如何在这段 PHP 和 MySQL 代码中演示 SQL 注入?
我首先要指出的是,这是对我自己的数据库的一次教育尝试,目的是更好地理解 MySQL 注入以保护我自己的代码。
我需要找出几个示例来说明如何根据以下代码构建 MySQL 注入。这是一个基本的用户登录系统,我接受用户名和密码而不进行任何转义
$user = (!empty($_POST['user'])) ? $_POST['user'] : '';
$pass = (!empty($_POST['pass'])) ? $_POST['pass'] : '';
MySQL 查询然后尝试在名为 users 的表中查找输入的用户名和密码,如下所示:
$res = mysql_query("SELECT * from users where user='{$user}' AND pass='{$pass}'");
这是未转义的输入,我是尝试提出 MySQL 注入:
- 绕过知道合法用户用户名的密码(我的用户表中的一个用户是测试员),以及
- 会删除 users 表的完整内容。
我已经尝试了 Wikipedia 中的几个 MySQL 注入示例,但我猜 <我的查询中的 code>{} 正在阻止注入,因此我希望得到那些对此有信心的人的帮助,并感谢所有人。
I'd like to note first that this is an education attempt on my own database to better understand MySQL injections to protect my own code.
I need to work out a couple of examples of how a MySQL injection can be constructed against the following code. It's a basic user login system where I'm accepting the username and password without any escaping
$user = (!empty($_POST['user'])) ? $_POST['user'] : '';
$pass = (!empty($_POST['pass'])) ? $_POST['pass'] : '';
The MySQL query then tries to find the entered username and password in my table called users, as follows:
$res = mysql_query("SELECT * from users where user='{$user}' AND pass='{$pass}'");
This is un-escaped input, and I'm trying to come up with MySQL injections to:
- bypass the password knowing a legitimate user's username (one user in my users table is tester), and
- an injection that would drop the users table in its entirety.
I've tried a couple of MySQL injection examples from Wikipedia, but I'm guessing the {} in my query is preventing the injection, so I would appreciate some help from those who are confident with this, and thank you to all.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
像这样的事情应该做:
这将使您的查询看起来像
“--”意味着该行的其余部分被注释掉
这将使您的查询看起来像:
但可能不接受 - 我认为子查询只能选择。
mysql_query 函数只会运行一个查询 - 其他函数会让您执行此操作:
Something like this should do:
This will make your query look like
The "-- " means the rest of the line is commented out
This will make your query look like:
might not accept that though - I think subqueries can only SELECT.
The mysql_query function will only run one query - others would let you do this:
您将无法
DROP该表,因为使用mysql_query您无法发送多个查询。You will not be able to
DROPthe table because usingmysql_queryyou can't send multiple queries.这是一个很长的清单。
http://ha.ckers.org/sqlinjection/
你的代码显然会失败几乎所有的测试因为它完全不受保护。
Here's a long list.
http://ha.ckers.org/sqlinjection/
Your code will obviously fail almost all the test as it is totally unprotected.
这将为您保护代码。
任何人都无法
DROP该表。That will protect code for you.
Anyone will not be able to
DROPthe table.{} 不是原因。 php 的 Magic Quotes(现已弃用)可能会保护您免受相当简单的攻击。
但是,您可以将其关闭,然后再次测试。
{} are not the reason. It might be that php's Magic Quotes (now deprecated) protect you from rather simplistic attacks.
However, you can switch them off and then test again.
尝试一下这个,看看它是否转储整个表:
这当然假设我知道您正在使用大括号来包装数据值。
我真的不确定 MySQL 如何处理这样的混合逻辑,因为它没有括在括号中,所以让我知道它是否有效!
Try this one out and see if it dumps the entire table:
This of course assumes that I know you are using the curly brace to wrap the data values.
I'm really not sure how MySQL handles mixed logic like that, since it's not enclosed in parenthesis, so let me know if it works!