Mysql下可能存在注入的点。

　　总结下mysql下可能存在注入的点,适用于mssql和oracle，先写语句，以后再写语句可能出现在哪些场景下:

　　针对查询:

　　　　

select * from x where id=* 
select * from x where id='*'

　针对删除:

　　

delete from x where id=*
delete from x where id='*'

　针对修改:

　　

update x set name='*'
update x set name='x',x='*' where id=x

 

针对插入:

　　

insert into x values(1,'*')
insert into x(id,name) values(1,'*')

 

针对搜索查询(like):

select * from x  where name like '*%' 
select * from x  where name like '%*%' 
select * from x  where name like '%*' 

 

针对排序(order by):

select * from x order by *

 

针对统计(group by):

select from x group by *

 

针对in:

　

select * from user1 where id in (1,*)
select * from user1 where id in ('1','*')

 

针对limit:

select * from x limit *
select * from x limit 0,*
select * from x order by id limit *
select * from x order by id limit 0,*

 

　针对数组key:

　　

function addslashes_array($value) { return is_array($value) ? array_map('addslashes_array', $value) : addslashes($value); } print_R($_GET); foreach ($_GET AS $key => $value) { print $key; } ?> ....

 

假设http://*.com/test=123,代码中过滤了value没有过滤key,白盒/fuzz中可以通过http://*.com/test'=123注入

 

暂时先总结这么多。注入的时候可能遇到的一些。