douxian7808 2011-12-01 11:52
Views 42

PHP / MySQL injection example

This is a follow-up to this question: Is PHP's addslashes vulnerable to sql injection attack? (thanks to everyone that replied over there).

Same scenario, but I have this code (in another page):

    // $ID comes straight from the request and is interpolated into the SQL string
    $ID = $_GET['id'];
    $sql = "SELECT * FROM blog WHERE id='$ID'";
    $result = mysql_query($sql);

This should be easy enough to exploit, right?

If I remember correctly I CANNOT run a second query inside mysql_query() but I should be able to do some other malicious stuff, right? Would love to be able to insert a user into the admin table or change a password or something, but I assume I wouldn't be able to do anything other than touch the blog table. Is that correct? Any suggestions on how I can play around and tweak something to prove that there are concerns?


2 answers

  • douyinliu8813 2011-12-01 11:58

    It's called UNION and allows you to pull from extra tables by using a second query.

    I'm guessing something like 1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1 would work. (pulls from the users table and maps the username and password values to their blog "equivalents").

    This answer was selected by the asker as the best answer.
  • doufeinai6081 2011-12-01 11:57

    I don't think anyone would think you're trying to hack someone - this is a legitimate question.

    You can't run a second query here, but you could do something malicious. For example if the query were an authentication query like so:

    SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password';

    You could quite easily log in with ' OR 1 = 1 and gain access to the website.

    Also, if the query was a DELETE or UPDATE query you could probably manipulate it to run without a WHERE clause.
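
As an added illustration (not part of either answer, and not the asker's code), the string-built query from the question and the accepted answer's UNION technique reproduced against a constructed in-memory SQLite database in Python, standing in for PHP/MySQL, next to the parameterized form that closes the hole. The schema, sample rows and function names are assumptions; the payload's column list is adjusted to match the three columns the constructed blog table returns.

```python
import sqlite3

# Constructed in-memory schema standing in for the page's MySQL database:
# the `blog` table the query reads, plus a `users` table holding credentials.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE blog (id INTEGER, title TEXT, body TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO blog VALUES (1, 'Hello', 'First post');
        INSERT INTO users VALUES ('admin', 'hunter2');
    """)
    return conn

def build_vulnerable_sql(post_id):
    # Same construction as the page's $sql = "SELECT * FROM blog WHERE id='$ID'":
    # the request value becomes part of the SQL text, quotes and all.
    return f"SELECT * FROM blog WHERE id='{post_id}'"

def fetch_post_vulnerable(conn, post_id):
    # Like mysql_query(), sqlite3's execute() runs exactly one statement, so a
    # stacked second query is rejected; a UNION inside that one statement is
    # still plain SQL and runs.
    return conn.execute(build_vulnerable_sql(post_id)).fetchall()

def fetch_post_safe(conn, post_id):
    # Parameterized query: the value is bound to the placeholder and is never
    # parsed as SQL, so quotes and keywords inside it have no effect.
    return conn.execute("SELECT * FROM blog WHERE id=?", (post_id,)).fetchall()

# The accepted answer's payload, adjusted so the UNION column count matches
# the three columns that SELECT * returns from the constructed blog table.
UNION_INPUT = "1' UNION ALL SELECT 0, username, password FROM users WHERE '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(build_vulnerable_sql(UNION_INPUT))
    print("vulnerable:   ", fetch_post_vulnerable(conn, UNION_INPUT))
    print("parameterized:", fetch_post_safe(conn, UNION_INPUT))
```

The vulnerable function returns the blog row followed by the users row; the parameterized function returns no rows for the same input because no blog id equals that string.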
