1、SQL注入
<?php header("Content-type:text/html;charset=utf-8"); $id = $_GET['id']; $conn
= mysql_connect('127.0.0.1','root','root'); mysql_select_db("lsj",$conn); $sql
= "select * from game where id = '$id'"; $request = mysql_query($sql); if
(mysql_num_rows($request)){ while($row = mysql_fetch_array($request)) { echo
"Hero ID : ".$row['Hid']."<br>"; echo "Hero Name : ".$row['Name']."<br>"; echo
"Hero Sex : ".$row['Sex']."<br>"; } } else{ echo "None"; } mysql_close($conn);
?>
2、MySQL报错注入
<?php $conn = mysql_connect("localhost", "root", "root"); if (!$conn) {
die("Connection failed: " . mysql_error()); } mysql_select_db("sqli", $conn);
if (isset($_GET['name']) && isset($_GET['pass'])) { $name = $_GET['name'];
$pass = md5($_GET['pass']); $query = "select * from user where name='$name' and
pass='$pass'"; if ($result = mysql_query($query, $conn)) { $row =
mysql_fetch_array($result, MYSQL_ASSOC); if ($row) { echo "<script>alert('login
successful!');</script>"; } } else { die("Operation error: " . mysql_error());
} } mysql_close(); ?> <!DOCTYPE html> <html> <head> <title>Login</title>
</head> <body> <center> <form method="get" action="">
<label>Username:</label><input type="text" name="name" value=""/><br/>
<label>Password:</label><input type="password" name="pass" value=""/><br/>
<input type="submit" value="login"/> </form> </center> </body> </html>
3、文件包含
<?php header("Content-type:text/html;charset=utf-8"); $file = $_GET['file'];
include($file); ?>
4、文件上传
<?php header("Content-type:text/html;charset=utf-8"); $uploaddir = 'upload/';
if (isset($_POST['submit'])) { if (file_exists($uploaddir)) { if
(($_FILES['upfile']['type'] == 'image/gif') || ($_FILES['upfile']['type'] ==
'image/jpeg') || ($_FILES['upfile']['type'] == 'image/png') ||
($_FILES['upfile']['type'] == 'image/bmp') ) { if
(move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . '/' .
$_FILES['upfile']['name'])) { echo '文件上传成功,保存于:' . $uploaddir .
$_FILES['upfile']['name'] . "n"; } } else {echo '文件类型不正确,请重新上传!' . "n"; } }
else {exit($uploaddir . '文件夹不存在,请手工创建!');} } ?> <!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html
xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type"
content="text/html;charset=gbk"/> <meta http-equiv="content-language"
content="zh-CN"/> <title>文件上传--MIME验证实例</title> <body> <h3>文件上传--MIME验证实例</h3>
<form action="" method="post" enctype="multipart/form-data" name="upload">
请选择要上传的文件:<input type="file" name="upfile"/> <input type="submit" name="submit"
value="上传"/> </form> </body> </html>
5、XXE
<?php header("Content-type:text/html;charset=utf-8"); echo "XXE"."<hr>"; $xml
= $_GET['x']; $data = simplexml_load_file($xml); var_dump($data); ?>
6、代码执行
<?php header("Content-type:text/html;charset=utf-8"); echo "代码执行 "."<hr>";
echo ($_GET['x']); ?>
7、命令执行
<?php header("Content-type:text/html;charset=utf-8"); echo "命令执行"."<hr>"; echo
shell_exec($_GET['x']); ?>
8、变量覆盖
<?php header("Content-type:text/html;charset=utf-8"); echo "变量覆盖"."<hr>"; $id
= 1; $i = $_GET['x']; $$i = $_GET['y']; $conn =
mysql_connect('127.0.0.1','root','root'); mysql_select_db("lsj",$conn); $sql =
"select * from game where Hid = '$id'"; $request = mysql_query($sql); if
(mysql_num_rows($request)){ while($row = mysql_fetch_array($request)) { echo
"Hero ID : ".$row['Hid']."<br>"; echo "Hero Name : ".$row['Name']."<br>"; echo
"Hero Sex : ".$row['Sex']."<br>"; } } else{ echo "None"; } mysql_close($conn);
?>
9、目录遍历
<?php header("Content-type:text/html;charset=utf-8"); echo "目录遍历"."<hr>";
$dir_path = $_REQUEST['path']; $file = scandir($dir_path); var_temp($file); ?>
热门工具 换一换