u53ef\u5224\u65ad\u662f\u5426\u5b58\u5728\u6570\u503c\u578b\u6ce8\u5165:<\/p>\n
\n- \u6b65\u9aa41:\u6052\u771f\u6761\u4ef6\u6d4b\u8bd5 \u8f93\u5165 id=1 AND 1=1,\u82e5\u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0e\u539f\u8bf7\u6c42id=1\u4e00\u81f4),\u8bf4\u660e\u6ce8\u5165\u7684\u6761\u4ef6\u88ab\u6570\u636e\u5e93\u6267\u884c,\u4e14\u7ed3\u679c\u4e3a\u771f\u3002 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE id = 1 AND 1=1 — \u6761\u4ef6\u6c38\u8fdc\u6210\u7acb,\u8fd4\u56de\u6240\u6709id=1\u7684\u7ed3\u679c <\/p>\n
\n- \u6b65\u9aa42:\u6052\u5047\u6761\u4ef6\u6d4b\u8bd5 \u8f93\u5165 id=1 AND 1=2,\u82e5\u9875\u9762\u5f02\u5e38\u663e\u793a(\u7a7a\u767d\u3001\u62a5\u9519\u6216\u65e0\u6570\u636e),\u8bf4\u660e\u6ce8\u5165\u7684\u6761\u4ef6\u88ab\u6267\u884c\u4e3a\u5047,\u5b58\u5728\u6ce8\u5165\u70b9\u3002 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE id = 1 AND 1=2 — \u6761\u4ef6\u6c38\u8fdc\u4e0d\u6210\u7acb,\u65e0\u7ed3\u679c\u8fd4\u56de <\/p>\n
\n- \u6b65\u9aa43:\u5355\u5f15\u53f7\u6d4b\u8bd5(\u8f85\u52a9\u9a8c\u8bc1) \u8f93\u5165 id=1',\u82e5\u9875\u9762\u62a5\u9519(\u5982SQL syntax error),\u8fdb\u4e00\u6b65\u786e\u8ba4\u662f\u6570\u503c\u578b\u6ce8\u5165(\u56e0\u4e3a\u6570\u503c\u578b\u53c2\u6570\u65e0\u9700\u5355\u5f15\u53f7,\u591a\u4f59\u7684\u5355\u5f15\u53f7\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef)\u3002<\/li>\n<\/ul>\n
6.1.2.3. \u5b9e\u6218\u6848\u4f8b:\u4ece\u5224\u65ad\u5230\u6570\u636e\u83b7\u53d6<\/h6>\n
\u4ee5SQLi-Labs\u9776\u573aLess-2(\u6570\u503c\u578b\u6ce8\u5165\u7ecf\u5178\u573a\u666f)\u4e3a\u4f8b:<\/p>\n
6.1.2.3.1. \u73af\u5883\u51c6\u5907<\/h6>\n\n- \u9776\u573aURL:http:\/\/localhost\/sqli-labs\/Less-2\/?id=1<\/li>\n
- \u540e\u53f0SQL:SELECT * FROM users WHERE id = $_GET['id']<\/li>\n<\/ul>\n
6.1.2.3.2. \u6ce8\u5165\u8fc7\u7a0b<\/h6>\n\n- \u5224\u65ad\u6ce8\u5165\u70b9: \u8f93\u5165 id=1 AND 1=1 \u2192 \u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0eid=1\u4e00\u81f4); \u8f93\u5165 id=1 AND 1=2 \u2192 \u9875\u9762\u7a7a\u767d(\u65e0\u6570\u636e),\u786e\u8ba4\u5b58\u5728\u6570\u503c\u578b\u6ce8\u5165\u3002<\/li>\n
- \u83b7\u53d6\u6570\u636e\u5e93\u4fe1\u606f: \u6784\u9020\u6ce8\u5165\u8bed\u53e5,\u67e5\u8be2\u6570\u636e\u5e93\u540d:<\/li>\n<\/ul>\n
id=1 UNION SELECT 1, database(), 3 — \u5047\u8bbeusers\u8868\u67093\u4e2a\u5b57\u6bb5 <\/p>\n
\u6b64\u65f6SQL\u53d8\u4e3a:<\/p>\n
SELECT * FROM users WHERE id = 1 UNION SELECT 1, database(), 3 <\/p>\n
\u9875\u9762\u4f1a\u8fd4\u56de\u5f53\u524d\u6570\u636e\u5e93\u540d(\u5982security)\u3002<\/p>\n
\n- \u83b7\u53d6\u8868\u540d: \u8fdb\u4e00\u6b65\u67e5\u8be2\u6570\u636e\u5e93\u4e2d\u7684\u8868:<\/li>\n<\/ul>\n
id=1 UNION SELECT 1, group_concat(table_name), 3 FROM information_schema.tables WHERE table_schema=database() <\/p>\n
\u7ed3\u679c\u4f1a\u8fd4\u56de\u6240\u6709\u8868\u540d(\u5982users\u3001emails\u7b49)\u3002<\/p>\n
6.1.2.4. \u9632\u5fa1\u5efa\u8bae<\/h6>\n\n- \u53c2\u6570\u7c7b\u578b\u6821\u9a8c:\u5bf9\u6570\u503c\u578b\u53c2\u6570\u5f3a\u5236\u8f6c\u6362\u4e3a\u6574\u6570(\u5982PHP\u4e2d\u7528intval());<\/li>\n
- \u4f7f\u7528\u9884\u7f16\u8bd1\u8bed\u53e5:\u5982PDO\u6216MyBatis\u7684\u53c2\u6570\u7ed1\u5b9a,\u907f\u514d\u76f4\u63a5\u62fc\u63a5SQL;<\/li>\n
- \u6700\u5c0f\u6743\u9650\u539f\u5219:\u6570\u636e\u5e93\u7528\u6237\u4ec5\u6388\u4e88\u5fc5\u8981\u6743\u9650(\u5982\u7981\u6b62FILE\u3001ALTER\u7b49\u9ad8\u5371\u64cd\u4f5c)\u3002<\/li>\n<\/ul>\n
6.1.2.5. \u4e00\u53e5\u8bdd\u603b\u7ed3<\/h6>\n
\u6570\u503c\u578b\u6ce8\u5165\u662f\u5229\u7528\u6570\u503c\u578b\u53c2\u6570\u65e0\u5f15\u53f7\u5305\u88f9\u7684\u7279\u6027,\u901a\u8fc7\u6784\u9020\u903b\u8f91\u6761\u4ef6\u4fee\u6539SQL\u8bed\u53e5,<\/p>\n
\u6838\u5fc3\u5224\u65ad\u65b9\u6cd5\u662f1 AND 1=1(\u6b63\u5e38)+ 1 AND 1=2(\u5f02\u5e38),\u5b9e\u6218\u4e2d\u53ef\u7ed3\u5408\u8054\u5408\u67e5\u8be2\u83b7\u53d6\u654f\u611f\u6570\u636e\u3002 🛡\ufe0f<\/p>\n
6.1.3. \u7b80\u5355\u6761\u4ef6\u6ce8\u5165<\/h5>\n\n- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
\n- \n
\n- \u5728\u6570\u503c\u53c2\u6570\u540e\u6dfb\u52a0\u903b\u8f91\u8fd0\u7b97\u7b26(\u5982 OR\u3001AND)\u548c\u6052\u771f\/\u6052\u5047\u6761\u4ef6\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \u793a\u4f8b:<\/li>\n<\/ul>\n
\u6b63\u5e38\u7684 SQL \u67e5\u8be2<\/p>\n
\u5047\u8bbe\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u6839\u636e\u7528\u6237\u8f93\u5165\u7684 id \u67e5\u8be2\u5458\u5de5\u4fe1\u606f:<\/p>\n
SELECT * FROM employees WHERE id = 1; <\/p>\n
\u5982\u679c\u7528\u6237\u8f93\u5165 1,\u67e5\u8be2\u4f1a\u8fd4\u56de id=1 \u7684\u5458\u5de5\u4fe1\u606f\u3002<\/p>\n
\u6ce8\u5165\u540e\u7684 SQL \u67e5\u8be2<\/p>\n
\u5982\u679c\u653b\u51fb\u8005\u8f93\u5165\u6076\u610f\u7684\u6570\u503c(\u5982 1 OR 1=1),\u67e5\u8be2\u53ef\u80fd\u53d8\u6210:<\/p>\n
SELECT * FROM employees WHERE id = 1 OR 1=1; <\/p>\n
\n- \u89e3\u91ca:<\/li>\n<\/ul>\n
\n- \n
\n- \u6761\u4ef6 1=1 \u59cb\u7ec8\u4e3a\u771f,\u5bfc\u81f4\u67e5\u8be2\u8fd4\u56de\u6240\u6709\u5458\u5de5\u7684\u4fe1\u606f\u3002<\/li>\n
- \u8fd9\u79cd\u6ce8\u5165\u53ef\u4ee5\u7528\u4e8e\u6570\u636e\u6cc4\u9732\u6216\u6743\u9650\u7ed5\u8fc7\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\u3010\u7528or \u53ea\u8981\u6ee1\u8db3\u5176\u4e00\u5373\u53ef,\u53c81=1\u6c38\u8fdc\u6210\u7acb,\u6240\u4ee5id=1\u8fd9\u4e00\u6761\u4ef6\u4f1a\u88ab\u5ffd\u7565\u3011<\/p>\n
6.1.4. \u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/h5>\n\n- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
\n- \n
\n- \u4f7f\u7528 UNION \u5c06\u6076\u610f\u67e5\u8be2\u7ed3\u679c\u4e0e\u539f\u59cb\u67e5\u8be2\u7ed3\u679c\u5408\u5e76\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \u793a\u4f8b:<\/li>\n<\/ul>\n
\n- \n
\n- \u7528\u6237\u8f93\u5165:1 UNION SELECT username, password FROM users<\/li>\n
- \u62fc\u63a5\u540e\u7684 SQL:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE id = 1
\nUNION
\nSELECT username, password FROM users; <\/p>\n
\n- \n
\n- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- \n
\n- \u8fd4\u56de\u5458\u5de5\u4fe1\u606f\u7684\u540c\u65f6,\u8fd8\u6cc4\u9732\u4e86\u7528\u6237\u7684\u7528\u6237\u540d\u548c\u5bc6\u7801\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.1.5. \u5b50\u67e5\u8be2\u6ce8\u5165<\/h5>\n\n- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
\n- \n
\n- \u5728\u6570\u503c\u53c2\u6570\u4e2d\u5d4c\u5957\u5b50\u67e5\u8be2,\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \u793a\u4f8b:<\/li>\n<\/ul>\n
\n- \n
\n- \u7528\u6237\u8f93\u5165:1 AND (SELECT COUNT(*) FROM users) > 0<\/li>\n
- \u62fc\u63a5\u540e\u7684 SQL:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE id = 1 AND (SELECT COUNT(*) FROM users) > 0;<\/p>\n
— \u67e5\u8be2employees\u8868\u4e2did=1\u7684\u5458\u5de5\u6570\u636e,\u4f46\u4ec5\u5f53users\u8868\u4e2d\u5b58\u5728\u81f3\u5c111\u6761\u8bb0\u5f55\u65f6\u624d\u8fd4\u56de\u7ed3\u679c\u3002 <\/p>\n
\n- \n
\n- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- \n
\n- \u9a8c\u8bc1 users \u8868\u662f\u5426\u5b58\u5728,\u5e76\u5c1d\u8bd5\u83b7\u53d6\u66f4\u591a\u4fe1\u606f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.1.6. \u603b\u7ed3<\/h5>\n\n- \u6570\u503c\u578b\u6ce8\u5165\u7684\u7279\u70b9:<\/li>\n<\/ul>\n
\n- \n
\n- \u53c2\u6570\u4e3a\u6570\u503c\u578b,\u65e0\u9700\u5f15\u53f7\u5305\u88f9\u3002<\/li>\n
- \u653b\u51fb\u8005\u901a\u8fc7\u903b\u8f91\u8fd0\u7b97\u7b26\u3001\u8054\u5408\u67e5\u8be2\u3001\u5b50\u67e5\u8be2\u7b49\u65b9\u5f0f\u7be1\u6539\u67e5\u8be2\u903b\u8f91\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \u9632\u5fa1\u63aa\u65bd:<\/li>\n<\/ul>\n
\n- \n
\n- \u4f7f\u7528\u53c2\u6570\u5316\u67e5\u8be2(\u907f\u514d\u76f4\u63a5\u62fc\u63a5\u7528\u6237\u8f93\u5165)\u3002<\/li>\n
- \u9a8c\u8bc1\u7528\u6237\u8f93\u5165\u3002<\/li>\n
- \u6700\u5c0f\u5316\u6570\u636e\u5e93\u6743\u9650\u3002<\/li>\n
- \u76d1\u63a7\u548c\u8bb0\u5f55\u5f02\u5e38\u884c\u4e3a<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.2. \u5b57\u7b26\u578b\u6ce8\u5165<\/h4>\n6.2.1. \u6838\u5fc3\u5b9a\u4e49:\u4ec0\u4e48\u662f\u5b57\u7b26\u578b\u6ce8\u5165?<\/h5>\n
\u5b57\u7b26\u578b\u6ce8\u5165\u662fSQL\u6ce8\u5165\u7684\u5178\u578b\u7c7b\u578b,\u53d1\u751f\u5728\u53c2\u6570\u4e3a\u5b57\u7b26\u4e32\u7c7b\u578b\u7684\u573a\u666f\u4e2d\u3002\u5176\u6838\u5fc3\u7279\u5f81\u662f:<\/p>\n
\n- \u540e\u53f0SQL\u8bed\u53e5\u4e2d,\u53c2\u6570\u88ab\u5355\u5f15\u53f7(')\u6216\u53cc\u5f15\u53f7(")\u5305\u88f9(\u533a\u522b\u4e8e\u6570\u503c\u578b\u6ce8\u5165\u7684\u65e0\u5f15\u53f7)\u3002<\/li>\n
- \u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u5305\u542b\u7279\u6b8a\u5b57\u7b26\u7684\u5b57\u7b26\u4e32,\u95ed\u5408\u539f\u6709\u5f15\u53f7\u5e76\u6ce8\u5165\u6076\u610fSQL\u903b\u8f91,\u5b9e\u73b0\u672a\u6388\u6743\u64cd\u4f5c\u3002<\/li>\n<\/ul>\n
6.2.2. \u5173\u952e\u7279\u5f81\u4e0e\u5224\u65ad\u65b9\u6cd5<\/h5>\n6.2.2.1. \u5178\u578b\u573a\u666f<\/h6>\n
\u5e38\u89c1\u4e8e\u7528\u6237\u540d\u3001\u641c\u7d22\u5173\u952e\u8bcd\u7b49\u5b57\u7b26\u578b\u53c2\u6570,\u540e\u53f0SQL\u683c\u5f0f\u901a\u5e38\u4e3a:<\/p>\n
SELECT * FROM users WHERE username = '[\u7528\u6237\u8f93\u5165]' — \u4f8b\u5982:username='admin' <\/p>\n
6.2.2.2. \u5224\u65ad\u65b9\u6cd5(\u5b9e\u6218\u6b65\u9aa4)<\/h6>\n
\u901a\u8fc7\u6784\u9020\u5355\u5f15\u53f7\u95ed\u5408\u903b\u8f91,\u89c2\u5bdf\u9875\u9762\u54cd\u5e94\u5dee\u5f02,\u5373\u53ef\u5224\u65ad\u662f\u5426\u5b58\u5728\u5b57\u7b26\u578b\u6ce8\u5165:<\/p>\n
\n- \u6b65\u9aa41:\u5355\u5f15\u53f7\u6d4b\u8bd5(\u6838\u5fc3) \u8f93\u5165 username=admin'(\u5728\u539f\u53c2\u6570\u540e\u52a0\u5355\u5f15\u53f7),<\/li>\n
- \u82e5\u9875\u9762\u62a5\u9519(\u5982Unclosed quotation mark),\u8bf4\u660e\u53c2\u6570\u88ab\u5f15\u53f7\u5305\u88f9(\u5b57\u7b26\u578b\u6ce8\u5165\u7279\u5f81)\u3002<\/li>\n
- \u3010\u6ce8\u610f,\u4e00\u4e2a\u662f\u8bed\u6cd5\u9519\u8bef,\u4e00\u4e2a\u662f\u5f15\u53f7\u672a\u95ed\u5408,\u9519\u8bef\u63d0\u793a\u4e0d\u540c\u3011 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE username = 'admin'' — \u5f15\u53f7\u672a\u95ed\u5408,\u8bed\u6cd5\u9519\u8bef <\/p>\n
\n- \u6b65\u9aa42:\u903b\u8f91\u6761\u4ef6\u6d4b\u8bd5(\u9a8c\u8bc1\u6ce8\u5165\u70b9) \u6784\u9020\u95ed\u5408+\u6052\u771f\u6761\u4ef6:\u8f93\u5165 username=admin' AND '1'='1 –+(–+\u7528\u4e8e\u6ce8\u91ca\u540e\u7eed\u5185\u5bb9),\u82e5\u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0e\u539f\u8bf7\u6c42\u4e00\u81f4),\u8bf4\u660e\u6ce8\u5165\u6210\u529f\u3002 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE username = 'admin' AND '1'='1 –+' — \u6761\u4ef6\u6052\u771f,\u8fd4\u56de\u6240\u6709\u7528\u6237 <\/p>\n
\n- \u6b65\u9aa43:\u5bf9\u6bd4\u6052\u5047\u6761\u4ef6 \u8f93\u5165 username=admin' AND '1'='2 –+,\u82e5\u9875\u9762\u5f02\u5e38\u663e\u793a(\u7a7a\u767d\u6216\u62a5\u9519),\u8fdb\u4e00\u6b65\u786e\u8ba4\u5b58\u5728\u5b57\u7b26\u578b\u6ce8\u5165\u3002<\/li>\n<\/ul>\n
6.2.2.3. \u5b9e\u6218\u6848\u4f8b:\u4ece\u5224\u65ad\u5230\u6570\u636e\u83b7\u53d6<\/h6>\n
\u4ee5SQLi-Labs\u9776\u573aLess-1(\u5b57\u7b26\u578b\u6ce8\u5165\u7ecf\u5178\u573a\u666f)\u4e3a\u4f8b:<\/p>\n
6.2.2.3.1. \u73af\u5883\u51c6\u5907<\/h6>\n\n- \u9776\u573aURL:http:\/\/localhost\/sqli-labs\/Less-1\/?id=1<\/li>\n
- \u540e\u53f0SQL:SELECT * FROM users WHERE id = '[\u7528\u6237\u8f93\u5165]'<\/li>\n<\/ul>\n
6.2.2.3.2. \u6ce8\u5165\u8fc7\u7a0b<\/h6>\n\n- \u5224\u65ad\u6ce8\u5165\u70b9: \u8f93\u5165 id=1' \u2192 \u9875\u9762\u62a5\u9519(You have an error in your SQL syntax),\u786e\u8ba4\u53c2\u6570\u88ab\u5355\u5f15\u53f7\u5305\u88f9\u3002 \u8f93\u5165 id=1' AND '1'='1 –+ \u2192 \u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0eid=1\u4e00\u81f4),\u6ce8\u5165\u70b9\u5b58\u5728\u3002<\/li>\n
- \u83b7\u53d6\u6570\u636e\u5e93\u4fe1\u606f: \u6784\u9020\u8054\u5408\u67e5\u8be2,\u83b7\u53d6\u6570\u636e\u5e93\u540d:<\/li>\n<\/ul>\n
id=-1' UNION SELECT 1, database(), 3 –+ — \u7528-1\u8ba9\u539f\u67e5\u8be2\u65e0\u7ed3\u679c,\u663e\u793a\u8054\u5408\u67e5\u8be2\u5185\u5bb9 <\/p>\n
\u6b64\u65f6SQL\u53d8\u4e3a:<\/p>\n
SELECT * FROM users WHERE id = '-1' UNION SELECT 1, database(), 3 –+' <\/p>\n
\u9875\u9762\u8fd4\u56de\u5f53\u524d\u6570\u636e\u5e93\u540d(\u5982security)\u3002<\/p>\n
\n- \u83b7\u53d6\u8868\u540d: \u8fdb\u4e00\u6b65\u67e5\u8be2\u6570\u636e\u5e93\u4e2d\u7684\u8868:<\/li>\n<\/ul>\n
id=-1' UNION SELECT 1, group_concat(table_name), 3 FROM information_schema.tables WHERE table_schema=database() –+ <\/p>\n
\u7ed3\u679c\u8fd4\u56de\u6240\u6709\u8868\u540d(\u5982users\u3001emails)\u3002<\/p>\n
6.2.2.4. \u9632\u5fa1\u5efa\u8bae<\/h6>\n\n- \u53c2\u6570\u8fc7\u6ee4:\u5bf9\u8f93\u5165\u7684\u5355\u5f15\u53f7\u3001\u53cc\u5f15\u53f7\u7b49\u7279\u6b8a\u5b57\u7b26\u8fdb\u884c\u8f6c\u4e49(\u5982PHP\u4e2d\u7528addslashes());<\/li>\n
- \u9884\u7f16\u8bd1\u8bed\u53e5:\u4f7f\u7528PDO\u6216MyBatis\u7684\u53c2\u6570\u7ed1\u5b9a,\u907f\u514d\u76f4\u63a5\u62fc\u63a5SQL;<\/li>\n
- \u7c7b\u578b\u6821\u9a8c:\u5bf9\u5b57\u7b26\u578b\u53c2\u6570\u9650\u5236\u957f\u5ea6\u548c\u683c\u5f0f(\u5982\u7528\u6237\u540d\u4ec5\u5141\u8bb8\u5b57\u6bcd\u6570\u5b57)\u3002<\/li>\n<\/ul>\n
6.2.2.5. \u4e00\u53e5\u8bdd\u603b\u7ed3<\/h6>\n
\u5b57\u7b26\u578b\u6ce8\u5165\u662f\u5229\u7528\u53c2\u6570\u88ab\u5f15\u53f7\u5305\u88f9\u7684\u7279\u6027,\u901a\u8fc7\u6784\u9020\u95ed\u5408\u903b\u8f91\u6ce8\u5165\u6076\u610fSQL,\u6838\u5fc3\u5224\u65ad\u65b9\u6cd5\u662f\u5355\u5f15\u53f7\u6d4b\u8bd5+\u903b\u8f91\u6761\u4ef6\u9a8c\u8bc1,\u5b9e\u6218\u4e2d\u53ef\u7ed3\u5408\u8054\u5408\u67e5\u8be2\u83b7\u53d6\u654f\u611f\u6570\u636e\u3002 🛡\ufe0f<\/p>\n
\n- \n
\n- \u524d\u53f0\u9875\u9762\u8f93\u5165\u7684\u53c2\u6570\u662f\u300c\u5b57\u7b26\u4e32\u300d\u3002<\/li>\n
- \u5b57\u7b26\u53ef\u4ee5\u4f7f\u7528\u5355\u5f15\u53f7\u5305\u88f9,\u4e5f\u53ef\u4ee5\u4f7f\u7528\u53cc\u5f15\u53f7\u5305\u88f9\u3002<\/li>\n
- \u6839\u636e\u5305\u88f9\u5b57\u7b26\u4e32\u7684\u300c\u5f15\u53f7\u300d\u4e0d\u540c,\u5b57\u7b26\u578b\u6ce8\u5165\u53ef\u4ee5\u5206\u4e3a:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- \n
\n- \u5355\u5f15\u53f7\u5b57\u7b26\u578b\u6ce8\u5165<\/li>\n
- \u53cc\u5f15\u53f7\u5b57\u7b26\u578b\u6ce8\u5165<\/li>\n
- \u5e26\u6709\u62ec\u53f7\u7684\u6ce8\u5165<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- \n
\n- \n
\n- SQL\u7684\u8bed\u6cd5,\u652f\u6301\u4f7f\u7528\u4e00\u4e2a\u6216\u591a\u4e2a\u300c\u62ec\u53f7\u300d\u5305\u88f9\u53c2\u6570,\u4f7f\u5f97\u8fd9\u4e24\u4e2a\u57fa\u7840\u7684\u6ce8\u5165\u7c7b\u578b\u5b58\u5728\u4e00\u4e9b\u53d8\u79cd\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- \n
\n- \n
\n- \n
\n- a. \u6570\u503c\u578b+\u62ec\u53f7\u7684\u6ce8\u5165:\u4f7f\u7528\u62ec\u53f7\u5305\u88f9\u6570\u503c\u578b\u53c2\u6570<\/li>\n
- b. \u5355\u5f15\u53f7\u5b57\u7b26\u4e32+\u62ec\u53f7\u7684\u6ce8\u5165:\u4f7f\u7528\u62ec\u53f7\u548c\u5355\u5f15\u53f7\u5305\u88f9\u53c2\u6570<\/li>\n
- c. \u53cc\u5f15\u53f7\u5b57\u7b26\u4e32+\u62ec\u53f7\u7684\u6ce8\u5165\u4f7f\u7528\u62ec\u53f7\u548c\u53cc\u5f15\u53f7\u5305\u88f9\u53c2\u6570<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- \u4e0d\u53ef\u76f4\u63a5\u62fc\u63a5\u7528\u6237\u8f93\u5165\u5230SQL\u67e5\u8be2\u4e2d,\u53ef\u80fd\u5bfc\u81f4\u903b\u8f91\u88ab\u7be1\u6539\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\u793a\u4f8b:
\nselect \\\\* from user where id = (1);
\n\/\/\u8fd9\u662f\u67e5\u8be2 user \u8868\u4e2did\u7b49\u4e8e1\u7684\u6240\u6709\u8bb0\u5f55\u3002
\n\u8fd9\u91cc\u7684 (1) \u662f\u5355\u503c\u5b50\u67e5\u8be2\u7684\u5199\u6cd5(\u867d\u7136\u8fd9\u91cc\u76f4\u63a5\u51991\u4e5f\u53ef\u4ee5),\u6700\u7ec8\u6548\u679c\u548c id = 1 \u4e00\u81f4\u3002<\/p>\n
select \\\\* from user where id = ((1));
\n\/\/\u548c\u7b2c\u4e00\u4e2a\u8bed\u53e5\u6548\u679c\u5b8c\u5168\u76f8\u540c,\u53ea\u662f\u591a\u5957\u4e86\u4e00\u5c42\u62ec\u53f7,SQL\u4f1a\u81ea\u52a8\u89e3\u6790\u62ec\u53f7\u5185\u7684\u5185\u5bb9,
\n\u6700\u7ec8\u8fd8\u662f\u67e5\u8be2 id=1 \u7684\u8bb0\u5f55\u3002<\/p>\n
select \\\\* from user where username = ('zhangsan');
\n\/\/\u67e5\u8be2 user \u8868\u4e2d**username\u7b49\u4e8e'zhangsan'**\u7684\u6240\u6709\u8bb0\u5f55\u3002
\n\u8fd9\u91cc 'zhangsan' \u662f\u5b57\u7b26\u4e32\u5e38\u91cf,\u5355\u5f15\u53f7\u662fSQL\u4e2d\u8868\u793a\u5b57\u7b26\u4e32\u7684\u6807\u51c6\u65b9\u5f0f\u3002<\/p>\n
select \\\\* from user where username = (('zhangsan'));
\n\/\/\u548c\u7b2c\u4e09\u4e2a\u8bed\u53e5\u6548\u679c\u4e00\u81f4,\u591a\u5957\u4e86\u62ec\u53f7\u4e0d\u5f71\u54cd\u7ed3\u679c,\u4f9d\u7136\u662f\u67e5\u8be2username='zhangsan' \u7684\u8bb0\u5f55\u3002<\/p>\n
select \\\\* from user where username = ("zhangsan");
\n\/\/\u591a\u5957\u4e86\u62ec\u53f7\u4e0d\u5f71\u54cd\u7ed3\u679c,\u4f9d\u7136\u662f\u67e5\u8be2username="zhangsan" \u7684\u8bb0\u5f55 <\/p>\n
6.2.3. \u7b80\u5355\u6761\u4ef6\u6ce8\u5165<\/h5>\n\n- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
\n- \n
\n- \u5728\u5b57\u7b26\u4e32\u53c2\u6570\u540e\u6dfb\u52a0\u903b\u8f91\u8fd0\u7b97\u7b26(\u5982 OR\u3001AND)\u548c\u6052\u771f\/\u6052\u5047\u6761\u4ef6\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \u793a\u4f8b:<\/li>\n
- \u5047\u8bbe\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u6839\u636e\u7528\u6237\u8f93\u5165\u7684 name \u67e5\u8be2\u5458\u5de5\u4fe1\u606f:<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE name = 'Alice'; <\/p>\n
\u5982\u679c\u7528\u6237\u8f93\u5165 Alice,\u67e5\u8be2\u4f1a\u8fd4\u56de name='Alice' \u7684\u5458\u5de5\u4fe1\u606f\u3002<\/p>\n
\n- \n
\n- \u7528\u6237\u8f93\u5165:Alice' OR '1'='1<\/li>\n
- \u62fc\u63a5\u540e\u7684 SQL:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE name = 'Alice' OR '1'='1'; <\/p>\n
\n- \n
\n- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
\n- \n
\n- \u8fd4\u56de\u6240\u6709\u5458\u5de5\u7684\u4fe1\u606f\u3002\u3010\u539f\u7406\u540c\u6570\u503c\u578b,\u53ea\u4e0d\u8fc7\u6ce8\u610f'\u7684\u6709\u65e0\u3011<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.2.4. \u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/h5>\n\n- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
\n- \n
\n- \u4f7f\u7528 UNION \u5c06\u6076\u610f\u67e5\u8be2\u7ed3\u679c\u4e0e\u539f\u59cb\u67e5\u8be2\u7ed3\u679c\u5408\u5e76\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \u793a\u4f8b:<\/li>\n<\/ul>\n
\n- \n
\n- \u7528\u6237\u8f93\u5165:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Alice' UNION SELECT username, password FROM users —<\/p>\n
\n- \n
\n- \u62fc\u63a5\u540e\u7684 SQL:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE name = 'Alice'
\nUNION
\nSELECT username, password FROM users — '; <\/p>\n
\n- \n
\n- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\n- \n
4. SQL\u6ce8\u5165\u4e00\u822c\u6d41\u7a0b\u3010\u653b\u51fb\u3011<\/h3>\n
\u63a2\u6d4b\u2192\u5229\u7528\u2192\u6df1\u5ea6\u6e17\u900f<\/p>\n
1. \u6f0f\u6d1e\u63a2\u6d4b:\u5bfb\u627e\u6ce8\u5165\u70b9<\/h5>\n
\u653b\u51fb\u8005\u901a\u8fc7\u8f93\u5165\u6d4b\u8bd5\u5b57\u7b26\u5224\u65ad\u5e94\u7528\u662f\u5426\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e,\u5e38\u89c1\u65b9\u6cd5\u5305\u62ec:<\/p>\n
- \n
- \u5355\u5f15\u53f7\u6d4b\u8bd5:\u5728\u8f93\u5165\u6846(\u5982\u641c\u7d22\u6846\u3001URL\u53c2\u6570)\u4e2d\u8f93\u5165',\u82e5\u9875\u9762\u62a5\u9519(\u5982\u6570\u636e\u5e93\u9519\u8bef\u63d0\u793a)\u6216\u8fd4\u56de\u5f02\u5e38,\u8bf4\u660e\u8f93\u5165\u672a\u88ab\u8fc7\u6ee4,\u53ef\u80fd\u5b58\u5728\u6ce8\u5165\u70b9\u3002<\/li>\n
- \u5e03\u5c14\u76f2\u6ce8\u6d4b\u8bd5:\u8f93\u5165and 1=1(\u9875\u9762\u6b63\u5e38)\u548cand 1=2(\u9875\u9762\u5f02\u5e38),\u901a\u8fc7\u8fd4\u56de\u5dee\u5f02\u9a8c\u8bc1\u8f93\u5165\u662f\u5426\u5f71\u54cdSQL\u903b\u8f91(\u5982\u4f60\u4e4b\u524d\u63d0\u5230\u7684\u6848\u4f8b)\u3002<\/li>\n
- \u65f6\u95f4\u76f2\u6ce8\u6d4b\u8bd5:\u8f93\u5165and sleep(5),\u82e5\u9875\u9762\u52a0\u8f7d\u5ef6\u8fdf5\u79d2,\u8bf4\u660e\u6570\u636e\u5e93\u6267\u884c\u4e86\u6076\u610f\u4ee3\u7801,\u5b58\u5728\u6ce8\u5165\u70b9\u3002<\/li>\n<\/ul>\n
2. \u6f0f\u6d1e\u5229\u7528:\u83b7\u53d6\u6570\u636e\u6216\u6743\u9650<\/h5>\n
\u786e\u8ba4\u6ce8\u5165\u70b9\u540e,\u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u6076\u610fSQL\u5b9e\u73b0\u4e0d\u540c\u76ee\u6807:<\/p>\n
- \n
- \u83b7\u53d6\u9690\u85cf\u6570\u636e:\u901a\u8fc7OR 1=1\u6216UNION SELECT\u8bfb\u53d6\u654f\u611f\u6570\u636e\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
SELECT * FROM products WHERE category='Gifts' OR 1=1– <\/p>\n
\u5229\u7528OR 1=1\u8fd4\u56de\u6240\u6709\u5546\u54c1(\u5305\u62ec\u672a\u53d1\u5e03\u7684)\u3002<\/p>\n
- \n
- \u7ed5\u8fc7\u767b\u5f55\u9a8c\u8bc1:\u901a\u8fc7' OR '1'='1'–\u8df3\u8fc7\u5bc6\u7801\u68c0\u67e5\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE username='admin' OR '1'='1'–' AND password='xxx' <\/p>\n
\u76f4\u63a5\u767b\u5f55\u7ba1\u7406\u5458\u8d26\u6237\u3002<\/p>\n
- \n
- \u8bfb\u53d6\u6570\u636e\u5e93\u7ed3\u6784:\u901a\u8fc7UNION SELECT\u67e5\u8be2\u6570\u636e\u5e93\u7248\u672c\u3001\u8868\u540d\u7b49\u4fe1\u606f\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
' UNION SELECT version(), database()– <\/p>\n
3. \u6df1\u5ea6\u6e17\u900f:\u6269\u5927\u653b\u51fb\u8303\u56f4<\/h5>\n
\u82e5\u6743\u9650\u8db3\u591f,\u653b\u51fb\u8005\u53ef\u80fd\u8fdb\u4e00\u6b65:<\/p>\n
- \n
- \u7be1\u6539\u6216\u5220\u9664\u6570\u636e:\u901a\u8fc7UPDATE\u6216DROP\u8bed\u53e5\u7834\u574f\u6570\u636e\u5e93\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
'; DROP TABLE users– <\/p>\n
- \n
- \u6267\u884c\u7cfb\u7edf\u547d\u4ee4:\u5229\u7528\u6570\u636e\u5e93\u5b58\u50a8\u8fc7\u7a0b(\u5982MySQL\u7684xp_cmdshell)\u63a7\u5236\u670d\u52a1\u5668\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
'; EXEC xp_cmdshell 'whoami'– <\/p>\n
- \n
- \u6301\u4e45\u5316\u63a7\u5236:\u521b\u5efa\u540e\u95e8\u8d26\u6237\u6216\u690d\u5165\u6076\u610f\u811a\u672c,\u957f\u671f\u63a7\u5236\u7cfb\u7edf\u3002<\/li>\n<\/ul>\n
4. \u653b\u51fb\u7ed3\u675f:\u6e05\u7406\u75d5\u8ff9<\/h5>\n
\u653b\u51fb\u8005\u53ef\u80fd\u5220\u9664\u6570\u636e\u5e93\u65e5\u5fd7\u6216\u4fee\u6539\u8bbf\u95ee\u8bb0\u5f55,\u63a9\u76d6\u653b\u51fb\u884c\u4e3a\u3002<\/p>\n
5. SQL\u6ce8\u5165\u7684\u83b7\u53d6\u6570\u636e\u7684\u7b80\u5355\u6d41\u7a0b\u3010sqli-labs\u7684\u9898\u76ee\u3011<\/h3>\n
5.1. \u5224\u65ad\u6709\u65e0\u95ed\u5408 and 1=1 and 1=2<\/h4>\n
5.1.1. \u76ee\u7684<\/h5>\n
\u786e\u5b9a\u4f60\u7684 SQL \u8bed\u53e5\u662f\u88ab\u4ec0\u4e48\u7b26\u53f7\u201c\u5305\u56f4\u201d\u7684(\u6bd4\u5982\u5355\u5f15\u53f7 \u00a0'\u00a0\u3001\u53cc\u5f15\u53f7 \u00a0"\u00a0\u3001\u62ec\u53f7 \u00a0()\u00a0 \u7b49),\u8fd9\u4e00\u6b65\u662f SQL \u6ce8\u5165\u7684\u57fa\u7840\u524d\u63d0\u3002<\/p>\n
\u5728 SQL \u4e2d,\u201c\u95ed\u5408\u201d\u901a\u5e38\u6307\u7684\u662f\u4e00\u4e9b\u7279\u5b9a\u7684\u903b\u8f91\u6216\u8bed\u6cd5\u7ed3\u6784\u662f\u5426\u5b8c\u6574,\u4f8b\u5982\u62ec\u53f7\u662f\u5426\u5339\u914d\u3001\u4e8b\u52a1\u662f\u5426\u6b63\u786e\u63d0\u4ea4\u3001\u6761\u4ef6\u8bed\u53e5\u662f\u5426\u5b8c\u6574\u7b49\u3002<\/p>\n
5.1.2. \u64cd\u4f5c<\/h5>\n
\u6267\u884c\u4e24\u4e2a SQL \u7247\u6bb5:<\/p>\n
– \u7247\u6bb5 1:\u00a0and 1=1\u00a0<\/p>\n
– \u7247\u6bb5 2:\u00a0and 1=2\u00a0<\/p>\n
5.1.3. \u539f\u7406<\/h5>\n
– \u5f53\u6267\u884c \u00a0and 1=1\u00a0 \u65f6,\u56e0\u4e3a \u00a01=1\u00a0 \u662f\u201c\u6c38\u771f\u6761\u4ef6\u201d,\u5982\u679c\u7ed3\u679c\u548c\u4f60\u539f\u672c\u7684\u67e5\u8be2\u7ed3\u679c\u4e00\u6837,\u8bf4\u660e SQL \u8bed\u53e5\u7684\u95ed\u5408\u89c4\u5219\u662f\u7b26\u5408\u9884\u671f\u7684(\u6ca1\u6709\u56e0\u4e3a\u8bed\u6cd5\u9519\u8bef\u4e2d\u65ad)\u3002<\/p>\n
– \u5f53\u6267\u884c \u00a0and 1=2\u00a0 \u65f6,\u56e0\u4e3a \u00a01=2\u00a0 \u662f\u201c\u6c38\u5047\u6761\u4ef6\u201d,\u5982\u679c\u7ed3\u679c\u4e3a\u7a7a,\u8bf4\u660e SQL \u8bed\u53e5\u7684\u95ed\u5408\u89c4\u5219\u662f\u5bf9\u7684;\u53cd\u4e4b\u5982\u679c\u7ed3\u679c\u6ca1\u53d8\u5316,\u5c31\u9700\u8981\u6362\u5176\u4ed6\u65b9\u5f0f\u6d4b\u8bd5\u95ed\u5408\u7b26\u3002<\/p>\n
\u7ed3\u679c\u548c\u7b2c\u4e00\u4e2a\u4e00\u6837\u8bf4\u660e\u9700\u8981\u95ed\u5408,\u53cd\u4e4b\u65e0\u95ed\u5408 \u6709\u95ed\u5408\u5219\u9700\u8981\u7528\u5230 –+\u95ed\u5408<\/p>\n
\n
5.1.3.1. \u6ca1\u61c2?\u8be6\u7ec6<\/h6>\n
\u5e03\u5c14\u76f2\u6ce8\u539f\u7406:\u901a\u8fc7and 1=1\/and 1=2\u9a8c\u8bc1SQL\u6ce8\u5165\u6f0f\u6d1e<\/p>\n
\u8fd9\u79cd\u64cd\u4f5c\u5c5e\u4e8e\u5e03\u5c14\u76f2\u6ce8(Boolean-based Blind SQL Injection),\u6838\u5fc3\u662f\u901a\u8fc7\u6784\u9020\u771f\u5047\u6761\u4ef6\u6765\u5224\u65ad\u5e94\u7528\u662f\u5426\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002<\/p>\n
\u4ee5\u4e0b\u662f\u9010\u53e5\u89e3\u91ca:<\/p>\n
5.1.3.1.1. id=1 and 1=1:\u9a8c\u8bc1\u6ce8\u5165\u70b9\u662f\u5426\u5b58\u5728<\/h6>\n
\u6b63\u5e38\u67e5\u8be2:select * from users where id=1 \u2192 \u8fd4\u56deid=1\u7684\u7528\u6237\u6570\u636e\u3002<\/p>\n
\u6ce8\u5165\u540e\u67e5\u8be2:select * from users where id=1 and 1=1 \u2192 \u7531\u4e8e1=1\u6052\u4e3a\u771f,\u6574\u4e2a\u6761\u4ef6\u7b49\u4ef7\u4e8eid=1,\u8fd4\u56de\u7ed3\u679c\u4e0e\u6b63\u5e38\u67e5\u8be2\u4e00\u81f4\u3002<\/p>\n
\u653b\u51fb\u8005\u610f\u56fe:\u5982\u679c\u9875\u9762\u8fd4\u56de\u6b63\u5e38(\u663e\u793aid=1\u7684\u5185\u5bb9),\u8bf4\u660e\u5e94\u7528\u672a\u8fc7\u6ee4and\u7b49SQL\u5173\u952e\u5b57,\u8f93\u5165\u7684and 1=1\u88ab\u6570\u636e\u5e93\u5f53\u4f5c\u5408\u6cd5\u903b\u8f91\u6267\u884c,\u5b58\u5728\u6ce8\u5165\u6f0f\u6d1e\u3002<\/p>\n
5.1.3.1.2. id=1 and 1=2:\u786e\u8ba4\u8f93\u5165\u5f71\u54cd\u67e5\u8be2\u903b\u8f91<\/h6>\n
\u6b63\u5e38\u67e5\u8be2:select * from users where id=1 \u2192 \u8fd4\u56deid=1\u7684\u7528\u6237\u6570\u636e\u3002<\/p>\n
\u6ce8\u5165\u540e\u67e5\u8be2:select * from users where id=1 and 1=2 \u2192 \u7531\u4e8e1=2\u6052\u4e3a\u5047,\u6574\u4e2a\u6761\u4ef6\u7b49\u4ef7\u4e8efalse,\u8fd4\u56de\u7ed3\u679c\u4e3a\u7a7a\u6216\u9519\u8bef\u9875\u9762(\u4e0e\u6b63\u5e38\u67e5\u8be2\u4e0d\u540c)\u3002<\/p>\n
\u653b\u51fb\u8005\u610f\u56fe:\u5982\u679c\u9875\u9762\u8fd4\u56de\u5f02\u5e38(\u5982\u7a7a\u767d\u3001\u62a5\u9519),\u8bf4\u660e\u8f93\u5165\u7684and 1=2\u786e\u5b9e\u6539\u53d8\u4e86\u67e5\u8be2\u7ed3\u679c,\u8bc1\u660e\u7528\u6237\u8f93\u5165\u76f4\u63a5\u53c2\u4e0e\u4e86SQL\u903b\u8f91\u6267\u884c,\u6f0f\u6d1e\u5b58\u5728\u3002<\/p>\n
5.1.3.1.3. \u4e3a\u4ec0\u4e48\u8fd9\u80fd\u9a8c\u8bc1\u6f0f\u6d1e?<\/h6>\n
\u6838\u5fc3\u903b\u8f91:<\/p>\n
SQL\u6ce8\u5165\u7684\u672c\u8d28\u662f\u7528\u6237\u8f93\u5165\u88ab\u5f53\u4f5cSQL\u4ee3\u7801\u6267\u884c\u3002\u5982\u679c\u5e94\u7528\u5bf9\u8f93\u5165\u505a\u4e86\u8fc7\u6ee4(\u5982\u8f6c\u4e49and\u3001=\u7b49\u5b57\u7b26),\u90a3\u4e48id=1 and 1=1\u4f1a\u88ab\u5f53\u4f5c\u666e\u901a\u5b57\u7b26\u4e32\u5904\u7406(\u5982id='1 and 1=1'),\u67e5\u8be2\u7ed3\u679c\u4f1a\u662f\u7a7a(\u56e0\u4e3a\u6ca1\u6709id\u7b49\u4e8e\u201c1 and 1=1\u201d\u7684\u7528\u6237)\u3002<\/p>\n
\u5bf9\u6bd4\u7ed3\u679c:<\/p>\n
\u82e5and 1=1\u8fd4\u56de\u6b63\u5e38 \u2192 \u8f93\u5165\u672a\u8fc7\u6ee4,\u6f0f\u6d1e\u5b58\u5728\u3002<\/p>\n
\u82e5and 1=2\u8fd4\u56de\u5f02\u5e38 \u2192 \u8f93\u5165\u5f71\u54cd\u4e86SQL\u903b\u8f91,\u6f0f\u6d1e\u5b58\u5728\u3002<\/p>\n
\u603b\u7ed3:\u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u771f\u5047\u6761\u4ef6,\u89c2\u5bdf\u9875\u9762\u8fd4\u56de\u5dee\u5f02,\u6765\u5224\u65ad\u5e94\u7528\u662f\u5426\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fd9\u79cd\u65b9\u6cd5\u65e0\u9700\u83b7\u53d6\u5177\u4f53\u6570\u636e,\u4ec5\u901a\u8fc7\u201c\u662f\/\u5426\u201d\u7684\u5e03\u5c14\u7ed3\u679c\u5c31\u80fd\u9a8c\u8bc1\u6f0f\u6d1e,\u662f\u76f2\u6ce8\u4e2d\u6700\u57fa\u7840\u7684\u6280\u5de7\u3002\u3002<\/p>\n
5.1.4. \u5224\u65ad\u201c\u6709\u65e0\u95ed\u5408\u201d\u7684\u573a\u666f<\/h5>\n
5.1.4.1. \u5224\u65ad\u62ec\u53f7\u662f\u5426\u95ed\u5408<\/h6>\n
SQL \u67e5\u8be2\u4e2d\u7ecf\u5e38\u4f7f\u7528\u62ec\u53f7\u6765\u5b9a\u4e49\u4f18\u5148\u7ea7(\u5982 WHERE \u5b50\u53e5\u4e2d\u7684\u6761\u4ef6)\u6216\u7ec4\u7ec7\u590d\u6742\u67e5\u8be2(\u5982\u5b50\u67e5\u8be2)\u3002<\/p>\n
\u5982\u679c\u62ec\u53f7\u6ca1\u6709\u6b63\u786e\u95ed\u5408,\u4f1a\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef\u3002<\/p>\n
\u5de6\u53f3\u62ec\u53f7\u6570\u91cf\u5fc5\u987b\u76f8\u7b49,\u4e14\u5de6\u62ec\u53f7\u5728\u524d\u3001\u53f3\u62ec\u53f7\u5728\u540e<\/p>\n
SELECT *
\nFROM employees
\nWHERE (department_id = 3 AND salary > 5000;<\/p>\n\/\/\u95ee\u9898:
\n\u5de6\u62ec\u53f7 ( \u6ca1\u6709\u5bf9\u5e94\u7684\u53f3\u62ec\u53f7 )\u3002
\n\/\/\u89e3\u51b3\u65b9\u6cd5:
\n\u786e\u4fdd\u6bcf\u4e2a\u5de6\u62ec\u53f7\u90fd\u6709\u5bf9\u5e94\u7684\u53f3\u62ec\u53f7\u3002
\n\/\/\u5de5\u5177\u8f85\u52a9:
\n\u4f7f\u7528 SQL \u7f16\u8f91\u5668(\u5982 MySQL Workbench\u3001DBeaver \u7b49),
\n\u5b83\u4eec\u901a\u5e38\u4f1a\u9ad8\u4eae\u663e\u793a\u5339\u914d\u7684\u62ec\u53f7,\u5e2e\u52a9\u53d1\u73b0\u672a\u95ed\u5408\u7684\u62ec\u53f7\u3002 <\/p>\n5.1.4.2. \u5224\u65ad\u4e8b\u52a1\u662f\u5426\u95ed\u5408<\/h6>\n
\u4e8b\u52a1(Transaction)\u662f\u6570\u636e\u5e93\u64cd\u4f5c\u7684\u4e00\u4e2a\u91cd\u8981\u6982\u5ff5\u3002<\/p>\n
\u5982\u679c\u4e8b\u52a1\u6ca1\u6709\u6b63\u786e\u63d0\u4ea4(COMMIT)\u6216\u56de\u6eda(ROLLBACK),\u53ef\u80fd\u4f1a\u5bfc\u81f4\u6570\u636e\u4e0d\u4e00\u81f4\u6216\u9501\u8868\u95ee\u9898\u3002<\/p>\n
START TRANSACTION;<\/p>\n
— \u6267\u884c\u4e00\u7cfb\u5217\u64cd\u4f5c
\nUPDATE accounts SET balance = balance – 100 WHERE id = 1;
\nUPDATE accounts SET balance = balance + 100 WHERE id = 2;<\/p>\n— \u63d0\u4ea4\u4e8b\u52a1
\nCOMMIT; <\/p>\n- \n
- MySQL:<\/li>\n<\/ul>\n
— \u67e5\u770b\u6240\u6709\u672a\u63d0\u4ea4\u7684\u4e8b\u52a1(\u5305\u542b\u4e8b\u52a1ID\u3001\u72b6\u6001\u3001\u6267\u884c\u65f6\u95f4\u7b49)
\nSELECT * FROM INFORMATION_SCHEMA.INNODB_TRX; <\/p>\n- \n
- \n
- \n
- \u82e5\u7ed3\u679c\u4e3a\u7a7a \u2192 \u65e0\u672a\u95ed\u5408\u4e8b\u52a1;<\/li>\n
- \u82e5\u7ed3\u679c\u4e0d\u4e3a\u7a7a \u2192 \u5b58\u5728\u672a\u63d0\u4ea4\/\u56de\u6eda\u7684\u4e8b\u52a1(\u9700\u624b\u52a8COMMIT\u6216ROLLBACK)\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
5.1.4.3. \u5224\u65ad\u6761\u4ef6\u8bed\u53e5\u662f\u5426\u95ed\u5408<\/h6>\n
- \n
- \u5173\u952e\u5b57\u914d\u5bf9:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- CASE WHEN\u5fc5\u987b\u6709END(\u5982CASE WHEN id>10 THEN '\u5927' ELSE '\u5c0f' END);<\/li>\n
- IN\u540e\u7684\u62ec\u53f7\u9700\u95ed\u5408(\u5982id IN (1,2,3),\u800c\u975eid IN (1,2,3);<\/li>\n
- BETWEEN\u9700\u4e0eAND\u914d\u5bf9(\u5982age BETWEEN 18 AND 30,\u800c\u975eage BETWEEN 18)\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u7b26\u53f7\u95ed\u5408:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u5b57\u7b26\u4e32\u9700\u7528\u5355\u5f15\u53f7\/\u53cc\u5f15\u53f7\u95ed\u5408(\u5982name='\u5f20\u4e09',\u800c\u975ename='\u5f20\u4e09);<\/li>\n
- \u62ec\u53f7\u9700\u6210\u5bf9(\u5982WHERE (id>10 AND name='a'),\u800c\u975eWHERE (id>10 AND name='a')\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SQL \u4e2d\u7684\u6761\u4ef6\u8bed\u53e5(\u5982 CASE\u3001IF)\u9700\u8981\u6b63\u786e\u7684\u95ed\u5408,\u5426\u5219\u4f1a\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef\u3002<\/p>\n
SELECT employee_id,
\n CASE
\n WHEN department_id = 1 THEN 'HR'
\n WHEN department_id = 2 THEN 'Finance'
\n END AS department_name
\nFROM employees;<\/p>\n\/\/\u786e\u4fdd\u6bcf\u4e2a CASE \u8bed\u53e5\u90fd\u4ee5 END \u7ed3\u675f\u3002 <\/p>\n
5.1.4.4. \u5224\u65ad\u5b57\u7b26\u4e32\u662f\u5426\u95ed\u5408<\/h6>\n
\u65ad\u5b57\u7b26\u4e32\u662f\u5426\u95ed\u5408,\u6838\u5fc3\u662f\u68c0\u67e5\u8d77\u6b62\u5f15\u53f7\u662f\u5426\u4e00\u81f4\u4e14\u6210\u5bf9<\/p>\n
SQL \u67e5\u8be2\u4e2d\u4f7f\u7528\u7684\u5b57\u7b26\u4e32\u9700\u8981\u7528\u5f15\u53f7(\u5355\u5f15\u53f7 ' \u6216\u53cc\u5f15\u53f7 ")\u5305\u88f9\u3002\u5982\u679c\u5f15\u53f7\u6ca1\u6709\u6b63\u786e\u95ed\u5408,\u4f1a\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef\u3002<\/p>\n
\u82e5\u5b57\u7b26\u4e32\u672a\u95ed\u5408,SQL\u6267\u884c\u65f6\u4f1a\u8fd4\u56de\u8bed\u6cd5\u9519\u8bef:<\/p>\n
- \n
- MySQL\u62a5\u9519:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near…;<\/li>\n<\/ul>\n
SELECT *
\nFROM employees
\nWHERE name = 'Alice'; <\/p>\n5.1.4.5. \u5224\u65ad\u6ce8\u91ca\u662f\u5426\u95ed\u5408<\/h6>\n
SQL \u652f\u6301\u4e24\u79cd\u6ce8\u91ca\u98ce\u683c:<\/p>\n
- \u5355\u884c\u6ce8\u91ca:– \u6ce8\u91ca\u5185\u5bb9<\/li>\n
- \u591a\u884c\u6ce8\u91ca:\/* \u6ce8\u91ca\u5185\u5bb9 *\/<\/li>\n
\u5982\u679c\u591a\u884c\u6ce8\u91ca\u672a\u6b63\u786e\u95ed\u5408,\u53ef\u80fd\u4f1a\u5bfc\u81f4\u540e\u7eed\u4ee3\u7801\u88ab\u5ffd\u7565\u3002<\/p>\n
SELECT *
\nFROM employees
\n\/* WHERE department_id = 1 *\/ <\/p>\n5.1.4.6. \u603b\u7ed3<\/h6>\n
\u5224\u65ad SQL \u662f\u5426\u201c\u95ed\u5408\u201d\u53ef\u4ee5\u4ece\u4ee5\u4e0b\u51e0\u4e2a\u65b9\u9762\u5165\u624b:<\/p>\n
- \u62ec\u53f7\u95ed\u5408:<\/li>\n
- \n
- \n
- \n
- \u786e\u4fdd\u6bcf\u4e2a\u5de6\u62ec\u53f7 ( \u90fd\u6709\u5bf9\u5e94\u7684\u53f3\u62ec\u53f7 )\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \u4e8b\u52a1\u95ed\u5408:<\/li>\n
- \n
- \n
- \n
- \u786e\u4fdd\u6bcf\u4e2a\u4e8b\u52a1\u4ee5 COMMIT \u6216 ROLLBACK \u7ed3\u675f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \u6761\u4ef6\u8bed\u53e5\u95ed\u5408:<\/li>\n
- \n
- \n
- \n
- \u786e\u4fdd CASE\u3001IF \u7b49\u8bed\u53e5\u4ee5\u6b63\u786e\u7684\u5173\u952e\u5b57(\u5982 END)\u7ed3\u675f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \u5b57\u7b26\u4e32\u95ed\u5408:<\/li>\n
- \n
- \n
- \n
- \u786e\u4fdd\u6bcf\u4e2a\u5b57\u7b26\u4e32\u90fd\u4ee5\u5339\u914d\u7684\u5f15\u53f7\u7ed3\u675f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \u6ce8\u91ca\u95ed\u5408:<\/li>\n
- \n
- \n
- \n
- \u786e\u4fdd\u591a\u884c\u6ce8\u91ca\u4ee5 *\/ \u7ed3\u675f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
5.2. \u731c\u89e3\u5b57\u6bb5 order by 10<\/h4>\n
\u63a2\u6d4b\u76ee\u6807\u8868\u7684\u5b57\u6bb5\u6570\u91cf<\/p>\n
– \u00a0order by n\u00a0 \u7528\u4e8e\u5bf9\u7b2c\u00a0n\u00a0\u4e2a\u5b57\u6bb5\u6392\u5e8f,\u82e5\u00a0n\u00a0\u8d85\u8fc7\u8868\u7684\u5b9e\u9645\u5b57\u6bb5\u6570,\u4f1a\u62a5\u9519;<\/p>\n
– \u7528\u4e8c\u5206\u6cd5(\u5982\u5148\u8bd5\u00a0order by 10\u00a0,\u518d\u6839\u636e\u662f\u5426\u62a5\u9519\u8c03\u6574\u6570\u503c)\u53ef\u5feb\u901f\u786e\u5b9a\u8868\u7684\u5b57\u6bb5\u603b\u6570\u3002<\/p>\n
5.3. \u5224\u65ad\u6570\u636e\u56de\u663e\u4f4d\u7f6e -1 union select 1,2,3,4,5….<\/h4>\n
\/\/-1\u00a0 \u662f\u4e3a\u4e86\u8ba9\u524d\u534a\u6bb5\u67e5\u8be2\u7ed3\u679c\u4e3a\u7a7a,\u786e\u4fdd\u53ea\u663e\u793a \u00a0union select\u00a0 \u540e\u7684\u7ed3\u679c;<\/p>\n
– \u4f9d\u6b21\u6784\u9020 \u00a0select 1,2,3…\u00a0,\u89c2\u5bdf\u9875\u9762\u4e0a\u663e\u793a\u7684\u6570\u5b57\u4f4d\u7f6e,\u8fd9\u4e9b\u4f4d\u7f6e\u5c31\u662f\u53ef\u5229\u7528\u7684\u56de\u663e\u5b57\u6bb5\u3002\u53c2\u6570\u7b49\u53f7\u540e\u9762\u52a0-\u8868\u793a\u4e0d\u663e\u793a\u5f53\u524d\u6570\u636e<\/p>\n
\u786e\u5b9a\u54ea\u4e9b\u5b57\u6bb5\u4f1a\u5728\u9875\u9762\u4e0a\u663e\u793a<\/p>\n
5.4. \u83b7\u53d6\u5f53\u524d\u6570\u636e\u5e93\u540d\u3001\u7528\u6237\u3001\u7248\u672c ,\u83b7\u53d6\u5168\u90e8\u6570\u636e\u5e93\u540d<\/h4>\n
\u6536\u96c6\u6570\u636e\u5e93\u7684\u57fa\u7840\u4fe1\u606f<\/p>\n
eg.\u00a0union select database(), user(), version(),…\u00a0<\/p>\n
union select group_concat(schema_name) from information_schema.schemata,…\u00a0<\/p>\n
5\u3001\u83b7\u53d6\u8868\u540d<\/h5>\n
\u5b9a\u4f4d\u76ee\u6807\u6570\u636e\u5e93\u4e2d\u7684\u8868\u7ed3\u6784\u3002<\/p>\n
select group_concat(table_name) from information_schema.tables where table_schema= '\u5e93\u540d'<\/p>\n
6\u3001\u83b7\u53d6\u5b57\u6bb5\u540d<\/h5>\n
\u660e\u786e\u76ee\u6807\u8868\u7684\u5217\u4fe1\u606f<\/p>\n
select group_concat(column_name) from information_schema.columns where table_schema= '\u5e93\u540d' and table_name='\u8868\u540d'<\/p>\n
7\u3001\u83b7\u53d6\u6570\u636e union select 1,2,(select group_concat(\u5b57\u6bb51,\u5b57\u6bb52)from \u5e93\u540d.\u8868\u540d<\/h5>\n
\u6700\u7ec8\u63d0\u53d6\u76ee\u6807\u6570\u636e<\/p>\n
\u901a\u8fc7 \u00a0group_concat\u00a0 \u628a\u5b57\u6bb5\u5185\u5bb9\u62fc\u63a5\u6210\u5b57\u7b26\u4e32,\u5728\u56de\u663e\u4f4d\u4e0a\u663e\u793a,\u4ece\u800c\u83b7\u53d6\u8868\u4e2d\u7684\u5177\u4f53\u6570\u636e(\u5982\u7528\u6237\u8d26\u53f7\u3001\u5bc6\u7801\u7b49\u654f\u611f\u4fe1\u606f)\u3002<\/p>\n
6. \u6ce8\u5165\u7684\u7c7b\u578b<\/h3>\n<\/p>\n
<\/p>\n\u76ee\u524d\u5e94\u8be5\u5c31\u5b66\u4e86\u8fd9\u4e9b,,\u53ef\u80fd\u540e\u9762\u4f1a\u8865\u5145\u3002<\/p>\n
\u672c\u4eba\u5229\u7528\u7684\u662fsqli-labs\u7684\u9776\u573a,\u53ef\u4ee5\u53bbGithub\u4e0a\u9762\u627e\u6e90\u4ee3\u7801\u5230\u5c0f\u76ae\u4e0a\u9762,\u5373\u53ef<\/p>\n
6.1. \u6570\u503c\u578b\u6ce8\u5165<\/h4>\n
6.1.1. \u6838\u5fc3\u5b9a\u4e49:\u4ec0\u4e48\u662f\u6570\u503c\u578b\u6ce8\u5165?<\/h5>\n
\u6570\u503c\u578b\u6ce8\u5165\u662fSQL\u6ce8\u5165\u7684\u4e00\u79cd\u5e38\u89c1\u7c7b\u578b,\u53d1\u751f\u5728\u53c2\u6570\u4e3a\u6570\u503c\u7c7b\u578b(\u5982\u6574\u6570\u3001\u6d6e\u70b9\u6570)\u7684\u573a\u666f\u4e2d\u3002<\/p>\n
\u5176\u6838\u5fc3\u7279\u5f81\u662f:<\/p>\n
- \n
- \u540e\u53f0SQL\u8bed\u53e5\u4e2d,\u53c2\u6570\u76f4\u63a5\u4f5c\u4e3a\u6570\u503c\u4f7f\u7528,\u65e0\u9700\u5355\u5f15\u53f7\/\u53cc\u5f15\u53f7\u5305\u88f9(\u533a\u522b\u4e8e\u5b57\u7b26\u578b\u6ce8\u5165)\u3002<\/li>\n
- \u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u7279\u6b8a\u6570\u503c,\u4fee\u6539\u539f\u6709SQL\u7684\u903b\u8f91,\u5b9e\u73b0\u672a\u6388\u6743\u7684\u6570\u636e\u67e5\u8be2\u6216\u64cd\u4f5c\u3002<\/li>\n
- \u524d\u53f0\u9875\u9762\u8f93\u5165\u7684\u53c2\u6570\u662f\u300c\u6570\u5b57\u300d\u3002<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u5199\u5165and1=1 \u4e0eand1=2\u56de\u663e\u4e0d\u76f8\u540c\u8bf4\u660e\u540e\u9762\u7684and1=1\u548cand1=2\u5bf9\u7f51\u9875\u9020\u6210\u4e86\u5f71\u54cd,\u5224\u65ad\u4e3a\u6570\u503c\u578b<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.1.2. \u5173\u952e\u7279\u5f81\u4e0e\u5224\u65ad\u65b9\u6cd5<\/h5>\n
6.1.2.1. \u5178\u578b\u573a\u666f<\/h6>\n
\u5e38\u89c1\u4e8e\u6309ID\u67e5\u8be2\u7684\u529f\u80fd(\u5982\u6587\u7ae0\u8be6\u60c5\u3001\u7528\u6237\u4fe1\u606f),\u540e\u53f0SQL\u683c\u5f0f\u901a\u5e38\u4e3a:<\/p>\n
SELECT * FROM users WHERE id = [\u7528\u6237\u8f93\u5165] — \u4f8b\u5982:id=1 <\/p>\n
6.1.2.2. \u5224\u65ad\u65b9\u6cd5(\u5b9e\u6218\u6b65\u9aa4)<\/h6>\n
\u901a\u8fc7\u6784\u9020\u6052\u771f\/\u6052\u5047\u6761\u4ef6,\u89c2\u5bdf\u9875\u9762\u54cd\u5e94\u5dee\u5f02,\u5373\u53ef\u5224\u65ad\u662f\u5426\u5b58\u5728\u6570\u503c\u578b\u6ce8\u5165:<\/p>\n
- \n
- \u6b65\u9aa41:\u6052\u771f\u6761\u4ef6\u6d4b\u8bd5 \u8f93\u5165 id=1 AND 1=1,\u82e5\u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0e\u539f\u8bf7\u6c42id=1\u4e00\u81f4),\u8bf4\u660e\u6ce8\u5165\u7684\u6761\u4ef6\u88ab\u6570\u636e\u5e93\u6267\u884c,\u4e14\u7ed3\u679c\u4e3a\u771f\u3002 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE id = 1 AND 1=1 — \u6761\u4ef6\u6c38\u8fdc\u6210\u7acb,\u8fd4\u56de\u6240\u6709id=1\u7684\u7ed3\u679c <\/p>\n
- \n
- \u6b65\u9aa42:\u6052\u5047\u6761\u4ef6\u6d4b\u8bd5 \u8f93\u5165 id=1 AND 1=2,\u82e5\u9875\u9762\u5f02\u5e38\u663e\u793a(\u7a7a\u767d\u3001\u62a5\u9519\u6216\u65e0\u6570\u636e),\u8bf4\u660e\u6ce8\u5165\u7684\u6761\u4ef6\u88ab\u6267\u884c\u4e3a\u5047,\u5b58\u5728\u6ce8\u5165\u70b9\u3002 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE id = 1 AND 1=2 — \u6761\u4ef6\u6c38\u8fdc\u4e0d\u6210\u7acb,\u65e0\u7ed3\u679c\u8fd4\u56de <\/p>\n
- \n
- \u6b65\u9aa43:\u5355\u5f15\u53f7\u6d4b\u8bd5(\u8f85\u52a9\u9a8c\u8bc1) \u8f93\u5165 id=1',\u82e5\u9875\u9762\u62a5\u9519(\u5982SQL syntax error),\u8fdb\u4e00\u6b65\u786e\u8ba4\u662f\u6570\u503c\u578b\u6ce8\u5165(\u56e0\u4e3a\u6570\u503c\u578b\u53c2\u6570\u65e0\u9700\u5355\u5f15\u53f7,\u591a\u4f59\u7684\u5355\u5f15\u53f7\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef)\u3002<\/li>\n<\/ul>\n
6.1.2.3. \u5b9e\u6218\u6848\u4f8b:\u4ece\u5224\u65ad\u5230\u6570\u636e\u83b7\u53d6<\/h6>\n
\u4ee5SQLi-Labs\u9776\u573aLess-2(\u6570\u503c\u578b\u6ce8\u5165\u7ecf\u5178\u573a\u666f)\u4e3a\u4f8b:<\/p>\n
6.1.2.3.1. \u73af\u5883\u51c6\u5907<\/h6>\n
- \n
- \u9776\u573aURL:http:\/\/localhost\/sqli-labs\/Less-2\/?id=1<\/li>\n
- \u540e\u53f0SQL:SELECT * FROM users WHERE id = $_GET['id']<\/li>\n<\/ul>\n
6.1.2.3.2. \u6ce8\u5165\u8fc7\u7a0b<\/h6>\n
- \n
- \u5224\u65ad\u6ce8\u5165\u70b9: \u8f93\u5165 id=1 AND 1=1 \u2192 \u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0eid=1\u4e00\u81f4); \u8f93\u5165 id=1 AND 1=2 \u2192 \u9875\u9762\u7a7a\u767d(\u65e0\u6570\u636e),\u786e\u8ba4\u5b58\u5728\u6570\u503c\u578b\u6ce8\u5165\u3002<\/li>\n
- \u83b7\u53d6\u6570\u636e\u5e93\u4fe1\u606f: \u6784\u9020\u6ce8\u5165\u8bed\u53e5,\u67e5\u8be2\u6570\u636e\u5e93\u540d:<\/li>\n<\/ul>\n
id=1 UNION SELECT 1, database(), 3 — \u5047\u8bbeusers\u8868\u67093\u4e2a\u5b57\u6bb5 <\/p>\n
\u6b64\u65f6SQL\u53d8\u4e3a:<\/p>\n
SELECT * FROM users WHERE id = 1 UNION SELECT 1, database(), 3 <\/p>\n
\u9875\u9762\u4f1a\u8fd4\u56de\u5f53\u524d\u6570\u636e\u5e93\u540d(\u5982security)\u3002<\/p>\n
- \n
- \u83b7\u53d6\u8868\u540d: \u8fdb\u4e00\u6b65\u67e5\u8be2\u6570\u636e\u5e93\u4e2d\u7684\u8868:<\/li>\n<\/ul>\n
id=1 UNION SELECT 1, group_concat(table_name), 3 FROM information_schema.tables WHERE table_schema=database() <\/p>\n
\u7ed3\u679c\u4f1a\u8fd4\u56de\u6240\u6709\u8868\u540d(\u5982users\u3001emails\u7b49)\u3002<\/p>\n
6.1.2.4. \u9632\u5fa1\u5efa\u8bae<\/h6>\n
- \n
- \u53c2\u6570\u7c7b\u578b\u6821\u9a8c:\u5bf9\u6570\u503c\u578b\u53c2\u6570\u5f3a\u5236\u8f6c\u6362\u4e3a\u6574\u6570(\u5982PHP\u4e2d\u7528intval());<\/li>\n
- \u4f7f\u7528\u9884\u7f16\u8bd1\u8bed\u53e5:\u5982PDO\u6216MyBatis\u7684\u53c2\u6570\u7ed1\u5b9a,\u907f\u514d\u76f4\u63a5\u62fc\u63a5SQL;<\/li>\n
- \u6700\u5c0f\u6743\u9650\u539f\u5219:\u6570\u636e\u5e93\u7528\u6237\u4ec5\u6388\u4e88\u5fc5\u8981\u6743\u9650(\u5982\u7981\u6b62FILE\u3001ALTER\u7b49\u9ad8\u5371\u64cd\u4f5c)\u3002<\/li>\n<\/ul>\n
6.1.2.5. \u4e00\u53e5\u8bdd\u603b\u7ed3<\/h6>\n
\u6570\u503c\u578b\u6ce8\u5165\u662f\u5229\u7528\u6570\u503c\u578b\u53c2\u6570\u65e0\u5f15\u53f7\u5305\u88f9\u7684\u7279\u6027,\u901a\u8fc7\u6784\u9020\u903b\u8f91\u6761\u4ef6\u4fee\u6539SQL\u8bed\u53e5,<\/p>\n
\u6838\u5fc3\u5224\u65ad\u65b9\u6cd5\u662f1 AND 1=1(\u6b63\u5e38)+ 1 AND 1=2(\u5f02\u5e38),\u5b9e\u6218\u4e2d\u53ef\u7ed3\u5408\u8054\u5408\u67e5\u8be2\u83b7\u53d6\u654f\u611f\u6570\u636e\u3002 🛡\ufe0f<\/p>\n
6.1.3. \u7b80\u5355\u6761\u4ef6\u6ce8\u5165<\/h5>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u5728\u6570\u503c\u53c2\u6570\u540e\u6dfb\u52a0\u903b\u8f91\u8fd0\u7b97\u7b26(\u5982 OR\u3001AND)\u548c\u6052\u771f\/\u6052\u5047\u6761\u4ef6\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u793a\u4f8b:<\/li>\n<\/ul>\n
\u6b63\u5e38\u7684 SQL \u67e5\u8be2<\/p>\n
\u5047\u8bbe\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u6839\u636e\u7528\u6237\u8f93\u5165\u7684 id \u67e5\u8be2\u5458\u5de5\u4fe1\u606f:<\/p>\n
SELECT * FROM employees WHERE id = 1; <\/p>\n
\u5982\u679c\u7528\u6237\u8f93\u5165 1,\u67e5\u8be2\u4f1a\u8fd4\u56de id=1 \u7684\u5458\u5de5\u4fe1\u606f\u3002<\/p>\n
\u6ce8\u5165\u540e\u7684 SQL \u67e5\u8be2<\/p>\n
\u5982\u679c\u653b\u51fb\u8005\u8f93\u5165\u6076\u610f\u7684\u6570\u503c(\u5982 1 OR 1=1),\u67e5\u8be2\u53ef\u80fd\u53d8\u6210:<\/p>\n
SELECT * FROM employees WHERE id = 1 OR 1=1; <\/p>\n
- \n
- \u89e3\u91ca:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u6761\u4ef6 1=1 \u59cb\u7ec8\u4e3a\u771f,\u5bfc\u81f4\u67e5\u8be2\u8fd4\u56de\u6240\u6709\u5458\u5de5\u7684\u4fe1\u606f\u3002<\/li>\n
- \u8fd9\u79cd\u6ce8\u5165\u53ef\u4ee5\u7528\u4e8e\u6570\u636e\u6cc4\u9732\u6216\u6743\u9650\u7ed5\u8fc7\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\u3010\u7528or \u53ea\u8981\u6ee1\u8db3\u5176\u4e00\u5373\u53ef,\u53c81=1\u6c38\u8fdc\u6210\u7acb,\u6240\u4ee5id=1\u8fd9\u4e00\u6761\u4ef6\u4f1a\u88ab\u5ffd\u7565\u3011<\/p>\n
6.1.4. \u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/h5>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u4f7f\u7528 UNION \u5c06\u6076\u610f\u67e5\u8be2\u7ed3\u679c\u4e0e\u539f\u59cb\u67e5\u8be2\u7ed3\u679c\u5408\u5e76\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u793a\u4f8b:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u7528\u6237\u8f93\u5165:1 UNION SELECT username, password FROM users<\/li>\n
- \u62fc\u63a5\u540e\u7684 SQL:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE id = 1
\nUNION
\nSELECT username, password FROM users; <\/p>\n- \n
- \n
- \n
- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \n
- \n
- \u8fd4\u56de\u5458\u5de5\u4fe1\u606f\u7684\u540c\u65f6,\u8fd8\u6cc4\u9732\u4e86\u7528\u6237\u7684\u7528\u6237\u540d\u548c\u5bc6\u7801\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.1.5. \u5b50\u67e5\u8be2\u6ce8\u5165<\/h5>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u5728\u6570\u503c\u53c2\u6570\u4e2d\u5d4c\u5957\u5b50\u67e5\u8be2,\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u793a\u4f8b:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u7528\u6237\u8f93\u5165:1 AND (SELECT COUNT(*) FROM users) > 0<\/li>\n
- \u62fc\u63a5\u540e\u7684 SQL:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE id = 1 AND (SELECT COUNT(*) FROM users) > 0;<\/p>\n
— \u67e5\u8be2employees\u8868\u4e2did=1\u7684\u5458\u5de5\u6570\u636e,\u4f46\u4ec5\u5f53users\u8868\u4e2d\u5b58\u5728\u81f3\u5c111\u6761\u8bb0\u5f55\u65f6\u624d\u8fd4\u56de\u7ed3\u679c\u3002 <\/p>\n
- \n
- \n
- \n
- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \n
- \n
- \u9a8c\u8bc1 users \u8868\u662f\u5426\u5b58\u5728,\u5e76\u5c1d\u8bd5\u83b7\u53d6\u66f4\u591a\u4fe1\u606f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.1.6. \u603b\u7ed3<\/h5>\n
- \n
- \u6570\u503c\u578b\u6ce8\u5165\u7684\u7279\u70b9:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u53c2\u6570\u4e3a\u6570\u503c\u578b,\u65e0\u9700\u5f15\u53f7\u5305\u88f9\u3002<\/li>\n
- \u653b\u51fb\u8005\u901a\u8fc7\u903b\u8f91\u8fd0\u7b97\u7b26\u3001\u8054\u5408\u67e5\u8be2\u3001\u5b50\u67e5\u8be2\u7b49\u65b9\u5f0f\u7be1\u6539\u67e5\u8be2\u903b\u8f91\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u9632\u5fa1\u63aa\u65bd:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u4f7f\u7528\u53c2\u6570\u5316\u67e5\u8be2(\u907f\u514d\u76f4\u63a5\u62fc\u63a5\u7528\u6237\u8f93\u5165)\u3002<\/li>\n
- \u9a8c\u8bc1\u7528\u6237\u8f93\u5165\u3002<\/li>\n
- \u6700\u5c0f\u5316\u6570\u636e\u5e93\u6743\u9650\u3002<\/li>\n
- \u76d1\u63a7\u548c\u8bb0\u5f55\u5f02\u5e38\u884c\u4e3a<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.2. \u5b57\u7b26\u578b\u6ce8\u5165<\/h4>\n
6.2.1. \u6838\u5fc3\u5b9a\u4e49:\u4ec0\u4e48\u662f\u5b57\u7b26\u578b\u6ce8\u5165?<\/h5>\n
\u5b57\u7b26\u578b\u6ce8\u5165\u662fSQL\u6ce8\u5165\u7684\u5178\u578b\u7c7b\u578b,\u53d1\u751f\u5728\u53c2\u6570\u4e3a\u5b57\u7b26\u4e32\u7c7b\u578b\u7684\u573a\u666f\u4e2d\u3002\u5176\u6838\u5fc3\u7279\u5f81\u662f:<\/p>\n
- \n
- \u540e\u53f0SQL\u8bed\u53e5\u4e2d,\u53c2\u6570\u88ab\u5355\u5f15\u53f7(')\u6216\u53cc\u5f15\u53f7(")\u5305\u88f9(\u533a\u522b\u4e8e\u6570\u503c\u578b\u6ce8\u5165\u7684\u65e0\u5f15\u53f7)\u3002<\/li>\n
- \u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u5305\u542b\u7279\u6b8a\u5b57\u7b26\u7684\u5b57\u7b26\u4e32,\u95ed\u5408\u539f\u6709\u5f15\u53f7\u5e76\u6ce8\u5165\u6076\u610fSQL\u903b\u8f91,\u5b9e\u73b0\u672a\u6388\u6743\u64cd\u4f5c\u3002<\/li>\n<\/ul>\n
6.2.2. \u5173\u952e\u7279\u5f81\u4e0e\u5224\u65ad\u65b9\u6cd5<\/h5>\n
6.2.2.1. \u5178\u578b\u573a\u666f<\/h6>\n
\u5e38\u89c1\u4e8e\u7528\u6237\u540d\u3001\u641c\u7d22\u5173\u952e\u8bcd\u7b49\u5b57\u7b26\u578b\u53c2\u6570,\u540e\u53f0SQL\u683c\u5f0f\u901a\u5e38\u4e3a:<\/p>\n
SELECT * FROM users WHERE username = '[\u7528\u6237\u8f93\u5165]' — \u4f8b\u5982:username='admin' <\/p>\n
6.2.2.2. \u5224\u65ad\u65b9\u6cd5(\u5b9e\u6218\u6b65\u9aa4)<\/h6>\n
\u901a\u8fc7\u6784\u9020\u5355\u5f15\u53f7\u95ed\u5408\u903b\u8f91,\u89c2\u5bdf\u9875\u9762\u54cd\u5e94\u5dee\u5f02,\u5373\u53ef\u5224\u65ad\u662f\u5426\u5b58\u5728\u5b57\u7b26\u578b\u6ce8\u5165:<\/p>\n
- \n
- \u6b65\u9aa41:\u5355\u5f15\u53f7\u6d4b\u8bd5(\u6838\u5fc3) \u8f93\u5165 username=admin'(\u5728\u539f\u53c2\u6570\u540e\u52a0\u5355\u5f15\u53f7),<\/li>\n
- \u82e5\u9875\u9762\u62a5\u9519(\u5982Unclosed quotation mark),\u8bf4\u660e\u53c2\u6570\u88ab\u5f15\u53f7\u5305\u88f9(\u5b57\u7b26\u578b\u6ce8\u5165\u7279\u5f81)\u3002<\/li>\n
- \u3010\u6ce8\u610f,\u4e00\u4e2a\u662f\u8bed\u6cd5\u9519\u8bef,\u4e00\u4e2a\u662f\u5f15\u53f7\u672a\u95ed\u5408,\u9519\u8bef\u63d0\u793a\u4e0d\u540c\u3011 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE username = 'admin'' — \u5f15\u53f7\u672a\u95ed\u5408,\u8bed\u6cd5\u9519\u8bef <\/p>\n
- \n
- \u6b65\u9aa42:\u903b\u8f91\u6761\u4ef6\u6d4b\u8bd5(\u9a8c\u8bc1\u6ce8\u5165\u70b9) \u6784\u9020\u95ed\u5408+\u6052\u771f\u6761\u4ef6:\u8f93\u5165 username=admin' AND '1'='1 –+(–+\u7528\u4e8e\u6ce8\u91ca\u540e\u7eed\u5185\u5bb9),\u82e5\u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0e\u539f\u8bf7\u6c42\u4e00\u81f4),\u8bf4\u660e\u6ce8\u5165\u6210\u529f\u3002 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
SELECT * FROM users WHERE username = 'admin' AND '1'='1 –+' — \u6761\u4ef6\u6052\u771f,\u8fd4\u56de\u6240\u6709\u7528\u6237 <\/p>\n
- \n
- \u6b65\u9aa43:\u5bf9\u6bd4\u6052\u5047\u6761\u4ef6 \u8f93\u5165 username=admin' AND '1'='2 –+,\u82e5\u9875\u9762\u5f02\u5e38\u663e\u793a(\u7a7a\u767d\u6216\u62a5\u9519),\u8fdb\u4e00\u6b65\u786e\u8ba4\u5b58\u5728\u5b57\u7b26\u578b\u6ce8\u5165\u3002<\/li>\n<\/ul>\n
6.2.2.3. \u5b9e\u6218\u6848\u4f8b:\u4ece\u5224\u65ad\u5230\u6570\u636e\u83b7\u53d6<\/h6>\n
\u4ee5SQLi-Labs\u9776\u573aLess-1(\u5b57\u7b26\u578b\u6ce8\u5165\u7ecf\u5178\u573a\u666f)\u4e3a\u4f8b:<\/p>\n
6.2.2.3.1. \u73af\u5883\u51c6\u5907<\/h6>\n
- \n
- \u9776\u573aURL:http:\/\/localhost\/sqli-labs\/Less-1\/?id=1<\/li>\n
- \u540e\u53f0SQL:SELECT * FROM users WHERE id = '[\u7528\u6237\u8f93\u5165]'<\/li>\n<\/ul>\n
6.2.2.3.2. \u6ce8\u5165\u8fc7\u7a0b<\/h6>\n
- \n
- \u5224\u65ad\u6ce8\u5165\u70b9: \u8f93\u5165 id=1' \u2192 \u9875\u9762\u62a5\u9519(You have an error in your SQL syntax),\u786e\u8ba4\u53c2\u6570\u88ab\u5355\u5f15\u53f7\u5305\u88f9\u3002 \u8f93\u5165 id=1' AND '1'='1 –+ \u2192 \u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0eid=1\u4e00\u81f4),\u6ce8\u5165\u70b9\u5b58\u5728\u3002<\/li>\n
- \u83b7\u53d6\u6570\u636e\u5e93\u4fe1\u606f: \u6784\u9020\u8054\u5408\u67e5\u8be2,\u83b7\u53d6\u6570\u636e\u5e93\u540d:<\/li>\n<\/ul>\n
id=-1' UNION SELECT 1, database(), 3 –+ — \u7528-1\u8ba9\u539f\u67e5\u8be2\u65e0\u7ed3\u679c,\u663e\u793a\u8054\u5408\u67e5\u8be2\u5185\u5bb9 <\/p>\n
\u6b64\u65f6SQL\u53d8\u4e3a:<\/p>\n
SELECT * FROM users WHERE id = '-1' UNION SELECT 1, database(), 3 –+' <\/p>\n
\u9875\u9762\u8fd4\u56de\u5f53\u524d\u6570\u636e\u5e93\u540d(\u5982security)\u3002<\/p>\n
- \n
- \u83b7\u53d6\u8868\u540d: \u8fdb\u4e00\u6b65\u67e5\u8be2\u6570\u636e\u5e93\u4e2d\u7684\u8868:<\/li>\n<\/ul>\n
id=-1' UNION SELECT 1, group_concat(table_name), 3 FROM information_schema.tables WHERE table_schema=database() –+ <\/p>\n
\u7ed3\u679c\u8fd4\u56de\u6240\u6709\u8868\u540d(\u5982users\u3001emails)\u3002<\/p>\n
6.2.2.4. \u9632\u5fa1\u5efa\u8bae<\/h6>\n
- \n
- \u53c2\u6570\u8fc7\u6ee4:\u5bf9\u8f93\u5165\u7684\u5355\u5f15\u53f7\u3001\u53cc\u5f15\u53f7\u7b49\u7279\u6b8a\u5b57\u7b26\u8fdb\u884c\u8f6c\u4e49(\u5982PHP\u4e2d\u7528addslashes());<\/li>\n
- \u9884\u7f16\u8bd1\u8bed\u53e5:\u4f7f\u7528PDO\u6216MyBatis\u7684\u53c2\u6570\u7ed1\u5b9a,\u907f\u514d\u76f4\u63a5\u62fc\u63a5SQL;<\/li>\n
- \u7c7b\u578b\u6821\u9a8c:\u5bf9\u5b57\u7b26\u578b\u53c2\u6570\u9650\u5236\u957f\u5ea6\u548c\u683c\u5f0f(\u5982\u7528\u6237\u540d\u4ec5\u5141\u8bb8\u5b57\u6bcd\u6570\u5b57)\u3002<\/li>\n<\/ul>\n
6.2.2.5. \u4e00\u53e5\u8bdd\u603b\u7ed3<\/h6>\n
\u5b57\u7b26\u578b\u6ce8\u5165\u662f\u5229\u7528\u53c2\u6570\u88ab\u5f15\u53f7\u5305\u88f9\u7684\u7279\u6027,\u901a\u8fc7\u6784\u9020\u95ed\u5408\u903b\u8f91\u6ce8\u5165\u6076\u610fSQL,\u6838\u5fc3\u5224\u65ad\u65b9\u6cd5\u662f\u5355\u5f15\u53f7\u6d4b\u8bd5+\u903b\u8f91\u6761\u4ef6\u9a8c\u8bc1,\u5b9e\u6218\u4e2d\u53ef\u7ed3\u5408\u8054\u5408\u67e5\u8be2\u83b7\u53d6\u654f\u611f\u6570\u636e\u3002 🛡\ufe0f<\/p>\n
- \n
- \n
- \n
- \u524d\u53f0\u9875\u9762\u8f93\u5165\u7684\u53c2\u6570\u662f\u300c\u5b57\u7b26\u4e32\u300d\u3002<\/li>\n
- \u5b57\u7b26\u53ef\u4ee5\u4f7f\u7528\u5355\u5f15\u53f7\u5305\u88f9,\u4e5f\u53ef\u4ee5\u4f7f\u7528\u53cc\u5f15\u53f7\u5305\u88f9\u3002<\/li>\n
- \u6839\u636e\u5305\u88f9\u5b57\u7b26\u4e32\u7684\u300c\u5f15\u53f7\u300d\u4e0d\u540c,\u5b57\u7b26\u578b\u6ce8\u5165\u53ef\u4ee5\u5206\u4e3a:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \n
- \n
- \u5355\u5f15\u53f7\u5b57\u7b26\u578b\u6ce8\u5165<\/li>\n
- \u53cc\u5f15\u53f7\u5b57\u7b26\u578b\u6ce8\u5165<\/li>\n
- \u5e26\u6709\u62ec\u53f7\u7684\u6ce8\u5165<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- SQL\u7684\u8bed\u6cd5,\u652f\u6301\u4f7f\u7528\u4e00\u4e2a\u6216\u591a\u4e2a\u300c\u62ec\u53f7\u300d\u5305\u88f9\u53c2\u6570,\u4f7f\u5f97\u8fd9\u4e24\u4e2a\u57fa\u7840\u7684\u6ce8\u5165\u7c7b\u578b\u5b58\u5728\u4e00\u4e9b\u53d8\u79cd\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- a. \u6570\u503c\u578b+\u62ec\u53f7\u7684\u6ce8\u5165:\u4f7f\u7528\u62ec\u53f7\u5305\u88f9\u6570\u503c\u578b\u53c2\u6570<\/li>\n
- b. \u5355\u5f15\u53f7\u5b57\u7b26\u4e32+\u62ec\u53f7\u7684\u6ce8\u5165:\u4f7f\u7528\u62ec\u53f7\u548c\u5355\u5f15\u53f7\u5305\u88f9\u53c2\u6570<\/li>\n
- c. \u53cc\u5f15\u53f7\u5b57\u7b26\u4e32+\u62ec\u53f7\u7684\u6ce8\u5165\u4f7f\u7528\u62ec\u53f7\u548c\u53cc\u5f15\u53f7\u5305\u88f9\u53c2\u6570<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u4e0d\u53ef\u76f4\u63a5\u62fc\u63a5\u7528\u6237\u8f93\u5165\u5230SQL\u67e5\u8be2\u4e2d,\u53ef\u80fd\u5bfc\u81f4\u903b\u8f91\u88ab\u7be1\u6539\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
\u793a\u4f8b:
\nselect \\\\* from user where id = (1);
\n\/\/\u8fd9\u662f\u67e5\u8be2 user \u8868\u4e2did\u7b49\u4e8e1\u7684\u6240\u6709\u8bb0\u5f55\u3002
\n\u8fd9\u91cc\u7684 (1) \u662f\u5355\u503c\u5b50\u67e5\u8be2\u7684\u5199\u6cd5(\u867d\u7136\u8fd9\u91cc\u76f4\u63a5\u51991\u4e5f\u53ef\u4ee5),\u6700\u7ec8\u6548\u679c\u548c id = 1 \u4e00\u81f4\u3002<\/p>\nselect \\\\* from user where id = ((1));
\n\/\/\u548c\u7b2c\u4e00\u4e2a\u8bed\u53e5\u6548\u679c\u5b8c\u5168\u76f8\u540c,\u53ea\u662f\u591a\u5957\u4e86\u4e00\u5c42\u62ec\u53f7,SQL\u4f1a\u81ea\u52a8\u89e3\u6790\u62ec\u53f7\u5185\u7684\u5185\u5bb9,
\n\u6700\u7ec8\u8fd8\u662f\u67e5\u8be2 id=1 \u7684\u8bb0\u5f55\u3002<\/p>\nselect \\\\* from user where username = ('zhangsan');
\n\/\/\u67e5\u8be2 user \u8868\u4e2d**username\u7b49\u4e8e'zhangsan'**\u7684\u6240\u6709\u8bb0\u5f55\u3002
\n\u8fd9\u91cc 'zhangsan' \u662f\u5b57\u7b26\u4e32\u5e38\u91cf,\u5355\u5f15\u53f7\u662fSQL\u4e2d\u8868\u793a\u5b57\u7b26\u4e32\u7684\u6807\u51c6\u65b9\u5f0f\u3002<\/p>\nselect \\\\* from user where username = (('zhangsan'));
\n\/\/\u548c\u7b2c\u4e09\u4e2a\u8bed\u53e5\u6548\u679c\u4e00\u81f4,\u591a\u5957\u4e86\u62ec\u53f7\u4e0d\u5f71\u54cd\u7ed3\u679c,\u4f9d\u7136\u662f\u67e5\u8be2username='zhangsan' \u7684\u8bb0\u5f55\u3002<\/p>\nselect \\\\* from user where username = ("zhangsan");
\n\/\/\u591a\u5957\u4e86\u62ec\u53f7\u4e0d\u5f71\u54cd\u7ed3\u679c,\u4f9d\u7136\u662f\u67e5\u8be2username="zhangsan" \u7684\u8bb0\u5f55 <\/p>\n6.2.3. \u7b80\u5355\u6761\u4ef6\u6ce8\u5165<\/h5>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u5728\u5b57\u7b26\u4e32\u53c2\u6570\u540e\u6dfb\u52a0\u903b\u8f91\u8fd0\u7b97\u7b26(\u5982 OR\u3001AND)\u548c\u6052\u771f\/\u6052\u5047\u6761\u4ef6\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u793a\u4f8b:<\/li>\n
- \u5047\u8bbe\u4e00\u4e2a\u5e94\u7528\u7a0b\u5e8f\u6839\u636e\u7528\u6237\u8f93\u5165\u7684 name \u67e5\u8be2\u5458\u5de5\u4fe1\u606f:<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE name = 'Alice'; <\/p>\n
\u5982\u679c\u7528\u6237\u8f93\u5165 Alice,\u67e5\u8be2\u4f1a\u8fd4\u56de name='Alice' \u7684\u5458\u5de5\u4fe1\u606f\u3002<\/p>\n
- \n
- \n
- \n
- \u7528\u6237\u8f93\u5165:Alice' OR '1'='1<\/li>\n
- \u62fc\u63a5\u540e\u7684 SQL:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE name = 'Alice' OR '1'='1'; <\/p>\n
- \n
- \n
- \n
- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \n
- \n
- \u8fd4\u56de\u6240\u6709\u5458\u5de5\u7684\u4fe1\u606f\u3002\u3010\u539f\u7406\u540c\u6570\u503c\u578b,\u53ea\u4e0d\u8fc7\u6ce8\u610f'\u7684\u6709\u65e0\u3011<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.2.4. \u8054\u5408\u67e5\u8be2\u6ce8\u5165<\/h5>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u4f7f\u7528 UNION \u5c06\u6076\u610f\u67e5\u8be2\u7ed3\u679c\u4e0e\u539f\u59cb\u67e5\u8be2\u7ed3\u679c\u5408\u5e76\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u793a\u4f8b:<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \u7528\u6237\u8f93\u5165:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
Alice' UNION SELECT username, password FROM users —<\/p>\n
- \n
- \n
- \n
- \u62fc\u63a5\u540e\u7684 SQL:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
SELECT * FROM employees WHERE name = 'Alice'
\nUNION
\nSELECT username, password FROM users — '; <\/p>\n- \n
- \n
- \n
- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u62fc\u63a5\u540e\u7684 SQL:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u7528\u6237\u8f93\u5165:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u793a\u4f8b:<\/li>\n<\/ul>\n
- \u4f7f\u7528 UNION \u5c06\u6076\u610f\u67e5\u8be2\u7ed3\u679c\u4e0e\u539f\u59cb\u67e5\u8be2\u7ed3\u679c\u5408\u5e76\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \u8fd4\u56de\u6240\u6709\u5458\u5de5\u7684\u4fe1\u606f\u3002\u3010\u539f\u7406\u540c\u6570\u503c\u578b,\u53ea\u4e0d\u8fc7\u6ce8\u610f'\u7684\u6709\u65e0\u3011<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \u5728\u5b57\u7b26\u4e32\u53c2\u6570\u540e\u6dfb\u52a0\u903b\u8f91\u8fd0\u7b97\u7b26(\u5982 OR\u3001AND)\u548c\u6052\u771f\/\u6052\u5047\u6761\u4ef6\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \u4e0d\u53ef\u76f4\u63a5\u62fc\u63a5\u7528\u6237\u8f93\u5165\u5230SQL\u67e5\u8be2\u4e2d,\u53ef\u80fd\u5bfc\u81f4\u903b\u8f91\u88ab\u7be1\u6539\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \n
- \n
- SQL\u7684\u8bed\u6cd5,\u652f\u6301\u4f7f\u7528\u4e00\u4e2a\u6216\u591a\u4e2a\u300c\u62ec\u53f7\u300d\u5305\u88f9\u53c2\u6570,\u4f7f\u5f97\u8fd9\u4e24\u4e2a\u57fa\u7840\u7684\u6ce8\u5165\u7c7b\u578b\u5b58\u5728\u4e00\u4e9b\u53d8\u79cd\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \n
- \n
- \n
- \u83b7\u53d6\u8868\u540d: \u8fdb\u4e00\u6b65\u67e5\u8be2\u6570\u636e\u5e93\u4e2d\u7684\u8868:<\/li>\n<\/ul>\n
- \u6b65\u9aa43:\u5bf9\u6bd4\u6052\u5047\u6761\u4ef6 \u8f93\u5165 username=admin' AND '1'='2 –+,\u82e5\u9875\u9762\u5f02\u5e38\u663e\u793a(\u7a7a\u767d\u6216\u62a5\u9519),\u8fdb\u4e00\u6b65\u786e\u8ba4\u5b58\u5728\u5b57\u7b26\u578b\u6ce8\u5165\u3002<\/li>\n<\/ul>\n
- \u6b65\u9aa42:\u903b\u8f91\u6761\u4ef6\u6d4b\u8bd5(\u9a8c\u8bc1\u6ce8\u5165\u70b9) \u6784\u9020\u95ed\u5408+\u6052\u771f\u6761\u4ef6:\u8f93\u5165 username=admin' AND '1'='1 –+(–+\u7528\u4e8e\u6ce8\u91ca\u540e\u7eed\u5185\u5bb9),\u82e5\u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0e\u539f\u8bf7\u6c42\u4e00\u81f4),\u8bf4\u660e\u6ce8\u5165\u6210\u529f\u3002 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
- \n
- \u9632\u5fa1\u63aa\u65bd:<\/li>\n<\/ul>\n
- \n
- \u6570\u503c\u578b\u6ce8\u5165\u7684\u7279\u70b9:<\/li>\n<\/ul>\n
- \u9a8c\u8bc1 users \u8868\u662f\u5426\u5b58\u5728,\u5e76\u5c1d\u8bd5\u83b7\u53d6\u66f4\u591a\u4fe1\u606f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \u793a\u4f8b:<\/li>\n<\/ul>\n
- \u5728\u6570\u503c\u53c2\u6570\u4e2d\u5d4c\u5957\u5b50\u67e5\u8be2,\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \u8fd4\u56de\u5458\u5de5\u4fe1\u606f\u7684\u540c\u65f6,\u8fd8\u6cc4\u9732\u4e86\u7528\u6237\u7684\u7528\u6237\u540d\u548c\u5bc6\u7801\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \u6548\u679c:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \u793a\u4f8b:<\/li>\n<\/ul>\n
- \u4f7f\u7528 UNION \u5c06\u6076\u610f\u67e5\u8be2\u7ed3\u679c\u4e0e\u539f\u59cb\u67e5\u8be2\u7ed3\u679c\u5408\u5e76\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \n
- \u89e3\u91ca:<\/li>\n<\/ul>\n
- \u793a\u4f8b:<\/li>\n<\/ul>\n
- \u5728\u6570\u503c\u53c2\u6570\u540e\u6dfb\u52a0\u903b\u8f91\u8fd0\u7b97\u7b26(\u5982 OR\u3001AND)\u548c\u6052\u771f\/\u6052\u5047\u6761\u4ef6\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u653b\u51fb\u65b9\u5f0f:<\/li>\n<\/ul>\n
- \u83b7\u53d6\u8868\u540d: \u8fdb\u4e00\u6b65\u67e5\u8be2\u6570\u636e\u5e93\u4e2d\u7684\u8868:<\/li>\n<\/ul>\n
- \u6b65\u9aa43:\u5355\u5f15\u53f7\u6d4b\u8bd5(\u8f85\u52a9\u9a8c\u8bc1) \u8f93\u5165 id=1',\u82e5\u9875\u9762\u62a5\u9519(\u5982SQL syntax error),\u8fdb\u4e00\u6b65\u786e\u8ba4\u662f\u6570\u503c\u578b\u6ce8\u5165(\u56e0\u4e3a\u6570\u503c\u578b\u53c2\u6570\u65e0\u9700\u5355\u5f15\u53f7,\u591a\u4f59\u7684\u5355\u5f15\u53f7\u5bfc\u81f4\u8bed\u6cd5\u9519\u8bef)\u3002<\/li>\n<\/ul>\n
- \u6b65\u9aa42:\u6052\u5047\u6761\u4ef6\u6d4b\u8bd5 \u8f93\u5165 id=1 AND 1=2,\u82e5\u9875\u9762\u5f02\u5e38\u663e\u793a(\u7a7a\u767d\u3001\u62a5\u9519\u6216\u65e0\u6570\u636e),\u8bf4\u660e\u6ce8\u5165\u7684\u6761\u4ef6\u88ab\u6267\u884c\u4e3a\u5047,\u5b58\u5728\u6ce8\u5165\u70b9\u3002 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
- \u6b65\u9aa41:\u6052\u771f\u6761\u4ef6\u6d4b\u8bd5 \u8f93\u5165 id=1 AND 1=1,\u82e5\u9875\u9762\u6b63\u5e38\u663e\u793a(\u4e0e\u539f\u8bf7\u6c42id=1\u4e00\u81f4),\u8bf4\u660e\u6ce8\u5165\u7684\u6761\u4ef6\u88ab\u6570\u636e\u5e93\u6267\u884c,\u4e14\u7ed3\u679c\u4e3a\u771f\u3002 \u6b64\u65f6SQL\u53d8\u4e3a:<\/li>\n<\/ul>\n
- \u5199\u5165and1=1 \u4e0eand1=2\u56de\u663e\u4e0d\u76f8\u540c\u8bf4\u660e\u540e\u9762\u7684and1=1\u548cand1=2\u5bf9\u7f51\u9875\u9020\u6210\u4e86\u5f71\u54cd,\u5224\u65ad\u4e3a\u6570\u503c\u578b<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \u786e\u4fdd\u591a\u884c\u6ce8\u91ca\u4ee5 *\/ \u7ed3\u675f\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- \n
- \n
- \n
- \n
- \n
- MySQL\u62a5\u9519:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near…;<\/li>\n<\/ul>\n
- \n
- \u7b26\u53f7\u95ed\u5408:<\/li>\n<\/ul>\n
- \n
- \u5173\u952e\u5b57\u914d\u5bf9:<\/li>\n<\/ul>\n
- \n
- MySQL:<\/li>\n<\/ul>\n
- \u6301\u4e45\u5316\u63a7\u5236:\u521b\u5efa\u540e\u95e8\u8d26\u6237\u6216\u690d\u5165\u6076\u610f\u811a\u672c,\u957f\u671f\u63a7\u5236\u7cfb\u7edf\u3002<\/li>\n<\/ul>\n
- \u6267\u884c\u7cfb\u7edf\u547d\u4ee4:\u5229\u7528\u6570\u636e\u5e93\u5b58\u50a8\u8fc7\u7a0b(\u5982MySQL\u7684xp_cmdshell)\u63a7\u5236\u670d\u52a1\u5668\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
- \u7be1\u6539\u6216\u5220\u9664\u6570\u636e:\u901a\u8fc7UPDATE\u6216DROP\u8bed\u53e5\u7834\u574f\u6570\u636e\u5e93\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
- \u8bfb\u53d6\u6570\u636e\u5e93\u7ed3\u6784:\u901a\u8fc7UNION SELECT\u67e5\u8be2\u6570\u636e\u5e93\u7248\u672c\u3001\u8868\u540d\u7b49\u4fe1\u606f\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
- \u7ed5\u8fc7\u767b\u5f55\u9a8c\u8bc1:\u901a\u8fc7' OR '1'='1'–\u8df3\u8fc7\u5bc6\u7801\u68c0\u67e5\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n
- \u83b7\u53d6\u9690\u85cf\u6570\u636e:\u901a\u8fc7OR 1=1\u6216UNION SELECT\u8bfb\u53d6\u654f\u611f\u6570\u636e\u3002\u4f8b\u5982:<\/li>\n<\/ul>\n