1、SQL注入
<?php
header("Content-type:text/html;charset=utf-8");
$id = $_GET['id'];
$conn = mysql_connect('127.0.0.1','root','root');
mysql_select_db("lsj",$conn);
$sql = "select * from game where id = '$id'";
$request = mysql_query($sql);
if (mysql_num_rows($request)){
while($row = mysql_fetch_array($request))
{
echo "Hero ID : ".$row['Hid']."<br>";
echo "Hero Name : ".$row['Name']."<br>";
echo "Hero Sex : ".$row['Sex']."<br>";
}
}
else{
echo "None";
}
mysql_close($conn);
?>
2、MySQL报错注入
<?php
$conn = mysql_connect("localhost", "root", "root");
if (!$conn) {
die("Connection failed: " . mysql_error());
}
mysql_select_db("sqli", $conn);
if (isset($_GET['name']) && isset($_GET['pass'])) {
$name = $_GET['name'];
$pass = md5($_GET['pass']);
$query = "select * from user where name='$name' and pass='$pass'";
if ($result = mysql_query($query, $conn)) {
$row = mysql_fetch_array($result, MYSQL_ASSOC);
if ($row) {
echo "<script>alert('login successful!');</script>";
}
} else {
die("Operation error: " . mysql_error());
}
}
mysql_close();
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<center>
<form method="get" action="">
<label>Username:</label><input type="text" name="name" value=""/><br/>
<label>Password:</label><input type="password" name="pass" value=""/><br/>
<input type="submit" value="login"/>
</form>
</center>
</body>
</html>
3、文件包含
<?php
header("Content-type:text/html;charset=utf-8");
$file = $_GET['file'];
include($file);
?>
4、文件上传
<?php
header("Content-type:text/html;charset=utf-8");
$uploaddir = 'upload/';
if (isset($_POST['submit'])) {
if (file_exists($uploaddir)) {
if (($_FILES['upfile']['type'] == 'image/gif') || ($_FILES['upfile']['type'] == 'image/jpeg') ||
($_FILES['upfile']['type'] == 'image/png') || ($_FILES['upfile']['type'] == 'image/bmp')
) {
if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . '/' . $_FILES['upfile']['name'])) {
echo '文件上传成功,保存于:' . $uploaddir . $_FILES['upfile']['name'] . "n";
}
} else {echo '文件类型不正确,请重新上传!' . "n"; }
} else {exit($uploaddir . '文件夹不存在,请手工创建!');} }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=gbk"/>
<meta http-equiv="content-language" content="zh-CN"/>
<title>文件上传--MIME验证实例</title>
<body>
<h3>文件上传--MIME验证实例</h3>
<form action="" method="post" enctype="multipart/form-data" name="upload">
请选择要上传的文件:<input type="file" name="upfile"/>
<input type="submit" name="submit" value="上传"/>
</form> </body> </html>
5、XXE
<?php
header("Content-type:text/html;charset=utf-8");
echo "XXE"."<hr>";
$xml = $_GET['x'];
$data = simplexml_load_file($xml);
var_dump($data);
?>
6、代码执行
<?php
header("Content-type:text/html;charset=utf-8");
echo "代码执行 "."<hr>";
echo ($_GET['x']);
?>
7、命令执行
<?php
header("Content-type:text/html;charset=utf-8");
echo "命令执行"."<hr>";
echo shell_exec($_GET['x']);
?>
8、变量覆盖
<?php
header("Content-type:text/html;charset=utf-8");
echo "变量覆盖"."<hr>";
$id = 1;
$i = $_GET['x'];
$$i = $_GET['y'];
$conn = mysql_connect('127.0.0.1','root','root');
mysql_select_db("lsj",$conn);
$sql = "select * from game where Hid = '$id'";
$request = mysql_query($sql);
if (mysql_num_rows($request)){
while($row = mysql_fetch_array($request))
{
echo "Hero ID : ".$row['Hid']."<br>";
echo "Hero Name : ".$row['Name']."<br>";
echo "Hero Sex : ".$row['Sex']."<br>";
} }
else{
echo "None";
}
mysql_close($conn);
?>
9、目录遍历
<?php
header("Content-type:text/html;charset=utf-8");
echo "目录遍历"."<hr>";
$dir_path = $_REQUEST['path'];
$file = scandir($dir_path);
var_temp($file);
?>
安全学习交流群:687398569