web安全之PHP积累

1、SQL注入

 <?php
// Demo 1: SQL injection. $id is read straight from the query string and
// concatenated into the SQL text, so the request controls the statement that
// reaches the database.
header("Content-type:text/html;charset=utf-8");
$id = $_GET['id'];  // untrusted input, neither validated nor escaped
// NOTE(review): the mysql_* extension was removed in PHP 7; root credentials are inline.
$conn = mysql_connect('127.0.0.1','root','root');
mysql_select_db("lsj",$conn);
// Injection point: $id is interpolated inside the quotes. Mitigation (not
// applied in this demo): a prepared statement with a bound parameter, e.g.
// PDO `... WHERE id = ?`, so the value can never alter the query structure.
$sql = "select * from game where id = '$id'";
$request = mysql_query($sql);
// If the query failed, $request is false and mysql_num_rows() emits a warning
// rather than a clean error.
if (mysql_num_rows($request)) {
    while ($row = mysql_fetch_array($request)) {
        // Column values are echoed into HTML without htmlspecialchars(), so
        // anything stored in the table is rendered as markup.
        echo "Hero ID : ".$row['Hid']."<br>";
        echo "Hero Name : ".$row['Name']."<br>";
        echo "Hero Sex : ".$row['Sex']."<br>";
    }
} else {
    echo "None";
}
mysql_close($conn);
?>

2、MySQL报错注入

 <?php
// Demo 2: error-based SQL injection. $name is interpolated into the query
// unescaped, and on failure the raw mysql_error() text is sent to the client,
// so database error messages become an output channel for an injected query.
// NOTE(review): the mysql_* extension was removed in PHP 7; root credentials are inline.
$conn = mysql_connect("localhost", "root", "root");
if (!$conn) {
    die("Connection failed: " . mysql_error());
}
mysql_select_db("sqli", $conn);
if (isset($_GET['name']) && isset($_GET['pass'])) {
    $name = $_GET['name'];  // untrusted, unescaped
    // NOTE(review): unsalted MD5 as a password hash; password_hash()/
    // password_verify() is the modern choice. Hashing does stop $pass from
    // carrying quotes, which is why $name is the only injection point here.
    $pass = md5($_GET['pass']);
    // Injection point: $name inside the quotes. Mitigation (not applied in
    // this demo): a prepared statement with bound parameters.
    $query = "select * from user where name='$name' and pass='$pass'";
    if ($result = mysql_query($query, $conn)) {
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        // Login succeeds on any non-empty result row.
        if ($row) {
            echo "<script>alert('login successful!');</script>";
        }
    } else {
        // Leaks the raw database error to the client; in production this
        // belongs in a server-side log, with a generic message for the user.
        die("Operation error: " . mysql_error());
    }
}
mysql_close();
// The form below submits with method="get", so the username and password end
// up in the URL, browser history and server access logs.
?>
<!DOCTYPE html>
<html>
<head>
<title>Login</title>
</head>
<body>
<center>
<form method="get" action="">
<label>Username:</label><input type="text" name="name" value=""/><br/>
<label>Password:</label><input type="password" name="pass" value=""/><br/>
<input type="submit" value="login"/>
</form>
</center>
</body>
</html>

3、文件包含

 <?php
// Demo 3: file inclusion. The path handed to include() comes straight from
// the query string, so the request decides which file is read and executed.
header("Content-type:text/html;charset=utf-8");
$file = $_GET['file'];  // untrusted, unvalidated path
// Vulnerable sink. Mitigation (not applied in this demo): map a fixed set of
// allowed names to server-side paths and include only from that map; never
// build an include path from request data.
include($file);
?>

4、文件上传

 <?php
// Demo 4: file upload validated by client-supplied MIME type only.
// $_FILES['upfile']['type'] is whatever the browser wrote into the multipart
// request, so the type check below trusts the uploader. The destination file
// name is also taken from the client, extension included.
header("Content-type:text/html;charset=utf-8");
$uploaddir = 'upload/';
if (isset($_POST['submit'])) {
    // file_exists() is true for a regular file too; is_dir() would be the
    // precise check for a target directory.
    if (file_exists($uploaddir)) {
        // Client-controlled MIME string compared against an image allow-list.
        // Mitigation (not applied in this demo): inspect the file content
        // server-side (finfo), allow-list extensions, generate the stored
        // name yourself, and keep uploads outside the web root.
        if (($_FILES['upfile']['type'] == 'image/gif')
            || ($_FILES['upfile']['type'] == 'image/jpeg')
            || ($_FILES['upfile']['type'] == 'image/png')
            || ($_FILES['upfile']['type'] == 'image/bmp')
        ) {
            // Destination uses $uploaddir . '/' . name (double slash, since
            // $uploaddir already ends in '/'), while the message below prints
            // $uploaddir . name — the two paths are spelled inconsistently.
            if (move_uploaded_file($_FILES['upfile']['tmp_name'], $uploaddir . '/' . $_FILES['upfile']['name'])) {
                // The client-chosen file name is echoed into HTML unescaped.
                // NOTE(review): "n" here (and below) is presumably "\n" with
                // the backslash lost in extraction — confirm.
                echo '文件上传成功,保存于:' . $uploaddir . $_FILES['upfile']['name'] . "n";
            }
            // A failed move_uploaded_file() produces no output at all.
        } else {
            echo '文件类型不正确,请重新上传!' . "n";
        }
    } else {
        exit($uploaddir . '文件夹不存在,请手工创建!');
    }
}
// NOTE(review): the HTTP header above declares charset=utf-8 while the
// <meta> tag below declares gbk; the two disagree.
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=gbk"/>
<meta http-equiv="content-language" content="zh-CN"/>
<title>文件上传--MIME验证实例</title>
<body>
<h3>文件上传--MIME验证实例</h3>
<form action="" method="post" enctype="multipart/form-data" name="upload">
请选择要上传的文件:<input type="file" name="upfile"/>
<input type="submit" name="submit" value="上传"/>
</form>
</body>
</html>

5、XXE

 <?php
// Demo 5: XXE. The argument to simplexml_load_file() is taken straight from
// the query string, so the request chooses the file or URL that gets parsed,
// and the parser runs with default options (no LIBXML_NONET, no custom entity
// loader). Whether external entities are actually expanded depends on the
// libxml/PHP version in use — NOTE(review): confirm for the target runtime.
header("Content-type:text/html;charset=utf-8");
echo "XXE"."<hr>";
$xml = $_GET['x'];  // untrusted path or URL
// Mitigation (not applied in this demo): parse only documents obtained from
// a trusted source, pass LIBXML_NONET, and keep external entity loading off.
$data = simplexml_load_file($xml);
var_dump($data);  // the parsed content is dumped straight into the response
?>

6、代码执行

 <?php
// Demo 6 (heading: 代码执行). As written this only echoes $_GET['x'] back
// into the HTML response without escaping — reflected output (XSS) rather
// than code execution; no code-evaluation function is called here.
// NOTE(review): the heading says code execution, so the intended sink may
// have been lost in extraction — confirm against the original.
header("Content-type:text/html;charset=utf-8");
echo "代码执行 "."<hr>";
// Mitigation for the echo as shown (not applied in this demo):
// htmlspecialchars($_GET['x'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
echo ($_GET['x']);
?>

7、命令执行

 <?php
// Demo 7: OS command injection. The string handed to shell_exec() is the raw
// query-string value, so the request is run by the system shell under the web
// server's account and its output is echoed back.
header("Content-type:text/html;charset=utf-8");
echo "命令执行"."<hr>";
// Mitigation (not applied in this demo): do not pass request data to a shell;
// if a fixed command must take user values, allow-list them and quote each
// with escapeshellarg(), or use the array form of proc_open() to avoid the
// shell entirely.
echo shell_exec($_GET['x']);
?>

8、变量覆盖

 <?php
// Demo 8: variable overwrite via a variable variable. `$$i = ...` assigns to
// whatever variable name the request supplies in x, with the value from y, so
// any local set before that line (including the $id default) can be replaced
// before the query is built. The query is also string-built from $id.
header("Content-type:text/html;charset=utf-8");
echo "变量覆盖"."<hr>";
$id = 1;           // intended default lookup key
$i = $_GET['x'];   // request-chosen variable name
$$i = $_GET['y'];  // vulnerable sink: dynamic assignment from request data
// Mitigation (not applied in this demo): never use $$, extract() or similar on
// request data; read each expected key explicitly and validate its type.
// NOTE(review): the mysql_* extension was removed in PHP 7; root credentials are inline.
$conn = mysql_connect('127.0.0.1','root','root');
mysql_select_db("lsj",$conn);
// $id is interpolated unescaped; a prepared statement would remove the SQL
// injection even if the variable itself had been overwritten.
$sql = "select * from game where Hid = '$id'";
$request = mysql_query($sql);
if (mysql_num_rows($request)) {
    while ($row = mysql_fetch_array($request)) {
        // Column values are echoed into HTML without htmlspecialchars().
        echo "Hero ID : ".$row['Hid']."<br>";
        echo "Hero Name : ".$row['Name']."<br>";
        echo "Hero Sex : ".$row['Sex']."<br>";
    }
} else {
    echo "None";
}
mysql_close($conn);
?>

9、目录遍历

 <?php
// Demo 9: directory traversal / arbitrary directory listing.
header("Content-type:text/html;charset=utf-8");
echo "目录遍历"."<hr>";
// $_REQUEST merges GET, POST and cookie data; the path is used as-is.
$dir_path = $_REQUEST['path'];
// Vulnerable sink: scandir() lists whatever directory the PHP process can
// read. Mitigation (not applied in this demo): resolve the input with
// realpath() and reject it unless it stays under a fixed base directory.
$file = scandir($dir_path);
// NOTE(review): var_temp() is not a PHP function, so this line is a fatal
// error as written; presumably var_dump() was intended — confirm.
var_temp($file);
?>