SQL注入与XSS漏洞挖掘实战教学文档<\/h1>

1. SQL注入漏洞挖掘<\/h2>

1.1 基础SQL注入检测<\/h3>

原理<\/strong>：通过构造特殊输入改变SQL查询逻辑，获取未授权数据访问<\/p>

检测方法<\/strong>：<\/p>

在POST请求体中寻找ID或User等参数<\/li>
使用真\/假条件测试：

patient_id=5'and'1'='1<\/code> (始终为真条件)<\/li>
patient_id=5'and'1'='2<\/code> (始终为假条件)<\/li> <\/ul> <\/li> <\/ol> 判断依据<\/strong>：<\/p> 真条件返回正常结果 → 可能存在注入漏洞<\/li> 假条件返回错误信息 → 确认存在注入漏洞<\/li> <\/ul> 1.2 时间盲注技术<\/h3> 适用场景<\/strong>：当应用不直接返回错误信息时<\/p> 测试方法<\/strong>：<\/p> 使用延迟函数： patient_id=5' or sleep(5)--+<\/code><\/li> patient_id=5' and sleep(5)--+<\/code><\/li> <\/ul> <\/li> <\/ol> 注意事项<\/strong>：<\/p> OR和AND优先级不同会影响结果<\/li> 延迟可能不精确为5秒，但应有明显延迟<\/li> 其他可用函数：BENCHMARK()<\/code>, WAITFOR DELAY<\/code><\/li> <\/ul> 技术要点<\/strong>：<\/p> --+<\/code>是注释符，确保后续查询部分被忽略<\/li> 优先测试常用函数，再尝试其他函数<\/li> <\/ul> 2. 代码层面分析<\/h2> 2.1 漏洞代码示例<\/h3> \/\/获取患者档案 <\/span><\/span><\/span><\/span>function<\/span> getUserInfo<\/span>() { <\/span><\/span> var<\/span> patient_id<\/span>=<\/span>$<\/span>("#patient_id"<\/span>).<\/span>val<\/span>(); <\/span><\/span> if<\/span>(patient_id<\/span>><\/span>0<\/span>){ <\/span><\/span> $<\/span>.<\/span>post<\/span>('\/Doctor\/getUserInfo'<\/span>,{patient_id<\/span>:<\/span>patient_id<\/span>},function<\/span> (res<\/span>) { <\/span><\/span> if<\/span>(res<\/span>.<\/span>status<\/span>==<\/span>0<\/span>){ <\/span><\/span> if<\/span>(res<\/span>.<\/span>data<\/span>.<\/span>file_id<\/span>><\/span>0<\/span>){ <\/span><\/span> var<\/span> d<\/span>=<\/span>res<\/span>.<\/span>data<\/span>; <\/span><\/span> var<\/span> txt<\/span>=<\/span>'<dt class="whiteBg">体重:'<\/span>+<\/span>d<\/span>.<\/span>weight<\/span>+<\/span>'kg身高:'<\/span>+<\/span>d<\/span>.<\/span>height<\/span>+<\/span>'cm<\/span> \n'<\/span> <\/span><\/span> +<\/span> '血型:'<\/span>+<\/span>d<\/span>.<\/span>blood_a<\/span>+<\/span>'RH'<\/span>+<\/span>d<\/span>.<\/span>blood_b<\/span>+<\/span>'<\/span> \n'<\/span> <\/span><\/span> +<\/span> '左耳听力:'<\/span>+<\/span>d<\/span>.<\/span>left_ear_hearing<\/span>+<\/span>'右耳听力:'<\/span>+<\/span>d<\/span>.<\/span>right_ear_hearing<\/span>+<\/span>'<\/span> \n'<\/span> <\/span><\/span> +<\/span> '左眼视力:'<\/span>+<\/span>d<\/span>.<\/span>left_vision<\/span>+<\/span>'右眼视力:'<\/span>+<\/span>d<\/span>.<\/span>right_vision<\/span>+<\/span>'<\/span><\/dt>\n'<\/span> <\/span><\/span> +<\/span> '<dd>个人史:'<\/span>+<\/span>d<\/span>.<\/span>personal_info<\/span>+<\/span>'<\/dd>\n'<\/span> <\/span><\/span> +<\/span> '<dd>家族史:'<\/span>+<\/span>d<\/span>.<\/span>family_info<\/span>+<\/span>'<\/dd>\n'<\/span> <\/span><\/span> +<\/span> '<dd>身*证:'<\/span>+<\/span>d<\/span>.<\/span>id_card<\/span>+<\/span>'<\/dd>\n'<\/span> <\/span><\/span> +<\/span> '<dd>紧急联系人:'<\/span>+<\/span>d<\/span>.<\/span>emergency_contact_name<\/span>+<\/span>'关系:'<\/span>+<\/span> d<\/span>.<\/span>emergency_contact_relation_label<\/span>+<\/span>'<\/span><\/dd>\n'<\/span> <\/span><\/span> +<\/span> '<dd>电话:'<\/span>+<\/span>d<\/span>.<\/span>emergency_contact_mobile<\/span>+<\/span>'<\/dd>'<\/span>; <\/span><\/span> $<\/span>("#user_file_box"<\/span>).<\/span>html<\/span>(txt<\/span>); <\/span><\/span> }else<\/span>{ <\/span><\/span><\/code><\/pre>问题点<\/strong>：<\/p> 直接拼接用户输入的patient_id到SQL查询<\/li> 未对返回数据进行过滤直接输出到HTML<\/li> <\/ol> 3. XSS漏洞挖掘<\/h2> 3.1 反射型XSS测试<\/h3> 测试方法<\/strong>：<\/p> 寻找输出用户输入的参数<\/li> 测试基本XSS payload： <script>alert(1)<\/script><\/code><\/li> ``<\/li> <\/ul> <\/li> <\/ol> 现代浏览器防护<\/strong>：<\/p> 内置XSS过滤器可能阻止简单payload<\/li> 需要测试绕过技术<\/li> <\/ul> 3.2 输出上下文分析<\/h3> 关键点<\/strong>：<\/p> 数据输出在HTML标签属性中<\/li> 数据输出在JavaScript代码中<\/li> 数据输出在HTML注释中<\/li> <\/ol> 测试技巧<\/strong>：<\/p> 闭合当前上下文<\/li> 测试各种编码方式<\/li> 利用DOM-based XSS技术<\/li> <\/ul> 4. 防护措施<\/h2> 4.1 SQL注入防护<\/h3> 使用参数化查询\/预处理语句<\/li> 实施最小权限原则<\/li> 输入验证和过滤<\/li> 使用ORM框架<\/li> <\/ol> 4.2 XSS防护<\/h3> 输出编码： HTML实体编码<\/li> JavaScript编码<\/li> URL编码<\/li> <\/ul> <\/li> 使用CSP策略<\/li> 设置HttpOnly标志<\/li> 输入验证和过滤<\/li> <\/ol> 5. 漏洞挖掘工具与技巧<\/h2> 5.1 工具使用<\/h3> Seay审计工具（注意规则更新）<\/li> Burp Suite<\/li> SQLMap<\/li> XSS Hunter<\/li> <\/ol> 5.2 手工测试技巧<\/h3> Fuzz测试技术<\/li> 边界条件测试<\/li> 异常输入测试<\/li> 逻辑漏洞挖掘<\/li> <\/ol> 6. 实战总结<\/h2> 工具扫描+手工验证结合<\/li> 关注ID\/User等关键参数<\/li> 多种注入技术组合测试<\/li> 代码审计与黑盒测试互补<\/li> 持续更新测试payload库<\/li> <\/ol> 通过掌握这些技术和方法，安全测试人员可以更有效地发现和验证SQL注入与XSS漏洞，提升应用安全性。<\/p>