孤独的光头儿 發表於 2008-10-8 19:36:36

EditPlus查找PHP源码简单数字型注入的正则表达式

今天看一个项目代码,文件不多,不过每个文件中都N多注入,一个一个看实在太累,索性花了点时间,弄了个正则表达式,搜索出来,然后再将安全的筛选出去。省了不少时间的说。

1.查找select、update、delete语句<br />

((select|SELECT|update|UPDATE|delete|DELETE) .*(from|FROM|set|SET) .*(where|WHERE) .*)

查询语句,对于没有条件判断的基本不存在注入问题,因而仅搜索此语句即可 <br />

例子: <br />

select * from user where

2.简单的数字型注入<br />

((select|SELECT|update|UPDATE|delete|DELETE) .*(from|FROM|set|SET) .*(where|WHERE) .*=[ ]?[&quot;]?[&quot;]?\$)

能找到select、update delete三种语句,5种格式的整形注入,如: <br />

直接变量传入 <br />

select * from guess where id=$subject_id <br />

update guess set is_valid=0 where id=$subject_id <br />

delete from guess where id=$subject_id <br />

=与变量之间存在空格 <br />

select * from guess where id= $subject_id <br />

update guess set is_valid=0 where id= $subject_id <br />

delete from guess where id= $subject_id <br />

变量双引号 <br />

select * from guess where id=&quot;$subject_id&quot; <br />

update guess set is_valid=0 where id=&quot;$subject_id&quot; <br />

delete from guess where id=&quot;$subject_id&quot; <br />

=与双引号之间存在空格 <br />

select * from guess where id= &quot;$subject_id&quot; <br />

update guess set is_valid=0 where id= &quot;$subject_id&quot; <br />

delete from guess where id= &quot;$subject_id&quot; <br />

=与引号、双引号之间存在空格 <br />

select * from guess where id= &quot; $subject_id&quot; <br />

update guess set is_valid=0 where id= &quot; $subject_id&quot; <br />

delete from guess where id= &quot; $subject_id&quot;



<br />
頁: [1]
查看完整版本: EditPlus查找PHP源码简单数字型注入的正则表达式