发现SQL注入漏洞

发布于 2024-08-12 00:35:08 字数 1011 浏览 7 评论 0原文

昨天我收到了一封来自某人的电子邮件,称我们的网站容易受到 SQL 注入攻击。电子邮件中写道:

我尝试了一些经典的 SQL 注入 你的服务器。该网址包含 结果:

http://www.mysite.com/ppreview.php?id=611111161%20and%201=0%20UNION%20all%20SELECT%201,2,3,4,密码,6,7,8, 9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33, 34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58, 59,60,61,62,63,64,65,66,67,68,user_id,70,71%20%20来自%20admin--&u=10064&t=users_cars

注意上面的URL,我没有公开我的实际域名,而是将其替换为 mysite.com。

任何人都可以解释一下上面的 URL 的含义吗,因为我的网站很容易受到此类 URL 的攻击,也可能受到您的网站的攻击。

如何解码该网址,那里发生了什么?

Yesterday i received an email from a guy that our site is vulnerable to SQL injection. The email said:

I tried some classic SQL injection on
your server. This URL contains the
result:

http://www.mysite.com/ppreview.php?id=611111161%20and%201=0%20UNION%20all%20SELECT%201,2,3,4,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,user_id,70,71%20%20from%20admin--&u=10064&t=users_cars

Note that in the above URL, i do not expose my actual domain and have replaced it with mysite.com.

Can any one explain what above URL means as my site is vulnerable to that sort of url and possibly to your sites too.

How to decode that url, what is happening there?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

静若繁花 2024-08-19 00:35:08

问题是您正在将查询字符串上的 SQL 命令连接到 SQL 命令中。

大概你的代码会说这样的话

"select * from preview where ID=" + Request.QueryString["id"]

一旦你使用该查询字符串,它就会变成

select * from preview where ID=611111161 and 1=0
UNION ALL
SELECT 1,2,3,4,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,user=id,70,71
FROM admin

EG:他让你的管理员帐户登录信息显示在你的预览页面上。

您应该始终确保 SQL 转义从用户获得的任何输入,或者更好地使用参数化查询,服务器会处理这一点。如果不了解 SQL Server 的语言或类型,我无法真正指出您需要哪些代码来执行此操作。

The problem is that you're concatenating that SQL command on the query string into your SQL command.

Presumably your code says something like

"select * from preview where ID=" + Request.QueryString["id"]

Once you use that QueryString it becomes

select * from preview where ID=611111161 and 1=0
UNION ALL
SELECT 1,2,3,4,password,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,user=id,70,71
FROM admin

EG: He's made your admin account logins show up on your preview page.

You should always make sure to SQL escape any inputs you get from the user, or even better use parametrized queries and the server will take care of that. Without knowing the language or the type of SQL server I can't really point you in the direction of what code you'd need to do that.

森末i 2024-08-19 00:35:08

您可能有如下代码(我不知道 php 语法):

string sql = "select * from mytable where customerid = " + Request.QueryString("id");

现在,由于给你发邮件的人在页面的查询字符串中添加的不仅仅是 id,你的 sql 语句将类似于:

select * from mytable where customerid = 6111111661 并合并所有你不想要的表。< /code>

始终在查询中使用参数并检查用户输入!
如果可能的话尽量避免动态sql。

You probably have code that looks like (I don't know php syntax):

string sql = "select * from mytable where customerid = " + Request.QueryString("id");

Now, since the guy who mailed you added a lot more than just the id to your page's querystring, your sql statement is going to like like:

select * from mytable where customerid = 6111111661 and union all the tables that you don't want.

Always use parameters in your queries and check the user input!
Try to avoid dynamic sql if possible.

那小子欠揍 2024-08-19 00:35:08

更改您的代码以像这样工作。

$id = $_GET['id'];
$user = mysql_real_escape_string($_GET['user']);

if( is_numeric($id) )
{
   mysql_query($query);
}

现在,您的代码将不会接受无效的用户 ID,并且只要您使用我概述的方法清理所有字符串,就不会有 SQL 注入问题。

Change your code to work like this.

$id = $_GET['id'];
$user = mysql_real_escape_string($_GET['user']);

if( is_numeric($id) )
{
   mysql_query($query);
}

Now your code won't accept an invalid user ID and you won't have issues with SQL injection so long as you sanitize all strings using the method I've outlined.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文