SQL injection: can a subquery in a SELECT modify the database?

Posted 2025-01-05 15:49:53

Is it possible to have a subquery modify the database in a SELECT query? The relevant database is a MySQL database.

Some more details:
The relevant query looks like this:

SELECT * FROM table WHERE id = $x

And the variable $x can be replaced with anything. The only restriction is that the query is executed via PHP's mysql_query(), which prevents the execution of multiple subsequent queries. Otherwise, modifying the DB would be easy; simply set

$x = "42; DROP TABLE foo;"

Comments (3)

零度° 2025-01-12 15:49:53

EDIT:

mysql_query() only prevents multiple queries in versions of MySQL earlier than 5.0. MySQL 5.0 or later will allow multiple commands separated by ; when using mysql_query().

So, yes, a SQL Injection attack is capable of doing whatever commands the login used to connect to the database has permissions to do.

If you connect using admin privileges, the attack could do essentially any possible modification to your database.

For example, say that you concatenate the $email value to the SQL string below:

"SELECT email, passwd, login_id, full_name
  FROM members
 WHERE email = '" . $email . "'"

But lets say that the $email value contains the string:

        x';INSERT INTO members (email, passwd, login_id, full_name) 
        VALUES ('[email protected]','hello','steve','Steve Friedl');--

You end up with the following statement:

SELECT email, passwd, login_id, full_name
  FROM members
 WHERE email = 'x';
        INSERT INTO members (email, passwd, login_id, full_name) 
        VALUES ('[email protected]','hello','steve','Steve Friedl');--';

Even if modifications weren't allowed by the login that you're using to connect to the database, SQL injection attacks could be used to scrape every bit of data out of your database...

It's definitely recommended that you protect yourself by using some form of parameterized queries in your client application.

多像笑话 2025-01-12 15:49:53

It would be conceivably possible to have a subquery modify the database in a SELECT statement. As long as the API used permits multiple queries per statement, the following example would work:

Consider injectvar populated with the following bad data. Its purpose was to be used in a subquery WHERE clause:

injectvar = "0); DELETE FROM tbl; --"

SELECT a, b
FROM tbl 
WHERE a IN (SELECT DISTINCT c FROM tbl2 WHERE d = injectvar)

Results in:

SELECT a, b
FROM tbl 
WHERE a IN (SELECT DISTINCT c FROM tbl2 WHERE d = 0); DELETE FROM tbl; --)

As long as the injectable code can form a valid SQL statement, you will have trouble. In this case, it requires closing the subquery with a ) and the attacker would need some knowledge of your query structure. It would be more difficult to blindly try injection attacks, but if a robot is doing that it is entirely possible.
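
As an added example (not code from either answer above, and not PHP), the payloads from the two answers are run against a client API that executes one statement per call, against one that allows stacked statements, and against parameterized versions of the same queries. Python's sqlite3 module stands in for MySQL: its execute() refuses a second statement just as the asker describes for mysql_query() (PHP's ext/mysql never enabled multi-statement execution; in PHP that takes mysqli_multi_query()), while executescript() runs everything it is given. The tables members, tbl and tbl2, their rows, and the example.com addresses are constructed for this demonstration. The block goes one step past the answers: it adds two single-statement payloads (a UNION that dumps the members table, and a closed parenthesis followed by OR (1=1 in the subquery) to show that refusing stacked statements does not stop injection, only changes what the attacker does with it.

```python
import sqlite3

# Constructed sample schema and rows (not from the original posts). sqlite3 stands
# in for MySQL: like PHP's mysql_query(), execute() runs exactly one statement per
# call and raises if a second statement follows it.
SCHEMA = """
CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT);
INSERT INTO members VALUES ('alice@example.com', 'pw-alice', 'alice', 'Alice Example');
INSERT INTO members VALUES ('bob@example.com', 'pw-bob', 'bob', 'Bob Example');
CREATE TABLE tbl (a INTEGER, b TEXT);
CREATE TABLE tbl2 (c INTEGER, d INTEGER);
INSERT INTO tbl VALUES (1, 'row-one'), (2, 'row-two');
INSERT INTO tbl2 VALUES (1, 7), (2, 8);
"""

# Stacked-statement payloads from the two answers (addresses constructed) ...
STACKED_INSERT = ("x';INSERT INTO members (email, passwd, login_id, full_name) "
                  "VALUES ('steve@example.com','hello','steve','Steve Friedl');--")
STACKED_DELETE = "0); DELETE FROM tbl; --"
# ... and single-statement variants that need no second statement at all.
UNION_DUMP = ("x' UNION SELECT email, passwd, login_id, full_name "
              "FROM members WHERE 'a'='a")
PAREN_ESCAPE = "0) OR (1=1"

REJECTED = "rejected: more than one statement"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_one(conn, sql):
    """One-statement-per-call API: stacked statements are refused outright."""
    try:
        return conn.execute(sql).fetchall()
    except (sqlite3.ProgrammingError, sqlite3.Warning):  # older Pythons raise Warning
        return REJECTED


def members_vulnerable(conn, email):
    # String concatenation, as in the first answer: the caller controls the SQL.
    return run_one(conn, "SELECT email, passwd, login_id, full_name "
                         "FROM members WHERE email = '" + email + "'")


def members_safe(conn, email):
    # Parameterized: the value is bound after parsing and is never read as SQL.
    return conn.execute("SELECT email, passwd, login_id, full_name "
                        "FROM members WHERE email = ?", (email,)).fetchall()


def subquery_vulnerable(conn, injectvar):
    # The second answer's query, with the value spliced into the subquery.
    return run_one(conn, "SELECT a, b FROM tbl WHERE a IN "
                         "(SELECT DISTINCT c FROM tbl2 WHERE d = " + injectvar + ")")


def subquery_safe(conn, d):
    return conn.execute("SELECT a, b FROM tbl WHERE a IN "
                        "(SELECT DISTINCT c FROM tbl2 WHERE d = ?)", (d,)).fetchall()


def stacked_with_multi_statement_api(conn, injectvar):
    """Same payload through an API that does run stacked statements
    (executescript here, mysqli_multi_query() in PHP). Returns rows left in tbl."""
    conn.executescript("SELECT a, b FROM tbl WHERE a IN "
                       "(SELECT DISTINCT c FROM tbl2 WHERE d = " + injectvar + ")")
    return conn.execute("SELECT COUNT(*) FROM tbl").fetchone()[0]


def count_members(conn):
    return conn.execute("SELECT COUNT(*) FROM members").fetchone()[0]


if __name__ == "__main__":
    conn = fresh_db()
    print(members_vulnerable(conn, STACKED_INSERT))   # rejected, members unchanged
    print(members_vulnerable(conn, UNION_DUMP))       # every row, passwords included
    print(members_safe(conn, UNION_DUMP))             # []
    print(subquery_vulnerable(conn, STACKED_DELETE))  # rejected
    print(subquery_vulnerable(conn, PAREN_ESCAPE))    # all rows of tbl
    print(subquery_safe(conn, PAREN_ESCAPE))          # []
    print(stacked_with_multi_statement_api(fresh_db(), STACKED_DELETE))  # 0
```

The one-statement restriction lives in the client library, not in SQL: the moment the same concatenated string reaches an API that accepts stacked statements, the DELETE runs. And even under the restriction, the UNION and the closed-parenthesis payloads read data they were never meant to see. Binding the value as a parameter is what removes the attacker from the parser in every case.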

多情出卖 2025-01-12 15:49:53

I see no point in asking this kind of question.

So what if you get a negative answer regarding one particular injection method?
Do you consider yourself safe then? If injection is possible, it doesn't matter which one it is. One or another, it doesn't matter. Reading can be no less disastrous than writing.
