我可以在这个网站上做 sql 注入吗 [英] Can I do sql injection on this website

问题描述

我正在尝试从网站数据库中获取批量数据，但未能成功.有人可以建议 SQL 注入是否可能以及在这种情况下如何做.

I am trying to fetch bulk data from a website database but could not succeed. Can somebody suggest if SQL injection is possible and how to do in this case.

推荐答案

有很多方法可以对与您提供的网站类似的网站进行 SQL 注入.

There are many ways to do SQL Injection to a website similar to the one you provided.

在 where 子句中，它期望 ac_no.我假设这个值是作为用户输入从浏览器传递的.在这种情况下，您可以将 ac_no 值与 或 1 = 1 一起传递.例如 其中 ac_no = 123 或 1 = 1.它返回表 RollPdf1 中的所有内容.

In the where clause it is expecting ac_no. I assume that this value is being passed from the browser as user input. In that case you can pass ac_no value along with or 1 = 1. e.g where ac_no = 123 or 1 = 1. It returns everything from the table RollPdf1.

对于字符串比较，您可以将 "" = "" 添加到 where 子句.

For string comparison you can add "" = "" to the where clause.

如果您想执行其他select 操作(如果您知道其他表名)，那么您可以附加由; 分隔的select 语句.

If you want to perform other select operations ( if you know other table names) then you can append select statements delmited by ;.

联合运算符:

如果您知道查询中所选列的数据类型，则可以使用 UNION 从其他表中获取其他数据.

If you know the data types of the columns selected in the query then you can use UNION to get additional data from other tables.

例如

  original query :  select  name, age, sex from table1 where id = 1

  sql injected query  :  select name, age, sex from table1 where id = 1 AND 1 = 2 UNION select username, id, password from userstable or someother table.

这篇关于我可以在这个网站上做 sql 注入吗的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！