Gridea

Get.php

<!DOCTYPE html>
<html>
<head>
<title>Sql Waf Test</title>
</head>
<body>
<div style="text-align:center;">
<form method="GET" action="">
	<h1>Insert Data</h1>
	<input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
	<br><br>
	<input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
	<br><br>
	<input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php 
$black_list="/select|sleep|and|or|union|\"|'|--|#|where|from|limit/i";
$con = mysqli_connect("127.0.0.1:3306","root","root");
mysqli_query($con,"create database test");
mysqli_select_db($con,"test");
mysqli_query($con,"create table tb_user
	(
	uid int(11) primary key auto_increment not null,
	username varchar(50) not null,
	password varchar(50) not null,
	UNIQUE(username)
	)");
if(isset($_GET['submit1'])){
	$username = $_GET['username'];
	$password = md5($_GET['password']);
	if(preg_match($black_list,$username)){
		echo "<h2>Illegal Char<h2>";
	}else{
		if(empty($username) || empty($password)){
			echo "<h2>Username or Password can not be empty</h2>";
		}else{
			$insert_sql = mysqli_query($con,"insert into tb_user value(0,'$username','$password')");
			if($insert_sql){
				echo "<h2>Insert Success</h2>";
			}else{
				echo "<h2>Insert Fail</h2>";
			}
		}
	}
}
?>
</form>
</div>
<div style="text-align:center;">
<form method="GET" action="">
<br><br><br><br><br><br><br>
<h1>Query Data</h1>
<input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
<br><br>
<input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php 
if(isset($_GET['submit2'])){
$query_name = $_GET['query'];
if(preg_match($black_list,$query_name)){
die("<h2>Illegal Char</h2>");
}else{
if(empty($query_name)){
echo "<h2>Query data can not be empty</h2>";
}else{
$query_data = mysqli_query($con,"select * from tb_user where username='$query_name'");
if($query_data){
$sql_data = mysqli_fetch_assoc($query_data);
echo "<br><br><br><br>";
var_dump($sql_data);
}else{
echo "<h2>Query Fail</h2>";
}
}
}
}
?>
</form>
</div>
</body>
</html>

sql_waf_test.py

import requests

sql_char = ['select',
		'union',
		'and',
		'or',
		'sleep',
		'where',
		'from',
		'limit',
		'group',
		'by',
		'like',
		'prepare',
		'as',
		'if',
		'char',
		'ascii',
		'mid',
		'left',
		'right',
		'substring',
		'handler',
		'updatexml',
		'extractvalue',
		'benchmark',
		'insert',
		'update',
		'all',
		'@',
		'#',
		'^',
		'&',
		'*',
		'\'',
		'"',
		'~',
		'`',
		'(',
		')',
		'--',
		'=',
		'/',
		'\\',
		' ']

for char in sql_char:
res = requests.get("http://127.0.0.1/get.php?query="+char+"&submit2=sbumit")
if 'Illegal Char' in res.text:
	print("该字符是非法字符: {0}".format(char))
else:
	print("通过: {0}".format(char))

PS C:\Users\Administrator\Desktop> python .\sql_waf_test.py
该字符是非法字符: select
该字符是非法字符: union
该字符是非法字符: and
该字符是非法字符: or
该字符是非法字符: sleep
该字符是非法字符: where
该字符是非法字符: from
该字符是非法字符: limit
通过: group
通过: by
通过: like
通过: prepare
通过: as
通过: if
通过: char
通过: ascii
通过: mid
通过: left
通过: right
通过: substring
该字符是非法字符: handler
通过: updatexml
通过: extractvalue
通过: benchmark
通过: insert
通过: update
通过: all
通过: @
通过: #
通过: ^
通过: &
通过: *
该字符是非法字符: '
该字符是非法字符: "
通过: ~
通过: `
通过: (
通过: )
该字符是非法字符: --
通过: =
通过: /
通过:
通过:

Post.php

<!DOCTYPE html>
<html>
<head>
<title>Sql Waf Test</title>
</head>
<body>
<div style="text-align:center;">
<form method="POST" action="">
	<h1>Insert Data</h1>
	<input type="text" name="username" style="height:25px;width:250px;" placeholder="Please input your username">
	<br><br>
	<input type="password" name="password" style="height:25px;width:250px;" placeholder="Please input your password">
	<br><br>
	<input type="submit" name="submit1" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php 
$black_list="/select|and|or|union|limit/i";
$con = mysqli_connect("127.0.0.1:3306","root","root");
mysqli_query($con,"create database test");
mysqli_select_db($con,"test");
mysqli_query($con,"create table tb_user
	(
	uid int(11) primary key auto_increment not null,
	username varchar(50) not null,
	password varchar(50) not null,
	UNIQUE(username)
	)");
if(isset($_POST['submit1'])){
	$username = $_POST['username'];
	$password = md5($_POST['password']);
	if(preg_match($black_list,$username)){
		echo "<h2>Illegal Char<h2>";
	}else{
		if(empty($username) || empty($password)){
			echo "<h2>Username or Password can not be empty</h2>";
		}else{
			$insert_sql = mysqli_query($con,"insert into tb_user value(0,'$username','$password')");
			if($insert_sql){
				echo "<h2>Insert Success</h2>";
			}else{
				echo "<h2>Insert Fail</h2>";
			}
		}
	}
}
?>
</form>
</div>
<div style="text-align:center;">
<form method="POST" action="">
<br><br><br><br><br><br><br>
<h1>Query Data</h1>
<input type="text" name="query" style="height:25px;width:250px;" placeholder="Query Username">
<br><br>
<input type="submit" name="submit2" style="height:31px;color:#7d7d7d;" value="sbumit">
<?php 
if(isset($_POST['submit2'])){
$query_name = $_POST['query'];
if(preg_match($black_list,$query_name)){
die("<h2>Illegal Char</h2>");
}else{
if(empty($query_name)){
echo "<h2>Query data can not be empty</h2>";
}else{
$query_data = mysqli_query($con,"select * from tb_user where username='$query_name'");
if($query_data){
$sql_data = mysqli_fetch_assoc($query_data);
echo "<br><br><br><br>";
var_dump($sql_data);
}else{
echo "<h2>Query Fail</h2>";
}
}
}
}
?>
</form>
</div>
</body>
</html>

————————————————
版权声明：本文为CSDN博主「末 初」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/mochu7777777/article/details/108073359