douxian7808
2011-12-01 11:52
浏览 42
已采纳

PHP / MySQL注入示例

This is a follow-up to this question: Is PHP's addslashes vulnerable to sql injection attack? (thanks to everyone that replied over there).

Same scenario, but I have this code (in another page):

             $ID = $_GET['id'];
             $sql = "SELECT * FROM blog WHERE id='$ID'";
             $result = mysql_query($sql);

This should be easy enough to exploit, right?

If I remember correctly I CANNOT run a second query inside mysql_query() but I should be able to do some other malicious stuff, right? Would love to be able to insert a user into the admin table or change a password or something, but I assume I wouldn't be able to do anything other than touch the blog table. Is that correct? Any suggestions on how I can play around and tweak something to prove that there are concerns?

图片转代码服务由CSDN问答提供 功能建议

这是此问题的后续内容: PHP的addslashes是否容易受到sql注入攻击?(感谢那些在那里回复的人)。 \ n

相同的情况,但我有这个代码(在另一个页面中):

  $ ID = $ _GET ['id']; 
 $ sql =“SELECT  * FROM blog WHERE id ='$ ID'“; 
 $ result = mysql_query($ sql); 
   
 
 

这应该很容易被利用,对吗?

如果我没记错的话,我不能在mysql_query()中运行第二个查询,但我应该可以做一些其他的恶意内容,对吧? 希望能够将用户插入管理表或更改密码或其他内容,但我认为除了触摸博客表之外我无法做任何其他事情。 那是对的吗? 关于我如何玩耍和调整某些东西以证明存在问题的任何建议?

  • 写回答
  • 好问题 提建议
  • 追加酬金
  • 关注问题
  • 收藏
  • 邀请回答

2条回答 默认 最新

  • douyinliu8813 2011-12-01 11:58
    已采纳

    It's called UNION and allows you to pull from extra tables by using a second query.

    I'm guessing something like 1' UNION ALL SELECT username title, password body FROM users WHERE '1'='1 would work. (pulls from the users table and maps the username and password values to their blog "equivalents").

    评论
    解决 无用
    打赏 举报
查看更多回答(1条)

相关推荐 更多相似问题