????SQL????????
???????????? ???????[ 2016/10/19 16:03:55 ] ????????SQL??? ?????
????????SQL???
????SQL???????SQL Injection????????????????Web?????г???????????????????????????????????????????????????????????????????????????????????ж?????????????п?????????????????????????
?????????SQL?????????????????????Ч??????????????????????????????????????SQL??????????????????????????????????????????????????У???????????????????????????????????????????????
????SQL??????
???????Web??????????????SQL???????????????????SQL????????????ε?????????SQL??????????????????????????????????????????????????п??????SQL?????????????????????
???????潫????Щ??????????????????SQL????????
<form action="/login" method="POST">
<p>Username:<input type="text" name="username" /></p>
<p>Password:<input type="password" name="password" /></p>
<p><input type="submit" value="???" /></p>
</form>
?????????????????SQL?????????????
username:=r.Form.Get("username")
password:=r.Form.Get("password")
sql:="SELECT * FROM user WHERE username='"+username+"' AND password='"+password+"'"
?????????????????????????£?????????:
????myuser' or 'foo' = 'foo' --
????????????SQL??????????????
????SELECT * FROM user WHERE username='myuser' or 'foo'=='foo' --'' AND password='xxx'
??????SQL????--??????????????????????ж?????ù????????????κκ??????????????????3????????
????????MSSQL???и???Σ??????SQL??????????????????????μ???????????????Щ?汾??MSSQL???????????????
????sql:="SELECT * FROM products WHERE name LIKE '%"+prod+"%'"
????Db.Exec(sql)
?????????????a%' exec master..xp_cmdshell 'net user test testpass /ADD' --??????? prod????????sql??????
????sql:="SELECT * FROM products WHERE name LIKE '%a%' exec master..xp_cmdshell 'net user test testpass /ADD'--%'"
??????????SQL???
??????????????????????????????????????SQL????????????????????????????????ò?????Щ??????????????????????????й???Σ?????????????????????????????????????????????????????????????????????????Щ???????????????????????????Discuz??phpwind??phpcms????Щ???е????????б?SQL?????????????
??????Щ?????????????????????????????????????????????????????????????????????????????????????????????? cookie?????????????????????????????????????п???????????
????SQL???????Σ??????????????????????????????Щ???????????SQL???????????????
???????????Web??????????????????????????????????????乤??????????????????????????????????Σ????
??????????????????????????????????????????????????????????????regexp???????Щ?????????????strconv???????????????????????????????????ж??
????????????????????????'"??????&*;?????????崦?????????????Go ??text/template???????HTMLEscapeString????????????????????崦???
???????е?????佨???????????????????????????????????????ò???????????????????????SQL????У????????????SQL??????????database/sql???????????Prepare??Query??????Exec(query string?? args ...interface{})??
????????÷????????????????SQL?????????м????????????????SQL?????????????к??????????????????sqlmap??SQLninja???
????????????????SQL??????????????????????β??????????????SQL??????????????????????????Щ???????????SQL???
???????
???????????????????????????SQL?????Σ??????????????????????????????д??Web??????????????С??????????????????????????????????дWeb????????????
??????
???·???
??????????????????
2023/3/23 14:23:39???д?ò??????????
2023/3/22 16:17:39????????????????????Щ??
2022/6/14 16:14:27??????????????????????????
2021/10/18 15:37:44???????????????
2021/9/17 15:19:29???·???????·
2021/9/14 15:42:25?????????????
2021/5/28 17:25:47??????APP??????????
2021/5/8 17:01:11
sales@spasvo.com