SQL注入过滤字符的Fuzz脚本测试
Get.php
<!DOCTYPE html>
<html>
<head>
<title>Sql Waf Test</title>
</head>
<body>
<div style="text-align:center;">
<form method="GET" action="">
<h1>Insert Data</h1>
<input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
<br><br>
<input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
<br><br>
<input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php
$black_list="/select|sleep|and|or|union|\"|'|--|#|where|from|limit/i";
$con = mysqli_connect("127.0.0.1:3306","root","root");
mysqli_query($con,"create database test");
mysqli_select_db($con,"test");
mysqli_query($con,"create table tb_user
(
uid int(11) primary key auto_increment not null,
username varchar(50) not null,
password varchar(50) not null,
UNIQUE(username)
)");
if(isset($_GET['submit1'])){
$username = $_GET['username'];
$password = md5($_GET['password']);
if(preg_match($black_list,$username)){
echo "<h2>Illegal Char<h2>";
}else{
if(empty($username) || empty($password)){
echo "<h2>Username or Password can not be empty</h2>";
}else{
$insert_sql = mysqli_query($con,"insert into tb_user value(0,'$username','$password')");
if($insert_sql){
echo "<h2>Insert Success</h2>";
}else{
echo "<h2>Insert Fail</h2>";
}
}
}
}
?>
</form>
</div>
<div style="text-align:center;">
<form method="GET" action="">
<br><br><br><br><br><br><br>
<h1>Query Data</h1>
<input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
<br><br>
<input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php
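// Query form: the fuzz script hits this path with one probe per request
// (?query=<probe>&submit2=sbumit) and looks for "Illegal Char" in the reply.
if(isset($_GET['submit2'])){
    $query_name = $_GET['query'];
    // $black_list is the regex defined in the insert section above.
    if(preg_match($black_list,$query_name)){
        // echo instead of die(): die() cut the document short, leaving the
        // form/body/html elements unclosed. The else branch already stops
        // any further processing.
        echo "<h2>Illegal Char</h2>";
    }else{
        // empty() also rejects the literal string "0".
        if(empty($query_name)){
            echo "<h2>Query data can not be empty</h2>";
        }else{
            // Intentionally injectable (single-quoted string context); this is
            // the sink the blacklist is supposed to protect. Real code: prepared
            // statement with a bound parameter.
            $query_data = mysqli_query($con,"select * from tb_user where username='$query_name'");
            if($query_data){
                // Only the first matching row is shown; null when there is none.
                $sql_data = mysqli_fetch_assoc($query_data);
                echo "<br><br><br><br>";
                // Stored-XSS fix: the row comes straight from the table and the
                // insert filter does not block "<" or ">", so the dump is
                // HTML-escaped before it reaches the browser. var_dump() writes
                // directly to output, hence the output buffer.
                ob_start();
                var_dump($sql_data);
                echo htmlspecialchars(ob_get_clean(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            }else{
                // A syntactically broken query (e.g. a failed injection attempt)
                // lands here; the MySQL error itself is not echoed.
                echo "<h2>Query Fail</h2>";
            }
        }
    }
}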
?>
</form>
</div>
</body>
</html>
sql_waf_test.py
import requests
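# Probes sent one at a time as the "query" parameter of get.php. A probe is
# considered blocked when the page answers "Illegal Char".
sql_char = ['select',
            'union',
            'and',
            'or',
            'sleep',
            'where',
            'from',
            'limit',
            'group',
            'by',
            'like',
            'prepare',
            'as',
            'if',
            'char',
            'ascii',
            'mid',
            'left',
            'right',
            'substring',
            'handler',
            'updatexml',
            'extractvalue',
            'benchmark',
            'insert',
            'update',
            'all',
            '@',
            '#',
            '^',
            '&',
            '*',
            '\'',
            '"',
            '~',
            '`',
            '(',
            ')',
            '--',
            '=',
            '/',
            '\\',
            ' ']

TARGET_URL = "http://127.0.0.1/get.php"


def is_blocked(session, char, url=TARGET_URL, timeout=5):
    """Return True when the target's blacklist rejects ``char``.

    ``session`` is any object with a ``get(url, params=..., timeout=...)``
    method returning a response with a ``.text`` attribute (a
    ``requests.Session`` in practice).

    The probe is passed via ``params`` so that it is URL-encoded. Building the
    URL by string concatenation (the original approach) silently corrupts
    several probes: "#" becomes a URL fragment and is never sent (so the server
    sees an empty query and the probe is reported as passing although it is
    blacklisted), "&" starts a new query parameter, and "=", quotes and the
    space are sent raw.
    """
    res = session.get(url,
                      params={"query": char, "submit2": "sbumit"},
                      timeout=timeout)
    return 'Illegal Char' in res.text


if __name__ == "__main__":
    # One connection pool for all probes; a request timeout stops a
    # time-based payload ("sleep") from hanging the whole run.
    with requests.Session() as session:
        for char in sql_char:
            if is_blocked(session, char):
                print("该字符是非法字符: {0}".format(char))
            else:
                print("通过: {0}".format(char))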
PS C:\Users\Administrator\Desktop> python .\sql_waf_test.py 该字符是非法字符: select 该字符是非法字符: union 该字符是非法字符: and 该字符是非法字符: or 该字符是非法字符: sleep 该字符是非法字符: where 该字符是非法字符: from 该字符是非法字符: limit 通过: group 通过: by 通过: like 通过: prepare 通过: as 通过: if 通过: char 通过: ascii 通过: mid 通过: left 通过: right 通过: substring 该字符是非法字符: handler 通过: updatexml 通过: extractvalue 通过: benchmark 通过: insert 通过: update 通过: all 通过: @ 通过: # 通过: ^ 通过: & 通过: * 该字符是非法字符: ' 该字符是非法字符: " 通过: ~ 通过: ` 通过: ( 通过: ) 该字符是非法字符: -- 通过: = 通过: / 通过: \ 通过: 
Two results above deserve a second look: `handler` is rejected only because the substring-based blacklist finds `and` inside it, and `#` is reported as passing even though it is in Get.php's blacklist — concatenated raw into the URL it is treated as a fragment and never sent, so the server sees an empty `query`. Sending the probe as a URL-encoded parameter (`params=` in requests) avoids this.
Post.php
<!DOCTYPE html>
<html>
<head>
<title>Sql Waf Test</title>
</head>
<body>
<div style="text-align:center;">
<form method="POST" action="">
<h1>Insert Data</h1>
<input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
<br><br>
<input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
<br><br>
<input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php
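// POST variant of the filter. This list is even shorter than Get.php's: quotes,
// "--", "#", "sleep", "where" and "from" are NOT filtered here, and "and"/"or"
// are still matched as bare substrings (no word boundaries), so "Andrew",
// "Doris" or "handler" are rejected while "||" / "&&" pass.
$black_list="/select|and|or|union|limit/i";
// NOTE(review): hard-coded root/root on a loopback listener is only acceptable
// for a throw-away lab host; this page must never be reachable from elsewhere.
$con = mysqli_connect("127.0.0.1:3306","root","root");
// Bootstrap on every request. Both statements simply fail once the database and
// table already exist; their return values are intentionally ignored.
mysqli_query($con,"create database test");
mysqli_select_db($con,"test");
mysqli_query($con,"create table tb_user
(
uid int(11) primary key auto_increment not null,
username varchar(50) not null,
password varchar(50) not null,
UNIQUE(username)
)");
if(isset($_POST['submit1'])){
    $username = $_POST['username'];
    // md5 is not a password hash (use password_hash() in real code); it is kept
    // here because it also guarantees the interpolated value is 32 hex chars,
    // so the password can never carry an injection payload.
    $password = md5($_POST['password']);
    if(preg_match($black_list,$username)){
        // Fixed: the original emitted "<h2>Illegal Char<h2>" (unclosed tag).
        echo "<h2>Illegal Char</h2>";
    }else{
        // empty() also rejects the literal string "0".
        if(empty($username) || empty($password)){
            echo "<h2>Username or Password can not be empty</h2>";
        }else{
            // Intentionally string-built SQL: the blacklist above is the only
            // defence. "<" and ">" are not filtered either, so whatever is
            // stored here must be HTML-escaped wherever it is later displayed.
            // A real application uses a prepared statement instead.
            $insert_sql = mysqli_query($con,"insert into tb_user value(0,'$username','$password')");
            if($insert_sql){
                echo "<h2>Insert Success</h2>";
            }else{
                // Also reached for a duplicate username (UNIQUE constraint).
                echo "<h2>Insert Fail</h2>";
            }
        }
    }
}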
?>
</form>
</div>
<div style="text-align:center;">
<form method="POST" action="">
<br><br><br><br><br><br><br>
<h1>Query Data</h1>
<input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
<br><br>
<input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php
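// Query form (POST). The shipped sql_waf_test.py only speaks GET to get.php;
// to fuzz this page it would need requests.post(..., data={...}).
if(isset($_POST['submit2'])){
    $query_name = $_POST['query'];
    // $black_list is the regex defined in the insert section above.
    if(preg_match($black_list,$query_name)){
        // echo instead of die(): die() cut the document short, leaving the
        // form/body/html elements unclosed. The else branch already stops
        // any further processing.
        echo "<h2>Illegal Char</h2>";
    }else{
        // empty() also rejects the literal string "0".
        if(empty($query_name)){
            echo "<h2>Query data can not be empty</h2>";
        }else{
            // Intentionally injectable (single-quoted string context), and on
            // this page the single quote itself is not blacklisted. Real code:
            // prepared statement with a bound parameter.
            $query_data = mysqli_query($con,"select * from tb_user where username='$query_name'");
            if($query_data){
                // Only the first matching row is shown; null when there is none.
                $sql_data = mysqli_fetch_assoc($query_data);
                echo "<br><br><br><br>";
                // Stored-XSS fix: the row comes straight from the table and the
                // insert filter does not block "<" or ">", so the dump is
                // HTML-escaped before it reaches the browser. var_dump() writes
                // directly to output, hence the output buffer.
                ob_start();
                var_dump($sql_data);
                echo htmlspecialchars(ob_get_clean(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            }else{
                // A syntactically broken query (e.g. a failed injection attempt)
                // lands here; the MySQL error itself is not echoed.
                echo "<h2>Query Fail</h2>";
            }
        }
    }
}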
?>
</form>
</div>
</body>
</html>
from: https://blog.csdn.net/m0_51428325/article/details/121357604 https://blog.csdn.net/mochu7777777/article/details/108073359