可以使用 '|"|}|) 等特殊字符进行检测,除了正常的参数提交外,注入的位置也可能存在于 HTTP header 中,比如 X-Forwarded-For、User-Agent、Referer、Cookie 中。不同数据库的报错内容:
MSSQL ASPX Error
代码语言:javascript复制Server Error in '/' ApplicationMSAccess (Apache PHP)
代码语言:javascript复制Fatal error: Uncaught exception 'com_exception' with message Source: Microsoft JET Database EngineMSAccesss (IIS ASP)
代码语言:javascript复制Microsoft JET Database Engine error '80040e14'Oracle Error
代码语言:javascript复制ORA-00933: SQL command not properly endedODBC Error
代码语言:javascript复制Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)PostgreSQL Error
代码语言:javascript复制PSQLException: ERROR: unterminated quoted string at or near "'" Position: 1
or
Query failed: ERROR: syntax error at or near
"'" at character 56 in /www/site/test.php on line 121.MS SQL Server: Error
代码语言:javascript复制Microsoft SQL Native Client error ‘80040e14’
Unclosed quotation mark after the character string参考资料:
https://www.securityidiots.com/Web-Pentest/SQL-Injection/Part-2-Basic-of-SQL-for-SQLi.html
