Need help with SQL injection

Posted 2024-12-09 19:23:04 · 875 characters · 1 view · 0 comments


First, I'm not trying to hack or do anything illegal. Thought I'd let you guys know. I have a client that wants me to do some modifications on his system, and when I was looking at it I noticed that NOTHING was escaped. I'm not joking, nothing is being escaped. I explained to him that it's insecure to have a system like that. He then proceeded to tell me that he's had his system like this for a few years and nothing has happened. I need to show him that his system is not safe, but I really don't know how to perform an SQL injection. Here are a few queries that use $_GET and are not escaped.

SELECT *,DATE_FORMAT(joined,'%M %d, %Y') as \"Joined\" FROM `members` WHERE `name` LIKE '".$ltr."%' ORDER BY points DESC LIMIT $page,50

Here's another one:

SELECT * FROM groups WHERE id=$thisladder[grid]

The only thing that I see that "might" clean the $_GET is this function:

if (!ini_get('register_globals')) {
   $superglobals = array($_SERVER, $_ENV,
       $_FILES, $_COOKIE, $_POST, $_GET);
   if (isset($_SESSION)) {
       array_unshift($superglobals, $_SESSION);
   }
   foreach ($superglobals as $superglobal) {
       extract($superglobal, EXTR_SKIP);
   }
}

It's possible that the function above may be sanitizing the variables. And yes, the system also uses register globals, which is also bad.

I also made a backup, just in case.
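As an added example (not the poster's or the client's code), here are the two queries from the question rewritten with mysqli prepared statements, so the `$ltr`, `$page` and `$thisladder[grid]` values can no longer change the SQL text. It assumes an existing mysqli connection in `$mysqli` and the `members` and `groups` tables exactly as named in the question; the function names are my own.

```php
<?php
// Added example, not the original poster's code: the two queries from the
// question with every request value bound or validated instead of interpolated.
// Assumes an open mysqli connection in $mysqli (assumption).

function membersByInitial(mysqli $mysqli, string $ltr, int $page): array
{
    // The original used $ltr as a name prefix; accept exactly one letter and
    // reject everything else before it gets anywhere near the query.
    if (!preg_match('/^[A-Za-z]$/', $ltr)) {
        throw new InvalidArgumentException('ltr must be a single letter');
    }
    // LIMIT $page,50 in the original was unescaped; a non-negative int bound
    // as a placeholder cannot become SQL.
    $offset = max(0, $page);

    // '%' and '_' are LIKE wildcards: escape them in the bound value so only
    // the trailing '%' we append acts as a wildcard.
    $pattern = addcslashes($ltr, '%_\\') . '%';

    $sql = "SELECT *, DATE_FORMAT(joined, '%M %d, %Y') AS `Joined`
            FROM `members`
            WHERE `name` LIKE ?
            ORDER BY points DESC
            LIMIT ?, 50";
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param('si', $pattern, $offset);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

function groupById(mysqli $mysqli, $grid): ?array
{
    // The original interpolated $thisladder[grid] unquoted into "WHERE id=";
    // FILTER_VALIDATE_INT rejects anything that is not an integer.
    $id = filter_var($grid, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $mysqli->prepare('SELECT * FROM groups WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Request values are read explicitly from $_GET, never via extract().
$members = membersByInitial($mysqli, $_GET['ltr'] ?? 'a', (int) ($_GET['page'] ?? 0));
$group   = groupById($mysqli, $_GET['grid'] ?? null);
```

With mysqli native prepared statements the `LIMIT ?, 50` placeholder is bound as an integer, so no quoting problem arises there; the LIKE wildcard escaping matters because a bound `%` would otherwise still match every row, even though it can no longer alter the statement.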


Comments (3)

琉璃梦幻 2024-12-16 19:23:04


Can't say it better than http://xkcd.com/327/.

But then again, as Marc B says, forget SQL injection, register_globals is much, much worse. Never thought I'd actually see it emulated, just in case it's off.

弥枳 2024-12-16 19:23:04


Some fun things to show your 'friend' how stupid his code is:

http://example.com/badscript.php?_GET[]=ha+ha+I+pwned+your+GET+superglobal
http://example.com/badscript.php?_SESSION[issuperuser]=1

This sort of thing is EXACTLY why register_globals is such an outright F'ingly moronic idea, and (after FAR too long) has finally been made to default to OFF.

Forget SQL injection - that idiotic piece of code is allowing remote PHP variable injection.
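To make the variable-injection point concrete from the defender's side, here is an added example (not this commenter's code) that runs from the CLI with a constructed `$_GET` array: the same `extract(..., EXTR_SKIP)` pattern as the question lets a request key define a variable the application never assigned, and a small allow-list reader shows the replacement that reads only named keys with validation. The key names `is_admin`, `ltr` and `page` are assumptions for the demonstration.

```php
<?php
// Added example, not the page's code. Constructed request data stands in for a
// real query string; no web server is needed.
$_GET = ['is_admin' => '1', 'ltr' => 'a', 'page' => '2'];

function emulatedGlobals(array $get): bool
{
    // Same pattern as the register_globals emulation in the question: every
    // request key becomes a local variable. $is_admin was never assigned by
    // the application, so EXTR_SKIP has nothing to protect and the request
    // value wins.
    extract($get, EXTR_SKIP);

    // Code further down that "knows" $is_admin is only set by the login path.
    return !empty($is_admin);
}

function readRequest(array $get, array $allowed): array
{
    // Allow-list alternative: only the named keys are read, each through a
    // validator, and the result is an array the caller indexes explicitly.
    // Nothing else in the request can become a variable.
    $out = [];
    foreach ($allowed as $name => $validator) {
        if (array_key_exists($name, $get) && $validator($get[$name])) {
            $out[$name] = $get[$name];
        }
    }
    return $out;
}

$params = readRequest($_GET, [
    'ltr'  => fn($v) => is_string($v) && preg_match('/^[A-Za-z]$/', $v) === 1,
    'page' => fn($v) => filter_var($v, FILTER_VALIDATE_INT) !== false,
]);

// Authorization state comes from the session/login path, never from $params.
$isAdmin = false;

var_dump(emulatedGlobals($_GET));        // request-controlled
var_dump(array_key_exists('is_admin', $params)); // allow-list drops it
var_dump($isAdmin);
```

The first call returns true purely because of the query string; with the allow-list reader, `is_admin` is absent from `$params` no matter what the request contains, and the real flag stays under the application's control.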

べ映画 2024-12-16 19:23:04


If the login code looked something like this:

$query = 'SELECT id FROM users WHERE username=\''.$_POST['username'].'\' AND password=\''.$_POST['password'].'\'';
$result = mysql_query($query);
etc, etc...

Try typing this into the login fields:

username = "whatever"
password = "' OR 1"

Make sense?
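As an added example (not this answer's code), here is the same login written so that the `' OR 1` value is compared literally: the username is bound with a prepared statement and the password check is moved out of the SQL entirely into `password_verify()`. It assumes a mysqli connection in `$mysqli` and a `users` table with a `password_hash` column holding `password_hash()` digests; the page shows no schema, so that column is an assumption.

```php
<?php
// Added example, not the answer's code. Assumes $mysqli is an open mysqli
// connection and users(id, username, password_hash) exists (assumptions).

function authenticate(mysqli $mysqli, string $username, string $password): ?int
{
    // The username is a bound parameter, never concatenated, so a value such
    // as  ' OR 1  is matched against the column as a plain string.
    $stmt = $mysqli->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row) {
        return null;
    }

    // The password is checked here, not in the WHERE clause, and against a
    // password_hash() digest rather than a plaintext column.
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Login handler: nothing from $_POST ever reaches the SQL text.
$userId = authenticate($mysqli, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    http_response_code(401);
    exit('Login failed');
}
// ... establish the session for $userId here
```

Because the password never appears in the query, an injected password can only fail `password_verify()`; and since the username is bound, the `' OR 1` trick from the answer simply looks for a user literally named that way and finds none.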
